Slashdot Mirror


Google Security Engineer Urges Hackers To Focus Less on Anti-Virus and Intrusion Products (theregister.co.uk)

Google senior security engineer Darren Bilby has asked fellow hackers to expend less effort on tools like antivirus and intrusion detection and instead focus on more meaningful defenses such as whitelisting applications. From a report on The Register: The incident responder from Google's Sydney office, who is charged with researching very advanced attacks including the 2009 Operation Aurora campaign, decried many existing tools as ineffective "magic" that engineers are forced to install for the sake of compliance but at the expense of real security. "Please no more magic," he told the Kiwicon hacking conference in Wellington, New Zealand today. "We need to stop investing in those things we have shown do not work. And sure you are going to have to spend some time on things like intrusion detection systems because that's what the industry has decided is the plan, but allocate some time to working on things that actually genuinely help. [...] Antivirus does some useful things, but in reality it is more like a canary in the coal mine. It is worse than that. It's like we are standing around the dead canary saying 'Thank god it inhaled all the poisonous gas'," he said.

  1. Whitelisting renders your computer useless... by Dr_Barnowl · · Score: 4, Insightful

    Well, as a computer, that is. The great strength of a general purpose computer is just that - it can do anything.

    Once you have a whitelisting "solution" on it, it can only do what the IT Dept. explicitly approves of, which now means that it's about as useful as an iPhone - only files that have been explicitly whitelisted are allowed to be executed.

    A whitelisting client that actually locks things down properly won't even allow you to use the shell, well, it won't allow you to run .BAT files. Running the individual commands may still be allowed!

    It might provide security, but at the cost of stifling the ability of "power users" (ie - programmers of limited ability - or indeed, any ability).

    My last job installed one on the developers' computers... and gave us the permissions to override it. Pressing "OK" after every single build to be allowed to run it was... special.

    1. Re:Whitelisting renders your computer useless... by RonVNX · · Score: 3, Insightful

      And it creates a security risk because it means you trust those apps no matter what they turn out to be doing.

  2. Easier said than done by Junta · · Score: 5, Insightful

    Advice on safe internet use is "horrible", he added. Telling users not to click on phishing links and to download strange executables effectively shifts blame to them and away from those who manufactured hardware and software that is not secure enough to be used online.

    The alternative is horribly locked down appliances that can't do what the user asks them to do. It means distrusting the owner of the device. There are scenarios where that can make sense where the role of the device is very well defined (ATMs, Point of Sale equipment, etc), but personal computers by their very nature empower their users to do things the vendor would not have necessarily conceived of.

    I agree that anti virus measures are not that good, but it just means that user education is all the *more* important, unless you don't want to let the users do anything or you don't have any users doing creative technical work.

    --
    XML is like violence. If it doesn't solve the problem, use more.