Internet Security Moving Toward 'White List'

Zonk posted about 7 years ago | from the instead-of-the-other-way-around dept.

Security 316

ehud42 writes "According to Symantec, 'Internet security is headed toward a major reversal in philosophy, where a 'white list' which allows only benevolent programs to run on a computer will replace the current 'black list' system' as described in an article on the CBC's site. The piece mentions some issues with fairness to whose program is 'safe' including a comment that judges need to be impartial to open source programs which can change quite rapidly. Would this work? The effort to maintain black lists is becoming so daunting that white lists may be an effective solution."


Works for me! (3, Insightful)

BadAnalogyGuy (945258) | about 7 years ago | (#20664613)

I'm all for this idea. We're counting Flash and Javascript as external programs too, right?

Re:Works for me! (2, Interesting)

moranar (632206) | about 7 years ago | (#20664851)

You can disable those in your browser, you know? You don't even have to install Flash.

Or is this a *WOOSH* moment?

Re:Works for me! (4, Insightful)

walt-sjc (145127) | about 7 years ago | (#20665281)

There is whitelisting, and there is disabling. Two different things. Noscript for Firefox is a whitelisting tool.

Surf safe. Use Noscript.

Re:Works for me! (1)

moranar (632206) | about 7 years ago | (#20665299)

Not adding flash and javascript to the whitelists, as the OP suggested, is not exactly "whitelisting" sites.

What happened to good OS design? (5, Insightful)

Moraelin (679338) | about 7 years ago | (#20665317)

Frankly, I'm not all for this idea. It creates a cumbersome and abusable solution to something that was solved better already.

E.g., whatever happened to running something in a sandbox, ffs? You can go as far as running something untrusted (e.g., a plugin, ActiveX control, etc) in a virtual box, but even a chroot jail is a good start. It _is_ possible to isolate something to the point where it can't do any harm at all, and can't touch anything except itself. It's also possible to nice it to the point where it only runs when nothing else wants to, so it can't DOS your system that way.

So why doesn't anyone do just that already? E.g., MS could have fixed their own ActiveX crap that way ages ago. Instead we got this baroque, but fundamentally broken, model where you get to decide (or have decided for you based on zones) whether something can't run at all, or can run with full rights as an executable. Except if a malicious one slipped through the cracks, it's still a full executable running on your machine.

Heck, even Java is essentially the wrong way about it as a browser plugin. It tried to implement itself some restrictions which belong in the OS or browser itself, and if the JVM itself is compromised (there _have_ been a couple of JVM vulnerabilities), it can do anything. Kudos to Sun for trying that, but it's a workaround essentially. It shouldn't have been the JVM which does that, it should have been the OS and browser.

Whitelisting is just an extra step in that wrong direction, essentially. Instead of making sure that a malicious thing in the browser can't touch anything else, we're one step further in the baroque, fragile and monumentally work-intensive direction of determining which of them should be allowed. Except again, if something slipped through the cracks, you'll still get screwed so hard you'll walk bow-legged for a week.

Am I the only one who finds that dumb?

Re:What happened to good OS design? (2, Interesting)

Mike89 (1006497) | about 7 years ago | (#20665327)

I remember reading on Slashdot in the past that when Anti-Vir was first around (I think the old DOS Program Norton Navigator was referenced), we started with a White List. The same White List idea outlined here. Then for whatever stupid reason we moved to a blacklist. There's only a finite number of good programs, whereas bad ones spring up every 5 minutes.

who uses a black list? (3, Funny)

DragonTHC (208439) | about 7 years ago | (#20664617)

My Internet security philosophies have always been drop 'em all, let iptables sort 'em out!

Re:who uses a black list? (1)

Baddas (243852) | about 7 years ago | (#20664879)

But... how then did you post anything? The mind boggles.

White List (1)

miketheanimal (914328) | about 7 years ago | (#20664619)

I bet Vista gets on the whitelist. Whitelist RIP

You may be more right than some realize (5, Insightful)

Moraelin (679338) | about 7 years ago | (#20665259)

You may be more right than some probably realize. See, whitelisting is essentially all that "trusting computing" was about.

Yes, "trusted computing" had all that DRM stuff and crypto signatures and all components authenticating themselves and their drivers, but essentially that's what you need to have a bullet-proof whitelist.

- E.g., if you don't have a strong hash to be sure that it indeed is the program you think you're running, and it's an untampered executable, then you don't really know what you're running. (E.g., if you were to do it just by name, and you allow, say, "WoW.exe", then you'll also run a virus attachment called "WoW.exe" just as cheerfully.)

- E.g., if you don't make the system startup itself bullet-proof, people will use spoof drivers and whatnot to compromise that security

So basically we're essentially back to the same Palladium shit that we ranted and raved against as the great Satan. It's what MS wanted in Vista in the first place, but apparently realized grudgingly that no one else wanted. And _of_ _course_ Vista would be on the list. In fact, better than that, Vista was supposed to be the one enforcing it. (Which, if you think about it, is pretty much needed. If the OS doesn't do it, and doesn't double-check its startup and components at that, any other link down the chain is not guaranteed to be guaranteed enough to be the uncompromised.)

So now it's snuck back under the same claim that you need it to protect you from the evil hackers. Right.

Well, the problems are the same any way anyone wants to slice it. E.g.,

- it essentially discourages running stuff you compiled yourself. (Just changing the options you compile a kernel with, for example, is enough to change the hash, if the hash is any good. So essentially the only safe thing a "trusted computing" system should conclude there is that the system itself has been tampered with and is no longer secure or trustable.)

- it places an undue burden on small time developers and hobbyists. I know if I was distributing a small utility on sourceforge, I'd be annoyed if I had to re-certify it every time I refactor something or fix some obscure bug. Doubly so if it costs anything to get it certified, which would likely be the case if a commercial entity is doing it. Getting it virus scanned, run through some automated heuristics, hashed, and put on the list, can take some time and infrastructure and a paid employee's time costs money.

And, frankly, even if it was something as trivial as 10$, why would I pay it for something that makes me no money? It'd be like ROI except without the R. And if you want it thoroughly dissected and certified that it 100% can't possibly be a virus, then it'll cost a heck of a lot more than that.

- it can be used to shaft you the other way around too. A program can authenticate the system it runs on, and some might even need to. (E.g., I sure hope an anti-virus utility pipes up loudly if it thinks it runs on a system where the OS itself has been compromised. E.g., I sure hope a banking applet pipes up loudly if it runs in a browser that's been compromised.) So there's nothing to keep someone from making a program that refuses to run in Wine or a flash applet that refuses to work in Mozilla.

And if you think no one other than MS would ever do that, think again. There was this recent story even on Slashdot about webmasters who explicitly don't want Mozilla users because they block their ads.

Etc.
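The name-versus-hash point in the comment above, and the recompile drawback it raises, as an added example that is not part of the original thread. The file names, byte contents and function names are constructed for illustration and stand in for real executables.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed sample "executables": short byte strings standing in for binaries.
VENDOR_BUILD = b"MZ\x90\x00 constructed game client, build flags: -O2"
REBUILT = b"MZ\x90\x00 constructed game client, build flags: -O3"
IMPOSTOR = b"MZ\x90\x00 constructed unrelated program using a trusted name"


def sha256_of(path):
    """Stream the file through SHA-256 so large files are not read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(paths):
    """Map the digest of each approved file to the name it was approved under."""
    return {sha256_of(p): p.name for p in paths}


def allowed_by_name(path, approved_names):
    """Weak policy: trusts whatever the file happens to be called."""
    return path.name.lower() in approved_names


def allowed_by_hash(path, approved_hashes):
    """Stronger policy: the content digest must be listed; the name is ignored."""
    return sha256_of(path) in approved_hashes


def run_demo():
    """Return {label: (name_policy_allows, hash_policy_allows)} for four files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        layout = {
            # The build that was reviewed and put on the list.
            "vendor": ("approved/WoW.exe", VENDOR_BUILD),
            # Different content that merely reuses the approved file name.
            "impostor": ("attachments/WoW.exe", IMPOSTOR),
            # Same program, rebuilt with one compile option changed.
            "rebuilt": ("self_built/WoW.exe", REBUILT),
            # The approved bytes, copied under another name.
            "renamed": ("backup/game_copy.exe", VENDOR_BUILD),
        }
        paths = {}
        for label, (relative, data) in layout.items():
            target = root / relative
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
            paths[label] = target

        approved_names = {"wow.exe"}
        approved_hashes = build_allowlist([paths["vendor"]])

        return {
            label: (
                allowed_by_name(p, approved_names),
                allowed_by_hash(p, approved_hashes),
            )
            for label, p in paths.items()
        }


if __name__ == "__main__":
    for label, (by_name, by_hash) in run_demo().items():
        print(f"{label:9} name-policy={by_name!s:5} hash-policy={by_hash}")
```

The name policy accepts the impostor, while the hash policy rejects it and also rejects the self-built copy, which is the maintenance cost for anyone who compiles their own software.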

Follow the money (3, Interesting)

mdm42 (244204) | about 7 years ago | (#20664621)

Sounds to me more like a scheme to squeeze money out of software producers: "Give us teh money if ya wants yer program whitelisted."

Re:Follow the money (2, Interesting)

CRCulver (715279) | about 7 years ago | (#20664649)

Microsoft Hotmail has already extorted people in such a manner: "We know you are not a spammer, but give us a thousand dollars to unblock your e-mail."

Not going to happen (4, Interesting)

MadMidnightBomber (894759) | about 7 years ago | (#20664623)

Can someone send me a list of all IPv4 hosts which are not malicious? k thanx bye.

PS. please can you also send me an update whenever a new machine is compromised?

Re:Not going to happen (5, Funny)

Architect_sasyr (938685) | about 7 years ago | (#20664717)

127.0.0.1

Re:Not going to happen (5, Funny)

Anonymous Coward | about 7 years ago | (#20664757)

according to my scanner, that machine is totally compromised

Re:Not going to happen (-1, Redundant)

Anonymous Coward | about 7 years ago | (#20664813)

d00d! thats' y00!!!!

HAHAHAHA Suxor!!!

Re:Not going to happen (-1, Redundant)

Anonymous Coward | about 7 years ago | (#20665021)

Wooosh!

Re:Not going to happen (0, Redundant)

Aceticon (140883) | about 7 years ago | (#20664905)

127.0.0.1

Update: This machine is now compromised

Re:Not going to happen (0)

Anonymous Coward | about 7 years ago | (#20664771)

207.46.19.254
--- end of list ---

Re:Not going to happen (1)

richie2000 (159732) | about 7 years ago | (#20664849)

He wrote "NOT" malicious. You got the other list.

No list needed (0)

Anonymous Coward | about 7 years ago | (#20664901)

I've been using whitelists for years now. Kerio Personal Firewall does it for me on Windows, but I'm sure most of the other firewalls also provide these features:

*) Whitelist ALL internet connections, mark networks as "safe" or make advanced rules for IP traffic
*) Stop any new program from running until approved. Checking signature, date, filesize and filename.
*) Various web-filters etc., but I don't use the pay-version so they disable themselves.

Of course, this won't stop ignorant users running "Britney screensavers" and what not, but should be secure enough for me.

Where are the Web Safety basics ? (5, Insightful)

Burz (138833) | about 7 years ago | (#20665043)

Indeed, the only possible "success" from the whitelist idea is that the Internet morphs into television (shudder).

Q: Where has the Internet failed?

A: Its main proponents and enthusiasts ignored Drivers' Ed for the info-superhighway. They didn't teach people how to use web browser and email programs, didn't show how to read a URL and pay attention to the protocol and domain, nor instill the habit of mousing-over links to see where they go beforehand. Teaching people about the padlock symbol should have also included how to deal with SSL certificate alerts.

The result of this neglect is that people cannot recognize authenticity on the Internet, so the value of the Internet's "currency" is spoiling. Imagine if people weren't clued-in on how to authenticate a $20 bill: Over time only certain government and corporate entities would be trusted to handle currency to prevent spoiling by counterfeiters.

Our job as Internet cognoscenti is to keep correcting the people around you on the right way to use Web and email. Granted, this is not a cure-all given the other major factor here (Windows malware) but it's several steps in the right direction. This stuff is not hard.

The alternative is an Internet-II re-worked around big corporations and government sites through a whitelist enforced by Trusted Computing remote attestation. Don't think they won't be opportunistic enough to scare the public into that corner.

Re:Where are the Web Safety basics ? (2, Insightful)

feepness (543479) | about 7 years ago | (#20665335)

"Imagine if people weren't clued-in on how to authenticate a $20 bill: Over time only certain government and corporate entities would be trusted to handle currency to prevent spoiling by counterfeiters."

Recognizing counterfeit money is a specialization within the FBI. Also, there are few fake $20 bills, not worth the effort. They usually counterfeit $100s. And ever been in a casino where they authenticate with that special marker? This is because you can't tell unless you've got years of experience. We've all probably handled counterfeit money in your lifetime without ever knowing.

"Our job as Internet cognoscenti is to keep correcting the people around you on the right way to use Web and email."

That job isn't paying enough. Let me know when it gets past $50 bucks an hour. Until then I've got paying work and when I'm not doing that I'd like to spend time with the family.

"This stuff is not hard."

No, no it isn't. Neither is changing my oil but you won't find me under my car doing it because frankly I only vaguely know how, don't find it one bit interesting, and I certainly don't expect my Engine cognoscenti friends to teach me how to do it. In fact, I would likely be slightly annoyed if they kept trying to do so.

Re:Where are the Web Safety basics ? (1)

icebrain (944107) | about 7 years ago | (#20665363)

Dealing with currency counterfeiting is the job of the Secret Service. From the Treasury dept. website [treas.gov] :

"The Secret Service has exclusive jurisdiction for investigations involving the counterfeiting of United States obligations and securities. This authority to investigate counterfeiting is derived from Title 18 of the United States Code, Section 3056. Some of the counterfeited United States obligations and securities commonly dealt with by the Secret Service include U.S. currency and coins; U.S. Treasury checks; Department of Agriculture food coupons and U.S. postage stamps."

What about Javascript? (4, Interesting)

Beryllium Sphere(tm) (193358) | about 7 years ago | (#20664633)

A lot of the work my computer does for me happens via Google's Javascript. Will I have to whitelist it all over again every time the gmail implementation changes? If it's whitelisted by domain, then you still have to protect against cross-site scripting attacks somehow (all hail NoScript!)

The whole idea of a program being a quasi-static executable installed locally is starting to seem quaint.

Re:What about Javascript? (0)

Anonymous Coward | about 7 years ago | (#20664715)

"The whole idea of a program being a quasi-static executable installed locally is starting to seem quaint."

Yet another unthinking user who has lost track of how many programs are actually running on their computer at any given time. I'll give you a hint: you're using way more local apps than fancy web twenny apps right now.

Re:What about Javascript? (2, Interesting)

darthflo (1095225) | about 7 years ago | (#20665151)

"protect against cross-site scripting attacks"

Your browser takes care of securing you against XSS, so you'd make sure it's not an insecure [secunia.com] software [secunia.com] and use reliable [secunia.com] instead [secunia.com] . HTTPS would protect against phishing and "real" man-in-the-middle attacks and the mentioned whitelist would make sure nobody messes with yer browser. Problem solved :)

Is it me (4, Interesting)

damburger (981828) | about 7 years ago | (#20664647)

Or is this going to really screw small-scale windows developers?

Seems to me to be a blatant attempt by the big boys to lock users into their software (or software from companies they have an arrangement with). Since the majority of users probably won't know how to disable this 'feature', they will have less choice, and therefore higher costs.

Re:Is it me (4, Interesting)

beakerMeep (716990) | about 7 years ago | (#20664793)

Maybe, but coming from Symantec this is just marketing tripe for their own services or future services. As an approach to security this already takes place. Think of Firefox or a firewall asking you "are you sure you would like to run this program?"

Though it does seem like they are positioning themselves to be the gatekeepers of all software, good or bad. Want to run a program? Don't ask the user, ask Symantec. People won't stand for that though. There is a certain level of control over a computer most users are willing to give up in certain circumstances to the OS or an outside party or the like, but this is total control. Even novice users would probably find some piece of software they wanted to run that wasn't in the system and get annoyed at Symantec for breaking their computer while more technical users would likely never want to be early adopters of something like this.

Not only that, but I wonder.... wouldn't the list of "good" software be unimaginably larger than the list of malicious trojans and viruses?

Think about that number for a second. The only way they would ever look good would be if every single one of the users only ever ran software on the list. So for each user that uses dozens of applications, if even just one of those dozens isn't on the list, they are going to blame Symantec.

Sadly I don't think this will stop them from trying to pull this off anyways and at least getting a small userbase of complete novices and maybe corporate IT depts that want to lock down the drones.

Re:Is it me (0)

Anonymous Coward | about 7 years ago | (#20664811)

Very true. Surely the logical end point will be a continuation of the Windows "signed" software system, where you have to add unsigned software to a whitelist rather than just say "ok do it anyway" like you do now.

Of course, bad programs will just disable the whitelist anyway... I give it 15 minutes until beaten

Re:Is it me (1)

erroneus (253617) | about 7 years ago | (#20664949)

I wish I could see it that way myself, but I really think the state of things is so bad that short of dumping Windows entirely, it's just too unsafe to run software under Microsoft Windows. The blame is pretty evenly spread, though, among the users, the criminal and Microsoft, but the history of what led us to this point is so wide and deep that no one could really be held seriously accountable.

Re:Is it me (1)

drmerope (771119) | about 7 years ago | (#20665119)

It's interesting, I've heard Intel talking about this before (wish I remembered a particular link). Reportedly anyone willing to pay enough could buy a license to sign their software. Along with viral protection they mentioned enhanced DRM... meaning the ability to prevent "circumvention" tools from running.

Unlikely to work (2, Interesting)

Dibblah (645750) | about 7 years ago | (#20664651)

Why? Because AV vendors want your money.

With a whitelist, the user clicks 'Accept' for everything he runs. Then he's protected until he installs something else.

Blacklists are great since they require yearly subscriptions.

Re:Unlikely to work (1)

MoonFog (586818) | about 7 years ago | (#20664835)

First McAfee's CEO claims that cybercrime is bigger than drug crime, and now Symantec says that we need white lists. Has there been so little noise around viruses and trojans lately that they need to do this to get attention?

Re:Unlikely to work (1)

mrjb (547783) | about 7 years ago | (#20665117)

"Why? Because AV vendors want your money."

I once released a commercial anti-virus and got this type of comment all the time and got really tired of it. I understand your train of thinking, but remember that the AV guys are supposed to be the good guys.

The flip side? (2, Interesting)

A Life in Hell (6303) | about 7 years ago | (#20664653)

Isn't the flip side of this that now you're only allowed to run approved programs on your computer? Only IE is approved for web browsing, only MSN Live is approved for instant messaging. I know that I, for one, welcome our corporate overlords.

White lists have been proposed since the beginning of time - from web filtering to spam prevention, and now to malware prevention - and they all suffer from exactly the same problem, which is the fact that humans are not all identical clones of each other, and neither consume information in the same way, nor communicate with others in the same way.

Re:The flip side? (1)

Dawizman (775405) | about 7 years ago | (#20664683)

Are you forgetting about monopoly laws? Microsoft is already getting slapped around by the EU. Allowing only their own programs to be "approved" you only dig them a deeper hole.

Re:The flip side? (1)

A Life in Hell (6303) | about 7 years ago | (#20664713)

I obviously picked two bad examples there - replace them with Yahoo Instant Messenger and Netscape 10 respectively, and my point still stands :).

I can see it now (4, Funny)

Colin Smith (2679) | about 7 years ago | (#20664659)

This application has not been signed by Microsoft. Do you want to run this application? Yes/No

Are you sure you want to run this application? Yes/No

Are you really sure you want to run this application? Yes/No

I mean, if it's not Microsoft, it's not really "official", what makes you sure you should be running this application. You probably shouldn't. There's a nice Microsoft alternative which is "official". Wouldn't you like to download that instead? Yes/No

 

Re:I can see it now (3, Insightful)

Anonymous Brave Guy (457657) | about 7 years ago | (#20664971)

I mean, if it's not Microsoft, it's not really "official", what makes you sure you should be running this application. You probably shouldn't. There's a nice Microsoft alternative which is "official". Wouldn't you like to download that instead? Yes/No

You forgot option 3:

[T]hanks, but I already did download an alternative to Microsoft.

Seriously, though, how can anyone possibly believe this could ever work? The computing world is driven by countless specialist applications, many of them written in-house by small businesses, or just by individuals to solve a specific problem they have. It's pretty obvious that no organisation could possibly whitelist all of this stuff effectively, without having some sort of automated system that every malicious developer in the world could abuse just as easily.

Re:I can see it now (4, Funny)

Terrasque (796014) | about 7 years ago | (#20664977)

Microsoft has not authorized this. Continue? No / Cancel

Re:I can see it now (4, Funny)

bentcd (690786) | about 7 years ago | (#20664993)

Heh.

"This software has been signed by Microsoft. Are you sure you want to install?"

(yes)

"This software has been signed by Microsoft. Are you sure you want to install?"

(yes)

"Proceeding will void your warranty. Are you sure?"

(yes)

"Well, it's your funeral. Please wait."

Re:I can see it now (0)

Anonymous Coward | about 7 years ago | (#20665093)

I can imagine that not long after, they'll be trying to trick you with double negatives:

Are you not sure you don't want to not uninstall this application? No/Not-no

This is the stupidest idea (2, Insightful)

Zouden (232738) | about 7 years ago | (#20664665)

anyone has ever suggested about computer security.

Again? (5, Insightful)

suv4x4 (956391) | about 7 years ago | (#20664669)

Certificates were intended as a white list: you protect the submitted data and have a certificate from a central authority that this is indeed the company the certificate says it is.

We know how this ended (certificates given left and right without proper verification).

Now they try again with new certificates, which are more expensive.

So that's about that part.

What about site filters. Whitelisting sites in security suites has got to be the dumbest idea I've heard in a long time. Last I checked there's like billions of pages out there, some of which safe and some not.

So now that we find it impossible to cover the entire subset of malicious pages, what do we do? Yes, we try to cover the even greater subset of legal pages.

This will either end with many small harmless sites filtered out, or sites having to pay ransom to all security suite vendors out there to get whitelisted or something of a similar nature.

Not happening.

Re:Again? (1)

Zironic (1112127) | about 7 years ago | (#20665167)

I don't have a problem with whitelists as such. The wonderful addon to Firefox called NoScript is whitelist based and seems to work fine. Everything is blocked until you choose to unblock it.

Re:Again? (1)

suv4x4 (956391) | about 7 years ago | (#20665243)

I don't have a problem with whitelists as such. The wonderful addon to Firefox called NoScript is whitelist based and seems to work fine. Everything is blocked until you choose to unblock it.

The subtle difference is, the suite vendors get to make the list, not you. Imagine NoScript, but with a whitelist of sites you're allowed to *view*.

We already have a taste of the Allow/Deny whitelisting in Vista, I don't think it solved anything either. I believe revocable company certificates is the way.

This way you give the company a certificate and it should follow the rules (not publish signed malicious executables). If the alliance of security vendors spots an executable in the wild signed with said certificate and is malicious, the certificate is revoked.

This is the most efficient way to do it, while protecting users from executables they can't always know in advance are safe or not.

But it means again you PAY someone to run your executables. If the certificate costs less than $500 per company (or project group, for OSS software), then that's ok. But I and you know, if you allow them to charge $500, they'll try to charge more next year.

Greed knows no borders.

what about the small developer? (4, Interesting)

rucs_hack (784150) | about 7 years ago | (#20664679)

Take me for example. My open source software has a tiny number of users, being very specialised, and I'm not alone in having this class of software. We can't all be Apache developers. How will people like me get their program approved? Is it going to cost money? That's what I want to know.

I'd be interested in knowing how they deal with the fast release cycle of open source software (excluding mine, oh for a 48 hour day...).

I'm pretty keen on the whitelist idea though. If nothing else it'll make malware more inventive, they'll start imitating the fingerprints of validated software.

Re:what about the small developer? (0)

Anonymous Coward | about 7 years ago | (#20664785)

Don't worry. It'll probably work in the same way as personal firewalls (as opposed to hardware ones) do: with a user controlled list. Of course, such a control mechanism would be useless if users start allowing everything to run without thinking.

Re:what about the small developer? (0)

Anonymous Coward | about 7 years ago | (#20664817)

"Take me for example. My open source software has a tiny number of users, being very specialised, and I'm not alone in having this class of software. We can't all be Apache developers. How will people like me get their program approved? Is it going to cost money? That's what I want to know."

MOD PARENT UP, he actually read the article and caught its drift. No doubt MS Office will get white listed and OO won't till SUN has a word with them. They are not talking about whitelisting of websites or computer owners giving their approval for a piece of software to run, they are talking about whitelists created by MS and whatever 3rd party security software you run, which if they have their way will be Symantec. FSF should keep an eye on this. Wouldn't be surprised if they try to sell this to the governments of the world and/or the financial institutions. Wonder how the corporations will like this when it won't let their custom in house software run.

*proudly displays his tinfoil hat

Re:what about the small developer? (1)

jrumney (197329) | about 7 years ago | (#20665047)

To prevent imitation of fingerprints by malware, the scheme should be based on digital signatures rather than a simple fingerprint. Users can either choose to trust the developer's signature, in which case they get upgrades without any problem, or they can sign the binaries themselves if they want to limit the approval to a particular version. To cater to both open source and commercial software, such a scheme would have to accept GPG signatures as well as signatures from Verisign issued keys.

Shouldn't it have been this way from the start? (2, Interesting)

ukatoton (999756) | about 7 years ago | (#20664685)

This is not a new idea, and many have talked about it before [ranum.com]

Really, black lists were a bad idea from the start. Usually, the programs people want to run on a computer will remain fairly static, with perhaps a few changes when they update or find something online that looks interesting.

I'm sure there must be some security software that uses whitelists already. Does anyone know of any free ones?

Re:Shouldn't it have been this way from the start? (2, Interesting)

1u3hr (530656) | about 7 years ago | (#20664735)

"I'm sure there must be some security software that uses whitelists already. Does anyone know of any free ones?"

Many firewalls use the whitelist principle. Eg, Zonealarm. When you install it, nothing is approved. As any program tries to access the network, you get a popup asking you to approve one-time-only, or to put the program on the trusted list. Seems to work quite well, 5 years, and none of the PCs I or my family use have had any security issues.

But it does require some judgement. The stereotypical Joe User will just approve anything, making the alerts moot. (My daughter has a non-admin account and can't do that.)

Re:Shouldn't it have been this way from the start? (1)

nickh01uk (749576) | about 7 years ago | (#20664985)

There's a nice little article here [exaprotect.com] that talks about this subject in a vendor-neutral way.

AG

Re:Shouldn't it have been this way from the start? (1)

Ailure (853833) | about 7 years ago | (#20665257)

NoScript does [noscript.net] . It basically blocks javascript and flash for any pages you hadn't whitelisted. Since most security problems are related to javascript, it does make browsing more safe... and less annoying. :)

I wouldn't mind seeing something similar for software now too... as long as it's open source.

High time too (4, Interesting)

jimicus (737525) | about 7 years ago | (#20664689)

The Internet in general terms started moving in this direction years ago when people started to configure their firewalls to block everything and allow only what you need through. Previously it was reasonably common practise not to have a firewall at all - or if you did, all it did was block against things which were known to be malicious.

It is a lot of work to maintain any whitelist of any significant size. But the reason you do it is because it's a lot more work to maintain any blacklist of any significant size, and even more work still to clear up the mess after something slips the net.

I think residential ISPs will be the first - I'd be surprised if it was even possible to connect outside your own ISP's network. Email through their SMTP server, web access through their proxy, sucks if you want any other service your ISP doesn't provide. Some of the more expensive ISPs may set up some sort of "sign a disclaimer and we'll let you do anything, but we reserve the right to pull the plug if we see so much as a single malicious packet" system.

Re:High time too (1)

aj50 (789101) | about 7 years ago | (#20665291)

I think residential ISPs will be the first - I'd be surprised if it was even possible to connect outside your own ISP's network.

Wasn't that how AOL started?

Re:High time too (2, Insightful)

Kjella (173770) | about 7 years ago | (#20665347)

What you're asking for is basically for AOL to go full circle and close up to their own AOLweb again. Not going to happen, ever. People use Internet for all sorts of stuff, and no one is going to be able to put that cat back in the bag.

Torrents & Academic institutions (1)

ProteusQ (665382) | about 7 years ago | (#20664691)

A whitelist of torrents would help the college I work at. It doesn't make sense to block torrenting per se, but they have no (legal) choice. As more and more big downloads become available via torrent, I hope we'll see the third-party security companies offer content filtering on this basis.

Great idea! (1)

suv4x4 (956391) | about 7 years ago | (#20664699)

Once we whitelist all legit programs, we only have to blacklist the legit programs with injected code (via open source or assembler hacks) and we're done!

Amazing!

Or will security suites actually have to whitelist every single modification of the program? Will I be locked out of my HelloWorld.cpp program as soon as I compile it?

Re:Great idea! (1)

rucs_hack (784150) | about 7 years ago | (#20664749)

Well, yes, you would be. Unless they created some kind of sandbox for developing code. This would then become an attack vector for virus writers who would inject code to this 'run anything' region. If you allow such a system onto your PC, you will certainly end up in confirmation box hell regardless of the method they initiate to cater for developers.

What will most likely happen is that the firms offering whitelists will offer the software equivalent of a gated compound that people can choose to be inside, running just approved (and for the most part non free I reckon) software. Other people may choose not to, but you'll probably find you will eventually have to be in this controlled system of computers to interact with another computer already in such a system.

It seems a bit dodgy for us freedom freaks, but for someone like my mum, or sister, who works from home, it would be something they would jump at to avoid the 'terror' of virus attacks.
I'd add something about linux, but no doubt other linux zealots are foaming at the mouth as I write this preparing huge tracts of anti windows text. Me? Dunno about that, I just use linux because I like it.

Then once everything is whitelisted... (0)

Anonymous Coward | about 7 years ago | (#20664725)

and folks are used to anti-virus software routinely blocking stuff that's not on the list, it'll be a real easy step for TPC hardware to start blocking execution of all non-whitelisted software, including all FOSS and anything else Microsoft choose not to sign. Microsoft's stranglehold will then be complete...

Hooligans (-1, Troll)

frup (998325) | about 7 years ago | (#20664731)

That's the biggest fucking bullshit I ever heard. It just shows they can't do their job properly. They're sitting in their board room aware that they're not making any more money because people are sick of their adware and bloatish antics when some bright spark says "WELL LETS MAKE EVERYTHING A VIRUS AND MAKE THE DEVELOPERS PAY US TO GET THEIR PROGRAM WORKING!!!!!!1". Fucking Chav dickheads. I'm fucking glad I use Linux.

Firewall does this already (1)

StrawberryFrog (67065) | about 7 years ago | (#20664763)

My home pc's Symantec firewall already has a whitelist. The first time an application tries to use the internet, it gets in the way to check. If the program's size/date changes, it does it again.

This makes the fix-compile-test-fix cycle on a simple net client application just a little harder, since each time I run a new build, the firewall comes up all over again. Not to mention that by the time I clean it out, the whitelist contains 30+ records of old builds, and the UI to that list sucks dead donkeys through a straw.

Do this on a developer box for all apps that don't access the internet? Ouch. I can see it working for my uncle's email and web machine, maybe, kind-of.

Nested Rings of Decreasing Trust (2, Interesting)

presidenteloco (659168) | about 7 years ago | (#20664767)

I would like to see an OS that maintains several rings (concentric circles) into which programs can qualify through increasingly rigorous standards and testing as they get closer to the central core ring of software.

So essentially this OS would have a core ring of whitelisted and essential programs. Just outside this would be a 2nd ring of whitelisted but optional programs.

Then a ring of "grey listed" (reputationally vouched for, for both security and usefulness and quality)

Followed by a "wild west" outer ring.

The OS would be designed so that programs in a more outer (less trusted, and less essential) ring, could not have any access to the memory or disk areas of more inner programs, and could only ever use the services of inner programs through narrow public interfaces supervised by the OS.

Re:Nested Rings of Decreasing Trust (1)

thebear05 (916315) | about 7 years ago | (#20664847)

You go ahead and design and market that concept. I just filed the patent and will talk to you about all the money you have made that you owe me in a couple of years. thanks

Re:Nested Rings of Decreasing Trust (1)

pipatron (966506) | about 7 years ago | (#20664883)

The OS would be designed so that programs in a more outer (less trusted, and less essential) ring, could not have any access to the memory or disk areas of more inner programs, and could only ever use the services of inner programs through narrow public interfaces supervised by the OS.

Dude.

This is how all operating systems (even Windows, in theory, not in practice) work already. Except everything is in the outermost ring. Want to write to disk? Have to go through the system call. Not allowed to write to this file? Tough shit. Want to write to memory? Are you allowed to write here? No? Then die a gruesome death and end with a coredump.

Re:Nested Rings of Decreasing Trust (1)

KanjiMonster (1016616) | about 7 years ago | (#20664887)

Symbian OS does something like that, and is probably not the first. Normal applications are heavily restricted in using any APIs that might change the system (or might generate costs, like sending SMS, calling somewhere or connecting to the internet), and trigger an allow/deny-dialog for certain things. Symbian Signed applications may use a big part of the Symbian API, like autostarting etc. And there are the Symbian Signed applications with additional phone manufacturer approval, those may use everything the manufacturer chose to make public (not necessarily all things the phone offers). Testing and developing is handled through self signing (for up to ten IMEI, so you can't use it to publish software, but it's free (as in beer), so you can use it to use open source apps), and applications need to pass several tests to get approved for general signing.

Re:Nested Rings of Decreasing Trust (1)

Rufty (37223) | about 7 years ago | (#20665069)

This is the way Windows *should* do it, and did in the early versions (up to NT 3.51). The catch is this way is slower, so for performance reasons various exceptions have been made. The Graphics subsystem in NT4, IIS when it was getting spanked by Apache, SQL server and more, and now even parts of .NET.
Any of these "privileged" subsystems can now compromise the security of the OS.
And that now includes IE and Clippy...
So the M$ engineers tried to do a good job, but were overruled.

Will only be useful for people who don't experiment (2, Insightful)

Lonewolf666 (259450) | about 7 years ago | (#20664807)

For instance, users in a corporate environment where setups are exactly defined and IT can check out in advance what works.

For a private user with a mostly static set of applications, it should still work but expect the occasional blocked program.

For developers and the rest of the /. crowd: forget it, the whitelist will annoy you more than it helps ;-)

Re:Will only be useful for people who don't experim (1)

thebear05 (916315) | about 7 years ago | (#20664859)

Exactly. Developers are probably users that can run a machine that has very user-configurable security parameters. Most PC users use email/web. The more advanced users use email/web/games, so have a secure environment for email/web and an OS that sandboxes the other apps on top of that, so the non-developers have a configuration that is safe and hard for the user to circumvent, then also have a developer edition.

And why would I trust Symantec's opinion? (5, Insightful)

CaptainZapp (182233) | about 7 years ago | (#20664823)

Remember the Sony rootkit fiasco [wikipedia.org]? Remember that F-Secure was the only security company detecting it and approaching Sony?

This leads to the conclusion that all other "security"-companies were either in bed with Sony, or that their "security"-products are utterly useless. I'm not sure which is worse.

So why again should I give a rat's ass about the opinion of those guys, when it comes to security?

So this is like... (1)

ettlz (639203) | about 7 years ago | (#20664881)

...execute permissions and mandatory access control, yeah?

Now where have I seen this before...

Daft (0)

Anonymous Coward | about 7 years ago | (#20664891)

Any vulnerability that allows dropping and launching unwanted executable code must surely also allow editing any whitelist. And all those vulnerabilities MUST be in existing white-listed software. This is shutting the door after the burglar is inside. It doesn't help.

Guilty until proven innocent? (1)

clarkkent09 (1104833) | about 7 years ago | (#20664895)

From TFA: A "white list" would instead compile every known legitimate software program, including applications such as Microsoft Word and Adobe Acrobat, and add new ones as they are developed.

And what loops does a small software developer have to jump through to get Symantec to put his program on their white list?

Re:Guilty until proven innocent? (0)

Anonymous Coward | about 7 years ago | (#20665147)

And when it includes programs like Microsoft Word and Adobe Acrobat, that contain language interpreters that can execute user-submitted or -downloaded code, how does vetting a program tell anything about what it is going to do?

The first layer of defense is a white-list (2, Interesting)

A1kmm (218902) | about 7 years ago | (#20664899)

I think people should look at the big picture before taking this too seriously as a security measure: Programs only run on a system if they are either started by the end-user, or started by some other code on the system which has explicitly allowed that program to run. Put another way, the current first line of defense is a 'white-list' like approach where processes only run when they are allowed to run.

The problem is that there are lots of people / large software monopolists in the world who don't know how to code well, and this creates security flaws which cause this authorised code to do things on behalf of other code, including possibly executing arbitrary.

This code is then theoretically built on top of a kernel which attempts to restrict what the code can do even if it is executed (of course, often there are flaws here too, and often the exploited code is run with more privileges than it should have, so the entire system can be compromised).

Virus scanners and other security software of this kind are supposed to provide an extra, reactive layer of defense on top of the existing proactive measure for anything which slips through the cracks. Suggesting that they be turned into another white-list is therefore not a logical suggestion, and implies that they are not being entirely honest:
    * They might just want to create hype to utilise unsuspecting journalists to sell more of their products for them.
    * Perhaps this is part of another Digital Restrictions Management style plot to take the decisions of what runs on computers from computer owners and give it to some central pseudo-authority so they can (mis)use the power for their own purposes.

Exists for phones (1)

H.Dersch (901499) | about 7 years ago | (#20664921)

Java apps for cellphones need to be signed to get access to certain onboard services. Last I checked this costs on the order of 500USD/year and I doubt that it involves any actual tests.

Even the owner of the phone can't sign applications which he himself wrote and wants to install on his own device. E.g. on my Nokia 6230i I can allow my apps to access the memory card, but only after closing a dialog at each read/write-attempt. Only a signed application has unlimited read/write access, etc.

Whitelist specialists already emerging (0)

Anonymous Coward | about 7 years ago | (#20664941)

Although this is a relatively new area, there are already some experts emerging in the field. I came across these guys [360is.com], who recently published this article [exaprotect.com] on the subject. The article talks about the loss of control by IT of the desktop, and how people are now trying to use software to regain control.
AG

Not just whitelist, but need-to-use (2, Interesting)

davidwr (791652) | about 7 years ago | (#20664965)

It won't just be "you're on the list, welcome to the party" but access to each resource will be given only if that particular access is whitelisted.

You already see this in some security programs, where program A is white-listed for ports 80 and 443, program B is listed for ports 20 and 21, etc. etc. etc.

Eventually, this will be locked down even more. Program A may be whitelisted for port 80, but only for the purposes of self-updating or reporting bugs to its manufacturer, and only to a short list of domain-names or IP addresses.

Within a web browser, not only will add-ons like Flash and Java have their own restrictions, each add-on will have its own restriction. Java implements a version of this already, allowing applets: it's supposed to let them talk to home base but not much more.

I also see the rise of ordinary applications running in a full or lightweight VM, with applications in different VMs talking to each other over a virtual network rather than through shared memory or shared files. Rogue or compromised applications in a VM will be limited to what they can do, much like a chroot'd or BSD-jailed application, only more so.
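The per-resource scheme this comment describes can be sketched as a default-deny policy check. This is an added example, not part of the original post; the program names, hostnames and the `Rule`/`decide` helpers are constructed for illustration. It puts a port-only policy beside the tighter port-plus-destination one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    ports: frozenset
    hosts: tuple = ()  # empty tuple: any destination on the allowed ports


# Constructed policies; program names and hostnames are placeholders.
# COARSE: "program A is white-listed for ports 80 and 443, program B for 20 and 21".
COARSE = {
    "program_a": Rule(frozenset({80, 443})),
    "program_b": Rule(frozenset({20, 21})),
}
# TIGHT: port 80 only, and only to a short list of destinations.
TIGHT = {
    "program_a": Rule(frozenset({80}),
                      ("updates.vendor-a.example", "*.bugs.vendor-a.example")),
    "program_b": Rule(frozenset({20, 21}), ("ftp.intranet.example",)),
}


def host_matches(host, pattern):
    """Exact match, or '*.suffix' matching whole DNS labels only."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keeps the leading dot, so 'evilbugs...' cannot match
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def decide(policy, program, host, port):
    """Default deny: every step must find an explicit entry."""
    rule = policy.get(program)
    if rule is None:
        return (False, "program not listed")
    if port not in rule.ports:
        return (False, "port not listed for program")
    if rule.hosts and not any(host_matches(host, p) for p in rule.hosts):
        return (False, "destination not listed for program")
    return (True, "listed")


if __name__ == "__main__":
    for policy_name, policy in (("coarse", COARSE), ("tight", TIGHT)):
        for host in ("updates.vendor-a.example", "anything.example"):
            print(policy_name, host, decide(policy, "program_a", host, 80))
```
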

They have a sense of humor (1)

suv4x4 (956391) | about 7 years ago | (#20665005)

Would this work? The effort to maintain black lists is becoming so daunting that white lists may be an effective solution.

You see, a white list would be bigger than the black list. But how come then a black list is daunting to create, and a white list isn't?

Simple, they'll charge the legal software vendors to be white listed.

It's funny, laugh.. Hmm, no one is laughing.

Re:They have a sense of humor (1)

ThirdPrize (938147) | about 7 years ago | (#20665235)

You see, a white list would be bigger than the black list.

Would it? I think you will find that there is a finite (and probably quite small) number of programs out there. Each of those might occasionally get updated. Compare that with malware or a virus that by nature morphs each time it replicates. The bad guys are releasing new versions every day precisely to get around the blacklist.

Of course it does raise the question of what constitutes a good program. How many search toolbars do we really need?

Re:They have a sense of humor (1)

suv4x4 (956391) | about 7 years ago | (#20665253)

Would it? I think you will find that there is a finite (and probably quite small) number of programs out there.

You making funny, me laughing silly :P

Whitelist keeper = make money (4, Insightful)

Aceticon (140883) | about 7 years ago | (#20665009)

Being a gatekeeper in a whitelist scheme is a great business opportunity:

After all, businesses would be willing to pay to get their products into said whitelist, while one hardly expects virus makers to pay for getting their creations into a blacklist.

Of course, I'm sure the Symantec guys are naturally not at all thinking of all those extra $$$

Scientific programs (1)

Per Abrahamsen (1397) | about 7 years ago | (#20665033)

I just released version 421 of a scientific simulation model. The model is mostly of interest to our own students and research partners, but occasionally an unrelated Ph.D. student might try it out. So we distribute it from our home page. If any single version is downloaded by five people, that is unusually popular.

Should each version of this program be "judged" in order for others to run it?

There are zillions of these kinds of highly specialized scientific programs, and other branches have their own ad-hoc program with narrow but high impact utility. Vertical markets.

It seems to me that these white lists must come with user specified exceptions. Which basically means "allow this program to run" pop-ups. Which we already have in abundance in Vista, and thus are being conditioned to press "yes" for.

So nothing is really gained by white lists.

Re:Scientific programs (1)

the_womble (580291) | about 7 years ago | (#20665173)

No one will be forced to use this software.

If you want to run a limited number of well known programs, install this. If you want to have a general purpose computer, stay away from it.

Yep. Good idea (1)

bytesex (112972) | about 7 years ago | (#20665035)

And always been a good idea, but whitelists should be personal, with distributed advice and combined with greylisting and blacklisting algorithms. That is to say, I want the OS, when it installs, to have a few things in userland whitelisted, but only when I install something, can I add to the whitelist. You may throw in a bit of internet opinion, as in - 70% of users think that this program is Ok and 0% of users think that this program is malware, or sandbox this greylisted program until I whitelist it in a month's time. Same for email really. I want whitelisted 'from' addresses only. Plus any greylisted stuff that consists of one line only. And no blacklisted stuff (of course).

Translation into English (1)

Idaho (12907) | about 7 years ago | (#20665051)

According to Symantec, 'Internet security is headed toward a major reversal in philosophy, where a 'white list' which allows only benevolent programs to run on a computer


According to Symantec, *Windows system* security is headed towards a major reversal in philosophy, where a "white list" managed by us, Symantec, will allow only benevolent programs that registered with us (for a small, very reasonable fee. No, really!) to run.

They have to find a new way to make money now that Vista broke their existing business model.

*sigh* (1)

Effugas (2378) | about 7 years ago | (#20665061)

Yes, because when I think "desktop application", I think "the file format parsers in this application are totally not vulnerable to complete and utter compromise, the effect of which would be the evasion of software restriction policies."

No longer a computer (3, Insightful)

thsths (31372) | about 7 years ago | (#20665143)

There is only one problem with this approach: once you install a white list, you no longer have a general computing device (short: computer), but an embedded device. You are limited in what you can do by what is on the list.

Developers will be the first to notice: you can still write and compile a program, but you cannot test it. But the typical user will also be affected: what about the useful Firefox extension you like? Bummer, not on the list. Want to use Facebook? Sorry, the JavaScript in the new version is not approved.

The white list is pretty futile anyway, because you can program on several levels. JavaScript is only an example: what if the browser is approved, but your JavaScript code does nasty things? Or what about a heap overflow in the browser? Suddenly you are running custom code, but how is the white list going to notice this?

Two questions... (2, Insightful)

darthflo (1095225) | about 7 years ago | (#20665189)

1: What kind of person even remotely interested in anything "Internet Security" would even consider dreaming about considering taking Symantec seriously?
2: Didn't we have this discussion not too long ago except the "List" would've been administered by MSFT (&co), called TCPA (then Palladium then NGSCB then OMGWTFBBQ) and be a little bit more "hardware-assisted"? (For anti-microsoft-fanboy coverage, check out AgainstTCPA [againsttcpa.com], for msft coverage try Microsoft, Wikipedia [wikipedia.org] has some rather neutral insights)

How about also whitelisting files? (0)

Anonymous Coward | about 7 years ago | (#20665223)

Because, you know, if a software badly parses a file format allowing code injection, it won't be safe anymore...

Not viable in a real world (0)

Anonymous Coward | about 7 years ago | (#20665255)

In a real business scenario, scripts, programs and macros are created to solve day to day problems. How do these get on the WhiteList? For the developers trying to test their work this becomes a true nightmare. At what point do you draw the line? VB 'macros' inside of Excel? Perl scripts? Batch/cmd files? Moving electrons?
Anyway, as pointed out in some other posts, the entire network would be at risk if a trusted application or host machine that is WhiteListed gets infected or compromised.

better idea? (1)

mathfeel (937008) | about 7 years ago | (#20665261)

One thing I always liked about the FOSS/Linux world is their package management. E.g. all I have to know is that I trust certain repository maintained by OS developer/enthusiasts. As long as I am pulling apps from them (apt-get, emerge, yum...whatever), I know I am not getting screwed over (Should also check MD5 or something, but usually quite automatic). If I have to use something very special that's not in the repository, then I do my own research (yeah, I know, most users can't be bothered with that).

How is this not essentially the same thing except that Symantec wants to be the middle man and charge everybody for it? So how's this idea: instead of a white/grey/black list maintained by some large Corporation, have some sort of app management program that, whenever an unknown executable runs, makes a checksum or hash or whatever, and checks against some wiki-ish site where users rate programs for trustiness. Surely malware writers can run some bot that boosts their rating, but it seems like a technically solvable problem.

Just some thoughts before some large corporation asks me to surrender control of my computer to them.
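Two comments in this thread describe how an allowlist identifies a program: by size and date (the firewall comment above) and by checksum or hash (this one). The following added example, not part of either post, compares the two on a constructed sample file; the `Allowlist` class, the file name and the byte strings are assumptions made for illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Hash file contents in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def metadata_key(path):
    """Identity by file size plus modification time."""
    st = os.stat(path)
    return (st.st_size, st.st_mtime_ns)


class Allowlist:
    """Hypothetical allowlist that records both kinds of identity at approval time."""

    def __init__(self):
        self.hashes = set()
        self.metadata = {}

    def approve(self, path):
        self.hashes.add(sha256_file(path))
        self.metadata[os.path.abspath(path)] = metadata_key(path)

    def allowed_by_metadata(self, path):
        return self.metadata.get(os.path.abspath(path)) == metadata_key(path)

    def allowed_by_hash(self, path):
        return sha256_file(path) in self.hashes


def compare_checks():
    """Return (metadata verdict, hash verdict) for three states of one file."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "netclient.bin")
        build_1 = b"CONSTRUCTED-SAMPLE netclient build=0001 " + b"\x00" * 64
        with open(path, "wb") as fh:
            fh.write(build_1)
        allow = Allowlist()
        allow.approve(path)
        approved = os.stat(path)
        results["approved"] = (allow.allowed_by_metadata(path),
                               allow.allowed_by_hash(path))

        # Contents changed, but length kept and timestamp put back:
        # size/date identity cannot tell the difference, the hash can.
        with open(path, "wb") as fh:
            fh.write(build_1.replace(b"build=0001", b"build=XXXX"))
        os.utime(path, ns=(approved.st_atime_ns, approved.st_mtime_ns))
        results["patched_same_size_and_mtime"] = (allow.allowed_by_metadata(path),
                                                  allow.allowed_by_hash(path))

        # Honest rebuild by the developer: both identities change, so both
        # schemes ask for approval again (the fix-compile-test pain).
        with open(path, "wb") as fh:
            fh.write(build_1 + b" extra feature")
        results["rebuilt"] = (allow.allowed_by_metadata(path),
                              allow.allowed_by_hash(path))
    return results


if __name__ == "__main__":
    for state, verdicts in compare_checks().items():
        print(state, verdicts)
```
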

If this catches on... (1)

jsiren (886858) | about 7 years ago | (#20665265)

...the whitelist mechanism will be cracked, and what you thought was Solitaire is really spam, Solitaire and spam.

I can see some immediate problems with trusting a list that says "you can only run these known safe programs":

  • Users disabling the whitelist when programs they want to run aren't listed. (E.g. self-made, custom, or legacy software.)
  • Malware being run in environments not controlled by the whitelist. (E.g. various macro languages, Javascript, XSS, ActiveX...)
  • Malware squeezing itself into the whitelist. (As a Trojan, or bypassing the whitelisting mechanism altogether: e.g. breaking out of a virtual machine.)

I for one think... (2)

El-Wrongo (1105293) | about 7 years ago | (#20665295)

...That if people could start using more secure OSes, meaning more of the necessary apps get developed for said OSes, white, black, grey etc. listing wouldn't be needed. I think all PCs should have a sensor, which senses if a certain user is going to do something stupid, then knocks said user out with a blunt (and semi-soft) instrument, picks itself up and runs away. The bane of PC security is users doing stupid things. (This is coming from a guy who has just had to spend a day cleaning out RavMon from a bunch of Windows PCs because some schmuck tried to download some games over Limewire and thought Hitman: Bloodmoney really only is 5 MB; somebody has to teach people how to pirate properly, since improper pirating spreads viruses.)

Well, at least it's a better idea than a black list (1)

Souchirou (1157835) | about 7 years ago | (#20665333)

The whole idea of a black list really doesn't work on large networks like the internet; there's probably thousands of PCs being compromised, and making a new not infected software is child's play. It's probably easier and less work to keep a white list instead... if it's actually useful altogether is another thing...

It's like this for mobiles, and it sucks (3, Informative)

bjornte (536493) | about 7 years ago | (#20665339)

It's already like this in the mobile environment, and it's a terrible pain for developers.

When making apps in Java/J2ME or Symbian (e.g. for Nokia nSeries), you need to have the client signed by a third party in order to use native resources like memory efficiently. While the signing process is not technically the same as a white list, it has similar consequences: You are hindered in successfully demonstrating your software for potential customers until some unknown person has expressed his subjective opinion about it.

I know 'cause we make such an application right now, and during development we're screwed, as we can't get around these limitations even on our development devices. It's no good.

IF this idea catches on, real world developers need to test the god damn system before they enforce it on people.

Whitelisting only useful for vendor oligopoly (1)

TheLink (130905) | about 7 years ago | (#20665355)

As I've mentioned before, what would help would be sandbox templates.

Basically a program requests the template sandbox it'd like to run in, and it runs in that sort of sandbox if the user has approved that before (or approves it now), or the program is signed by User Trusted Vendor X to run in that template.

Then even if the program is inherently evil or is exploited by some "save game" or other stuff, the program still can't break out of its sandbox.

In contrast, the problem with plain whitelisting methods is that if whitelisted programs like Mozilla/IE get exploited, they get to access the user's files, eavesdrop/keylog etc. Cynically, whitelisting of programs is just good for extending monopolies/oligopolies and control, and doesn't do that much for security.

And even worse are Vista UAC or other "Are you sure you want to allow this" schemes which effectively require the user to solve the "halting problem", except that instead of "will this program halt?", it's "will this program do something evil?". AFAIK the halting problem isn't solved, and so it's not reasonable to expect "Aunt May" to solve it.

It is more reasonable to train "Aunt May" to not click "Yes" when she sees "'Cute Frog Game' requests Full System Install Privileges allow Y/N" with the usual exclamation marks and red/striped backgrounds and scary warnings. And to only click "Yes" for "'Cute Frog Game' requests Guest Game privileges". In which case "Cute Frog Game" does not have access to the microphone, no network, and can only read stuff from a few places and write to even fewer places.

All this is not easy to do - because programs need read access to libs/DLLs etc, and you need to standardize file layouts, device, network access etc, and create a reasonable and manageable set of templates (custom templates should be allowed - esp templates signed by a trusted party, but if everything is custom it breaks down).

But the technology is already there - e.g. SELinux, AppArmor, but it needs more user friendly wrapping, cooperation from GUI/desktop, standards etc.

And it is possible - Microsoft could do it - they already have stuff like Local Settings and so on. Apple could too - they moved people from PPC to x86 etc.

I'm too lazy to go to the details on how it could work so please fill in the rest of the blanks intelligently yourselves ;).