Delist This Security Idea

Everybody loves lists. Magazines love lists, TV shows love lists, websites really like lists. But possibly no one loves lists more than security vendors. When you break down a lot of the core elements of security products, it often comes down to big lists. Lists of known viruses and spyware, lists of vulnerabilities, lists of access controls, and lists of programs that we want to run and programs that we don't want to run. This obsession with lists most recently came up in reports from one of the largest security vendors out there, namely Symantec. In interviews related to the most recent release of the Symantec Internet Security Threat report, Symantec executives have said that because of the growing security threats and the increased sophistication of the bad guys, it may be time to move from the classic black list approach to security and go to a white list approach. This means that instead of determining which programs running on someone's computer might be bad guys, future security tools would instead only let known, "good" programs run and block out all other programs. Now the idea of white lists isn't a new one, most good security implementations involve some combination of white listing and black listing. And I do think that white listing is a good idea, when done on an individual or company basis (meaning that I as a person or a company choose which applications I want to let run). But this isn't the kind of white listing that is being talked about. Instead it sure seems that Symantec is talking about managing a centralized white list of good applications and if an application isn't on it, it won't run. And if this is Symantec's idea, then in my opinion it is a really bad one. First of all, how would one get an application onto this list? Would it be free and easy for any developer or would there be regular fees and hurdles that would leave many open source and small developers out in the cold? And what about programs I myself or my company writes? Would I be able to circumvent the Symantec white list controls and easily get these to run or would I have to jump through a series of complex hoops just to run my own applications? One other thing. Doesn't this whole idea sound an awful lot like Trusted Computing, you know, that great thing where Microsoft would protect us from running bad programs and using our own computers in the way we wanted to? I don't know about you but if I don't trust Microsoft to tell me what I can and can't do with my own computers I really don't trust Symantec to do the same. Finally, the really big weakness behind the whole white listing idea is that it doesn't really work from a security standpoint. Just because some central authority says that a certain application is safe or trusted, doesn't mean that that application itself can't be used as an attack point by the bad guys. A large number of security problems don't result from some rogue application getting on a system, they come about because an application already on the system has a hole in it than can be abused. So thanks but no thanks. When it comes to making lists of what can and can't run on my system, I'm going to make the call on what goes on that lists, not some third party security firm. Hey, here's a new list idea for you! How about bad security ideas? Sounds like we have a candidate for the list.

SecurityEverybody loves lists. Magazines love lists; TV shows love lists; Web sites really like lists. But possibly no one loves lists more than security vendors.

When you break down a lot of the core elements of security products, it often comes down to big lists. Lists of known viruses and spyware, lists of vulnerabilities, lists of access controls and lists of programs that we want to run and programs that we don't want to run.

This obsession with lists most recently came up in reports from one of the largest security vendors out there, namely Symantec. In interviews related to the most recent release of the Symantec Internet Security Threat report, Symantec executives have said that because of the growing security threats and the increased sophistication of the bad guys, it may be time to move from the classic black list approach to security and go to a white list approach.

This means that instead of determining which programs running on someone's computer might be bad guys, future security tools would instead only let known, "good" programs run and block out all other programs.

Now the idea of white lists isn't a new one, most good security implementations involve some combination of white listing and black listing. And I do think that white listing is a good idea, when done on an individual or company basis (meaning that I as a person or a company choose which applications I want to let run).

But this isn't the kind of white listing that is being talked about. Instead it sure seems that Symantec is talking about managing a centralized white list of good applications and if an application isn't on it, it won't run.

And if this is Symantec's idea, then in my opinion it is a really bad one.

First of all, how would one get an application onto this list? Would it be free and easy for any developer or would there be regular fees and hurdles that would leave many open-source and small developers out in the cold?

And what about programs I myself or my company writes? Would I be able to circumvent the Symantec white list controls and easily get these to run or would I have to jump through a series of complex hoops just to run my own applications?

One other thing. Doesn't this whole idea sound an awful lot like Trusted Computing; you know, that great thing where Microsoft would protect us from running bad programs and using our own computers in the way we wanted to? I don't know about you, but if I don't trust Microsoft to tell me what I can and can't do with my own computers I really don't trust Symantec to do the same.

Finally, the big weakness behind the whole white listing idea is that it doesn't really work from a security standpoint. Just because some central authority says that a certain application is safe or trusted, it doesn't mean that that application itself can't be used as an attack point by the bad guys.

A large number of security problems don't result from some rogue application getting on a system; they come about because an application already on the system has a hole in it that can be abused.

So thanks but no thanks. When it comes to making lists of what can and can't run on my system, I'm going to make the call on what goes on those lists, not some third-party security firm.

Hey, here's a new list idea for you! How about bad security ideas? Sounds like we have a candidate for the list.