
Internet Security Moving Toward 'White List'

ehud42 writes "According to Symantec, 'Internet security is headed toward a major reversal in philosophy, where a 'white list' which allows only benevolent programs to run on a computer will replace the current 'black list' system' as described in an article on the CBC's site. The piece mentions some issues with fairness to whose program is 'safe' including a comment that judges need to be impartial to open source programs which can change quite rapidly. Would this work? The effort to maintain black lists is becoming so daunting that white lists may be an effective solution."
This discussion has been archived. No new comments can be posted.

  • by bjornte ( 536493 ) on Wednesday September 19, 2007 @06:12AM (#20665339)
    It's already like this in the mobile environment, and it's a terrible pain for developers.

    When making apps in Java/J2ME or Symbian (e.g. for Nokia nSeries), you need to have the client signed by a third party in order to use native resources like memory efficiently. While the signing process is not technically the same as a white list, it has similar consequences: You are hindered in successfully demonstrating your software for potential customers until some unknown person has expressed his subjective opinion about it.

    I know cause we make such an application right now, and during development we're screwed, as we can't get around these limitations even on our development devices. It's no good.

    IF this idea catches on, real world developers need to test the god damn system before they enforce it on people.
  • Addressing malware. (Score:5, Informative)

    by Burz ( 138833 ) on Wednesday September 19, 2007 @06:53AM (#20665463) Homepage Journal
    I'd like to expand on my first post by pointing out a few ways for fighting malware that are the most freedom-friendly, encouraging users to make responsible decisions. These depend on OS vendors employing sane UI policies:

    Do not engage in filename-mangling! If a file is named "apicture.jpg.exe" then it MUST be displayed that way and must not undergo any automatic alteration (falsification) that, for instance, makes an executable appear as data.

    Additionally, all executable files are shown with a red warning flag whenever that filename is displayed by the desktop, file manager or file dialog. This is important, as Windows will execute files ending in ".com" and this suffix is a part of most websites the user trusts; clicking on a "monster.com" file is natural so another indicator is necessary to cut down on trojans.

    Make web site scripting purely an opt-in affair by default. This goes for anything else the html engine is used for, like chat clients.

    No more "Open this file" option in download dialogs. Period. If the user cannot manage opening the file themselves from the regular UI, then hopefully they will get stuck and sign up for an introductory computer class.
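The first two points of the comment above (show the real filename, flag every executable), sketched as an added example that is not part of the original comment. The extension sets, flag names and sample filenames other than "apicture.jpg.exe" and "monster.com" are assumptions made for illustration.

```python
import os

# Assumption: illustrative subset of extensions Windows runs on double-click.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif"}
# Assumption: extensions most users read as harmless data.
DATA_EXTS = {".jpg", ".png", ".gif", ".txt", ".pdf", ".doc", ".mp3"}


def hidden_extension_view(filename):
    """What a UI that hides the final extension would display (the mangling)."""
    return os.path.splitext(filename)[0]


def classify(filename):
    """Return the list of reasons this name needs a warning marker."""
    flags = []
    stem, ext = os.path.splitext(filename)
    ext = ext.lower()  # extension matching is case-insensitive on Windows
    if ext in EXECUTABLE_EXTS:
        flags.append("executable")
        # A data extension just before the executable one: "x.jpg.exe".
        if os.path.splitext(stem)[1].lower() in DATA_EXTS:
            flags.append("double-extension")
        # ".com" also ends most site names, so the name alone misleads.
        if ext == ".com":
            flags.append("domain-like-name")
    return flags


def render(filename):
    """One listing row: full unaltered name, with a marker on executables."""
    flags = classify(filename)
    marker = "[!]" if "executable" in flags else "   "
    note = f"  ({', '.join(flags)})" if flags else ""
    return f"{marker} {filename}{note}"


if __name__ == "__main__":
    # Constructed sample directory listing.
    for name in ["apicture.jpg.exe", "monster.com", "holiday.JPG", "Setup.EXE"]:
        print(f"{hidden_extension_view(name):<14} -> {render(name)}")
```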
  • Re:Follow the money (Score:4, Informative)

    by Crayon Kid ( 700279 ) on Wednesday September 19, 2007 @07:33AM (#20665655)
    Jesus, there's so much paranoia and resistance that apparently everybody forgets that black listing is one of the dumbest things you could do when it comes to security. It's no rocket science to see that if you're dealing with bots that attack blindly and dozens of new threats every day there's no way you're going to be able to keep track of all of them.

    White listing is not about someone approving the list for you, it's just a generic mechanism that allows YOU to white list.

    More explanations for a security expert here: The Six Dumbest Ideas in Computer Security [ranum.com].
