Google Security Engineer Urges Hackers To Focus Less on Anti-Virus and Intrusion Products (theregister.co.uk)
Google senior security engineer Darren Bilby has asked fellow hackers to expend less effort on tools like antivirus and intrusion detection and instead focus on more meaningful defenses such as whitelisting applications. From a report on The Register: The incident responder from Google's Sydney office, who is charged with researching very advanced attacks including the 2009 Operation Aurora campaign, decried many existing tools as ineffective "magic" that engineers are forced to install for the sake of compliance but at the expense of real security. "Please no more magic," he told the Kiwicon hacking conference in Wellington, New Zealand today. "We need to stop investing in those things we have shown do not work. And sure you are going to have to spend some time on things like intrusion detection systems because that's what the industry has decided is the plan, but allocate some time to working on things that actually genuinely help. [...] Antivirus does some useful things, but in reality it is more like a canary in the coal mine. It is worse than that. It's like we are standing around the dead canary saying 'Thank god it inhaled all the poisonous gas'," he said.
What? (Score:2)
Re: (Score:2, Funny)
Re: (Score:1)
Did he make a remark encouraging whitelisting either? Whitelisting is a security don't do it.
slashcrap clickbait hype shaming (Score:1)
my rss feed claims that slashdot ran this originally with the headline "antivirus tools are a useless box-ticking exercise says google security engineer".
Way to stigmatize critical thinking and mental health in the same AC tweet scale word vomiting.
I'm an actual Google Security Engineer (Score:1)
Fuck this guy.
Re:I'm an actual Google Security Engineer (Score:5, Funny)
Fuck this guy.
Back off. I'm an actual Google Pornography Engineer, and I say when to fuck this guy.
Re: I'm an actual Google Security Engineer (Score:1)
Dude, you just got raped by Darren Bilby!
Antivirus isn't entirely useless (Score:5, Interesting)
An antivirus may not protect against a new attack, but it sure can reduce the value of an existing exploit (thus increasing R&D costs for script kiddies while reducing their profits). Though it is rather amusing how some "antivirus" comes bundled with, or is itself, malware -- but much less amusing that it is legal.
Re: (Score:2)
I know what is their plan (Score:1)
>instead focus on more meaningful defenses such as whitelisting applications
They want to become the whitelisting authority, then to de-whitelist their competitors. Just like what Apple did. Too greedy!
Re: (Score:2)
For a home user it is more useful than whitelistin (Score:2)
The problem with whitelisting is there has to be someone who does that whitelisting. Now that's fine in an enterprise organization. You presumably have trained IT staff who can test a program in a test lab and see if it is ok, if there's any issues against other programs, and so on. It does cost more, and slows down the speed at which you can adopt new software, but it is doable. However that only works because you have experts there who can test and make a presumably informed judgement call.
At home, there'
Re: (Score:2)
You presumably have trained IT staff who can test a program in a test lab and see if it is ok,
Not really. Malware is good at evading detection under VM/test environments.
slows down the speed at which you can adopt new software
This is the major advantage that whitelisting provides --- slowing down the speed is mostly the major security benefit.
You aren't just searching the web, downloading, and rolling out programs willy nilly.... you have to wait, which throws away a lot of malware because you weren'
Re: (Score:2)
Whitelisting renders your computer useless... (Score:5, Insightful)
Well, as a computer, that is. The great strength of a general purpose computer is just that - it can do anything.
Once you have a whitelisting "solution" on it, it can only do what the IT Dept. explicitly approves of, which now means that it's about as useful as an iPhone - only files that have been explicitly whitelisted are allowed to be executed.
A whitelisting client that actually locks things down properly won't even allow you to use the shell, well, it won't allow you to run .BAT files. Running the individual commands may still be allowed!
It might provide security, but at the cost of stifling the ability of "power users" (ie - programmers of limited ability - or indeed, any ability).
My last job installed one on the developer's computers... and gave us the permissions to override it. Pressing "OK" after every single build to be allowed to run it was... special.
Re: (Score:3)
It also stifles the ability of your organization to change its software - our IT department demanded a £5,000 fee for every program to be whitelisted so it could go through a security audit!
Re:Whitelisting renders your computer useless... (Score:4, Insightful)
And it creates a security risk because it means you trust those apps no matter what they turn out to be doing.
Re: (Score:2)
In our case, we had a third party contract excited to make a quick quid, but they couldn't actually deliver on what they promised.
Re: (Score:2)
Actually, all you really need to do is whitelist anything that runs from folders which the user does not have write access to. That will automatically get all the system apps as well as the apps installed by root/administrator.
Conversely, you could just blacklist all apps that run from user writeable locations.
Not that hard really.
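The rule this comment proposes (allow whatever lives outside user-writable folders, deny whatever lives inside them) as an added example; this is not code from the thread or from any product mentioned in it. The list of user-writable directories and the sample paths are constructed for illustration, and Windows-style paths are handled with ntpath so the check runs on any platform:

```python
"""Path-based allowlisting: run only binaries that sit outside user-writable directories."""
import ntpath

# Constructed policy: directories a standard user can write to on this hypothetical host.
# A real deployment would derive this from the actual ACLs, not a static list.
USER_WRITABLE_DIRS = [
    r"C:\Users",
    r"C:\Windows\Temp",
    r"C:\ProgramData\Temp",
]


def canonical(path):
    """Collapse '.', '..' and mixed separators, then fold case.

    Comparing raw strings would let 'C:\\Program Files\\..\\Users\\x.exe' or
    'c:/USERS/x.exe' slip past a prefix check; normalising first closes that.
    """
    return ntpath.normcase(ntpath.normpath(path))


def is_under(path, root):
    """True if path is root itself or lies somewhere below root."""
    p = canonical(path)
    r = canonical(root).rstrip("\\")
    # The trailing separator matters: 'C:\\UsersOld' is not inside 'C:\\Users'.
    return p == r or p.startswith(r + "\\")


def execution_allowed(path, user_writable_dirs=USER_WRITABLE_DIRS):
    """Deny anything resident in a user-writable directory, allow everything else.

    Binaries installed by an administrator (Program Files, System32) pass
    automatically; downloads, temp files and profile folders do not.
    """
    return not any(is_under(path, d) for d in user_writable_dirs)


def audit(paths, user_writable_dirs=USER_WRITABLE_DIRS):
    """Map each candidate path to the decision the rule would take."""
    return {p: ("allow" if execution_allowed(p, user_writable_dirs) else "deny")
            for p in paths}


if __name__ == "__main__":
    # Constructed sample of execution attempts, including two spelled to dodge a naive check.
    sample = [
        r"C:\Windows\System32\notepad.exe",
        r"C:\Program Files\Editor\editor.exe",
        r"C:\Users\alice\Downloads\invoice.exe",
        r"C:\Program Files\..\Users\alice\invoice.exe",
        r"C:/users/ALICE/AppData/Local/Temp/setup.exe",
        r"C:\UsersOld\legacy.exe",
    ]
    for path, decision in audit(sample).items():
        print(f"{decision:5}  {path}")
```

The rule judges only the binary being launched. As later comments in this thread point out, a whitelisted interpreter (java.exe, PowerShell) will still run whatever script it is handed, so a path rule like this one needs a separate policy for scripts and archives fed to interpreters.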
Re: (Score:1)
Whitelisting done properly doesn't lock down your shell nor stops you from running batch scripts. It stops you from running any random script that runs executables that were not whitelisted.
Re: (Score:2)
Assuming your IT staff do it properly is the first mistake.
Our whitelister locked down .BAT files and .VBS and the like, but left the much more dangerous PowerShell untouched.
It also allowed you to load and run any .JAR file into Java - once you whitelisted Java (and any native libs it used), you were golden, you could have written anything in Java and run it.
Re: (Score:2)
Much of that is down to a single Windows design decision - deciding that a file is executable because of how its name is spelled, rather than whether the user has explicitly enabled it to be executable.
Unix got this right. DOS got this wrong, and Windows is still paying for that mistake 35 years later.
But yes, the core problem here is the differential levels of responsibility. You should have to pass a test to get the whitelisting lifted so you can actually use the computer like a computer, and not a multi
Re: (Score:2)
BTW: What OS is this engineer referring to? Since he works for google, I would think either Android or ChromeOS. Is he suggesting a whitelisting app on android? I don't know if most phone users can handle that.
Re: (Score:2)
> Is he suggesting a whitelisting app on android?
There is already an effective mechanism for whitelisting on Android and iOS: signed package files, which is all the official app stores distribute. Don't trust it? Don't install it. And don't sideload or use 3rd party stores.
He must be specifically discussing the desktop case, where whitelisting has come into vogue.
Re: (Score:1)
Power users! Those are the developers/managers/executives who want unlimited access and then someone else has to go clean up the datacenter when their favorite porn website gives their laptop cooties, and it spreads like, well, cooties.
You get the access you need, the end.
Re: (Score:2)
Easier said than done (Score:5, Insightful)
Advice on safe internet use is "horrible", he added. Telling users not to click on phishing links and to download strange executables effectively shifts blame to them and away from those who manufactured hardware and software that is not secure enough to be used online.
The alternative is horribly locked down appliances that can't do what the user asks them to do. It means distrusting the owner of the device. There are scenarios where that can make sense where the role of the device is very well defined (ATMs, Point of Sale equipment, etc), but personal computers by their very nature empower their users to do things the vendor would not have necessarily conceived of.
I agree that anti virus measures are not that good, but it just means that user education is all the *more* important, unless you don't want to let the users do anything or you don't have any users doing creative technical work.
Re: (Score:3, Funny)
All Google wants is for you to consume content so they can get you to view ads. They don't care about empowering users.
Re: (Score:3)
As I said, "There are scenarios where that can make sense where the role of the device is very well defined (ATMs, Point of Sale equipment, etc)", which would include the IoT category. Note that no one is suggesting deploying antivirus onto those platforms, it would be a ridiculous concept.
Anti virus only makes sense on platforms that are open ended. To the extent you have more special purpose applications (document editors), then yes, the vendor should be held accountable for lazily allowing things that
Dangerous (Score:3, Funny)
He's not wrong (Score:1)
He's not wrong about the problem, but Google has yet to show us what the silver bullet solution is. Android. nuff said.
Fake apps and "fake" news (Score:4, Interesting)
See the pattern? Selling a locked down machine will become much easier with just a little FUD. However a user should have the option of whitelisting, works on spam also.
We need a new law (Score:3)
Re: (Score:2)
its been done (Score:1)
there's a very old anti-virus utility called "Vaccine" which did exactly this.
only programs on the whitelist were allowed to be run,
and every program was checked using a checksum in the product's internal database.
You could allow and disallow products whenever you liked,
and it would automatically prompt you if you tried to run something that wasn't white listed.
now, of course, none of this, or what the article suggests will prevent stupid users from running stuff they shouldn't.
But, Vaccine was the best anti
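A checksum-keyed allowlist of the kind this comment describes for Vaccine, as an added example. It is not Vaccine's code (the thread shows none) and the digest, program contents and names are constructed; the "prompt" is a callback so the decision flow can be exercised without a user at a keyboard:

```python
"""Content-hash allowlist: a program may run only if its checksum is in the database."""
import hashlib


def checksum(data: bytes) -> str:
    """SHA-256 of the file bytes (a stand-in for whatever digest Vaccine actually used)."""
    return hashlib.sha256(data).hexdigest()


class HashAllowlist:
    """Allow/disallow decisions keyed by file content, not file name."""

    def __init__(self):
        # digest -> {"name": str, "allowed": bool}
        self.db = {}

    def allow(self, name: str, data: bytes) -> str:
        digest = checksum(data)
        self.db[digest] = {"name": name, "allowed": True}
        return digest

    def disallow(self, data: bytes) -> None:
        digest = checksum(data)
        if digest in self.db:
            self.db[digest]["allowed"] = False

    def check(self, name: str, data: bytes, prompt=None) -> str:
        """Return 'allowed', 'blocked' or 'unknown'.

        A program whose hash is not in the database is 'unknown'; if a prompt
        callback is supplied and answers True, it is added and allowed from then
        on, which is the "prompt you if you tried to run something" behaviour.
        """
        digest = checksum(data)
        entry = self.db.get(digest)
        if entry is None:
            if prompt is not None and prompt(name, digest):
                self.allow(name, data)
                return "allowed"
            return "unknown"
        return "allowed" if entry["allowed"] else "blocked"


# Constructed program images: a few bytes standing in for real executables.
NOTEPAD = b"MZ\x90\x00 constructed notepad image"
TAMPERED = NOTEPAD[:-1] + b"!"          # same name later, one byte changed
EDITOR = b"MZ\x90\x00 constructed editor image"


def demo():
    """Walk through the decisions a hash allowlist makes; returns them in order."""
    al = HashAllowlist()
    al.allow("notepad.exe", NOTEPAD)
    decisions = []
    # 1. Known content under its usual name.
    decisions.append(al.check("notepad.exe", NOTEPAD))
    # 2. Same name, modified content: the hash no longer matches, so it is unknown.
    decisions.append(al.check("notepad.exe", TAMPERED))
    # 3. Known content under a different name: identity is by content, so still allowed.
    decisions.append(al.check("renamed.exe", NOTEPAD))
    # 4. Never-seen program with a prompt that the user declines.
    decisions.append(al.check("editor.exe", EDITOR, prompt=lambda n, d: False))
    # 5. Same program, prompt accepted: it is recorded and runs.
    decisions.append(al.check("editor.exe", EDITOR, prompt=lambda n, d: True))
    # 6. Operator later disallows it; no prompt is offered for a blocked entry.
    al.disallow(EDITOR)
    decisions.append(al.check("editor.exe", EDITOR, prompt=lambda n, d: True))
    return decisions


if __name__ == "__main__":
    for step, outcome in enumerate(demo(), 1):
        print(step, outcome)
```

Because the key is the content hash, every legitimate update to a program produces a new unknown entry that must be approved again; that is the maintenance cost the thread's whitelisting critics describe, and also the property that makes a tampered copy of an approved file fail the check.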
Same issue as killing net neutrality: bad idea (Score:2)
You can't whitelist everything you need to, and you can't trust end users to be able to do that all themselves (no matter how many dialogs you pop up). A/V is only capable of doing so much, so users still need education.
The other option, as this Google engineer proposes, is to lock everything down and only allow vetted programs. This is called Trusted Computing [wikipedia.org] (a.k.a. Treacherous Computing [gnu.org]) for software and digital rights management [wikipedia.org] (digital restrictions management [fsf.org]) for media. These are very secure (
Consider PRISM (Score:2)
When a US brand asks the wider global security community to do anything different, that's the time to start really looking.
Any safe product would not be doing anything to make any AV product interested over days, weeks, months of updates?
What is it about skilled, advanced global AV efforts that induced such a request?
Users need layers of good security applications. Intrusion detection, firewalls, working real crypto, software looking for changes deep in
Different architecture (Score:1)
I had huge problems implementing white lists in a previous work (software development company).
However it is real that this is the only solution. It is "very" painful, but what medicine is not painful to take or have bad side effects? The huge mistake was to think on general purpose computers where you can mix the highly sensitive stuff with reading newspapers or Facebook profiles and visiting dangerous places; this is the same as to say that you can walk without care through a hall full of mosquitoes wi