funsec mailing list archives

RE: Internet security moving toward "white list"


From: "Young, Keith" <Keith.Young () montgomerycountymd gov>
Date: Wed, 19 Sep 2007 08:52:58 -0400

Internet security is headed toward a major reversal in philosophy,
where a "white list" which allows only benevolent programs to run on a
computer...
 
Hardly a new idea of course. I've been hearing this for many years
from many vendors. 
 
And even longer from Dr. Solly, Marcus Ranum, etc....
 
But for home computers this just won't work. They'll never have an
adequate list and people will insist on installing what's in front of
them.

And how are they going to identify programs for consumers? They could
use code signatures, but even at the high end developers bitch and moan
about that. If they use some sort of checksum then they need to monitor
every valid build of every program.
 
The Ubuntu trusted software repository model, along with an enforcement
application like SELinux, puts this almost within reach today. 
 
Grannyx anyone?
 
--Keith



Keith Young, Security Official
Department of Technology Services
Montgomery County, Maryland
phone - (240) 777-2955


 


________________________________

From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Larry Seltzer
Sent: Wednesday, September 19, 2007 8:25 AM
To: funsec () linuxbox org
Subject: RE: [funsec] Internet security moving toward "white list"


Internet security is headed toward a major reversal in philosophy,
where a "white list" which allows only benevolent programs to run on a
computer...
 
Hardly a new idea of course. I've been hearing this for many years from
many vendors. It's an OK idea for a business network where IT can
reasonably say "you can't run anything on your computer that we don't
give you to run." And where the administration can show the security
software what the valid programs are for proper identification, perhaps
with IT even code-signing them.
 
But for home computers this just won't work. They'll never have an
adequate list and people will insist on installing what's in front of
them. 
 
And how are they going to identify programs for consumers? They could
use code signatures, but even at the high end developers bitch and moan
about that. If they use some sort of checksum then they need to monitor
every valid build of every program.
 
I'll believe this when I see it.
 
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.eweek.com/cheap_hack/
<http://blog.eweek.com/blogs/larry_seltzer/>
<http://blog.ziffdavis.com/seltzer> 
Contributing Editor, PC Magazine
larry.seltzer () ziffdavisenterprise com
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
