Dailydave mailing list archives

Re: Hacking: As American as Apple Cider


From: Nick Drage <nickd () metastasis org uk>
Date: Wed, 14 Sep 2005 12:02:18 +0100

On Fri, Sep 09, 2005 at 06:15:25PM -0400, Kyle Quest wrote:

> First of all, systems would be impractical and unusable. If you have
> an OS module or an AV that blocked everything that's not known to be
> good, what would happen if a person bought software that the AV or the
> OS module didn't know about? It wouldn't work, right? It's not very
> likely that users would put up with that. Even if we look at the
> application white listing techniques used by the current host security
> software, what's the story? Well, we have an average user who gets
> this pop up asking if he/she wants to allow application xyz to run. In
> over 99% of the time the user says yes...

But you would hope that even the most inexperienced user can spot the
difference between software-i-just-installed.exe and
never-heard-of-it.exe.  It's not a perfect solution, but it helps.

> It's somewhat similar if we look at network based security mechanisms.
> There are times when white listing works, but there are many times
> when it doesn't. Let's say you have a service provider that has who
> knows how many customers. Do you think they'd be able to get
> information about every single web, ftp, etc server to create a
> "Default Deny" policy? The task would be slightly easier if there was
> no dynamically generated content, but what if there was?

Whitelisting is not a perfect solution, but it helps ;)  If the
situation is unworkable, such as the one you've invented, then
whitelisting isn't the solution.  However, in a lot of cases it can make
a huge difference between being woken up at three in the morning for
fifteen minutes to confirm to the customer that yes, the new worm is
blocked by default, and staying up for a good few hours gathering
information on how this week's problem works so the correct rules can be
put in place.

-- 
When the pin is pulled, Mr. Grenade is not our friend.
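As an added illustration of the trade-off argued in the two messages above (example code, not from the thread or its authors; the hosts, ports, service catalogue and traffic are all constructed):

```python
"""Toy policy engine that runs the same constructed traffic through a blocklist
(default allow) and an allowlist (default deny) to show both halves of the
argument: the allowlist stops an unknown worm without anyone writing a new
rule, but it also stops a legitimate service nobody told the provider about."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    dst_host: str
    dst_port: int
    legit: bool          # ground truth, known only to us, never to the policy

# Constructed allowlist: the services the provider has catalogued for one customer.
KNOWN_SERVICES = {("www.example.test", 80), ("www.example.test", 443),
                  ("ftp.example.test", 21)}

# Constructed blocklist: what has been identified as bad so far (last week's worm).
KNOWN_BAD_PORTS = {445}

def default_allow(flow: Flow) -> bool:
    """Blocklist model: everything passes unless a signature names it."""
    return flow.dst_port not in KNOWN_BAD_PORTS

def default_deny(flow: Flow) -> bool:
    """Allowlist model: only catalogued services pass; everything else is dropped."""
    return (flow.dst_host, flow.dst_port) in KNOWN_SERVICES

# Constructed traffic: normal requests, last week's worm, this week's worm on a
# port with no rule yet, and a legitimate new service the provider has not catalogued.
TRAFFIC = [
    Flow("www.example.test", 443, legit=True),
    Flow("ftp.example.test", 21, legit=True),
    Flow("www.example.test", 445, legit=False),
    Flow("www.example.test", 5000, legit=False),
    Flow("newapp.example.test", 8443, legit=True),
]

def compare(flows=TRAFFIC) -> dict:
    """Return where each model fails: bad flows it let through, good flows it blocked."""
    result = {}
    for name, policy in (("default_allow", default_allow), ("default_deny", default_deny)):
        result[name] = {
            "missed": [f.dst_port for f in flows if not f.legit and policy(f)],
            "broken": [f.dst_port for f in flows if f.legit and not policy(f)],
        }
    return result

if __name__ == "__main__":
    for model, r in compare().items():
        print(f"{model}: missed worm ports {r['missed']}, blocked legit ports {r['broken']}")
```

The blocklist misses the worm on port 5000 until someone writes a rule for it; the allowlist blocks it unseen, at the price of also blocking the uncatalogued service on 8443, which is exactly the usability cost the first message raises.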
