The Six Dumbest Ideas in Computer Security. ⇒
12 September 2005, lunch time
This link was found via Slashdot.
This is a post from my link log: If you click the title of this post you will be taken to the web page I am discussing.
I read this yesterday. From a high-level perspective, he makes good points, but the essay is irreparably tainted by a lack of precision (and accuracy). For example:
Examine a typical antivirus package and you’ll see it knows about 75,000+ viruses that might infect your machine. Compare that to the legitimate 30 or so apps that I’ve installed on my machine, and you can see it’s rather dumb to try to track 75,000 pieces of Badness when even a simpleton could track 30 pieces of Goodness.
Each individual user may have only 30 pieces of “Goodness” on their computer at one time, but all users, over a time period (of say a couple years), have tens or hundreds of thousands of pieces of “Goodness”. For instance, most users use some form of software to play music, and each user probably only uses one such application on a regular basis. But, there is iTunes, Windows Media Player, WinAmp, Real Player, Quicktime, etc. Moreover, each of these applications has multiple versions (iTunes 4.7, 4.8, 4.9, 5.0, etc.) and each of these applications is really multiple executables. (e.g. Right now there is iPodService.exe, iTunes.exe, and iTunesHelper.exe all running on my computer and that’s not even counting the installer, the uninstaller, optional iPod drivers/software, etc.). All-in-all, you end up with scores of executables for just playing music. Do this for each type of application (and, remember to consider esoteric software which has much more variation, not just common ones like word processors and e-mail clients) and you have a heck of a lot of “Goodness” to enumerate. [And please don’t complain that by counting executables and versions that I’m artificially inflating the count, since (a) versions of executables are the unit of interest and (b) most of that malware in the 75k figure are just variations on a theme, created by “script kiddies” who modify existing viruses/worms/etc. rather than write a new one from scratch].
Here the same point comes up again:
There are probably another 20 or 30 installed that I use every couple of months or so. I still don’t understand why operating systems are so dumb that they let any old virus or piece of spyware execute without even asking me...Instead of you taking the time to list the 30 or so legitimate things you need to do, it’s easier to pay $29.95/year to someone else who will try to maintain an exhaustive list of all the evil in the world. [Quotes taken from separate sections and emphasis was added by me].
Per above, maintaining an exhaustive list of “goodness” is non-trivial and arguably equally as hard as it is for “badness”. And if you think prompting the user for guidance (as the author implies)...is gonna work then you should ponder point #5 some more. [Aside: So is it just me or is his essay internally inconsistent?]. These are the two most obvious ways of solving the “enumeration” problem (and the only two mentioned by the author). i.e. The problem is not even astronomically as “simple” and solvable by a “simpleton” as he so often suggests. [i.e. The utter lack of precision in the essay]. (And, at worst, the problem of enumerating “goodness” is harder to do and/or harder to get right than enumerating “badness”).
I could dissect the flaws with the rest of the essay…but I’m sure you get my point (and I have better things to do).
by Ryan on September 13 2005, 2:50 am #