[unisog] enumerating badness was : zotob variant?

Gary Flynn flynngn at jmu.edu
Fri Oct 14 13:29:49 GMT 2005


Valdis.Kletnieks at vt.edu wrote:

> On Thu, 13 Oct 2005 14:30:20 PDT, John Stauffacher said:
> 
> 
>> I've really always wondered why Anti-Floop (shameless..I know) vendors 
>> always want to "Enumerate Badness", wouldn't it be a whole lot easier to 
>> enumerate the good?
> 
> 
> Follow The Money.
> 
> They want to keep enumerating badness because there's a continuing revenue
> stream to be found that way.  If they sold something that actually *secured*
> the system, they'd find themselves in the same position as Willy Wonka trying
> to sell somebody a second Everlasting Gobstopper.....

I wouldn't blame the vendors for that. I believe they
enumerate badness because of the "personal computer"
mentality that still exists in organizations. When the
desktop is treated like part of the organization's
information infrastructure rather than another piece
of personal office equipment like a typewriter or,
heaven forbid, a radio, more proactive (and restrictive)
tools and policies can be used. As long as the philosophy
is "I want to do it when I want, how I want, from where
I want, without restriction or procedure, etc.", reactive
"enumerate badness" is the only feasible approach. To
enumerate goodness, you have to define goodness and
limit usage to goodness and nobody wants to restrict
themselves to that. It's inconvenient, intrusive, and
slows things down. It's a default deny policy on behavior.

Additionally, in the home market, it would be impossible.
How do you limit a home computer to "goodness" in
applications, application behavior, network communications,
etc. on a general purpose computer administered by the
homeowner?

One can say that the Homeland Security Department tries
to enumerate badness too. Enumerating goodness in human
behavior would be quite a challenge. :)

Come to think of it, what examples of enumerating goodness
are there in day to day security? I guess most kinds of
access controls try to enforce goodness. Provisioning
accounts for people rather than letting anyone log on is
one example. Car inspection stickers are another. But
the granularity of goodness doesn't lead to very strong
security unless everyone cooperates which makes the risk
acceptable.

Trying to enumerate either badness or goodness in computer
behavior may boil down to once again trying to do things
with technology that we can't do for ourselves. At some
point higher than "the program accessed this file" or
"the program sent this traffic" human values are put on
those transactions.

I think the reason we have so many problems with computing
is because of its speed, complexity (versatility), and
interconnectedness. The same things that make it good, make
it hard to secure.

I've got to go get some work done before my boss evaluates
my meandering as badness. :)

-- 
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security