Thursday, September 24, 2009

Dumb security idea #3: Enumerating Badness

Hi all,

Today I was in the support chat room for OpenWrt when someone was asking about stopping people in his organisation from draining available bandwidth using Youtube. OpenWrt uses dnsmasq so it was a simple matter of blocking all domain names ending in - and once you do that, you then only need to worry about CollegeHumor, Vimeo, Google Video, Ebaum's World...

It really highlights the stupidity of what's often referred to as Enumerating Badness, as outlined in an article about The Six Dumbest Ideas in Computer Security. In a nutshell, it's where you say "block this, block that, let everything else through", and while it made sense in the very early days, it stopped making sense when the level of bad on the Internet began to vastly outweight the level of good. It is estimated that for every bit of good out there, there's somewhere in the order of dozens of malware, spyware, adware, trojans and viruses - which number in the millions these days. In fact, in the year to April 2008, Symantec discovered over 711,000 new viruses. There's a good reason we pay $30 per year for our anti-virus updates - it's a mammoth job trying to contain them all.

The stupid thing is, it could me made so much simpler if we focused our attention on enumerating the good programs we use on our computer. It's a near impossible task to track over a million bits of bad when even a simpleton could track 30 bits of good. Sadly, no operating system really supports this. Vista and Windows 7's UAC is a step in the right direction, but the problem is far from licked.

A far simpler solution is to look at the sorts of traffic that need priority, then assign the highest priority to those streams, then set everything else at rock bottom. I would also put the remaining traffic onto a throttle, just to be sure. This is far simpler than blocking every single video streaming website.

No comments:

Post a Comment