diff options
author | 53hornet <atc@53hor.net> | 2021-07-28 10:58:58 -0400 |
---|---|---|
committer | 53hornet <atc@53hor.net> | 2021-07-28 10:58:58 -0400 |
commit | bfaccc32571df8a02f69518d8864244efba3b5b5 (patch) | |
tree | cc71a44054af00e73d0db2a1c79c347db3f31327 /posts/2020-12-29-antivirus-software-is-a-hack.html | |
parent | dd75b4a341925e4ba3408b018941241d4317dd9f (diff) | |
download | 53hor-bfaccc32571df8a02f69518d8864244efba3b5b5.tar.xz 53hor-bfaccc32571df8a02f69518d8864244efba3b5b5.zip |
php site, templating and partials, faster index generation
Diffstat (limited to 'posts/2020-12-29-antivirus-software-is-a-hack.html')
-rw-r--r-- | posts/2020-12-29-antivirus-software-is-a-hack.html | 197 |
1 files changed, 0 insertions, 197 deletions
diff --git a/posts/2020-12-29-antivirus-software-is-a-hack.html b/posts/2020-12-29-antivirus-software-is-a-hack.html deleted file mode 100644 index 5c602a2..0000000 --- a/posts/2020-12-29-antivirus-software-is-a-hack.html +++ /dev/null @@ -1,197 +0,0 @@ -<!DOCTYPE html> -<html lang="en"> - <head> - <link rel="stylesheet" href="/includes/stylesheet.css" /> - <meta charset="utf-8" /> - <meta name="viewport" content="width=device-width, initial-scale=1" /> - <meta - property="og:description" - content="The World Wide Web pages of Adam Carpenter" - /> - <meta - property="og:image" - content="https://nextcloud.53hor.net/index.php/s/Nx9e7iHbw4t99wo/preview" - /> - <meta property="og:site_name" content="53hor.net" /> - <meta property="og:title" content="Antivirus Software is a Hack" /> - <meta property="og:type" content="website" /> - <meta property="og:url" content="https://www.53hor.net" /> - <title>53hornet ➙ Antivirus Software is a Hack</title> - </head> - - <body> - <nav> - <ul> - <li> - <a href="/"> - <img alt="home" src="/includes/icons/home-roof.svg" /> - Home - </a> - </li> - <li> - <a href="/info.html"> - <img alt="information" src="/includes/icons/information-variant.svg" /> - Info - </a> - </li> - <li> - <a href="https://git.53hor.net"> - <img alt="git" src="/includes/icons/git.svg" /> - Repos - </a> - </li> - <li> - <a href="/software.html"> - <img alt="software" src="/includes/icons/floppy-variant.svg" /> - Software - </a> - </li> - <li> - <a type="application/rss+xml" href="/rss.xml"> - <img alt="rss" src="/includes/icons/rss.svg" /> - RSS - </a> - </li> - </ul> - </nav> - - <article> - <h1>Antivirus Software is a Hack</h1> - - <p> - <img - src="https://nextcloud.53hor.net/index.php/s/jJoFoA7Ppjb7rey/preview" - /> - </p> - - <p class="description"> - I read a really terrific article today about computer security and - really dumb ideas or trends that have developed in this field. It's - <a - href="https://www.ranum.com/security/computer_security/editorials/dumb/" - >M. Ranum's <em>The Six Dumbest Ideas in Computer Security</em></a - >, and I highly recommend reading through the whole thing. It's got - great anecdotes and really simple language for what I consider to be - some of the obvious issues with the way programmers and sysadmins think - about security (myself included). One portion of it (idea #2), however, - finally put something into words that I've felt for a really long time. - It enables me to explain why I think all antivirus software is a total - hack and is virtually useless. - </p> - - <blockquote> - hack<br /> - 1. n. Originally, a quick job that produces what is needed, but not - well. - <br /> - <cite>-- The Jargon File (version 4.4.7, 29 Dec 2003) [jargon]</cite> - </blockquote> - - <p> - This is the Jargon File's definition of a hack. And to me, this is what - antivirus software is. Antivirus software, as I understand it, emerged - in the mid to late 1980s and became prolific in the 1990s. In the 2000s - it was considered an essential piece of software and people were paying - for yearly subscriptions for antivirus suites from Norton, Avast, and - McAfee. - </p> - - <p> - The most basic functionality of an antivirus program is to determine - whether malware exists on a host operating system. The typical method of - doing this is to use a collection of virus definitions and compare each - and every potentially-infected file with each and every definition to - determine whether the file is malware or has been infected by some. An - over-simplified way of implementing this is to store a collection of - hashes, each taken from a known potentially unwanted program or - infectious executable. You can then hash entire files or portions of - files and compare the checksums to see whether a file contains or is - equivalent to the definition, and is therefore infected and shouldn't be - executed. Some security suites go beyond this with heuristic matching, - but if you run an antivirus that has to "update definitions" on a - routine basis, it probably works something like this*. With any luck, it - does it without being a total detriment to system performance. Ideally - it also doesn't act like a piece of malware itself by making itself near - impossible to remove (looking at you, McAfee). - </p> - - <p> - To me, a virus definition database is "enumerating badness" (Ranum's - Dumb Idea #2). The premise is that it is not only logical but even - possible to compile a list of <em>all</em> potentially unwanted - programs, viruses, ransomware, and worms. An environment of trust should - be built around the programs that you want to run (read: - <em>allow to run</em>), not the other way around. Picture an operating - system where no binary file can be executed unless it is specifically - flagged as being allowed to. Oh and picture also being able to restrict - this execution to just the file's owner, or other groups of users. - Wouldn't it be easier to store the list of 30 odd programs that you and - other system users trust to be run than the thousands (millions?) of - programs that are infectious, forbidden, or unwanted? What about when - those trusted applications become compromised? Would it not also be - easier to maintain a list of checksums for those binaries and compare - those checksums before they're executed to make sure they haven't been - infected or replaced? - </p> - - <p> - The answer is yes, it would be easier. And yes, it is easier. Of course, - your system has to work that way. Antivirus software is a hack because - it's a hack-y solution to a problem that has a better, simpler solution. - It also has the potential for making a ton of money but I won't go into - that. It's easier to enumerate goodness, to specifically open up to a - select few trustworthy applications. Good lists are usually shorter than - bad lists. This builds on top of Ranum's Dumb Idea #1: Default Permit. - You wouldn't configure a firewall to just block some known bad ports and - traffic. You configure it to block all of it, and then whitelist the - ones you know you can trust. You wouldn't configure a browser ad-blocker - to permit all ads, and select the ones you don't want to see. You block - all of them! Then, if there are sites or ads you're okay with seeing, - you whitelist them. You shouldn't default permit all programs to be - given control over your computer, and then meticulously list the ones - that don't have that permission. - </p> - - <p> - Oh and of course, as always, there's free software that lets you do - this. You don't have to pay for an antivirus suite, or even use an - unpaid one that slows down your computer or barrages you with ads. On - the BSDs and virtually all Linux distributions, there are built-in tools - to control access and execution of binaries. There are additional tools - that you can install that check whether binaries (in locations like - <code>/bin</code> or <code>/usr/local/bin</code> have been modified - since you last used them. On Windows, the story is a little different. - Most home Windows 10 users are automatically allowed to install and run - any software they want to by default. Windows Server does have Software - Restriction Policies that allow you to create a "default deny" policy - and whitelist only the software that's allowed to run. If you're using a - home edition you probably have to look for software that lets you do - this. I haven't tried any of them so I'm not going to endorse or even - name them here. - </p> - - <p> - Preventing malware from running on your system is a problem. Solving - this problem is the right thing to do. But please, try to solve it the - right way. I stopped using an antivirus after I moved out and got to - control my own computer. I don't think it ever did me any good besides - flag false positives (a lot of the time with programs or applications - that I wrote, which weren't malicious in any way!) and grind my spinning - disk to a halt. Evaluate what software you use. Is most of it online? - Are there one or two applications that you know you need to use? How - often do you install and use unknown or untrusted software? Odds are you - can come up with a list of very few programs that you want or need to - use. If it's less than 100,000, you're probably better off with a - default deny policy than an antivirus suite. - </p> - - <p> - * What I didn't mention here is that as soon as a new piece of malware - is constructed, if it's different enough from its predecessors, it's - impervious to all antivirus suites on the planet that don't have it in - their definitions. So until that malware is used, detected, and added to - the list, it has free reign. - </p> - </article> - </body> -</html> |