From bfaccc32571df8a02f69518d8864244efba3b5b5 Mon Sep 17 00:00:00 2001
From: 53hornet <atc@53hor.net>
Date: Wed, 28 Jul 2021 10:58:58 -0400
Subject: php site, templating and partials, faster index generation

---
 posts/2020-12-29-antivirus-software-is-a-hack.php | 137 ++++++++++++++++++++++
 1 file changed, 137 insertions(+)
 create mode 100644 posts/2020-12-29-antivirus-software-is-a-hack.php

(limited to 'posts/2020-12-29-antivirus-software-is-a-hack.php')

diff --git a/posts/2020-12-29-antivirus-software-is-a-hack.php b/posts/2020-12-29-antivirus-software-is-a-hack.php
new file mode 100644
index 0000000..cc5f0d0
--- /dev/null
+++ b/posts/2020-12-29-antivirus-software-is-a-hack.php
@@ -0,0 +1,137 @@
+<?php
+$title = "Antivirus Software is a Hack";
+if (isset($early) && $early) {
+	return;
+}
+include($_SERVER['DOCUMENT_ROOT'] . '/includes/head.php');
+?>
+
+<p>
+	<img src="https://nextcloud.53hor.net/index.php/s/jJoFoA7Ppjb7rey/preview" />
+</p>
+
+<p class="description">
+	I read a really terrific article today about computer security and
+	really dumb ideas or trends that have developed in this field. It's
+	<a href="https://www.ranum.com/security/computer_security/editorials/dumb/">M. Ranum's <em>The Six Dumbest Ideas in Computer Security</em></a>, and I highly recommend reading through the whole thing. It's got
+	great anecdotes and really simple language for what I consider to be
+	some of the obvious issues with the way programmers and sysadmins think
+	about security (myself included). One portion of it (idea #2), however,
+	finally put something into words that I've felt for a really long time.
+	It enables me to explain why I think all antivirus software is a total
+	hack and is virtually useless.
+</p>
+
+<blockquote>
+	hack<br />
+	1. n. Originally, a quick job that produces what is needed, but not
+	well.
+	<br />
+	<cite>-- The Jargon File (version 4.4.7, 29 Dec 2003) [jargon]</cite>
+</blockquote>
+
+<p>
+	This is the Jargon File's definition of a hack. And to me, this is what
+	antivirus software is. Antivirus software, as I understand it, emerged
+	in the mid to late 1980s and became prolific in the 1990s. In the 2000s
+	it was considered an essential piece of software and people were paying
+	for yearly subscriptions for antivirus suites from Norton, Avast, and
+	McAfee.
+</p>
+
+<p>
+	The most basic functionality of an antivirus program is to determine
+	whether malware exists on a host operating system. The typical method of
+	doing this is to use a collection of virus definitions and compare each
+	and every potentially-infected file with each and every definition to
+	determine whether the file is malware or has been infected by some. An
+	over-simplified way of implementing this is to store a collection of
+	hashes, each taken from a known potentially unwanted program or
+	infectious executable. You can then hash entire files or portions of
+	files and compare the checksums to see whether a file contains or is
+	equivalent to the definition, and is therefore infected and shouldn't be
+	executed. Some security suites go beyond this with heuristic matching,
+	but if you run an antivirus that has to "update definitions" on a
+	routine basis, it probably works something like this*. With any luck, it
+	does it without being a total detriment to system performance. Ideally
+	it also doesn't act like a piece of malware itself by making itself near
+	impossible to remove (looking at you, McAfee).
+</p>
+
+<p>
+	To me, a virus definition database is "enumerating badness" (Ranum's
+	Dumb Idea #2). The premise is that it is not only logical but even
+	possible to compile a list of <em>all</em> potentially unwanted
+	programs, viruses, ransomware, and worms. An environment of trust should
+	be built around the programs that you want to run (read:
+	<em>allow to run</em>), not the other way around. Picture an operating
+	system where no binary file can be executed unless it is specifically
+	flagged as being allowed to. Oh and picture also being able to restrict
+	this execution to just the file's owner, or other groups of users.
+	Wouldn't it be easier to store the list of 30 odd programs that you and
+	other system users trust to be run than the thousands (millions?) of
+	programs that are infectious, forbidden, or unwanted? What about when
+	those trusted applications become compromised? Would it not also be
+	easier to maintain a list of checksums for those binaries and compare
+	those checksums before they're executed to make sure they haven't been
+	infected or replaced?
+</p>
+
+<p>
+	The answer is yes, it would be easier. And yes, it is easier. Of course,
+	your system has to work that way. Antivirus software is a hack because
+	it's a hack-y solution to a problem that has a better, simpler solution.
+	It also has the potential for making a ton of money but I won't go into
+	that. It's easier to enumerate goodness, to specifically open up to a
+	select few trustworthy applications. Good lists are usually shorter than
+	bad lists. This builds on top of Ranum's Dumb Idea #1: Default Permit.
+	You wouldn't configure a firewall to just block some known bad ports and
+	traffic. You configure it to block all of it, and then whitelist the
+	ones you know you can trust. You wouldn't configure a browser ad-blocker
+	to permit all ads, and select the ones you don't want to see. You block
+	all of them! Then, if there are sites or ads you're okay with seeing,
+	you whitelist them. You shouldn't default permit all programs to be
+	given control over your computer, and then meticulously list the ones
+	that don't have that permission.
+</p>
+
+<p>
+	Oh and of course, as always, there's free software that lets you do
+	this. You don't have to pay for an antivirus suite, or even use an
+	unpaid one that slows down your computer or barrages you with ads. On
+	the BSDs and virtually all Linux distributions, there are built-in tools
+	to control access and execution of binaries. There are additional tools
+	that you can install that check whether binaries (in locations like
+	<code>/bin</code> or <code>/usr/local/bin</code> have been modified
+	since you last used them. On Windows, the story is a little different.
+	Most home Windows 10 users are automatically allowed to install and run
+	any software they want to by default. Windows Server does have Software
+	Restriction Policies that allow you to create a "default deny" policy
+	and whitelist only the software that's allowed to run. If you're using a
+	home edition you probably have to look for software that lets you do
+	this. I haven't tried any of them so I'm not going to endorse or even
+	name them here.
+</p>
+
+<p>
+	Preventing malware from running on your system is a problem. Solving
+	this problem is the right thing to do. But please, try to solve it the
+	right way. I stopped using an antivirus after I moved out and got to
+	control my own computer. I don't think it ever did me any good besides
+	flag false positives (a lot of the time with programs or applications
+	that I wrote, which weren't malicious in any way!) and grind my spinning
+	disk to a halt. Evaluate what software you use. Is most of it online?
+	Are there one or two applications that you know you need to use? How
+	often do you install and use unknown or untrusted software? Odds are you
+	can come up with a list of very few programs that you want or need to
+	use. If it's less than 100,000, you're probably better off with a
+	default deny policy than an antivirus suite.
+</p>
+
+<p>
+	* What I didn't mention here is that as soon as a new piece of malware
+	is constructed, if it's different enough from its predecessors, it's
+	impervious to all antivirus suites on the planet that don't have it in
+	their definitions. So until that malware is used, detected, and added to
+	the list, it has free reign.
+</p>
-- 
cgit v1.2.3