Antivirus tools are a useless box-ticking exercise says Google security chap
Advocates whitelists and other tools that 'genuinely help' security
Kiwicon Google senior security engineer Darren Bilby has asked fellow hackers to expend less effort on tools like antivirus and intrusion detection to instead research more meaningful defences such as whitelisting applications.
The incident responder from Google's Sydney office, who is charged with researching very advanced attacks including the 2009 Operation Aurora campaign, decried many existing tools as ineffective "magic" that engineers are forced to install for the sake of compliance but at the expense of real security.
"Please no more magic," he told the Kiwicon hacking conference in Wellington, New Zealand today.
"We need to stop investing in those things we have shown do not work."
"And sure you are going to have to spend some time on things like intrusion detection systems because that's what the industry has decided is the plan, but allocate some time to working on things that actually genuinely help."
Bilby wants security types to focus on tools such as whitelisting, hardware security keys and dynamic access rights efforts like Google's Beyond Corp internal project.
"Antivirus does some useful things, but in reality it is more like a canary in the coal mine. It is worse than that. It's like we are standing around the dead canary saying 'Thank god it inhaled all the poisonous gas'," he said.
The Google hacker also argued that networks are not a security defence because users are so easily able to use mobile networks to upload data to cloud services, bypassing all traditional defences.
Advice on safe internet use is "horrible", he added. Telling users not to click on phishing links and to download strange executables effectively shifts blame to them and away from those who manufactured hardware and software that is not secure enough to be used online.
"We are giving people systems that are not safe for the internet and we are blaming the user."
Referring to the 314 remote code execution holes disclosed in Adobe Flash last year alone, he compared the strategy to patch those holes to a car yard which sells vehicles that catch on fire every other week. ®