Monday, October 3, 2011

Whitelisting vs. blacklisting in our non-tech environments

I was recently searching for a comparison of whitelisting vs. blacklisting, and ran across Bruce Schneier's January 28 post on the topic. Schneier chose to illustrate the concepts with examples from the real world.

Physical security works generally on a whitelist model: if you have a key, you can open the door; if you know the combination, you can open the lock.
To find blacklists in the real world, you have to start looking at environments where almost everyone is allowed. Casinos are a good example: everyone can come in and gamble except those few specifically listed in the casino's black book or the more general Griffin book.

And some are a mixture of the two:

Marcus [Ranum] is correct to point to passport control as a system with both a whitelist and a blacklist. There are people who are allowed in with minimal fuss, people who are summarily arrested with as minimal a fuss as possible, and people in the middle who receive some amount of fussing. Airport security works the same way: the no-fly list is a blacklist, and people with redress numbers are on the whitelist.
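The three models in the quoted passage map directly onto how an access-control check treats a subject it has never seen: a whitelist denies by default, a blacklist allows by default, and the passport-control hybrid sends unknowns for extra scrutiny. The following Python is an added illustration, not code from the original post or from Schneier or Ranum; the list contents and the subject names are constructed sample data.

```python
from enum import Enum
from typing import Dict, Iterable


class Mode(Enum):
    ALLOW_LIST = "allow_list"  # whitelist: only listed subjects pass (default deny)
    DENY_LIST = "deny_list"    # blacklist: everyone passes except listed subjects (default allow)
    HYBRID = "hybrid"          # both lists; subjects on neither get a closer look


class Decision(Enum):
    ALLOW = "allow"    # minimal fuss
    DENY = "deny"      # summarily refused
    REVIEW = "review"  # "some amount of fussing"


class Policy:
    """Access decision for one subject under one of the three list models."""

    def __init__(self, mode: Mode, allowed: Iterable[str] = (), denied: Iterable[str] = ()):
        self.mode = mode
        self.allowed = frozenset(allowed)
        self.denied = frozenset(denied)

    def decide(self, subject: str) -> Decision:
        if self.mode is Mode.ALLOW_LIST:
            return Decision.ALLOW if subject in self.allowed else Decision.DENY
        if self.mode is Mode.DENY_LIST:
            return Decision.DENY if subject in self.denied else Decision.ALLOW
        # Hybrid: the deny list wins over the allow list, and a subject on
        # neither list is neither refused nor waved through.
        if subject in self.denied:
            return Decision.DENY
        if subject in self.allowed:
            return Decision.ALLOW
        return Decision.REVIEW


# Constructed sample lists (not real names or real policy data).
ALLOWED = {"alice", "bob"}   # holders of the "key" / redress number
DENIED = {"mallory"}         # entries in the "black book" / no-fly list


def decide_everywhere(subject: str) -> Dict[Mode, Decision]:
    """Run one subject through all three models so the default behaviour is visible."""
    return {
        mode: Policy(mode, ALLOWED, DENIED).decide(subject)
        for mode in Mode
    }


if __name__ == "__main__":
    for who in ("alice", "mallory", "someone-new"):
        print(who, {m.value: d.value for m, d in decide_everywhere(who).items()})
```

The point the example makes concrete is the unknown subject: the whitelist refuses it, the blacklist admits it, and the hybrid defers. Whichever default a system picks is the one that decides the outcome for every case its lists never anticipated.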

Schneier notes that his post is excerpted from a point-counterpoint between himself and Ranum. It appears that Schneier thought that society would move toward a whitelist model, and Ranum thought the opposite. However, I couldn't tell, because to read the entire point-counterpoint, a login and password are required.

Score one for the whitelist.