ISP Restrictions Based on Hardware/Software?

An anonymous reader writes "IT Architect magazine is reporting that ISPs are working towards a greater restriction of a customer's right to run what may be 'insecure' software. From the article: 'A greater threat is that ISPs may try to restrict the customer's side by denying access to machines based on their hardware or software configuration. [...] former head of cybersecurity, White House terrorism advisor Richard Clarke even said it should be made mandatory to quarantine malware.' Something that may also come as a surprise to some is that Microsoft is completely against this censorship of internet access. 'According to Chief Privacy Officer Peter Cullen, Microsoft is against ISPs doing anything that would restrict customers' choice of software. And he says this isn't just about the impracticability of demanding that data centers patch everything on the second Tuesday of the month. Laptop and home users also have the right to run an insecure PC.'"

Of course MS would object

[Todd+Knarr]

Of course Microsoft would object to this proposal. Any objective analysis (which the ISPs are certain to do) would put Windows high on the list of vulnerable systems. No matter how much Microsoft tries, it's always hard to configure a Windows system to be both secure and capable of easily running the software most users want to run without glitches. Putting a hardware firewall in front of it's just as bad from Microsoft's point of view: you're still telling users they have to spend more money and do more work to use Windows on the Internet. By contrast, many of the competing systems (Max OSX, *nix) are at low risk and would pass most security checks easily out of the box. No way does Microsoft want ISPs making it easier to put a Mac or a Linux box on the Internet than a Windows box.

Bend us over and Shape our Bandwidth...

[xoip]

It is becoming increasingly obvious that the large ISPs are out to put a strangle hold on the "Services" they deliver. There will be problems with VOIP caused by port restrictions, Others will stop offering basic services like nntp access. They have taken the view that the network is theirs and that they will dictate what is run over them with consumers being and endless cash cow that can be milked for access to "Premium" applications.

Terms of Service

[saikatguha266]

> Laptop and home users also have the right to run an insecure PC

Absolutely. But do they have the right to abuse the ISP's network by sending spam/DDoS attacks etc?

Run what you may on your PC, but if you are using the network infrastructure owned and maintained by your ISP, you have to adhere to their Terms of Service, and they should have the right to enforce those terms of service.

If you don't like your ISP's TOS, find a different one. But don't confuse you right to run an insure PC with your right to abuse your ISP's network -- you do not have the latter.

Re:Of course Microsoft is against it...

[grub]

Depending on your definitions, banning malware could mean banning Windows!

Or if the RIAA/MPAA have their way: P2P traffic. Be careful what you wish for.

Re:Of course Microsoft is against it...

[N3Roaster]

While true, I really doubt ISPs are going to start blocking Windows users from accessing the Internet. Not only because they'd be blocking somewhere between most and all of their customers (Why yes, we'll sell you Internet access, we just won't let you use it.), but I've also encountered a lot of ISPs that would get really freaked out (for no good reason) if they heard you planned on connecting with anything but a Windows PC.

The two sides of this issue:

[crazyphilman]

Side #1: Microsoft is terrified of this because it will set a precedent whereby an ISP will be able to cut people off based on the ISP's view of their software configuration. So, ISPs will be able to threaten to kick Microsoft in the balls unless they get favorable treatment (RE: cheaper prices), and home users will be able to demand that tainted machines get knocked off the web until they're fixed (which will mostly affect MICROSOFT). Microsoft, God bless 'em, is naturally against the whole thing.

Side #2: The TRUE result of this will be that lazy ISPs (read: most ISPs) will just lock out anything that doesn't match some piece of shit filter they put in place. So, a fully patched Microsoft or Apple box will probably be able to connect, but my Slackware box will NOT. And when I call tech support, the retard who takes my call will say "SlackWHAT? You can't run that on our network, for, uh... SECURITY reasons. Why don'cha run Winders like everyone else?" And I will be forced to resort to cruel, mocking language, upsetting his supervisor and getting me absolutely NOWHERE.

So, naturally, I'm against this bullshit too. ;)

Even if...

[jd]

...you are generous and don't define Windows as malware, you can reasonably define it as insecure, so it would certainly be bannable under the proposal. Especially early versions of Windows. And that's important, as a very large number of Windows users haven't upgraded and won't upgrade. (Windows 98 is still a very common OS and Windows 95 is still far from dead.)

The other concern Microsoft may well have is that if you can only run "approved" OS' on the Internet, it will kill their beta programs and may well make it harder to roll out service packs. After all, it changes the version ID, so won't be an "approved" OS any more. If nobody patches their system, for fear of being disconnected from the Internet, it will be Microsoft that suffers.

What about Linux users? Well, there's always the IP Personality patch. This disguises your OS, so that common methods of fingerprinting your computer will return the OS identity that you choose. You can always make a Linux box look like Windows XP or whatever.

That's probably another concern of Microsoft. Linux distributions can be easily modified to fool such restrictions and existing Linux users will likely install the necessary patches. This could make Linux more attractive to the Walmarts of the world (fewer customer complaints) and also to corporations (no risk of unexpected downtime, due to ISPs not keeping up).

I'm all for these restrictions, because they don't apply to Open Source software - masquerading as other software is already quite standard. Only closed-source vendors and closed-minded customers have anything to be scared of, and I've no problem with them being scared silly by Homeland Security.

blah blah blah

[Transcendent]

...blah blah blah, of course Microsoft is against it blah blah blah...

But this IS a horrible practice? Restricting people's internet access based on their computer? Does anyone see what is wrong with this or are you all going to complain about MS?

Client-side official spyware

[AndroidCat]

Vendors call them by different names, but all use an agent on the client to verify its configuration. If the agent reports software (or in more advanced versions, hardware) that isn't on a white list, access is denied.

Access control agents have two big practical problems on a private network, both of which are more serious on the wider Internet: Not all clients can run the agents, and new programs not yet certified malware-free won't be on the white list. Worse, ISPs might base their lists on commercial considerations. So while custom enterprise applications are locked out, Sony's rootkit gets through.

Okay, it's not quite spyware, but it does raise a few questions, doesn't it? The above misses a few like: (a) What if you develop software? (Software which isn't on anyone's list?) (b) And what's this about hardware? Are haxors leaving trojan hardware on people's doorsteps now? (Hmm...) (c) Lastly, I'm not going to open my security to let their untrusted agent software phone home to tell my ISP that everything is okay. Sorry. If need be, I'll haul out an old box to run their agent to tell that that everything is fine--but it'll be isolated as much as possible from everything else on my LAN.