Slashdot Mirror
Vista's TCP/IP Promises and Perils
boyko.at.netqos tips us to a new writeup on Vista's TCP/IP stack, which is called Compound TCP/IP (CTCP). From the article: "...security policy will come from a centralized source. When you get your DHCP lease, your computer will report to the stack what OS you're using, what version level, what patches, what anti-virus software that's active — all that kind of stuff. It will have the ability to restrict your network access if you have a down-level machine... We could see a lot of our customers with much higher WAN network utilization because of this new TCP/IP stack... CTCP can be enabled/disabled from the command prompt but there has been no mention of tuning parameters which leads us to ask the question: How are you supposed to configure this setting in Vista?... What worries us... is that Microsoft is basing this on packet round trip time. The round-trip time from the client-side will have the server processing time in it; but the clients aren't likely going to be the running the CTCP at first. If you have a server-to-server backup running, for example, CTCP may think its part of the round-trip time and it'll throw the delay window through the roof..."
So my trojan will be reporting values honored by the DHCP servers. This system is still relying on the information sent by the (possibly infected) machine, so it is not secure in any way.
Life is just nature's way of keeping meat fresh.
What about when ISPs need this "CTCP" and your running linux, will it kick you or, will linux once more, added some code to the TCP/IP Stack to send some bogus CTCP repely
WulframII - Free Online Mutiplayer 3D Tank Shooting Game
Article summary:
We haven't used Vista.
We haven't tested the features we're talking about.
We think they're actually probably very good.
We don't know (and nor does anyone) because we haven't tested them.
They could be bad.
They could do nasty stuff to your networks.
But we don't know because we haven't tested anything.
Sounds good in theory though.
And all the MS guys that have ever wrote about it say it works.
We don't think it'll work perfectly first time.
But we don't know because we haven't tested anything at all in any way.
We advise others to test before they make any decision.
Good article. (That was sarcasm. At least I think it was but I haven't tested it myself yet).
But, alas, falls short of implementing the "Evil Bit."
If you open yourself to the foo, You and foo become one.
apart from providing some "security" measures, is to lock Linux out of the corporate network. As soon as a Longhorn server goes into a network, then Linux boxes will have all sorts of problems. And there won't be any way to legally get around it as Microsoft will have all the required patents to wave in the faces of anyone who attempts to do so.
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
I don't get it. If you're just going to be querying the OS for information about its configuration (antivirus, patch state, version level, etc.) why don't you just implement it at a higher level? I don't see any reason to bury this sort of stuff down in the network stack. It could just as easily run as an application-level service rather than being built in down on the transport level. (And in fact I know of systems which do this sort of thing running as userspace tools.)
The goal here seems to just be a way to allow corporate networks like WANs to restrict access based on the version of Windows that's running and the security software being implemented on the client. Setting aside how a rootkit would just fake the responses (and I don't believe for a second that there won't be rootkits for Vista once it gets mainstream), why does this have to be in the network stack? It could be easily implemented as part of the higher-level networking services like WINS or Active Directory, as a requirement before the user is allowed access to particular network resources.
This whole concept seems rather flawed, unless there's some large part of it that I'm missing, and it just seems like it's going to require other OSes to rewrite their perfectly good TCP/IP stacks in order to inter-operate with Windows networks. Maybe that's the whole point?
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
... complex things especially when they plan to be very cumbersome, slow, error prone and possibly non working.
Many thanks to the big brains in Redmond!
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
How are you going to ask the client, when said DHCP client is one of those nifty routers we all own?
/., or even most in the world, directly connect their machines to a network connection anymore. All the broadband connections all go through some sort of router these days, provided by the ISPs themselves.
I don't think anyone on
The cesspool just got a check and balance.
I haven't read TFA, but based on blurb it will be horrible.
Compound TCP is not a TCP/IP stack! It's congestion avoidance/recovery algorithm for TCP streams. It's one of many (Vega, Reno, BIC, CUBIC etc. etc.). It's also available for Linux (but was removed from standard kernel some time ago).
Other things mentioned are parts of Network Access Control, which is already deployed in many companies. There are many software and hardware solutions available, Vista isn't special. It becoming must-have in corporate environment, praising Vista for having it is like claiming that DHCP client in OS is innovation.
:wq
"It will have the ability to restrict your network access if you have a down-level machine."
Ehm... and who decides what is a down-level machine?
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
which is called Compound TCP/IP (CTCP). From the article: "...security policy will come from a centralized source.
Yeah, trust a blind man to invent a new pencil...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Is it just me, or does this article sound like random babbling? Nowhere did I see any explanation of what CTCP is, what it does, how it does it, or why it's a good or bad thing. Instead there's lots of uninformed speculation. Apparently it has something to do with bigger TCP windows and/or better or throttled thruput. But we end up more mystified than when we came in.
It seems that M$'s vision of having your computer being nothing more than a "content delivery device" that you have to buy and they control is coming to fruition.
It is amazing to me how far those people that use M$ products will allow themselves to be, 0wn3d.
Change is hard and scary, but why would one ever actually pay to be treated in the manner M$ wants to treat you.
Sheep.
Cheers
PS> This is not a troll, it is really the way I feel.
* Carthago Delenda Est *
"Windows network(ing)" is an oxymoron in the first place, so you shouldn't be surprised...
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
"It will have the ability to restrict your network access if you have a down-level machine..."
Translation: "You WILL upgrade all of your machines to Vista, or Microsoft will artificially degrade their performance." It's called "market development."
Those M$ asshats are actually going to try to sell this as a NAC feature, when it's nothing but another license fee grab. Piss on them: I'm still running several totally stable, bullet-proof web servers on NT4 with 128Mb (albeit behind a good firewall), and I have neither the need nor the intention to "upgrade" them anytime soon (or ever, for that matter).
About the word "if": If bullfrogs had wings, they wouldn't bounce around on their little green butts.
CTCP is also a portion of the core IRC protocol, which was a goofy way to extend command set.
[
Specifically, something to tell the CTCP stack that you're running the very latest version of everything, so that you don't get penalized by other nodes.
Of course, that would be bad news for everyone else on the network, if in fact your old, unpatched OS (which you are reporting as new and patched to avoid having to upgrade to Vista 2.5.9.396) _is_ infected. But then, that's part of the problem with including features that work AGAINST the person buying/using them.
To sum up: malicious/hijacked computers will report that everything's OK. Computers controlled by savvy users who don't want hassle will report that everything's OK. Computers that really have nothing interesting about them will report that everything's OK. There'll be a thin band of computers that really do have old OS versions but that nobody cares about enough to doctor -- these will report that everything's not OK, until they become an issue and are considered a painful extra cost of MS-based networks. The remaining 90% of all computers will have this feature disabled, thus saving all the bother at a very very low cost in security.
It's not that this feature is evil, it just comes from the wrong mindset. I think MS's misconception that it's good to start from the question 'how can we restrict or coerce customers', rather than 'how can we empower and help customers', is likely to prove permanent.
Whence? Hence. Whither? Thither.
They're always engineering crappy half-solutions that are worse than nothing at all, and always involve using more resources and sending out more personal information.
When are they gonna engineer something properly? If nearly every open-source/linux programmer can do it, why can't Microsoft?
WindowsUpdate after you haven't phoned home to verify your copy of Vista isn't pirated?
People keep saying that your trojan'd box could report false information, but what about a rooted DHCP server (like in a coffee shop, or any area with free WIFI)? You computer would be telling an unknown system its exact patch level. Screw brute force attacks, it would know exactly where you're vulnerable. didn't microsoft learn anything about offering too much information?
Broadcast packets? Snooping? ICMP? DoS
None require an IP address.
"It will have the ability to restrict your network access if you have a down-level machine."
That raises some questions. Does this mean that the stack itself on the system in question will place some kind of access restriction? Are they trying to wedge this into layer 4? Have they devised some kind of MS client-server extension to DHCP that sends a data structure to a server which in turn pushes a policy out to the stack? Or is this intended to be part of an 802.1x based scheme?
"We are all geniuses when we dream"
- E.M. Cioran
One big problem is that few of these gateways are MS-Windows machines. Most are Criscos that get fried up by the heavy traffic :) I doubt an x86 box could service a full-speed OC-3 if the table look-ups get extensive.
By making these changes in the stack you can improve the windowswindows performance while reducing the windowsother performance. It creates an environment which in which it is strongly beneficial to have a windows only network.
Deleted
Microsoft is famous for its "Embrace and Extend" philosophy of locking people into their products by corrupting open standards. This looks to be the same thing once again.
I have to admit, it's been a while since I've read the TCP/IP protocol specs, but I don't remember there being any provisions for communicating things like OS type, version, or patch lists over the TCP/IP headers.
This brings up a major compatibility question as to how this is going to work with routers, linux servers, printers, and other devices on a network who either don't know about CTCP or don't give a shit about CTCP. This scheme also seems to be extremely vunerable to spoofing.
If M$ would spend half as much effort in securing their OS as they do coming up with these hare-brained schemes, then we wouldn't need such contrived solutions to security.
When all else fails, run.
[sarcasm] Because features of an application or operating system (not just MS based applications/OSes) have never been used to write malware before. [/sarcasm]
On the plus side, this is a nice smoking gun, when something goes wrong just blame the TCP/IP implementation.
Okay so on to my point. For the home user, CTCP is disabled by default. I don't anticipate many home users will turn this feature on. For the corporate user it is enabled by default. I can see the DISA/NSA/NIST or any other security STIG indicating the first step after installing is to turn off CTCP. It's kind of like any other feature, if you don't need it turn it off! I can't see anyone that uses SMS, WSUS, or any other good patch management program needing this from a security standpoint (no comment on speed issue as I am not an expert in TCP/IP, nor do I know all the details about how CTCP works). Maybe for laptops but that is a stretch. Unless there is something beyond patching that this could benefit.
Any word on what happens for backward compatibility? What if my brand spanking new VISTA box wants to pull down content over TCP that is hosted on a *nix/*BSD box that doesn't implement this CTCP. I'd hope the handshake defaults to something they can both use....
Admittedly though, I think part of this is market-driven. Partially because people have just accepted that "Windows way" is just how computers in general are supposed to work, a lot of home users are frustrated with computers and would probably readily accept 'applianceized' computing.
A significant percentage of users only want a 'content delivery box' for their computer. That's what they use it for; that and as a game machine. Most people don't really use their computer for anything that wouldn't be provided as part of a Microsoft Communication Machine that would only run signed code and play DRMed media.
Not saying it's a good thing, but people bitch about their cable boxes far less often than they bitch about their computers, in my experience.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
The network admins. Won't apply patches? You don't get network access. Won't run AV software? You don't get network access. Infected with known malware? You lose network access until it's cleaned up.
Or you could go with the paranoid conspiracy theory and assume that MS will shoot themselves in the foot by trying to close out competing OSes at the network level; that would be the slashdot way, after all.
It's official. Most of you are morons.
Hopefully not whoever owns the network. I mean, what kind of a world would it be where sysadmins could control who connected to their networks! Allowing sysadmins to keep unpatched Windows boxes off their networks is obviously nothing but pure evil. It's Microsoft, so it must be evil, right?
Chernobyl 'not a wildlife haven' - BBC News
I heard that, buried deep in Vista's core, is a distributed computing program that emulates the mind of Bill Gates, and that he is able to jack into this virtual mind at his bunker on the Redmond Campus. Just like his corporation overwhelmed and undercut the competition, now his electronic minions are going to slowly and surely take over the internet, one LAN at a time. You see, VISTA will always work flawlessly, but will randomly inject false packets to non-Vista machines, briefly kicking them off the net. People will start seeing flakey performance on Macs, linux, and BSD machines. Corporate PHBs will demand more Vista replacements, and with each replacement, the mind of Bill Gates, his "ego" if you will, swells.
(Of course, that's just a rumour I started. I haven't actually seen Vista, or tested any of this myself.)
When our name is on the back of your car, we're behind you all the way!
Probably the network administrator, but as the article admits, they've really no idea.
I discover NAC/NAP. Network Admission Control and Network Access Protection. While the idea is noble, its going to be costly (for customers) to implement in mixed networks. They also don't discuss non PC network clients (Printers, Scanners, hand held etc). Even worse (see below), your going to have to pay for a 3rd party network stack for Windows 2000.
f 717-d752-4fa2-a77a-ab29f0b29266/NAC-NAP_Whitepaper .pdf
t rans/network/06_0914_tn_network.mspx
White paper here: http://download.microsoft.com/download/d/0/8/d08d
Interesting chat transcript here: http://www.microsoft.com/technet/community/chats/
From the transcript:
Q: NAP seems to fulfill the pre-admission health/integrity check very well. Can customers use the same NAP infrastructure to support post-admission NAC? e.g. with NAP today I can check a desktop PC is healthy when it joins, but what about 24 hours later?
A: Post-admission enforcement depends on the enforcement mechanism you're using. For instance, health will be re-evaluated when a client attempts to renew their IP address when using DHCP as the enforcement mechanism. For IPSec, it will happen when health certs expire. For 802.1x, it will happen when re-authentication occurs. For VPN, it will happen when clients reconnect. Any health change on the client will trigger re-evaluation of the health state, too.
Q: What is the likelihood of a NAP agent for Windows 2000 clients in the network?
A: We are not planning to implement a Windows 2000 NAP client. However, we are licensing our protocols to 3rd party companies so that they can offer NAP clients on Windows 2000 (and other OS's like Mac, Linux, etc.)
Enjoy,
It's just the normal noises in here.
Downlevel = Anything from MS that's not => Windows 6.0 and everything not sold by MS.
At least that's my guess.
Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
Assuming one can trust the DHCP server to not send bogus and forged request to the client OS, which would then shut the thing down.
Here's the scenario: Client OS = Vista, DHCP Server is Rooted or otherwise compromised box. The client requests DHCP using standard Vista protocols, and gets a response from the Hosed server, which then sees that it is a Vista box (because the vista box tells everything), and sends either a response designed to shut it off, or worse "infect" it with a known exploit based upon current REV. values.
The more complicated things are, the easier it is to cripple them. In this case, if I were blackhat, I would deliberately seek out DHCP servers that I could exploit, and use in this method.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Paranoid or not, it matches Microsoft's M.O. However, they're more likely to use subtle patent FUD to prevent interoperability with this technology than explicit lockout. Note that network admins don't control patent FUD. Microsoft alone decides who they choose to vaguely bless or rebuke.
If you have to ask, you don't get to decide and you definintely have a down-level machine.
My first thought on reading this article is that this could control some of the Windows network spamming I've seen too much of, but this really is the wrong way to go about fixing it.
The extra effort this entails for BIG deployments of windows will be a temporary headache for a small group of sysadmins until of course they upgrade to the Microsoft server designed to handle this....
The bigger picture is locking everything out.
1. Reaching into the networking peripherals market to extract a tax for the privilege of connecting to a Vista PC. Give Microsoft a few cents for every device sold and no consumer will care. Microsoft can then tighten the DRM noose and increase revenue simultaneously.
2. Making mixed computing environments harder to deploy.
3. Each Vista PC will obviously send a unique id/signature so DRM and law enforcement knows what you are doing online all of the time. Has it happened? No. Will it happen? Yes. How do I know? Historic evidence of what other monopolies have done makes it a sure bet. Economists also have one of their very exciting graphs illustrating this as well.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Allowing sysadmins to keep unpatched Windows boxes off their networks is obviously nothing but pure evil. It's Microsoft, so it must be evil, right?
Keeping windows boxes off a network would be nice, but it would be better to simply cut off machines that misbehave. Every machine on the botnet is going to know exactly what to tell the silly C(luster fuck)DHCP server for maximum access. Brands of OS M$ does not like will not. DHCP is already slow, adding this overhead won't rid your network of infections, it will just make it slower.
Yes, Microsoft is evil and commits both technical and social vandalism. They break competitor's products and do things behind their sysadmin's backs. Don't you remember how their resolve configuration had M$ IP addresses hard coded, overriding your hosts files? Think this DHCP thing will be any easier to override? The social aspects of discouraging sharing and suing public schools beggar debate. So there you have it, evil from propaganda to implementation and enforcement. You still trust those people?
Friends don't help friends install M$ junk.
The /. latent homosexuals with mods points got you.
falls short of implementing the "Evil Bit."
I'm sure there are plenty of evil bits in this new M$TCP/IP. Remember, folks, the 1998 Halloween document called for replacing all of the world's simple protocols. They have finally gotten around to DHCP and TCP. Hopefully vendors will have the good sense to ignore the whole scheme. A network that discriminates on OS brand rather than behavior is worse than one that does not discriminate at all.
Friends don't help friends install M$ junk.
is while I see a lot of verbiage in the terms of "asume", "think" and "suspect" that hard facts are left out. Maybe it is just that silly engineer notion I have to do a repro on an issue and get some real-to-life metrics before I cry wolf and make an ASS out of U and ME.
Supporting MS products doesn't mean you have to like them.
To all home, business and corporate admins, you want control? Of which PC can connect to your LAN? Complete with OS versioning and all?
Best existing methods are in combo:
- IEEE 802.1X (wlan_supplicant)
- VLAN (IEEE 802.1Q)
- IPSec (various IEEE RFCs)
- THEN finger protocol
These options gives LAN administrator absolute power to allow which PC can join their own precious LAN or not.Every protocol "enhancement" that came out of Redmond has been demonstrably disruptive and rarely beneficial to the general network community (i.e., evil bit in MIT Kerberos), not to mention, highly inefficient. This stems largely because Microsoft repeatedly failed to engage or brusquely abuse the power of various standards community without proper and sufficient in-depth review of the professional network standard community.
Vinton Cerf said it best.
Use the standard, Luke.
Some MS patches are made to add hard DRM (WMP10) or police liscenses (GenuineAdvantage) and maybe there are some other tinfoil-needy reasons.
MS and the next-gen DVD consortium for that matter treat the customer as a potential criminal and require the ability to disable functionality in whole or in part. In other words, "security" to these people, including Microsoft, means keeping things secured against the user.
As a real security scheme it looks quite weak and vulnerable. But engineering a way to get user's machines to spy on them and report not only compliance with security policies but also use of arbitrary applications seems quite useful both for pushing OS upgrades and conversions to Windows down people's throats and for providing ammo to content liscensing organizations. Vista will be able to tell centralized servers who you are, whether you comply with some policy, and whether you can withstand an arbitrary network attack. Doesn't sound too secure to me. Wonder how SuSE will "interoperate" with this.
What!?...I think you are missing the point. The guy was trying to say that unless YOU have an IP address (which the issue everyone has been discussing), you cannot do anything.
The AC has a point - the things he mentions are all possible without an IP. Spreading general mischief on a LAN requires no IP.
What the AC fails to acknowledge is that that the proposed technique would prevent some malware from spreading. This is a good thing.
What isn't addresses is how to then get updates - kind of hard without an address.
Additionally, new malware will simply figure out the network geometry, sniff for unused adreeses and use one. Most networks will permit this.
VLAN
A better way to handle the whole problem is to put machines into a quarantined VLAN and then dynamically change their port's VLAN after authorization has been established via any number of criteria. I believe CMU was doing this with Kerberos tickets at one point.
Microsoft has gone for the quick-n-dirty hack method, but it might be marginally helpful. Imagine that.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Or to cut off net access for any non-windows PCs maybe?
The race isn't always to the swift... but that's the way to bet!
So then no worries, right? The first virus I get will surely disable CTCP for me, no sweat...
It's refreshing to see someone on ./ point out some of the absurdity of the MS bashing going on. Nice job.
Disclaimer: I have not RTFA, nor do I know all the fields of a DHCP request by heart.
From what I've read in the summary and comments if the system doesn't use DHCP,ie IP address of a machine is hard set, then this latest stunt by m$ won't do anything.
I could see a virus/trojan that sniffs some packets, determins the class and range of addresses used by a network and then picks one that will work, Hell I worked out an app that did this sort of thing years ago and I am a mediocre programmer at best, so it won't be too hard for a l337 programmer to automate it for a trojan.
Network Access Protection - http://www.microsoft.com/technet/network/nap/defau lt.mspx which will leave some options open after researching it a bit.
It's nothing, just you're carbodyluminocap acting up... just a couple of hours to fix.
Windows Genuine(TM) TCP/IP Experience(TM)?
My turnips listen for the soft cry of your love
There are bound to be lots of problems. They escalate like so...
Eventually they get poked with holes and become nothing more then background noise
I guess linux doesn't have this problem because everyone keeps their boxen up to date. But then there aren't any security problems with linux anyways, so really you don't even need to do that. If it's true for linux then it must be doubly true for mac. Har dee har har... I crack myself up.
It works like this:
[Internet]
^
|
v
[Gateway with this bastardized DHCP]
^
|
v
[Down-level machines]
So, because the network admins who set up this DHCP are controlling your internet access from their network, they'll probably end up giving you crap because your Linux box can't support the proprietary information they want you to send and because you "don't have any antivirus software! are you crazy!?"
Not that the clueless tech support *needs* any help from them to come out with idiotic stuff like this, but this'll just help them enforce it. "I'm sorry, but our network doesn't support anything but Microsoft Vista! You'll have to come back when you have a more compatible computer."
Lameness filter filler:
Slow Down Cowboy!
It's been 35 minutes since you last successfully posted a comment
Specifically the Canadian Traditional Conservative Party.
FYI TTFN HAND
Crap. What did the new CSS do with the "Post anonymously" option??
This was my first thought. One of the most important part of any security system is the alarm.
They will get in; the point is to have the cops waiting for them.
Crap. What did the new CSS do with the "Post anonymously" option??
Why don't they just use TCP/IP fingerprinting as available in security packages like say NMap? It has been around for years (I've used it since NT 3) and works perfectly for what you want. So if the patch level changes the TCP/IP fingerprint or it embeds it in the DHCP request, we don't have to mess around with special software written to only run for Windows and screw the users/servers having Mac, Linux and other OS'es.
Custom electronics and digital signage for your business: www.evcircuits.com
This reminds me of the "evil" bit -- a bit that's transmitted with each packet or file that indicates if the content is "evil".
In this case, the DHCP request is accompanied by a collection of information that, collectively, can be converted to a single bit: is the requestor evil or not?
Will be pulling their hair out when they try to mooch wifi from my hacked router. No matter what they do it will say they are unpatched
I've seen this before....http://netreg.sourceforge.net/
My university uses a custom netreg implementation that checks for patches and antivirus before it lets you on the network. Sounds a lot like this. I love innovation.
There's a specific difference. Residential ISPs are more likely to require something that is available as part of the Windows base install than something that requires proprietary software from Cisco. In addition, something from Microsoft is more likely to be used to deny Linux users the ability to connect or to require them to move up to the next tier of service at twice the monthly rate.
AC: Which items of Paul Rogers' laundry list did twitter's comment violate? If the M$ one was the most significant, consider that M$ is a valid name for a string variable in (at least early dialects of) BASIC; a lot of people thus use M$ to imply that the world might have been a better place had Microsoft kept making languages and office software instead of branching off into operating systems.
I can't imagine a patent covering this functionality.
While the idea might be patentable, it would be a patent of restricting access to the network based on what software the computer is running.
On a Linux box, to serve back a packet to allow the machine to obtain access would most certainly not use the same algorithm nor be an example of the same idea since the Linux box would be implementing a "work-around" -- simulating a "valid reply" -- not actually returning it's real "windows patch level".
OTOH -- Maybe MS could encrypt & sign the extra DHCP info then use the DMCA if Linux tried to break this [network] "access protection mechanism".
I.e. -- suppose you could be allowed to connect to a "net" if you provide the proper "authorization" (some summary of machine state). Perhaps on that net is offered some "unrestricted" movie & TV watching ability. The "authorization" key could be said to restricting access to the premium content. Cracks to circumvent having a valid "key" (again, perhaps, some software/machine state), might be interpretable as violations of the DMCA...
A virus gets on to the network and thinks, "Hmm, who should I try to attack next." Suddenly, a broadcast, "Hey, everyone! I'm running Vista version XYZ. You know, the one that came out before that big vulnerability patch? Yeah, if someone were to try to infect me, no need to waste time with technique B since I still have security flaw A from before that patch came out." Virus says, "Thanks for the tip," infects the machine, tells it to shut up about needing patches. Administrator comes by and looks at the setting reported by the network. "Hmm, looks like they're up-to-date. Good. Now it's safe for me to let my guard down."
Seriously, there is no chance of this helping security at all and a strong chance that it will set security back.
...is not a typo, but a Dutch company that offers solutions that claim to do the same thing Microsoft does with regard to detecting and quarantining (potentially) compromised hosts, except it's not limited to just windoze boxes. I'm not affiliated with them, but I know for a fact that the quarantining is being thoroughly stress-tested in the field at Twente University, where some 12,000 hosts are under continuous attack from the 'net (mainly due to their fat pipe to it).
Link: Quarantainenet
The Hacker's Guide To The Kernel: Don't panic()!
The article is referring to Network Access Protection (NAP). NAP is not built into the stack - it utilizes existing network protocols to enforce policies. Enforcement mechanisms include DHCP, 802.1x, VPN, and IPSec.
If it's conjestion etc control, QoS and back-offs ought to fit the bill. If it's having a "jail" network, several vendors do that too. Also, it's called a VLAN stupid.
Jury's still out, but none of the features discussed seem worth a crap. Just more icing on a mostly icing cake..err cupcake.
I think this also renders a 30fps 1024x768 MPEG 4 video stream of bells and whistles to a non-existant loopback UDP listener...to keep the processor warm, also implements the little known while(1); algorithm.
Ye$, Micro$oft i$ evil and commit$ both technical and $ocial vandali$m. They break competitor'$ product$ and do thing$ behind their $y$admin'$ back$. Don't you remember how their re$olve configuration had Microsoft IP addre$$e$ hard coded, overriding your ho$t$ file$? Think thi$ DHCP thing will be any ea$ier to override? The $ocial a$pect$ of di$couraging $haring and $uing public $chool$ beggar debate. $o there you have it, evil from propaganda to implementation and enforcement. You $till tru$t tho$e people?
Instead of a re-boot of the PC you can stop & Restart the Network Connections in the services list to clear the IP stack, or create a cmd file the MUST be run as Adminstrator on Vista. Copy and paste the following into a text file and save as xxx.cmd
net STOP Netman
net START Netman
Echo "Netman service stopped & Restarted"
Exit