Microsoft Eyes PC Isolation Ward To Thwart Botnets
CWmike writes "In a paper published Wednesday (PDF), Scott Charney, who heads Microsoft's trustworthy computing group, spelled out a concept of 'collective defense' that he said was modeled after public health measures like vaccinations and quarantines. The aim: To block botnet-infected computers from connecting to the Internet. Under the proposal, PCs would be issued a 'health certificate' that showed whether the system was fully patched, that it was running security software and a firewall, and that it was malware-free. Machines with deficiencies would require patching or an antivirus update, while bot-infected PCs might be barred from the Internet."
I have a simpler PC health idea: stop installing the disease that is Windows.
I presume that fully patched disqualifies anything that doesn't use Windows Update, yes?
another good approach to censorship.
RUN NORTON OR NO INTERNET
M$ should be barred from the Internet.
And who exactly is going to pay for this? If your system is not infected can you be exempted from a "monthly fee" or is it punishing everyone when Windows is the majority of infections? Maybe Microsoft should pay for it all?
Shh.
Every connected device will be mandated to have the bottom 64 bits of its IPv6 address store a PC health certification identifier which will link to their owner's unique citizen identifier. I told you this was coming...
If you want to model how our body recognises and deals with disease, you need to concentrate on whitelists, rather than blacklists. Vaccinations are similar to a community blacklist, but for most pathogens our own immune system can work out what things are appropriate to reject.
Ask me about repetitive DNA
Certification is only open to M$FT licensed computers, the rest of us can sit in spam h*ll.
This is a not-at-all-terrible idea that will ensure people are up to date with such security patches as WGA. Bravo, Microsoft, bravo.
If those darn pirates of our lovely and very safe OS that can't update due to our policy of finding income more important than safety on the web could be disconnected, we could make even more profit!
It's called BSOD :-)
Can you imagine the hysterics if the government had proposed this! But it's a company, so I'm sure it's all OK.
There is no cure for stupid.
while bot-infected PCs might be barred from the Internet.
Or rather, machines that don't have the right "health certificate". You know, like ones running discontinued operating systems, or "unsupported" operating systems.
Seven puppies were harmed during the making of this post.
padded chairs.
Table-ized A.I.
So I don't patch my system because Microsoft's all-knowing patch breaks my line-of-business app. So now I'm out of business either way: I'm patched and have no apps but can get on the Internet, or I have my business app but can't contact my customers.
Way to go MS
This would be really ugly for Linux, BSD, and possibly OS X boxen, but I would expect Apple to play along while proclaiming that their certificates are better because they come stamped with a big shiny sticker.
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
If Microsoft or anyone else were capable of certifying a computer to be malware free, and being right about it, malware wouldn't be much of a problem, now would it?
File under "Dumb Ideas"
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
Computers don't get infected. Windows installations are usually the problem. Besides, I don't need no Internet driving license.
The best test environment is production. - Me
They just want to lock out Open-Source OSes, which won't have such a procedure due to the fact that it doesn't use binary-only distros with checksums built into the low-level OS.
Where is the USDOJ when you need them to remind Microsoft about their recent trip down anti-trust lane? Not to mention a nasty little thing called "collusion" - whichever AV and PKI vendors are selected naturally benefit, and I imagine all the ISPs will have to agree to enforce this as well or suffer some consequence.
A framework like this makes two assumptions that spell doom for future innovation by free thinkers: Microsoft Windows on every consumer device that connects to the Internet and every device using "Microsoft approved/recognized security software." Not a bad approach at first blush since that describes a large part of the marketplace and at least 100% of the problem, but honestly - there are better ways to solve this than trying to fit the future Internet ecosystem into Ballmer's limited imagination.
Read the paper. Please. And look for it soon as a key exhibit at the next anti-trust action against Microsoft.
First; who will be administering this program? Under what authority could an organization possibly 'certify' systems that are located around the world?
Next; How often would these certificates need to be updated? Every time a vendor issues a new patch?
Third; What kind of crazy-ass DRM would be needed to keep folks from just spoofing the certificates?
Unfortunately, this is the kind of simplistic, easy-to-follow proposal that our congress-critters really go for... yeesh.
They sell a product called Cisco NAC, formerly known as "Clean Access," which requires a host to prove it has Antivirus installed and running and the latest patches. If it doesn't, it is only allowed on to a remediation network to get up to date.
Being anti-virus protected and updated sounds like a great idea until you ask questions like "which vendors of antivirus are excluded?" and "which updates will Microsoft push as critical that are just another piece of crapware or something that would break compatibility with something important to the user?"
Microsoft should be responsible. They should push out adblockers and javascript blockers. It makes browsing a lot safer. Oh no... commercial interests would be pissed and we know those interests are of more importance/significance than the end users are... remember Vista and all that DRM encumbered crap? We all know they had the consumer in mind when they did that.
Old SMS client -- System Management Console --- Is supposed to be automatically updated via sms push to the new client -- Configuration Control/Console or whatever.
I've seen computers fall off the 'good' list and onto the 'naughty' list quite frequently. They don't generally patch themselves and make it up to the 'good' list on their own...though that is specifically the idea. M$ hasn't gotten it right for the last decade...so obviously they are going to patent the process and make more money off other people that DO make it work.
Who is this that even the wind and the waves obey Him? Surely this computer must submit also!
Vaccinations are voluntary, at least in the free world. They don't shut the door to the hospital if you haven't had one.
[Please don't start about health insurance now, that's not mentioned in the article.]
I've been running since the early 80s, and have yet to have anything of that sort found on any machine under my control. Which is more than I can say for the networks I've seen "protected" by the major security vendors, every single one of them has regular problems with malware infections. So, when Microsoft can show me a network that's been running under their system for say 5 years with no machine on it ever needing to be cleaned of malware, then I'll take their recommendations seriously. Until then, well, I'll stick with the procedures and policies that've given me a 25+-year clean track record.
Oh, and one of those policies? No Microsoft software unless absolutely necessary, and when necessary its use should be heavily controlled and restricted to only those things it's necessary for.
Just like Detroit, no more traffic jams!
Everybody's complaining about Microsoft being Big Brother here, but I'm reading this differently. It's more like a proposal for something like the W3C, which is a collective body of organizations. W3C's purpose is standardization (they own HTML and XML). This body's purpose would be to quarantine infected systems... so as long as infected != (insert your operating system here), it's good.
Think about it: this sounds like blacklisting specific computers, not blacklisting a whole class of computers or whitelisting another class.
Honestly, if this proposal had come from Red Hat, would you be so quick to throw darts at the company proposing it?
And I suppose they check whether your PC is healthy enough to go on the internet.....via an internet connection? A chain is only as strong as its weakest link.
Perhaps Micro$oft hasn't heard the story of Typhoid Mary (http://en.wikipedia.org/wiki/Typhoid_Mary). It's a much better security model to apply here.
Just coding a real OS, with real security, with real support?
Copy what works in OS X, Linux, Unix and any bespoke or research OS.
Put all that wasted outside effort into a new clean MS OS, port/code over the Office/productivity/games and release low cost consumer dev tools.
Like a big console for today's next-gen Intel/AMD/ARM based hardware.
As every product is an app and gets 'tested', most of the basic legacy MS malware should be cleaned out.
Drivers are written for the OS under strict new testing and NDA controls.
A shorter list of new hardware. No more "Linux" ports or other strange license options; quality DRM is a must. Apps can be free (code free so the young can learn to make apps and later earn from their efforts in the MS way), small cost or consumer/prosumer etc.
Call it MS ~ Newstart, add the new "BIOS" efforts so it starts real quick.
Add some subsidised Youth Allowance and MS Study so the young and university staff can be guided into code and app development.
For countries with populations where cash flow is still an issue, roll out MSAid ~ MS Agreement for International Development.
Well funded local community plans to ensure the generational use of MS products.
Domestic spying is now "Benign Information Gathering"
Who gets to decide what constitutes "fully patched", I guess Microsoft? So if I refuse the WGA patch, my machine will be quarantined?
Of course, to make this work, the program doing the detecting (i.e. Windows) must be running on a trusted base. Um, didn't we hear something like this before, like Trusted Computing?
We all know this is not about security. This is about control, MS just wants to have its own walled garden, seeing how profitable Apple's garden is.
Oliver.
Is retarded. What about the people like myself who don't fully patch up our systems? The number one safeguard against viruses and exploits is safe computing. If you aren't retarded about what you do on the Internet, you probably won't have many problems. On an older machine of mine, installing the service packs and supporting patches just slows down the machine and causes annoyances.
...PC must be running the latest greatest version of windows. None of that dubious "open source" stuff. But of course there's no self-interest here, nononosireee(ms)bob.
Now! Download your Microsoft Health Advantage certification application! (Note, validation required.)
Those are my principles, and if you don't like them... well, I have others.
It seems like most everybody doesn't understand (or notice footnote 14 on page 5) that, in order for this to work, all the subject devices must have trusted processing capability. That means "TPM" chips, signed OS kernels / hypervisors, and the inability to run untrusted root-level code. Take a second to laugh at the idea that anyone will be able to introduce a bug-free hypervisor / TPM environment that can't run unsigned and untrusted code. After you're done laughing at that I'd recommend being angered at the notion of such a thing, since it will effectively eliminate control of the devices owned by consumers.. turning every device with a "clean bill of health" into a walled-garden appliance. As long as consumers own and control their general purpose devices there will never be a way to do what this paper describes. Frankly, I'm alright with that. We'd do a lot better to just assume that every device is untrusted and act accordingly.
The Attitude Adjuster, I hate me, you can too.
the new attack of the future denial of health certificate
"... while bot-infected PCs might be barred from the Internet."
So, with the three Windows computers left on the Internet after this happens, I wonder what it'll be like...
I often find the internet vital to download the latest updates to programs like Spy Bot, how am I going to do that (and get rid of the infection) if my computer is banned from the net?
At an ISP level, it wouldn't be just the infected machine.
And what about wireless hot spots?
Unix is very user friendly, it's just picky about who its friends are.
Wait, it's actually sort of obvious. It won't work for its intended purpose, it will annoy users and keep them from getting work done, and people will exploit the system to knock computers offline.
Pay me money to certify your computer, or you can't access the Internet. I won't guarantee anything, mind you.
The recent court decision that allows corporations to make unlimited "donations" to politicians.
So systems not running a M$ OS will be locked out?
Will they also say when Windows 8 comes out that all XP, Vista, and 7 systems will be locked out?
Let me get this straight. M$ designed and still releases operating systems that are riddled with security issues. M$ charges more or less the same amount for their OS no matter which country it is sold in. It takes the consumer on the average wage this many years in countries such as China (20 years) and India (40 years) - (this has reduced in more recent years, with office workers in China now taking much less), providing they lived on air and saved every bit of money they earned, in order to save up enough money and purchase a legitimate copy of M$ Windoze. M$ issued WGA to identify machines that were installed without an authentic license. Once identified as non-genuine, M$ refused security updates to those machines that would protect them from infection through vulnerabilities. These machines get compromised by malware, largely through lack of adequate security protection, and are then used for malicious purposes on the Internet. M$'s answer is to deny these users access to the Internet.
The funny thing about this... older versions of Windows are being exploited less and far fewer malwarez are currently being written that even support them. So, if I have a windows 2K box that I only play game "X" on, then I would not qualify for a "health certificate". Patch that, Charney!
Secondly, what about non-M$ OSes?
I hope no one at M$ is making the determination as to how secure my nix distro is. They can't secure their own OS, much less mine.
Lastly, WHO is going to be in charge of this? The government? ISPs? M$? The FCC? Not one of those sounds even a little qualified to do the job.
Why can't we go back to using jumpers to configure slot adapter cards? Why? I say!
In other news, suddenly no Linux machines can connect to Windows servers.
Sorry, but Microsoft lost my trust more than a decade ago. Microsoft is like an abusive boyfriend who says "Trust me - I've changed, this time is really different ..."
The only right response to both is "Drop dead!"
-- Barbie
What part of "fuck M$" did people not understand?
I have a better idea: why not just ban all PCs that identify as having anything less than a 100% current Microsoft operating system from the Internet? Unless you have the patch that just came out, you won't have Internet access until you do! OS X and *nix will be exempt until they start to display similar problems with malware, at which time a similar system could be implemented banning anything less than the latest updated machines! If you have a kernel older than 4.6.x then BAN; if you're not on OS X "Sea Dolphin", BAN.... This will 100% solve the problem, as eventually, as security patches roll out, it will wind up banning EVERYONE!!! No more viruses!!! (Well, except those pesky USB worms.... oh, and BIOS worms... oh, and CD rootkits.... and whatever other non-net methods there are.) The only way to keep from being banned would be to leave the system on 24/7 and have it check for updates every 0.1 seconds!
Isn't that kinda like making a person who has leprosy walk through the town square ringing a bell instead of curing the disease?
Two roads diverged in a wood, and I - I took the one less travelled by. (Robert Frost, 1916)
Yeah, this would have been first post. Unfortunately I wasn't allowed to connect to the internet. Something about Zeus...
Honestly though, if you can't access the internet, how does Microsoft expect most people to remove their virus? Geeksquad?
Why in the devil do you have ssh available to the world?
I almost automatically moderated this up, but decided instead to respond.
ssh is Secure Shell. It is supposed to be a secure method of accessing a system (remote or otherwise). It does this job well.
So well, in fact, that there are computers out there whose job it is to bounce username/password combos off machines, slowly, in order to attempt to compromise them. Some (most?) of these machines are simply poorly secured systems that have been previously compromised, and are now doing the bidding of an outside force. Many of these "compromised hosts" can act in concert, spreading the attacks out not only over time, but also over IPs, making them difficult to detect and/or block.
One solution is to watch vigilantly for these attacks, and block the IP addresses of those machines from your ssh port, or (as is more common) to block them from touching your network at all. Those machines will get lonely, eventually...
Another solution is to implement some other form of security, either replacing the default security (using ssh keys instead of passwords, for example), or augmenting (read: hiding) it (using port-knocking, non-standard ssh ports, etc). These methods can be combined, to make an even more secure system.
Unfortunately for all of these methods, the average user is unable or unwilling to perform them, due to complexity. Unfortunately for all of us, the moment it becomes simple enough for the average user to figure out (and thus use) these methods, there will be an exploit that attacks the newly-simplified access method.
In short, having sshd open to the world, on the standard port, is probably an indication that a system can be broken into more easily than one which does not appear to be running sshd on the standard port. This really says not much about the security of the system itself, and the only reason to secure your ssh more than the default configuration already is (valid username/password required) is to keep from having huge log files full of failed attempts to crack into your system.
Personally, I use a combination of several of the ideas I offered above, because I am lazy and hate reading logfiles, especially when it seems critical that I must do so (30 attempts to crack my ssh key in an hour? bad monkey, no cheeto!) It is much easier, less stressful, and not time-consuming in the slightest to have my firewall simply drop all packets destined for port 22.
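The post above describes two things a log-watcher has to catch: one noisy source hammering sshd, and a botnet spreading the same dictionary attack across many IPs so that each one stays below a naive per-IP threshold. The script below is an added example of both checks run over constructed sshd log lines; it is not the poster's code, and the log format (ISO 8601 timestamps, as journald/rsyslog can be configured to emit), the thresholds, and the iptables rules it renders are all assumptions chosen for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in the shape of OpenSSH auth messages with
# ISO 8601 timestamps. Example data only, not captured from a real host.
SAMPLE_LOG = """\
2010-10-06T10:00:01 host sshd[4102]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
2010-10-06T10:00:03 host sshd[4104]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
2010-10-06T10:00:04 host sshd[4106]: Failed password for root from 203.0.113.5 port 51244 ssh2
2010-10-06T10:00:06 host sshd[4108]: Failed password for root from 203.0.113.5 port 51250 ssh2
2010-10-06T10:00:07 host sshd[4110]: Failed password for root from 203.0.113.5 port 51252 ssh2
2010-10-06T10:00:09 host sshd[4112]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
2010-10-06T10:05:00 host sshd[4120]: Failed password for invalid user oracle from 192.0.2.10 port 33001 ssh2
2010-10-06T10:25:00 host sshd[4131]: Failed password for invalid user oracle from 192.0.2.11 port 33002 ssh2
2010-10-06T10:45:00 host sshd[4140]: Failed password for invalid user oracle from 192.0.2.12 port 33003 ssh2
2010-10-06T11:05:00 host sshd[4152]: Failed password for invalid user oracle from 192.0.2.13 port 33004 ssh2
2010-10-06T11:25:00 host sshd[4160]: Failed password for invalid user oracle from 192.0.2.14 port 33005 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional because
# sshd omits it when the account exists (e.g. root).
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(text):
    """Yield (timestamp, username, source_ip) for each failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("ip")


def find_attackers(text, per_ip_threshold=5, per_ip_window=timedelta(minutes=10),
                   spread_threshold=4, spread_window=timedelta(hours=2)):
    """Return (noisy_ips, targeted_users).

    noisy_ips: sources with >= per_ip_threshold failures inside per_ip_window,
               the classic fail2ban-style trigger.
    targeted_users: usernames tried by >= spread_threshold *distinct* sources
               inside spread_window. This catches the distributed, low-and-slow
               case where each bot stays under the per-IP threshold.
    Thresholds are assumed values for the example.
    """
    per_ip = defaultdict(deque)    # ip   -> timestamps of failures (sliding window)
    per_user = defaultdict(deque)  # user -> (timestamp, ip) of failures (sliding window)
    noisy_ips, targeted_users = set(), set()
    for ts, user, ip in parse_failures(text):
        q = per_ip[ip]
        q.append(ts)
        while q and ts - q[0] > per_ip_window:
            q.popleft()
        if len(q) >= per_ip_threshold:
            noisy_ips.add(ip)

        uq = per_user[user]
        uq.append((ts, ip))
        while uq and ts - uq[0][0] > spread_window:
            uq.popleft()
        if len({src for _, src in uq}) >= spread_threshold:
            targeted_users.add(user)
    return noisy_ips, targeted_users


def block_rules(ips, port=22):
    """Render iptables rules that drop the offenders' SSH traffic (assumed
    firewall; adapt to nftables or a cloud security group as needed)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"
            for ip in sorted(ips)]


if __name__ == "__main__":
    noisy, targeted = find_attackers(SAMPLE_LOG)
    print("noisy sources:", noisy)
    print("usernames under distributed attack:", targeted)
    print("\n".join(block_rules(noisy)))
```

On the sample, 203.0.113.5 trips the per-IP rule after five failures in eight seconds, while the five bots trying "oracle" twenty minutes apart never exceed one failure each and only show up through the per-username distinct-source count; that second signal is the one a per-IP blocker such as fail2ban cannot give you on its own. Switching the host to key-only authentication (`PasswordAuthentication no`) makes both kinds of attempt fail regardless, which is the post's real point; the detection then mostly serves to keep the logs readable.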
Let's take a trip back in the Wayback Machine, all the way to 1996. Remember the "Good Times virus"? The hoax email that kept getting forwarded around because the very idea of a virus you could catch through email was funny?
Am I REALLY supposed to take security advice coming from the organization that actually turned that joke into nightmarish reality seriously?
It's not as if nobody predicted that their foolish conflation of opening a document and running a program would result in disaster. Pretty much everyone not waving the MS flag predicted it loudly.
If we're REALLY serious about cleaning up the viruses, ban Windows from the net until they rip that abominable idea out of their OS by the roots.
Because fully patched PCs, with updated antivirus, running a firewall, never get compromised, right?
If we cut off all Microsoft PCs from the Internet, patched or not, 99.9% of the problem goes away.
Two types of Win PCs exist: one that IS infected, and one that is ABOUT to be infected.
Microsoft decides they can't build a secure OS so they want to shift the onus to the end user. If this ever gets close to "off the ground" hopefully with the advances in wireless technology someone can feasibly launch Internet 2 (3?) via wireless and lockout these controlling freaks.
I fell behind on my security patches, so my machine was disconnected.
But it's ok, because I'll just get online and download th..
Oh.
May require a bit of a portability layer to run on some systems.
#!/bin/sh
# Joke health check: uname reports CYGWIN_NT-* when running under Cygwin on
# Windows, which this script treats as "infected"; anything else passes.
case "$(uname -s)" in
  CYGWIN* )
    echo "dive for the network cable and yank it out, as fast as you can!"
    echo "also, flip the wireless switch to off!"
    exit 1
    ;;
  * )
    echo "good to go"
    exit 0
    ;;
esac
"No thank you"
This is another episode of Microsoft's security theater. While they'll portray this as making Windows more secure, it actually won't have much, if any, real benefit (a la UAC), and is actually designed to stifle other operating systems.
Apple, Oracle, and other big OS vendors will be given the opportunity to buy their way on board, but all the small players, including Linux distros, will be shut out.
I have a saying about Windows, and I've been accused of trolling with it: Windows is designed to be sold, not designed to be used.
By sold, I don't necessarily mean the retail box sale or the initial rollout of a service contract, I mean every dollar and minute spent to maintain Windows as well. From your tech-illiterate uncle taking his PC to Geek Squad, all the way to this blatant (to the people who know what to look for) extortion scheme.
Microsoft created all of these issues. They know it's not profitable to actually solve them.
There is an Open Source alternative to Microsoft's proprietary system, called PacketFence.
Systems not running a M$ OS will be fine as long as there is either an exception established, or a NAP agent installed: Microsoft has promised to make the technology available so people can develop NAP agents for Linux and Mac OS.
UNETsystem announced NAP compatible versions of their AnyClick product for Linux and Macintosh OS X operating systems.
I don't think this is really intended to lock other OSes out, although it may make things more expensive, be a slight annoyance, and more annoying (with no real benefit for these other OSes), if you have to buy some proprietary product for them.....
And it can also be a unique problem for the likes of Knoppix... won't fit well into a NAP scheme. Thus forcing Linux on the network to have some of Windows' inflexibilities, unless you set aside special IP address ranges for Linux boxes and exclude them from the NAP scheme.
Even if you buy the premise that this would work the way described and actually "increase" security and "decrease" the botnet problem, and even if it works 100% of the time, and even if they somehow also do this so that OSX, Ubuntu, and 1000 other operating system variants can take advantage of it, and even if you then do not run into the problem of the computer behind the computer/router having been certified (remember NAT?) being infected ...
Even then, do you really think that if this infrastructure were pervasively implemented, it would not then get used for something entirely different? I mean, you are already looking deeply into the system, you are already cutting off internet access permanently ... Why not simply check for Limewire while you are at it? Or uTorrent? I am sure the right lobby could persuade Microsoft to do that with a wad of cash or some juicy contracts for their media division ... And really, LibreOffice is not certified secure (all those homeless, stinky hackers working on it for free never really got a proper Microsoft Certified Security Expert badge, they probably don't even know what security is all about ... so better not allow subversive freeloader-stuff like that to run, either. Oracle OpenOffice is OK, after all, they are a big company and MS really needs that patent exchange deal with their database folks, right? ... Surely facebook can secure their stuff (they can pay MS Security experts with badges to secure their Windows servers, after all), but twitter? Those guys don't even have a revenue stream. Better to just cut off access to that as well.
And everybody knows people get their viruses and worms via social networks, especially the newfangled ones like Ping or newcomers
Granted, I need to patch some holes in my tinfoil hat, but is it really so far-fetched to assume MS or whoever were to be in charge of it would not abuse it? And if they are all ethical, reasonable people who will not at all abuse their power when given the chance, do you really think they could secure their own services so that they are beyond reproach? Why develop a botnet to take down Amazon.com when you can simply flip a switch and take half the planet offline?
Questions that need to be answered:
Instead, how about a class action lawsuit against MS for all this nonsense? (Ya ya... I know... the EULA says they can abuse me... but just sayin'!) For all the sysadmins who have worked all night to fix infected servers, over and over. For all the customers who waited for the sysadmins to fix their infected servers. For all the money spent on nonsense like antivirus programs, Spybot cleaners and malware removers that don't work. For all the businesses who spend millions and endure downtime during insane repetitive patching that never ends, and never will end. For all the people who had to deal with an infected home PC by enlisting Geek Squad geeks or others, over and over. For all the computer geeks who continually get called to family and friends' houses to fix infected Windows PCs. At even $10 per hour spent on all this nonsense worldwide, you could instead feed all the hungry on the planet and have money left over. Are we so accustomed to this insanity that everyone has given up and just accepts this status quo? Is there no one else but me who feels this way?
SharePoint is the shit! Not figuratively, literally. Heaping mounds of steaming shit.
Damping absorbs vibrations. Dampening is caused by moisture.
This all stinks of Microshit. Nix and maybe Mac won't be part of this system, will they?
Every single time I see the stupid little popup telling me my Windows machine is possibly infected, I click on it.
WHAT ELSE DOES MICROSOFT WANT FROM ME?!?!
"A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
It will never happen. Not when certain malware goes undetected by most antivirus (http://thepcsecurity.com/latest-security-software-cannot-detect-zeus-virus/). Not even Microsoft can ensure 100% protection from malware with their free Microsoft Security Essentials antivirus.
Fully patched Adobe products have remained full of holes for months (forcing some to disable certain functionality manually.) Furthermore, new patches can never be tested on all configurations before deployment, meaning someone is going to be vulnerable despite patching.
I can't see this coming about as advertised, but it is certainly generating a lot of interest and feedback. That's probably what Microsoft intended: a political manoeuvre to get everyone aware of the problem before they compromise with a "lesser" solution.
"To block botnet-infected computers from connecting to the Internet. Under the proposal, PCs would be issued a 'health certificate' that showed whether the system was fully patched, that it was running security software and a firewall, and that it was malware-free. Machines with deficiencies would require patching or an antivirus update, while bot-infected PCs might be barred from the Internet."
I'm sure the machine will have to run windows to get the health certificate.
So how are these Windows PCs going to download the patches if they are banned from connecting in the first place?
Microsoft's trustworthy computing group
Be seeing you...
I don't keep my systems "up to date". The system I'm posting this from is still on XP SP1. And there is a good reason for that. I've only ever had one problem with anything that I got from the Internet. That one thing was a "Microsoft Security Update" that apparently managed to rewrite my NIC start-up parameters (all modern NICs have flash memory) in such a way that any OS that trusted the NICs start-up settings would be unable to use the interface. And guess what, Windows didn't trust the start-up configuration stored in the NIC but Linux did!
After that experience I decided that I was better off not trusting Microsoft to not deliberately muck up my hardware any way that they could. Of course, many others have suffered in other ways from adopting Microsoft patches, or even had them forced on them without consent. I'll continue to trust my own ability to defend against the bad guys on the Internet; as far as I'm concerned, Microsoft is one of the bad guys.
I still have a no-longer-supported copy of Win98 running on one system, quite happily and safely. I'm sure that Microsoft would love to pop up a message saying that since they no longer want to support my old OSes, I can't use them to connect to the Internet any longer.
I'm an American. I love this country and the freedoms that we used to have.
Perhaps crooks are quite happy with a more homogenous (and still "open", wink wink) MS OS landscape. All systems will be provided with the latest patch (read "new hole").
Bert
Come on, what's the first thing these malware guys are going to do? Spoof your little certificates! Hell, if they didn't, I would, so that I can continue my Windows-free lifestyle.
I like the idea of cutting all those Windows boxes off the net. It would be very interesting to see what all those millions of users do once they realize Microsoft has sold them crap that they can't use on the Internet because it's a steaming pile of security holes. Today most people won't notice their computers have been owned; cutting them off would change that pretty clearly.
TPM etc are just thrown in by Microsoft to use this as a way of cutting non-windows systems.
The way this would better security isn't that the computers are cut off the net. It would work by making Microsoft's users start to see clearly the downsides of bad security and start demanding better security from Microsoft instead of today's lip service. A couple of million users without access to the Internet won't accept Microsoft sidestepping the blame with UAC; they will demand that it fix the underlying issues.
Next time you hear a politician talking about "securing the Internet" through legislation, remind them of this:
Granny's medic alert device failing to summon help from Symantec's "beg for mercy" captive portal would make a dynamite campaign ad, wouldn't it?
http://bit.ly/adEngl
So unless US politicians really want to shut off the home Internet of a majority of the voters, every Netgear, every Linksys, every tablet and iPod, every Wii and PlayStation, every home alarm system, every VoIP phone, every digital picture frame, you name it, which is made before this "grand solution" can be imposed will end up with a blanket exemption.
That's pretty much everything with an ethernet port or wifi.
Except, of course, those systems from Microsoft and any other vendors that might go along with the plan. But look out! If their big power play is successful, they've won themselves the ability to f*** with their customers' network connections!
Way to go guys, let us know how that works out for ya.
Embrace, extend, extinguish.
Certain Linux systems won't have need to spoof the "health certificates", they'll issue an equivalent of their own with Microsoft's new "Linux friendly, cross compatible, generic system certificate" or some other nonsense, which, you can be sure, will include patented code provided by Microsoft via those Linux distros who were so quick to sign those nonaggression pacts with Microsoft (I'm looking at you, Novell!).
All for a "nominal" fee, of course.
As for identifying systems... easy as including hardware serial numbers, which, as I recall, WGA uses for validation purposes ever since XP Service Pack 2.
This might be a boon for darknets, though, particularly those using nonstandard infrastructure, dialup, and open air transmission.
And to whom do you complain about false positives?
Every time we have a story about this I've mentioned this idea. Botnets have specific behaviour. They do things which are bot-like. They send massive amounts of e-mail, connect in certain ways, etc. It should actually not be that difficult for an ISP to determine if one of their customers is infected by checking logs for certain patterns.
The solution to botnets, spammers, and others like that has always been very simple. Cut them off.
Then have the "good" ISPs who cut these people off blacklist any ISP that won't do it. If someone wants to be a haven for spammers and malware distributors I can't really see the need of doing business with them.
This shouldn't be a pre-emptive thing. It should be responsive. Give people the benefit of the doubt. Let them make whatever choices they want. But if it appears they're infected with a botnet, give them a chance to either clean it up, or cut them off. It's trivial to add that customer to an automatic group whose only access is to a local intranet where they're given a choice of a wide variety of free and paid applications (along with all recent definitions) to clean up their machine. After doing so, they can be moved back into the general public.
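The comment above describes a responsive, behaviour-based scheme: spot bot-like patterns in the ISP's own logs, move the customer into a remediation-only group, and let them back once they have cleaned up. As an added illustration (not code from the commenter or from any ISP), here is a small Python model of that loop. The flow-log format, the customer IDs, the IP addresses and the fan-out threshold of 20 distinct SMTP destinations per hour are all constructed assumptions; the one pattern checked is the classic spam-bot signature of one home connection talking to many different mail servers in a short window.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample flow records (not real ISP data), one per line:
# "<unix_ts> <customer_id> <dst_ip> <dst_port>".
# cust-1001 browses the web and sends one mail via its provider's submission port;
# cust-2002 opens SMTP sessions to 25 distinct mail servers within the same hour,
# the fan-out pattern a spam bot produces and a home user does not.
SAMPLE_FLOWS = "\n".join(
    [
        "1286496000 cust-1001 203.0.113.10 443",
        "1286496060 cust-1001 203.0.113.11 443",
        "1286496120 cust-1001 203.0.113.12 587",
    ]
    + [f"{1286496000 + i} cust-2002 198.51.100.{i} 25" for i in range(25)]
)

SMTP_PORTS = {25, 465, 587}
WINDOW_SECONDS = 3600
# Assumed threshold: a home customer rarely contacts more than a handful of
# distinct mail servers in an hour; a spam bot contacts dozens to hundreds.
FANOUT_THRESHOLD = 20


def parse_flows(text):
    """Parse the space-separated flow lines into (ts, customer, dst_ip, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, customer, dst_ip, port = line.split()
        flows.append((int(ts), customer, dst_ip, int(port)))
    return flows


def smtp_fanout(flows, window_seconds=WINDOW_SECONDS):
    """Per customer, the largest number of distinct SMTP destinations seen in any one window."""
    buckets = defaultdict(set)  # (customer, window index) -> set of destination IPs
    for ts, customer, dst_ip, port in flows:
        if port in SMTP_PORTS:
            buckets[(customer, ts // window_seconds)].add(dst_ip)
    fanout = defaultdict(int)
    for (customer, _), dsts in buckets.items():
        fanout[customer] = max(fanout[customer], len(dsts))
    return dict(fanout)


def suspected_bots(flows, threshold=FANOUT_THRESHOLD):
    """Customers whose SMTP fan-out reaches the threshold in at least one window."""
    return {c for c, n in smtp_fanout(flows).items() if n >= threshold}


@dataclass
class AccessPolicy:
    """Tracks which access group each customer is in: 'full' or 'remediation'.

    'remediation' stands for the walled-off intranet the comment describes,
    where only clean-up tools and definition updates are reachable.
    """
    groups: dict = field(default_factory=dict)

    def group_of(self, customer):
        return self.groups.get(customer, "full")

    def apply_detections(self, flows):
        """Move newly detected customers into remediation; return who was moved this pass."""
        moved = []
        for customer in sorted(suspected_bots(flows)):
            if self.group_of(customer) != "remediation":
                self.groups[customer] = "remediation"
                moved.append(customer)
        return moved

    def recertify(self, customer, clean_scan_ok):
        """Return a quarantined customer to full access once a clean-up has been confirmed."""
        if clean_scan_ok and self.group_of(customer) == "remediation":
            self.groups[customer] = "full"
            return True
        return False


if __name__ == "__main__":
    policy = AccessPolicy()
    flows = parse_flows(SAMPLE_FLOWS)
    print("quarantined this pass:", policy.apply_detections(flows))
    print("cust-2002 group:", policy.group_of("cust-2002"))
    policy.recertify("cust-2002", clean_scan_ok=True)
    print("cust-2002 group after clean-up:", policy.group_of("cust-2002"))
```

The detection is deliberately one-sided: it only ever moves a customer into remediation on evidence from their own traffic, and only moves them back on an explicit recertification, so a false positive costs a support call rather than a permanent cut-off. A real deployment would add more patterns (DNS query volume, connections to known sinkholes) and would rate the threshold per customer class, since a small business mail relay legitimately exceeds a home user's fan-out.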
The whole idea reminds me of "Data Execution Prevention": http://en.wikipedia.org/wiki/Data_Execution_Prevention and "restore points", etc. :rolleyes:
yeah, that worked great
Sounds like they're chasing their dream of dictating what you install & run on your PC, and who is "allowed" to connect to the internet. Think we all know where they can stick that certificate.
Good to see that almost no-one on here has any confidence that the ostensible purpose of this suggestion is the real one.
This time it's gonna be different, trust me.
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
Just over a year ago?
And when someone doesn't like you, or the files on your computer, or posts you make... yeah, you appear to be part of a botnet, your "health cert" is being revoked.
We should promote a policy that any Windows systems that are not fully patched be automatically upgraded to run Linux. That nicely solves the problem of them joining botnets and means that MS doesn't ever have to worry about those systems again. MS shouldn't care because they've already made all the money they are getting from these systems anyway (since the owners have demonstrated that they are not going to ever pay for an upgrade). This way, older systems would eventually all convert to Linux, a much safer thing for the internet,
And this idea blows up as soon as spammers/phishers/bot herders just start building fake "your computer has been infected" homepage redirects that take clueless users to their own fake "here's the tools you need to install" page.
There is no software in the world that will cure stupid.
The Digital Sorceress
Deny internet access because you're not fully patched? That's never going to fly!
In several regulated fields (such as for medical software) you can't install a patch before testing the regulated software on a patched test system. If the tests pass, then you can install the patches on the production system.
They expect us to run a battery of tests every time MS releases a patch just so the system can keep its internet access?
~Syberz
Systems like these already exist from vendors like Cisco and Trend Micro. Besides... my PC is already protected with Antivirus 2009 and Windows reports that I'm fully protected!
Something like six years ago... It essentially sat between the DHCP server and the client, requiring that you had a certain patch level and virus protection/firewall settings before you were allowed on the network. Seemed like about as much of a pain as most security products are, but it worked for the general case. Malicious people could still bypass it, but if random marketing guy plugged in his vulnerable laptop it generally kept it from infecting anything.
ENDFORCE was the name of the company then, but there were other competitors out there.
I believe that the capability already exists in Active Directory to isolate systems that do not pass muster when it comes to security patches and a recent malware scan showing the system to be clean. All that is required is for ISPs to mandate that their users be joined to an AD forest maintained by the ISP in order to get "full" internet service. If your system fails the security checks, it gets shunted to a walled off network where the only thing you can do is download WSUS updates and antimalware definitions updates and removal tools, until such time as you have installed them and can recertify that your system is safe to be on the real network once again.
It's already here, in terms of capabilities; it just remains to be implemented. There are plenty of business and political obstacles to that happening in non-corporate environments like residential ISPs, but my hunch is that it's all but certain it'll just take a cyber-9/11 event to get the necessary laws passed to overcome those obstacles.
You see? You see? Your stupid minds! Stupid! Stupid!
A network protection scheme doesn't have to verify that Macs, Ubuntus etc. etc. are "compliant", because those are noise in the signal as a percentage of customer endpoint equipment. A network protection scheme has to keep people who want to continue running MS stuff up to date and patched. It doesn't have to keep Windows power users from getting on the internet if they can read about registry hacks or whatever,
If this is client-side, what stops malware from performing those same "registry hacks or whatever" automatically on behalf of the user?
Good idea, but will still fail... because, once the culprits who write the malware know what the certs are, and how to fake or manipulate them, we are just back to square 1. I have said once before, the main spam problem can only be rectified one way... by charging per email, .01 cent, with a cap of about $50. That's it: your ISP provider will send you off a bill at the end of the month, and if you hit $50, you know you are infected seeing as you have not sent any mail; you will disconnect yourself, and bring your PC to a tech who will clean it for you, or install legit Windows for you, and then you will be back on the internet.
Once back on the internet, if it happens again, you will know next bill. Not only will this help pay the ISP for all the bandwidth they are losing, but also make it impossible for spammers to spam legitimately... it would be too expensive, and the reason most malware exists is to send spam, so if you block the spam, then there is not much profit to be had if you can not send your emails, or are disconnected from the botnet.
So far most have missed the point of this. You all might as well say please bend me over and stick it in deep with no lube. What sounds good out the gate is going to take away much more than you think from each and every one of you. You will be controlled: to look at what they want you to see, hear what they want you to hear, to be watched as you do anything at all. Fine if it were to stop malware etc., but in the end it controls all aspects of your web. This step has been coming; now welcome it with open arms like you all do the one world government.
Please bash me, tear me down and make me look like I have no idea. When it's all over I will be laughing.
I guess that if my ISP's servers ever got infected, then either they would cut their own selves off the internet or the backbone to which they are connected would do that for the rest of the world? All ideas of disconnecting people from the internet because they are "infected" are trash. We're only treating a symptom of a problem: lack of security in application development.
Well this is a great idea (replete with sarcasm), well at least for Microsoft to regain control over the whole PC market. They would get to decide whose PC is worthy of Internet access. WOW, Wonderful, Robotic Overlords, who needs them when Microsoft gets to say who can access what. Hm, why am I seeing a requirement for access being Windows running on the machine?
Kosh: "Understanding is a 3 edged sword, your side, their side, the Truth."
Nothing particularly new under the sun, and then it's just the MS way... They've been incorporating this kind of thing for quite a while now. About a year ago, I attended the official MS cryptography class 2821A, aka PKI environment managing and setup. The tutor was a very bright guy, great instructor AND seller of MS-related stuff. He was also kind enough to share that some of the bleeding edge stuff they were currently doing was just like what the article announces. The weird part? It was done in Kosovo of all places on the face of Earth... It begs to differ, but this reminds me of the opportunities that disaster capitalism offers to, hm, MS innovators. Being able to implement a Layer 1 or Layer 2 discriminatory network that doesn't let a single PC plug in to a simple router and get on the network without all the patches to the OS and the antivirus soft already present - whoa, that is a whole new level of paranoia. But yet again, it was work done for their banking and financial systems - literally being recreated from scratch, that recently had to bleed some upper management staff, due to misappropriations and money laundering. Given the ripe atmosphere of rogue lawlessness, no wonder those boys didn't want to share the pie with some - with any - script kiddies. ;)
Now, Make Your WISE Move...
If you're deemed unworthy and your internet privileges revoked... how does one get the required updates and patches to get back online? I presume they - the ISPs - would allow you access to certain websites like Windows Update or McAfee patch central (whatever it's called) - so how do you get on the list of allowed sites? Who controls that list?
I find myself wondering exactly what it should take to get a "health certificate" for any system that could operate as a NAT router.
How frequently should health certificates be rechecked?
You'd need the active equivalent of an SSL session with every device to make substituting your real computer after validation at least a little harder, maybe even as hard as it is to crack DRM now.
That's for people who want to plug arbitrary devices onto the Internet. Auntie chatting and tubing and filling out marketing surveys would have to stay current on whatever OS could get a key.
As always, all IMO. Insert "I think" everywhere grammatically possible.
"Commonly available cyber defenses such as firewalls, antivirus and automatic updates for security patches can reduce risk, but they're not enough," Charney said. - By Gregg Keizer, October 7, 2010 06:49 AM ET http://www.computerworld.com/s/article/9189838/Microsoft_pitches_PC_isolation_ward_to_defeat_botnets?taxonomyId=17&pageNumber=1
They're not as comprehensive as this guide is, this is certain:
http://www.pcreview.co.uk/forums/thread-3511888-1.php
----
"And who exactly is going to pay for this? If your system is not infected can you be exempted from a "monthly fee" or is it punishing everyone when Windows is the majority of infections? Maybe Microsoft should pay for it all?" - by headkase (533448) on Thursday October 07, @08:12PM (#33831560)
Nobody has to PAY for it: CIS Tool or MBSA are 100% free, and they work (both are based on "industry best practices" for "layered security", & CIS Tool is also multi-platform (runs on Windows, Solaris, Linux, and BSD variants)).
Take 1-2 hours of your time and secure yourself with free, reliable and highly respected/noted tools as your guides that use the concept of layered security practices.
Do it yourself, & for years to decades of uninfested/uninfected uptime.
E.G. -> It has worked for myself for years, and my customers, friends, and families (along with a LITTLE "user education" - "online behavioral modification" in "best practices online" etc./et al., too), simply by using the concepts of "layered security" noted in the guide's points/tips/tricks/techniques/toolsets.
APK
P.S.=> For testimonials of how WELL it's worked for others? See that at many of the places it is posted on forums worldwide which have DIRECT user feedback in them, and they are found via searching this on google:
http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE
Many folks have experienced the same as I have (or Thronka & others at 3dguru.com & MANY other sites - no malware infestations for years after applying this guide and its concepts)... apk
This means that organizations will have to be patching their systems constantly again. Many organizations gave up on that a few years ago because patching Windows in particular in any large organization is a full-time job.
I am surprised that ISPs haven't already built up terminal service farms and started renting out thin clients to grandmas. You get a thin client computer installed and set up by a tech, a fully managed desktop with most of the common software you need to get on the Internet, plus they can sell you space to store your family photos. Grandma doesn't need anything more than a web browser, Office Online, and the Microsoft freebie sites. An ISP could do the same with an LTSP solution and Google Chrome and Google Docs, but it is just way easier to find people who have set up Citrix/terminal server farms. An even better solution would be thin provisioned virtual machines. If the ISP controlled so many of the computers I feel you would get that 100 Mbit link a whole lot faster. Back to the mainframe days. And yes, I know there are lots of barriers to this type of solution and it severely restricts grandma from running all the stupid apps she thinks she needs, but that is not the point. The point is why aren't ISPs looking to tap this market? It is there.
I like it. First Microsoft invents an OS that is easily infected with whatever plague one can invent, now they are trying to decide whether the system is defended enough. A number of products such as antivirus tools, firewalls etc. are NOT properly recognized by Windows. The result is obvious - if you use, say, ClamWin, which is free and NOT recognized by Windows, you will be blocked from the Internet. I hope this idiotic proposal will make some people switch from Windows to anything else, more sane. The botnet problem has only one solution: exterminate Windows as a class, that's for a start. Microsoft was and is promoting the idea that any incompetent user should be able to use computers. Now we see the consequences of that.
It's not the viruses per se, but the user that lets them in the door. Are you using a mail client that defaults to HTML view and allowing JS to run? Do you click on that popup you've never noticed before that says your system is infected? Do you ever empty your temp folder (either system or user)? Do you have a decent system monitor (SysInternals procexp is good) to detect which app might be causing weird behavior? Do you ever look in the drivers folder, sys32 or other known hangouts of "potential bad guy" files? Ever check the registry (another plug for SI, autoruns can be quite useful) to see what's happening at startup?
This is a downward spiral. Some bright kid will make a patch to override M$'s disabling of the TCP stack. M$ will issue a patch to override that. Rinse & repeat. As usual, they're using a sledgehammer where a scalpel is preferred.
Perhaps Windoze should just incorporate Git & cron; every 5 seconds you make a hash of the hard drive, with 2 weeks of reversion available. Just click on the smiley-face & viri be gone! (Along with any recent emails, documents, installed apps. What price security?)
Oh, you *are* running the latest i7 with 16 gigs of memory on WinDoze, aren't you? Would be quite hardware intensive to keep up with such a frenetic backup schedule. Be prepared for a constant hourglass.
Then we have Intel building security into their processors, and Microsoft decides not to use it. A while later Microsoft and Intel decide native code writers cannot be trusted and provide system-wide controls to keep "non-managed code" from running.
Computers being certified to be free of malware is like hookers being certified to be free of STDs. The certification is good for a few minutes, and then you are back to square one.
The healthiest thing we could do for the Internet would be to ban all Windows machines until Microsoft can prove that their operating systems are robust enough to survive on the Internet. If Microsoft operating systems need anti-virus enhancements, I think Microsoft should pay for that. After several years of paying for Symantec, the anti-virus software has cost more than the computer did to begin with.
And of course what makes this even more scary is Microsoft's demonstrated ability to wag around the US Government and get whatever they want. The decision to store public data in a proprietary format continues to astound me.
And others here have mentioned the fact that a company that cannot produce a secure operating system should not be trusted to judge the health of anyone else's systems.
I have had a healthy computer since 1998 ... no virus checkers needed. My family has been running Linux since then for the Internet.
The first comment above is right on. Everyone would be best to abandon operating systems like Windows that can carry viruses.
Ian Soutar
Vancouver Island
I can see it now....
Me: "Hello Comcast, I have a problem."
Comcast: "Give me the certificate number..."
Me: "I run Gentoo and emerged the entire world yesterday."
Comcast: "Sorry, we only work on Windows, and I can now see that you used a P2P download -- the download police are on their way."
Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't. Mark Twain.
M$ only cares about making money. The prevalence of bot-nets already shows us how much stock M$ places on security when designing Windows.
So let's consider what happens when malware uses those convenient holes in Windows security.
Windows detects the malware, but instead of removing it, disables your internet connection.
What do you do now? You can't use your computer to download a free utility that removes that malware, so now your options are either buy a commercial utility at Best Buy, or call M$ to help you fix your problem (which M$ will definitely charge you for).
It also begs the question, "Who put that malware on your computer in the first place?" Abusing this you-have-malware-therefore-kiss-your-internet-goodbye feature is possible for any group that intends to subvert internet communications in a nation, state, company, what have you. Not to mention greedy capitalists who have no moral dilemma infecting your computer with malware so you'll A) buy their well marketed product that is guaranteed to remove said malware, or B) pay for that service call to M$ who didn't have the sense to innovate first class security into Windows.
Let's not forget that in M$'s journey to pry every penny from your fingers, they'd love nothing more than to shift from selling Windows to leasing Windows. Want those updates, patches, and critical security fixes? Plan on paying a monthly fee. Refuse to pay? Don't be surprised when Windows disables your internet connection.
This rant may be far fetched, but don't complacently let a capitalist (as in cares more about money than ethics and morality) company decide what's best for you without considering where this road leads. You may see a road far different than mine, but if you think M$ has our best interests in mind, you're sorely mistaken and ignorant of their behavior for the past 20+ years.