Microsoft Eyes PC Isolation Ward To Thwart Botnets

CWmike writes "In a paper published Wednesday (PDF), Scott Charney, who heads Microsoft's trustworthy computing group, spelled out a concept of 'collective defense' that he said was modeled after public health measures like vaccinations and quarantines. The aim: To block botnet-infected computers from connecting to the Internet. Under the proposal, PCs would be issued a 'health certificate' that showed whether the system was fully patched, that it was running security software and a firewall, and that it was malware-free. Machines with deficiencies would require patching or an antivirus update, while bot-infected PCs might be barred from the Internet."

Modelling real disease?

[gringer]

If you want to model how our body recognises and deals with disease, you need to concentrate on whitelists, rather than blacklists. Vaccinations are similar to a community blacklist, but for most pathogens our own immune system can work out what things are appropriate to reject.

Re:A better PC health idea

[postbigbang]

They've been championing 'network admittance control' for a long time. It's pretty difficult to do, especially in a heterogeneous OS network. Add smartphones and other possible attack vectors, and it's nigh impossible.

Yet it's a nice idea to block machines that probe servers on ssh ports with logon names like 'oracleadmin' and so on. Isolating suspect systems has to be coupled with a method to vet systems, and therein lies the rub. Unless you use pattern matching to watch system traffic for phone-homes and wierd characterizations, it's simply too tough to get anything but a homogeneous (read Microsoft clients only) network intrusion detection system to work.

Re:A better PC health idea

[postbigbang]

Ah, were it true. While I follow your logic on COICA, it's not just Microsoft whose software can be swiss-cheesed, given enough attempts.

Today, one of my servers was under attack. I sent complaints to vsnl.in and their abuse and postmaster accounts bounce. No one is at the switch... or perhaps they're sleeping. So I tried to characterize the attacker. It's a Linux box running an old version of CentOS. As I write this, it's dutifully trying to logon with single letter logon names.

Yet Microsoft Windows users represent not just the statistically largest attacking surface, but the one with the most plentiful cracks that have botted machines. Bots come in all sizes, shapes and characterizations. They're not exclusive to Microsoft, just the most statistically significant.

There are better ways to prevent attacks, and better kill switches to partition-out attackers. We just have to agree on how to deploy them, rather than give the enemies of genuine freedom the tools to kill the friendlies.

Re:This would get abused

[znerk]

You do know that Linux has security issues too? Don't you?

I am aware that a few Linux security issues exist, but I haven't seen anything even remotely like the Windows exploits' proliferation. Can you point me at a website or other documentation that shows some in-the-wild exploits for Linux-based systems? I swear I'm not trolling, I just really don't see the parallel.

To be honest, I read something along the lines of "Tens of thousands of new Windows malwares (virus, trojan, adware/spyware, etc) in the wild every day, 25 proven exploits of Linux in the last 15 years (only 2 of which were ever in the wild)", but I can't recall where I read it. I would welcome some information that contradicts that. No, really.

Again: This is not a troll, this is a serious inquiry.

Re:Microsoft's real motive

[Dr_Barnowl]

This comes from the MS Treacherous Computing group, so spoofing the certificate may not be easy.

A certificate would be composed of a hash of all your critical OS components, constructed and signed by the TPM chip on your motherboard.

This would be a form of Remote Attestation. MS, and their real customers in the media cartels, would love to get the thin end of this wedge into Windows, because it would mean that you could e.g. provide streaming media servers while being sure that the client is an official approved client, running an approved software stack that hasn't been tampered with to do naughty things like dump the stream to disk.

Using it to keep virus-infected machines off the internet is just a piece of spin - the real reason for wanting this is the usual - a general purpose computer is a powerful tool, and many powerful interests feel nervous about them being under the full control of their owners.

Re:Gov vs Corp

[Alsee]

Can you imagine the hysterics if the government had proposed this!

I regret to inform you that the government has been proposing this every year for at least the last ten years.

It seems to have disappeared from the internet, but I saved a copy of a PDF from the December 4&5 2001 Global Tech Summit in Washington D.C. It contains the keynote speech from Richard Clarke, Special Advisor to the President for Cyberspace Security. He literally cited Osama bin Laden in his call to secure the internet. Here are some snippets from that keynote speech:

I think we need to decide that from now on IT security functionality will be built in to what we do, to the products that we bring to market.

TCPA, the Trusted Computing Platform Alliance, is an example of bringing hardware and software manufacturers together. But TCPA is not enough. It's a good beginning, but it's not enough.

It is not beyond the wit of this industry to figure out a way of forcing down patches.

ISPs and carriers can insist that when cable modems and DSL hookups are made, firewalls are installed. It is not enough for an ISP or carrier to say, oh, and by the way, you might want to think about a firewall.

If you check the PDF on this story, the plan is explicitly based on TPM Trust Enforcement Chips being built into computers as part of forcing down these patches and controlling internet access. "TPM" is the modern name for TCPA.

The US Government has been pushing this crap harder and harder each year in the "National Plan to Secure Cyberspace" and the plans to "Secure the National Information Infrastructure" and in every other Capitalized Plan And Policy And Strategy Regarding The Internet. The government has been funneling tens of millions of dollars of grants every year into developing this crap. Starting in 2006 the US Army mandated Trust Enforcement Chips be included in all new computer purchaces, I think(?) this policy been science extended to all military computer purchases, and the government has been seriously discussing making it mandatory for all government computer purchases. The really fun is that the explicitly stated purpose for this government policy. The purpose is to use government buying power to fund and manipulate the manufacturing industry. The declared purpose is fabricate a commercial demand to ramp up production of these chips, and for these chips to be included by default in ALL new consumer PCs. The government has been increasingly pushing this agenda in international relations and in bodies under the UN. Unfortunately the European Union has, if anything, become even more eager than the US in their grand plans to in promoting the new Information Economy and the new Information Society. Yay for more Capitalized Plans from our European brothers. There has been increasing activity from all parties on plans for instituting Internet Governance. It's interesting to note that the world's most repressive regiems are most enthusiastic. They are just drooling over the surveillance, control, tracking, law enforcement, repression, and censorship that comes along with locking down computers and locking down the internet internet access and internet communications.

Just to link a single example of recent government work product, Slashdot reported on White House Unveils Plans For "Trusted Identities In Cyberspace" from the President's Cyberspace Policy Review. And lets have a Capitalized Yay for the Capitalized Identity Ecosystem it wants impose on us. If you actually get down into the proposal it is the same crap to lock down our computers with these Trust Enforcement Chips. Not only can these chips preform Health Checks to grant or deny you access to the internet, these chips will lock down our digital identities and manage our privacy. If you read the fine PDF in that link, page 4 has an "Envision it!" box explaining how this Identity