Microsoft Eyes PC Isolation Ward To Thwart Botnets

CWmike writes "In a paper published Wednesday (PDF), Scott Charney, who heads Microsoft's trustworthy computing group, spelled out a concept of 'collective defense' that he said was modeled after public health measures like vaccinations and quarantines. The aim: To block botnet-infected computers from connecting to the Internet. Under the proposal, PCs would be issued a 'health certificate' that showed whether the system was fully patched, that it was running security software and a firewall, and that it was malware-free. Machines with deficiencies would require patching or an antivirus update, while bot-infected PCs might be barred from the Internet."

A better PC health idea

[h4rr4r]

I have a simpler pc health idea, stop installing the disease that is windows.

Re:A better PC health idea

[Moryath]

While your response was flip, I can see a number of ISPs - who already have policies of "sorry all we support is Windows" if you call in because of trouble on the line, and who have script-following Indian monkeys who will demand to know your OS before talking about anything else to replace ACTUAL customer service - using this at Microsoft's behest.

"Ohh, sorry. You're running OSX or Linux? We can't scan those for their patches so we're just going to block you off. Come back when you have a nice Win7 box. Oh, you signed a contract for a year of service? If you read the 4-point fonted small type on page 37 you'll see it clearly states in paragraph 18 line 3 that only systems with fully updated Windows 7 and an active virus scan package from an approved vendor such as Symantec or McAfee will be allowed access to the internet in order to keep the service trouble-free..."

Maybe Apple would be able to cry foul and get their systems allowed too, but home Linux users would pretty much be out of luck. And so much for anyone who responsibly has a home system with a hardware NAT and their ports properly firewalled too...

Re:A better PC health idea

[h4rr4r]

If by archaic you mean what windows finally got via powershell only about 30 years late, then yes. Exactly that, or one of many other GUI environments.

Re:A better PC health idea

[jc42]

I have a simpler pc health idea, stop installing the disease that is windows.

Except that if you aren't running Windows, your machine will be declared totally infected and not allowed any access at all.

Remember that it'll be Microsoft software doing the checking.

Re:A better PC health idea

[postbigbang]

I double dog dare you to vet a wifi-connected smartphone. No bases covered *at all*. Your idea only works on flat networks, rather than multi-tiered, as well. It isn't as easy as it looks.

And when you get close, your help desk lines light up with people that can't get logged on because you set your criteria too tightly and they don't have remediation for their Ubuntu 10.10.... or even their freaking Macs. The whole rubric here is to sell more Microsoft stuff underneath the perceived goodwill proffered by trying to vet then shackle machines whose state is unknown.

Re:A better PC health idea

[Jeremiah+Cornelius]

"Microsoft only clients" pretty much adequately describes the malware-bearing portion of the Internet!

You only need to block access to a protected resource - who's management ELECTS this level of defense.

The real play is NOT to protect the Online Bank or Payment Portal.

It is to create a "forcing function" by which the customer remedies his client - also to helpfully cooperate on making those remedies accessible.

Why? Because Internet business models rely heavily on trust and reputation. As occurrences like "account takeover" and fraudulent transactions become more common, consumer trust in online modes for business and commerce will erode.

Your AmEx's, Amazon's and Turbo Tax's (Names from a hat - not my customers) are vested in margins that are supportable through online delivery. Their CSOs are charged with not only safeguarding their own applications and infrastructure, but mitigating the negative effects of client vulnerability on the online business model. This is a big enough problem that it drives enterprises together, at the CSO and CTO levels. They want a solution that raises the general level of trust and confidence in Internet uses.

They all see this as a problem with Microsoft - if not at fault - at its hub.

Now, Corporate Microsoft wants to use this reasonable, cooperative approach to deny service in the broadest possible way. In light of this week's failure of the Internet blacklist bill (COICA) to be ratified, without vote, in committee? I smell an agenda.

Microsoft are just the stalking-horse for Congressional supporters of COICA to use: "See, if we don't act with responsible legislation, then Industry will take the matters into its own hands!"

Trust me. I have seen how these guys work.

Re:A better PC health idea

[bloodhawk]

isolating different machines has never been a problem, the problem is that isolation is not what people are after, they want to read documents and access their apps on their portable devices, they want to use whatever they prefer external to the organisation and still have their connectivity. isolating and blocking is easy, safely permitting is the problem here.

Re:A better PC health idea

[postbigbang]

Sounds good on paper.

Now user Magee needs to access his email on his iPad. First, there's the pop3 account. Then there's gmail. He surfs. A complex page cites more than a dozen (often dozens and dozens) of other IP addresses.

You gonna shut him down? I don't think so.

Re:A better PC health idea

[technos]

They've seen the horrible uptake numbers from Vista continue with Windows 7.

Step 1. Convince everyone to get behind the idea of black-holing insecure or infected machines.
Step 2. End support for all versions of Windows other than the current.
Step 3. Wait for a new remote vulnerability in older versions.
Step 4. Refuse to patch the issue.
Step 5. Profit as everyone either has to buy a new PC or a newer operating system to access the internet.

Just think about it. Something like two thirds of machines running a Microsoft operating system are still running the end-of-life Windows XP.

Re:A better PC health idea

[mysidia]

Why in the devil do you have ssh available to the world?

Because SSH is a secure protocol for remote management of computer systems.

Re:A better PC health idea

[DAldredge]

Windows 7 isn't have "horrible uptake numbers" It is actually doing very well.

Re:A better PC health idea

Maybe you guys should stop signing up for contracts you don't agree with?

Re:A better PC health idea

[Moryath]

Obviously not an American ISP.

Re:A better PC health idea

[GreenTom]

And once we have a monoculture of any other operating system, do you really think it will be any better?

Re:A better PC health idea

[Your.Master]

After three years? Are you posting from a time warp? Windows 7 general availability was October 22, 2009. It hasn't even been 1 year. And yet its install base is about a third of a product that has been on sale for almost *9* years, of which for less than 3 of those years there was another OS product (which did not do so well in the marketplace).

Even if you decided to change the subject by combining Vista and Windows 7, they combine to well over 1/3 of XP's marketshare in well under 3 years.

So let's replace that by something that makes more sense:

"Failing to replace more than a third of a previous OS product before 1 year".

I'd say that this does not contradict doing well *at all*.

Re:A better PC health idea

[Nyder]

I have a simpler pc health idea, stop installing the disease that is windows.

I'm a gamer, so what should I do then?

Re:A better PC health idea

[mysidia]

however you can restrict it to known-good hosts

That's no good, when you need to connect to your machines from your laptop in the hotel room or coffee shop wireless.

Remote management technologies are for remote management.

Of course public key / certificate based authentication is the proper mechanism to use for remote access using SSH, and you need the server's public keys pre-installed on your client as well.

But it really does no good to limit SSH to known hosts, when you actually can't know what IP address you will be accessing from a-priori.

WTF

M$ should be bared from the Internet.

Pay for it?

[headkase]

And who exactly is going to pay for this? If your system is not infected can you be exempted from a "monthly fee" or is it punishing everyone when Windows is the majority of infections? Maybe Microsoft should pay for it all?

Re:Pay for it?

[sqldr]

I'm more worried about the implications. On one hand it's great to not have loads of unpatched computers bent over with their arseholes facing the internet sending me spam, DOSing stuff and distributing child porn. Then again, "you cannot go online unless you download this patch from microsoft".. what if the patch contains something I don't like?

What he really means is

[santax]

If those darn pirates of our lovely and very safe OS that can't update due to our policy of finding income more important than safety on the web could be disconnected, we could make even more profit!

Further proof

[Darkenole]

There is no cure for stupid.

Re:ahem

[marcello_dl]

I don't think they are after linux but after XP equipped old pcs, whose users are more likely to buy a new pc if they have issues with "health certificates".

File under "Dumb Ideas"

[vtcodger]

If Microsoft or anyone else were capable of certifying a computer to be malware free, and being right about it, malware wouldn't be much of a problem, now would it?

File under "Dumb Ideas"

Re:File under "Dumb Ideas"

[MightyMartian]

Not if the core idea is to cripple any competing operating system by depriving them of Internet access, under the guise of "security".

Re:File under "Dumb Ideas"

[adjuster]

It's worse than that. The idea is to introduce pervasive and potentially legally-mandated "trusted computing".

Re:File under "Dumb Ideas"

[pspahn]

Thank you for being the one to say it.

I almost never use AV software. In the past, when I suspected an infection, I would run something that told me I was infected, and I would just backup-reformat-reinstall.

I know that malware of today tends to be much more inconspicuous. It is not always obvious that malware is present. I run this risk will full knowledge of potential consequences. One of the consequences is that my machine isn't always bogged down by some crappy AV suite that will tell me I'm infected, and then attempt to remove malware unsuccessfully, meaning I have to reimage/reinstall anyway.

The irony here is that I do run that Windows Defender thing occasionally. It comes back and says everything is fine. I don't really trust its accuracy, but then again, if someone wants to try and steal my banking info or something, they won't find much anyway.

Re:File under "Dumb Ideas"

[sshir]

you do understand that as soon as it's widely used, virus writers will add that "functionality"?

computers or windows installations?

[brenddie]

computers don't get infected. Windows installations are usually the problem. Besides, I dont need no internet driving license

Re:computers or windows installations?

[djdanlib]

Computers don't get infected? They sure do. Like those SCADA systems infected by Stuxnet, for example. Yes, Windows is an infection /vector/ for them, but they don't run Windows and if you manage them from another OS, you can still inject the same code. How about hypervisor viruses, and things that otherwise push malware into the BIOS or other flashable EEPROMs? Heard of the ones where they can compromise your car's electronic control systems? What about the ATM exploits that were demoed this year? Oh, how about the hacks that alter the firmware on a printer, PS3, Wii or iPhone?

Now, if you changed it to "OSes and applications and data and sometimes hardware all get infected" you'd be mostly correct but your original argument sort of dies at that point.

ok, then: a couple questions

[Dhrakar]

First; who will be administering this program? Under what authority could an organization possibly 'certify' systems that are located around the world?
Next; How often would these certificates need to be updated? Every time a vendor issues a new patch?
Third; What kind of crazy-ass DRM would be needed to keep folks from just spoofing the certificates?

    Unfortunately, this is the kind of simplistic easy-to-follow proposal that our congress-critter really go for... yeesh.

Re:ok, then: a couple questions

[MightyMartian]

In one respect it reminds me of all those really stupid anti-spam proposals like SPF that started rolling off the assembly line of dumb-ass ideas about six or seven years ago.

Moron: Yeah, you see, everyone with a legitimate mail server will have this TXT record that says "I'm legit, you can trust mail from me!"

Guy With Actual Experience: Uh huh. So what happens when the spammers start buying up domains, putting in the SPF TXT record? What happens when a server with an SPF record is hacked?

Moron: Um, well, you know, we need to add some sort of certificate... Yeah, that's it, a cert, and that will make it a-okay. You'll be able to automatically tell the good stuff from the spam.

Guy With Actual Experience: Uh huh. So what happens when the spammers start buying up domains, putting in the DKIM record? What happens when a server with an DKIM record is hacked?

Moron: Um, well, um... um.. UM... <BOOM... HEAD EXPLODES>

I think this idea sits in the same category of simplistic idea put forward by morons who really haven't got the foggiest idea what the fuck they're talking about.

Re:Modelling real disease?

[girlintraining]

Sigh. They don't want vaccinations. They want their client base spending money on half-baked security solutions. So in addition to the license, you have to pay for a certificate, pay for software certification (goodbye open source), pay for the software, pay for the bandwidth to keep your system online all the time, pay pay pay pay pay....

And nothing will change except you'll be paying more.

This would get abused

[erroneus]

Being anti-virus protected and updated sounds like a great idea until you ask questions like "which vendors of antivirus are excluded?" and "which updates will Microsoft push as critical that are just another piece of crapware or something that would break compatibility with something important to the user?"

Microsoft should be responsible. They should push out adblockers and javascript blockers. It makes browsing a lot safer. Oh no... commercial interests would be pissed and we know those interests are of more importance/significance than the end users are... remember Vista and all that DRM encumbered crap? We all know they had the consumer in mind when they did that.

Re:Catch 22

You get what you deserve. Next time, don't drink the Microsoft (spiked) kool-aid

Re:ahem

[Literaryhero]

Actually, I see it as a way to stop people from using pirated Windows. Oh, you can't pass the Windows Genuine Advantage (or whatever it is called these days), so you can't properly update your machine. Since your machine isn't updated, that means no internet for you. That would be a big disincentive to pirates everywhere.

Re:IPV6's Killer App!

[plover]

I have a cheaper implementation. Just set the evil bit upon boot up, then clear it once the PC passes a health check. And it's even IPv4 compatible!

Predicated on "trusted computing"...

[adjuster]

It seems like most everybody doesn't understand (or notice footnote 14 on page 5) that, in order for this to work, all the subject devices must have trusted processing capability. That means "TPM" chips, signed OS kernels / hypervisors, and the inability to run untrusted root-level code. Take a second to laugh at the idea that anyone will be able to introduce a bug-free hypervisor / TPM environment that can't run unsigned and untrusted code. After you're done laughing at that I'd recommend being angered at the notion of such a thing, since it will effectively eliminate control of the devices owned by consumers.. turning every device with a "clean bill of health" into a walled-garden appliance. As long as consumers own and control their general purpose devices there will never be a way to do what this paper describes. Frankly, I'm alright with that. We'd do a lot better to just assume that every device is untrusted and act accordingly.

Re:ahem

[similar_name]

At least in the U.S. it's hard to see how MS can justify anything because of pirates. Unless you build your own PC you are paying for Windows anyway. Even if you specifically look for a prebuilt PC without Windows it's hard (it is a small fraction of the market) to find one where you don't pay for Windows whether or not it's already installed. It is a travesty how hard they make it for legitimate users to reinstall Windows.

In countries where MS doesn't already have a contract to license Windows for every PC sold by a company it's hard to argue that people would pay for Windows separately if they couldn't pirate it.

My roommates laptop came with Vista Home. It has a COA key sticker on the bottom. Unfortunately he didn't make a restore disk before his computer crashed. He got a Vista Home CD from a friend. It installed fine(fine meaning I had to find wireless drivers that would work. Ubuntu sees it out of the box :) ) and then one day came up with the WGA crap. He typed in his valid COA key on the bottom and Vista rejected.

Now I have a few options to help him.

Call MS for support I should never need to activate a valid license.

Install a cracked version of Windows

Give him another reason to use Linux.

Why would MS even create a situation where 2 and 3 look like the least hassle? In the many closed vs open debates that go on here I often see people ask why anyone would complain about a system that is closed and marketed as such. I don't care how it's marketed closed proprietary systems are bad for technology and society. No matter how you market cigarettes they are bad for you. No matter how you market closed proprietary systems they are bad for society. Won't anyone think of the children? Our culture is being DRM'd, manipulated, and controlled by the golden calf instead of by people.

anlny

the new attack of the future denial of health certificate

Wait, WTF?!

[wbav]

I often find the internet vital to download the latest updates to programs like Spy Bot, how am I going to do that (and get rid of the infection) if my computer is banned from the net?

At an ISP level, it wouldn't be just the infected machine.

And what about wireless hot spots?

Re:This is just a lockout for OSS

[Rich0]

Yes, and I wouldn't use any of them if I couldn't choose to modify them at will - and get myself kicked off the internet in the process...

Nothing against distros - they're wonderful. But, the whole idea of FOSS is that the computer OWNER gets to choose what to run.

Two Words: "Microsoft's trustworthy"

[tomhudson]

They lost me at "Microsoft's trustworthy $INSERT_ANYTHING".

Sorry, but Microsoft lost my trust more than a decade ago. Microsoft is like an abusive boyfriend who says "Trust me - I've changed, this time is really different ..."

The only right response to both is "Drop dead!"

-- Barbie

Re:Two Words: "Microsoft's trustworthy"

[Hylandr]

What this really boils down to is:

We are sorry, XP is no longer supported and a patch is not available. You will not be allowed to connect to the Internet. Here's a $7 Rebate for Windows 7.

- Dan.

Security theater

[Dracos]

This is another episode of Microsoft's security theater. While they'll portray this as making Windows more secure, it actually won't have much, if any, real benefit (a la UAC), and is actually designed to stifle other operating systems.

Apple, Oracle, and other big OS vendors will be given the opportunity to buy their way on board, but all the small players, including Linux distros, will be shut out.

I have a saying about Windows, and I've been accused of trolling with it: Windows is designed to be sold, not designed to be used.

By sold, I don't necessarily mean the retail box sale or the initial rollout of a service contract, I mean every dollar and minute spent to maintain Windows as well. From your tech-illiterate uncle taking his PC to Geek Squad, all the way to this blatant (to the people who know what to look for) extortion scheme.

Microsoft created all of these issues. They know it's not profitable to actually solve them.

Re:Really?

[sjames]

I do remember that. Security is an ongoing process. The difference is that the metamail problem wasn't a deliberate design decision ignoring a loud chorus of NOs. It was also fixed rather than stubbornly maintaining that it's the way of the future.

Mistakes happen. They're made all the time. It's refusal to admit it was a mistake in the face of a mountain of contrary evidence that creates the real problems.

But yes, not making that particular huge mistake doesn't mean we get to go to sleep now.

Re:How is this like vaccinations?

[Oligonicella]

I only showed my daughter's vaccination in grade school. She and I both went through middle, high and college without having to show. I have never in my life shown vaccination proof for a job. Other than grade school, you're blowing it out your ass.

cure worse than the problem

[frovingslosh]

I don't keep my systems "up to date". The system I'm posting this from is still on XP SP1. And there is a good reason for that. I've only ever had one problem with anything that I got from the Internet. That one thing was a "Microsoft Security Update" that apparently managed to rewrite my NIC start-up parameters (all modern NICs have flash memory) in such a way that any OS that trusted the NICs start-up settings would be unable to use the interface. And guess what, Windows didn't trust the start-up configuration stored in the NIC but Linux did!

After that experience I decided that I was better of not trusting Microsoft to not deliberately muck up my hardware any way that they could. Of course, many others have suffered other ways in adopting Microsoft patches, or even have them forced on them without consent. I'll continue to trust my own ability to defend against the bad guys on the Internet, as far as I'm concerned Microsoft is one of the bad guys.

I still have a no longer supported copy of Win98 running on one system, quite happily and safely. I'm sure that Microsoft would love to pop up a message saying that since they no long want to support my old OSs that I can't use them to connect to the Internet any longer.