Microsoft Eyes PC Isolation Ward To Thwart Botnets
CWmike writes "In a paper published Wednesday (PDF), Scott Charney, who heads Microsoft's trustworthy computing group, spelled out a concept of 'collective defense' that he said was modeled after public health measures like vaccinations and quarantines. The aim: To block botnet-infected computers from connecting to the Internet. Under the proposal, PCs would be issued a 'health certificate' that showed whether the system was fully patched, that it was running security software and a firewall, and that it was malware-free. Machines with deficiencies would require patching or an antivirus update, while bot-infected PCs might be barred from the Internet."
Can you imagine the hysterics if the government had proposed this! But it's a company, so I'm sure it's all OK.
I tried to get the idea of "Network Access Protection" for the Internet on the agenda, at Microsoft, for 2 years. We already had the client mechanisms for evaluating health-status, and the signed messages for communicating that status.
I was working with big eCommerce and online finance companies. In my proposal, enforcement would be at site logon. Infected machines could not access account services or cart/profiles, etc. They'd get a redirect to a clearing-house that would disassociate the online brand from the notice of infection. That protection site would have remediation resources.
In the end, we had some great discussions - but MS can't execute - and no one trusts 'em.
Now, Charney waves this thing around. AND WANTS ISPs TO BLACKHOLE clients! Way to go. I see this as another stealth control measure to create a de facto model for denying service. Today, it is a ZeuS infection - tomorrow an HDCP patched player or WikiLeaks cookie.
You get the idea. Stuff this genie back into the bottle.
"Flyin' in just a sweet place,
Never been known to fail..."
They just want to lock out Open-Source OSes, which won't have such a procedure due to the fact that they don't use binary-only distros with checksums built into the low-level OS.
Where is the USDOJ when you need them to remind Microsoft about their recent trip down anti-trust lane? Not to mention a nasty little thing called "collusion" - whichever AV and PKI vendors are selected naturally benefit, and I imagine all the ISPs will have to agree to enforce this as well or suffer some consequence.
A framework like this makes two assumptions that spell doom for future innovation by free thinkers: Microsoft Windows on every consumer device that connects to the Internet and every device using "Microsoft approved/recognized security software." Not a bad approach at first blush since that describes a large part of the marketplace and at least 100% of the problem, but honestly - there are better ways to solve this than trying to fit the future Internet ecosystem into Ballmer's limited imagination.
Read the paper. Please. And look for it soon as a key exhibit at the next anti-trust action against Microsoft.
I'm sure Linux and other systems will just spoof the certificate.
Which brings up the bigger question of "how do you supply a health certificate?" You can't expect the computer to respond properly, because any virus would just spoof the right answer. You *might* be able to have the local machine certified by a remote machine, but IP addresses change constantly, and then it's just a question of spoofing to the certifying machine.
On a practical scale, how can this even work?
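The logon-time enforcement sketched in the earlier NAP post (client evaluates its own health, signs the status, the site allows, redirects to an update page or redirects to a remediation clearing-house) and the spoofing objection raised in the post above can be shown side by side in a small model. This is an added illustration, not code from Microsoft, NAP, or any poster; the check names, the HMAC-based statement format, the device key, and the sample host facts are all constructed for the example. The last function demonstrates the objection: because the signing secret lives on the host being assessed, a valid signature proves who sent the statement, not that it is true.

```python
import hashlib
import hmac
import json
import time

# Constructed per-device secret; a real scheme would use a key the host cannot read freely.
DEVICE_KEY = b"constructed-device-key-not-a-real-secret"
MAX_AGE_SECONDS = 300  # statements older than this are treated as unknown

# Constructed host facts (hypothetical inventory the client agent would gather).
HEALTHY_HOST = {"device_id": "dev-1", "missing_patches": 0, "av_running": True,
                "firewall_on": True, "infected": False}
INFECTED_HOST = dict(HEALTHY_HOST, infected=True)


def evaluate_health(facts):
    """Client-side evaluation: turn raw facts into pass/fail checks."""
    return {
        "patched": facts.get("missing_patches", 0) == 0,
        "av_running": bool(facts.get("av_running", False)),
        "firewall_on": bool(facts.get("firewall_on", False)),
        "malware_free": not facts.get("infected", False),
    }


def issue_statement(facts, key=DEVICE_KEY, now=None):
    """Build a signed (HMAC-SHA256) health statement for the host."""
    issued_at = now if now is not None else int(time.time())
    body = {"device_id": facts["device_id"], "issued_at": issued_at,
            "checks": evaluate_health(facts)}
    payload = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "mac": mac}


def verify_statement(stmt, key=DEVICE_KEY, now=None):
    """Server side: check signature and freshness; return the body or None."""
    payload = stmt["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, stmt["mac"]):
        return None
    body = json.loads(payload)
    current = now if now is not None else int(time.time())
    if current - body["issued_at"] > MAX_AGE_SECONDS:
        return None
    return body


def logon_decision(stmt, key=DEVICE_KEY, now=None):
    """Enforcement at site logon: allow, redirect to updates, or redirect to remediation."""
    body = verify_statement(stmt, key, now)
    if body is None:
        return "deny"  # unsigned, tampered or stale: treat as unknown
    checks = body["checks"]
    if not checks["malware_free"]:
        return "redirect:remediation"  # clearing-house with removal tools
    if not all(checks.values()):
        return "redirect:update"  # missing patches, AV or firewall
    return "allow"


def self_report_is_not_proof():
    """The objection: an infected host holding the key can sign a 'healthy' statement.
    Returns True when such a statement is accepted, i.e. the signature proved nothing."""
    claimed_facts = dict(INFECTED_HOST, infected=False)  # what the host chooses to report
    stmt = issue_statement(claimed_facts, now=1000)
    return logon_decision(stmt, now=1100) == "allow"


if __name__ == "__main__":
    for name, facts in (("healthy", HEALTHY_HOST), ("infected", INFECTED_HOST)):
        print(name, logon_decision(issue_statement(facts, now=1000), now=1100))
    print("self-report accepted:", self_report_is_not_proof())
```

The decision logic works as the proposal describes, and the tamper and freshness checks reject altered or replayed statements; what it cannot do is distinguish an honest evaluation from one produced by whatever controls the host, which is exactly why schemes of this kind lean on hardware-rooted attestation rather than a software agent's word.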
The ______ Agenda
Well, I'm a MS employee, and on my machines joined to the relevant company domains, they _do_ have NAP and it does wreck your day if your machine isn't compliant. Maybe there's a way around it. Maybe there isn't. I've never bothered to look because I just want to get my job done.
As part of the "security push that never ended", that led to XPSP2 and all of the "we thought a little about security for a change" work that MS has done since, there was finally a shift in opinion internally.
The people at MS who _had_ been thinking about security usually stuck to the immutable laws, and were continuing to think about things in absolute terms, i.e. "well, they can get root, so all bets are off."
But what changed was that someone got practical instead of ideological and said, "look, the 80 hojillion Windows PCs out there don't need absolute protection against a supreme attacker with infinite time. If they could get _basic_ protection against what's getting them 80% of the time, that's progress."
And so I think you need to think about NAP and most future MS security efforts in the same way. There may not be a way to keep the most brilliant / lucky / dedicated attacker from succeeding once. But there is almost always a way to keep inelegant attacks from being successful widely and repeatably. And the #1 problem on the public internet right now is NOT all of the high profile deep penetrations against single well researched targets, it's the legions of automated remote-compromises that turn Grandma's PC into a botslave.
A network protection scheme doesn't have to verify that Macs, Ubuntus etc. are "compliant", because those are noise in the signal as a percentage of customer endpoint equipment. A network protection scheme has to keep people who want to continue running MS stuff up to date and patched. It doesn't have to keep Windows power users from getting on the internet if they can read about registry hacks or whatever; it has to point Windows neophytes at a black-holed page that has all the patches and scanners and removal tools they need to get healthy before they go out to play for the day.
In summary: the point isn't to create Sauron's eye. The point is to tell people to put on their seat belt.
My opinions are my own, and do not necessarily represent those of my employer.
Look at who authored that paper and who proofread it and Guess again.
Why do the IPTV and Media Center people have such a large say in this? Its real goal is to force TPM down our throats. This is about protecting media companies from pirates rather than protecting the internet at large. The fact that this plan edges out alternative operating systems is just a side benefit. No certificate, no access, and where would I get a certificate for my Debian workstation?
If this were about Network Protection Microsoft could simply enforce this locally on the PC and not worry about the network. No patches? No access to anything but Windows Update. Simple and doesn't involve any changes to network infrastructure.