Microsoft Eyes PC Isolation Ward To Thwart Botnets
CWmike writes "In a paper published Wednesday (PDF), Scott Charney, who heads Microsoft's trustworthy computing group, spelled out a concept of 'collective defense' that he said was modeled after public health measures like vaccinations and quarantines. The aim: To block botnet-infected computers from connecting to the Internet. Under the proposal, PCs would be issued a 'health certificate' that showed whether the system was fully patched, that it was running security software and a firewall, and that it was malware-free. Machines with deficiencies would require patching or an antivirus update, while bot-infected PCs might be barred from the Internet."
I have a simpler PC health idea: stop installing the disease that is Windows.
I presume that fully patched disqualifies anything that doesn't use Windows Update, yes?
Another good approach to censorship.
M$ should be barred from the Internet.
And who exactly is going to pay for this? If your system is not infected can you be exempted from a "monthly fee" or is it punishing everyone when Windows is the majority of infections? Maybe Microsoft should pay for it all?
Shh.
Every connected device will be mandated to have the bottom 64 bits of its IPv6 address store a PC health certification identifier which will link to their owner's unique citizen identifier. I told you this was coming...
If you want to model how our body recognises and deals with disease, you need to concentrate on whitelists, rather than blacklists. Vaccinations are similar to a community blacklist, but for most pathogens our own immune system can work out what things are appropriate to reject.
Ask me about repetitive DNA
This is a not-at-all-terrible idea that will ensure people are up to date with such security patches as WGA. Bravo, Microsoft, bravo.
If those darn pirates of our lovely and very safe OS that can't update due to our policy of finding income more important than safety on the web could be disconnected, we could make even more profit!
It's called BSOD :-)
RUN NORTON OR NO INTERNET
If those are my only two choices, I'll take NO INTERNET please.
RIP America
July 4, 1776 - September 11, 2001
Can you imagine the hysterics if the government had proposed this! But it's a company, so I'm sure it's all OK.
There is no cure for stupid.
while bot-infected PCs might be barred from the Internet.
Or rather, machines that don't have the right "health certificate". You know, like ones running discontinued operating systems, or "unsupported" operating systems.
Seven puppies were harmed during the making of this post.
This would be really ugly for Linux, BSD, and possibly OS X boxen, but I would expect Apple to play along while proclaiming that their certificates are better because they come stamped with a big shiny sticker.
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
If Microsoft or anyone else were capable of certifying a computer to be malware free, and being right about it, malware wouldn't be much of a problem, now would it?
File under "Dumb Ideas"
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
Computers don't get infected. Windows installations are usually the problem. Besides, I don't need no internet driving license.
The best test environment is production. - Me
chrome://browser/content/browser.xul
They just want to lock out Open-Source OSes, which won't have such a procedure due to the fact that it doesn't use binary-only distros with checksums built into the low-level OS.
Where is the USDOJ when you need them to remind Microsoft about their recent trip down anti-trust lane? Not to mention a nasty little thing called "collusion" - whichever AV and PKI vendors are selected naturally benefit, and I imagine all the ISPs will have to agree to enforce this as well or suffer some consequence.
A framework like this makes two assumptions that spell doom for future innovation by free thinkers: Microsoft Windows on every consumer device that connects to the Internet and every device using "Microsoft approved/recognized security software." Not a bad approach at first blush since that describes a large part of the marketplace and at least 100% of the problem, but honestly - there are better ways to solve this than trying to fit the future Internet ecosystem into Ballmer's limited imagination.
Read the paper. Please. And look for it soon as a key exhibit at the next anti-trust action against Microsoft.
First; who will be administering this program? Under what authority could an organization possibly 'certify' systems that are located around the world?
Next; How often would these certificates need to be updated? Every time a vendor issues a new patch?
Third; What kind of crazy-ass DRM would be needed to keep folks from just spoofing the certificates?
Unfortunately, this is the kind of simplistic easy-to-follow proposal that our congress-critters really go for... yeesh.
Being anti-virus protected and updated sounds like a great idea until you ask questions like "which vendors of antivirus are excluded?" and "which updates will Microsoft push as critical that are just another piece of crapware or something that would break compatibility with something important to the user?"
Microsoft should be responsible. They should push out adblockers and javascript blockers. It makes browsing a lot safer. Oh no... commercial interests would be pissed and we know those interests are of more importance/significance than the end users are... remember Vista and all that DRM encumbered crap? We all know they had the consumer in mind when they did that.
Old SMS client -- System Management Console -- is supposed to be automatically updated via SMS push to the new client -- Configuration Control/Console or whatever.
I've seen computers fall off the 'good' list and onto the 'naughty' list quite frequently. They don't generally patch themselves and make it up to the 'good' list on their own...though that is specifically the idea. M$ hasn't gotten it right for the last decade...so obviously they are going to patent the process and make more money off other people that DO make it work.
Who is this that even the wind and the waves obey Him? Surely this computer must submit also!
Or you can just use anything like nessus, vlans and some simple scripting.
My way has the advantage of being way more cross platform.
Vaccinations are voluntary, at least in the free world. They don't shut the door to the hospital if you haven't had one.
[Please don't start about health insurance now, that's not mentioned in the article.]
You get what you deserve. Next time, don't drink the Microsoft (spiked) Kool-Aid.
I've been running since the early 80s, and have yet to have anything of that sort found on any machine under my control. Which is more than I can say for the networks I've seen "protected" by the major security vendors, every single one of them has regular problems with malware infections. So, when Microsoft can show me a network that's been running under their system for say 5 years with no machine on it ever needing to be cleaned of malware, then I'll take their recommendations seriously. Until then, well, I'll stick with the procedures and policies that've given me a 25+-year clean track record.
Oh, and one of those policies? No Microsoft software unless absolutely necessary, and when necessary its use should be heavily controlled and restricted to only those things it's necessary for.
Just coding a real OS, with real security, with real support?
Copy what works in OS X, Linux, Unix and any bespoke or research OS.
Put all that wasted outside effort into a new clean MS OS, port/code over the Office/productivity/games and release low cost consumer dev tools.
Like a big console for today's next gen Intel/AMD/ARM based hardware.
As every product is an app and gets 'tested', most of the basic legacy MS malware should be cleaned out.
Drivers are written for the OS under strict new testing and NDA controls.
A shorter list of new hardware. No more "Linux" ports or other strange license options; quality DRM is a must. Apps can be free (code free so the young can learn to make apps and later earn from their efforts in the MS way), small cost or consumer/prosumer etc.
Call it MS ~ Newstart, add the new "BIOS" efforts so it starts real quick.
Add some subsidised Youth Allowance and MS Study so the young and university staff can be guided into code and app development.
For countries with populations where cash flow is still an issue, roll out MSAid ~ MS Agreement for International Development.
Well funded local community plans to ensure the generational use of MS products.
Domestic spying is now "Benign Information Gathering"
Who gets to decide what constitutes "fully patched", I guess Microsoft? So if I refuse the WGA patch, my machine will be quarantined?
Of course, to make this work, the program doing the detecting (i.e. Windows) must be running on a trusted base. Um, didn't we hear something like this before, like Trusted Computing?
We all know this is not about security. This is about control, MS just wants to have its own walled garden, seeing how profitable Apple's garden is.
Oliver.
Now! Download your Microsoft Health Advantage certification application! (Note, validation required.)
Those are my principles, and if you don't like them... well, I have others.
It seems like most everybody doesn't understand (or notice footnote 14 on page 5) that, in order for this to work, all the subject devices must have trusted processing capability. That means "TPM" chips, signed OS kernels / hypervisors, and the inability to run untrusted root-level code. Take a second to laugh at the idea that anyone will be able to introduce a bug-free hypervisor / TPM environment that can't run unsigned and untrusted code. After you're done laughing at that I'd recommend being angered at the notion of such a thing, since it will effectively eliminate control of the devices owned by consumers, turning every device with a "clean bill of health" into a walled-garden appliance. As long as consumers own and control their general purpose devices there will never be a way to do what this paper describes. Frankly, I'm alright with that. We'd do a lot better to just assume that every device is untrusted and act accordingly.
The Attitude Adjuster, I hate me, you can too.
The new attack of the future: denial of health certificate.
"... while bot-infected PCs might be barred from the Internet."
So, with the three Windows computers left on the Internet after this happens, I wonder what it'll be like...
I often find the internet vital to download the latest updates to programs like Spybot; how am I going to do that (and get rid of the infection) if my computer is banned from the net?
At an ISP level, it wouldn't be just the infected machine.
And what about wireless hot spots?
Unix is very user friendly, it's just picky about who its friends are.
Wait, it's actually sort of obvious. It won't work for its intended purpose, it will annoy users and keep them from getting work done, and people will exploit the system to knock computers offline.
Pay me money to certify your computer, or you can't access the Internet. I won't guarantee anything, mind you.
So systems not running a M$ OS will be locked out?
Will they also say, when Windows 8 comes out, that all XP, Vista, and 7 systems will be locked out?
Let me get this straight: M$ designed and still releases operating systems that are riddled with security issues. M$ charges more or less the same amount for their OS no matter which country it is sold in. It takes the consumer on the average wage this many years in countries such as China (20 years) and India (40 years) - (this has reduced in more recent years with office workers in China now taking much less), providing they lived on air, and saved every bit of money they earned, in order to save up enough money and purchase a legitimate copy of M$ Windoze. M$ issued WGA to identify machines that were installed without an authentic license. Once identified as non genuine, M$ refused security updates to those machines to protect them from infection through vulnerability. These machines get compromised by malware due largely to lack of adequate security protection and are then used for malicious purposes on the internet. M$'s answer is to deny these users access to the internet.
The funny thing about this... older versions of Windows are being exploited less and far fewer malwarez are currently being written that even support them. So, if I have a Windows 2K box that I only play game "X" on, then I would not qualify for a "health certificate". Patch that, Charney!
Secondly, what about non-M$ OSes?
I hope no one at M$ is making the determination as to how secure my nix distro is. They can't secure their own OS, much less mine.
Lastly, WHO is going to be in charge of this? The government? ISPs? M$? The FCC? Not one of those sounds even a little qualified to do the job.
Why can't we go back to using jumpers to configure slot adapter cards? Why? I say!
In other news, suddenly no Linux machines can connect to Windows servers.
Sorry, but Microsoft lost my trust more than a decade ago. Microsoft is like an abusive boyfriend who says "Trust me - I've changed, this time is really different ..."
The only right response to both is "Drop dead!"
-- Barbie
Two roads diverged in a wood, and I - I took the one less travelled by. (Robert Frost, 1916)
Why in the devil do you have ssh available to the world?
I almost automatically moderated this up, but decided instead to respond.
ssh is Secure Shell. It is supposed to be a secure method of accessing a system (remote or otherwise). It does this job well.
So well, in fact, that there are computers out there whose job it is to bounce username/password combos off machines, slowly, in order to attempt to compromise them. Some (most?) of these machines are simply poorly secured systems that have been previously compromised, and are now doing the bidding of an outside force. Many of these "compromised hosts" can act in concert, spreading the attacks out not only over time, but also over IPs, making them difficult to detect and/or block.
One solution is to watch vigilantly for these attacks, and block the IP addresses of those machines from your ssh port, or (as is more common) to block them from touching your network at all. Those machines will get lonely, eventually...
Another solution is to implement some other form of security, either replacing the default security (using ssh keys instead of passwords, for example), or augmenting (read: hiding) it (using port-knocking, non-standard ssh ports, etc). These methods can be combined, to make an even more secure system.
Unfortunately for all of these methods, the average user is unable or unwilling to perform them, due to complexity. Unfortunately for all of us, the moment it becomes simple enough for the average user to figure out (and thus use) these methods, there will be an exploit that attacks the newly-simplified access method.
In short, having sshd open to the world, on the standard port, is probably an indication that a system can be broken into more easily than one which does not appear to be running sshd on the standard port. This really says not much about the security of the system itself, and the only reason to secure your ssh more than the default configuration already is (valid username/password required) is to keep from having huge log files full of failed attempts to crack into your system.
Personally, I use a combination of several of the ideas I offered above, because I am lazy and hate reading logfiles, especially when it seems critical that I must do so (30 attempts to crack my ssh key in an hour? bad monkey, no cheeto!) It is much easier, less stressful, and not time-consuming in the slightest to have my firewall simply drop all packets destined for port 22.
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
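The post above describes two things worth automating from the defender's side: single-source password guessing that fails fast, and the slow, spread-out campaigns across many compromised hosts that a per-IP rule never sees. The following Python is an added example (not code from the post's author); it runs over constructed sshd log lines, flags both patterns, and renders drop rules for the offending sources. The log lines, host name and IP addresses are all made up.

```python
"""Detect ssh password-guessing in sshd log lines: single-source and distributed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog style, no year); not real data.
# 203.0.113.5 hammers one host; 198.51.100.x spread five guesses over 20 minutes.
SAMPLE_LOG = """\
Oct  6 10:00:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Oct  6 10:00:03 host sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Oct  6 10:00:05 host sshd[2003]: Failed password for root from 203.0.113.5 port 51002 ssh2
Oct  6 10:00:09 host sshd[2004]: Failed password for root from 203.0.113.5 port 51003 ssh2
Oct  6 10:00:12 host sshd[2005]: Failed password for root from 203.0.113.5 port 51004 ssh2
Oct  6 10:00:20 host sshd[2006]: Failed password for root from 198.51.100.7 port 40000 ssh2
Oct  6 10:05:20 host sshd[2007]: Failed password for root from 198.51.100.8 port 40001 ssh2
Oct  6 10:10:20 host sshd[2008]: Failed password for root from 198.51.100.9 port 40002 ssh2
Oct  6 10:15:20 host sshd[2009]: Failed password for root from 198.51.100.10 port 40003 ssh2
Oct  6 10:20:20 host sshd[2010]: Failed password for root from 198.51.100.11 port 40004 ssh2
Oct  6 10:21:00 host sshd[2011]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text):
    """Return (timestamp, user, ip) for every 'Failed password' line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        # syslog pads the day with spaces; collapse them before parsing
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    return events


def single_source_offenders(events, threshold=5, window=timedelta(minutes=10)):
    """IPs with at least `threshold` failures inside any `window` (the classic per-IP rule)."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    offenders = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                offenders.add(ip)
                break
    return offenders


def distributed_offenders(events, threshold=5, min_sources=3, window=timedelta(hours=1)):
    """Usernames guessed from >= min_sources distinct IPs with >= threshold failures in a window.

    This is the view that catches a slow campaign spread over many hosts: no single
    IP trips the per-IP rule, but the targeted account does. Returns {user: {ips}}.
    """
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, items in by_user.items():
        items.sort()
        for i in range(len(items)):
            start = items[i][0]
            sources = {ip for ts, ip in items[i:] if ts - start <= window}
            count = sum(1 for ts, _ip in items[i:] if ts - start <= window)
            if count >= threshold and len(sources) >= min_sources:
                flagged[user] = sources
                break
    return flagged


def drop_rules(ips, port=22):
    """Render one firewall drop rule per offending IP (iptables syntax, for illustration)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    print("single-source:", single_source_offenders(evs))
    print("distributed:", distributed_offenders(evs))
    for rule in drop_rules(single_source_offenders(evs)):
        print(rule)
```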
Let's take a trip back in the Wayback machine, all the way to 1996. Remember the "good times virus"? The hoax email that kept getting forwarded around because the very idea of a virus you could catch through email was funny?
Am I REALLY supposed to take security advice coming from the organization that actually turned that joke into nightmarish reality seriously?
It's not as if nobody predicted that their foolish conflation of opening a document and running a program would result in disaster. Pretty much everyone not waving the MS flag predicted it loudly.
If we're REALLY serious about cleaning up the viruses, ban Windows from the net until they rip that abominable idea out of their OS by the roots.
Because fully patched PCs, with updated antivirus, running a firewall, never get compromised, right?
May require a bit of a portability layer to run on some systems.
#!/bin/sh
# Each case arm needs a ";;" terminator; uname -s on Cygwin prints "CYGWIN_NT-...", so match the prefix.
case "$(uname -s)" in
  CYGWIN* )
    echo "dive for the network cable and yank it out, as fast as you can!"
    echo "also, flip the wireless switch to off!"
    exit 1
    ;;
  * )
    echo "good to go"
    exit 0
    ;;
esac
"No thank you"
This is another episode of Microsoft's security theater. While they'll portray this as making Windows more secure, it actually won't have much, if any, real benefit (a la UAC), and is actually designed to stifle other operating systems.
Apple, Oracle, and other big OS vendors will be given the opportunity to buy their way on board, but all the small players, including Linux distros, will be shut out.
I have a saying about Windows, and I've been accused of trolling with it: Windows is designed to be sold, not designed to be used.
By sold, I don't necessarily mean the retail box sale or the initial rollout of a service contract, I mean every dollar and minute spent to maintain Windows as well. From your tech-illiterate uncle taking his PC to Geek Squad, all the way to this blatant (to the people who know what to look for) extortion scheme.
Microsoft created all of these issues. They know it's not profitable to actually solve them.
There is an Open Source alternative to Microsoft's proprietary system, called PacketFence.
Systems not running a M$ OS will be fine as long as there is either an exception established, or a NAP agent installed: Microsoft has promised to make the technology available so people can develop NAP agents for Linux and MacOS.
UNETsystem announced NAP compatible versions of their AnyClick product for Linux and Macintosh OS X operating systems.
I don't think this is really intended to lock other OSes out, although it may make things more expensive, be a slight annoyance, and more annoying (with no real benefit for these other OSes), if you have to buy some proprietary product for them...
And it can also be a unique problem for the likes of Knoppix... won't fit well into a NAP scheme. Thus forcing Linux on the network to have some of Windows' inflexibilities, unless you set aside special IP address ranges for Linux boxes and exclude them from the NAP scheme.
--Mysid__2010 1007 bcf68101-61e9-32b5-bd2a-e671f9d2f379
Even if you buy the premise that this would work the way described and actually "increase" security and "decrease" the botnet problem, and even if it works 100% of the time, and even if they somehow also do this so that OSX, Ubuntu, and 1000 other operating system variants can take advantage of it, and even if you then do not run into the problem of the computer behind the computer/router having been certified (remember NAT?) being infected ...
Even then, do you really think that if this infrastructure were pervasively implemented, it would not then get used for something entirely different? I mean, you are already looking deeply into the system, you are already cutting off internet access permanently ... Why not simply check for Limewire while you are at it? Or uTorrent? I am sure the right lobby could persuade Microsoft to do that with a wad of cash or some juicy contracts for their media division ... And really, LibreOffice is not certified secure (all those homeless, stinky hackers working on it for free never really got a proper Microsoft Certified Security Expert badge, they probably don't even know what security is all about ... so better not allow subversive freeloader-stuff like that to run, either. Oracle OpenOffice is OK, after all, they are a big company and MS really needs that patent exchange deal with their database folks, right? ... Surely facebook can secure their stuff (they can pay MS Security experts with badges to secure their Windows servers, after all), but twitter? Those guys don't even have a revenue stream. Better to just cut off access to that as well.
And everybody knows people get their viruses and worms via social networks, especially the newfangled ones like Ping or newcomers
Granted, I need to patch some holes in my tinfoil hat, but is it really so far-fetched to assume MS or whoever were to be in charge of it would not abuse it? And if they are all ethical, reasonable people who will not at all abuse their power when given the chance, do you really think they could secure their own services so that they are beyond reproach? Why develop a botnet to take down Amazon.com when you can simply flip a switch and take half the planet offline?
Questions that need to be answered:
Instead, how about a class action lawsuit against MS for all this nonsense? (ya ya..I know...eula says they can abuse me..but just sayin!) For all the sys admins who have worked all night to fix infected servers..over and over. For all the customers who waited for the sys admins to fix their infected servers. For all the money spent on nonsense like anti virus programs, spybot cleaners and malware removers that don't work. For all the businesses who spend millions and endure downtime during insane repetitive patching that never ends, and never will end. For all the people who had to deal with an infected home PC by enlisting Geek Squad geeks or others, over and over. For all the computer geeks who continually get called to family and friends' houses to fix infected Windows PCs. At even $10 per hour spent on all this nonsense worldwide, you could instead feed all the hungry on the planet and have money left over. Are we so accustomed to this insanity that everyone has given up and just accepts this status quo? Is there no one else, but me, who feels this way?
SharePoint is the shit! Not figuratively, literally. Heaping mounds of steaming shit.
Damping absorbs vibrations. Dampening is caused by moisture.
Every single time I see the stupid little popup telling me my Windows machine is possibly infected, I click on it.
WHAT ELSE DOES MICROSOFT WANT FROM ME?!?!
"A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
"To block botnet-infected computers from connecting to the Internet. Under the proposal, PCs would be issued a 'health certificate' that showed whether the system was fully patched, that it was running security software and a firewall, and that it was malware-free. Machines with deficiencies would require patching or an antivirus update, while bot-infected PCs might be barred from the Internet."
I'm sure the machine will have to run windows to get the health certificate.
So how are these Windows PCs going to download the patches if they are banned from connecting in the first place?
Microsoft's trustworthy computing group
Be seeing you...
I don't keep my systems "up to date". The system I'm posting this from is still on XP SP1. And there is a good reason for that. I've only ever had one problem with anything that I got from the Internet. That one thing was a "Microsoft Security Update" that apparently managed to rewrite my NIC start-up parameters (all modern NICs have flash memory) in such a way that any OS that trusted the NICs start-up settings would be unable to use the interface. And guess what, Windows didn't trust the start-up configuration stored in the NIC but Linux did!
After that experience I decided that I was better off not trusting Microsoft to not deliberately muck up my hardware any way that they could. Of course, many others have suffered other ways in adopting Microsoft patches, or even have them forced on them without consent. I'll continue to trust my own ability to defend against the bad guys on the Internet; as far as I'm concerned Microsoft is one of the bad guys.
I still have a no longer supported copy of Win98 running on one system, quite happily and safely. I'm sure that Microsoft would love to pop up a message saying that since they no longer want to support my old OSs I can't use them to connect to the Internet any longer.
I'm an American. I love this country and the freedoms that we used to have.
Perhaps crooks are quite happy with a more homogenous (and still "open", wink wink) MS OS landscape. All systems will be provided with the latest patch (read "new hole").
Bert
They sell a product called Cisco NAC, formerly known as "Clean Access," which requires a host to prove it has Antivirus installed and running and the latest patches.
How does it handle a Linux client? Will it accept ClamAV and some sort of indication of my kernel version?
How about we just tell the new internet version of the SS to go fly a kite?
I like the idea of cutting all those Windows boxes off the net. It would be very interesting to see what all those millions of users do once they realize Microsoft has sold them crap that they can't use on the internet because it's a steaming pile of security holes. Today most people won't notice their computers have been owned; cutting them off would change that pretty clearly.
TPM etc are just thrown in by Microsoft to use this as a way of cutting non-windows systems.
The way this would better security isn't that the computers are cut off the net. It would work by making Microsoft's users start to see clearly the downsides of bad security and start demanding better security from Microsoft instead of today's lip service. A couple of million users without access to the internet won't accept Microsoft sidestepping the blame with UAC; they will demand them fixing the underlying issues.
HTTP/1.1 400
Next time you hear a politician talking about "securing the Internet" through legislation, remind them of this:
Granny's medic alert device failing to summon help from Symantec's "beg for mercy" captive portal would make a dynamite campaign ad, wouldn't it?
http://bit.ly/adEngl
So unless US politicians really want to shut off the home internet on a majority of the voters, every Netgear, every Linksys, every tablet and iPod, every Wii and Playstation, every home alarm system, every voip phone, every digital picture frame, you name it, which is made before this "grand solution" can be imposed will end up with a blanket exemption.
That's pretty much everything with an ethernet port or wifi.
Except, of course, those systems from Microsoft and any other vendors that might go along with the plan. But look out! If their big power play is successful, they've won themselves the ability to f*** with their customers' network connections!
Way to go guys, let us know how that works out for ya.
and to whom to complain about false positives?
Every time we have a story about this I've mentioned this idea. Botnets have specific behaviour. They do things which are bot-like. They send mass amounts of e-mails, connect in certain ways, etc. It should actually not be that difficult for an ISP to determine if one of their customers is infected by checking logs for certain patterns.
The solution to botnets, spammers, and others like that has always been very simple. Cut them off.
Then have the "good" ISPs who cut these people off blacklist any ISP that won't do it. If someone wants to be a haven for spammers and malware distributors I can't really see the need of doing business with them.
This shouldn't be a pre-emptive thing. It should be responsive. Give people the benefit of the doubt. Let them make whatever choices they want. But if it appears they're infected with a botnet, give them a chance to either clean it up, or cut them off. It's trivial to add that customer to an automatic group whose only access is to a local intranet where they're given a choice of a wide variety of free and paid applications (along with all recent definitions) to clean up their machine. After doing so, they can be moved back into the general public.
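The responsive scheme sketched in the post above (detect bot-like traffic from logs, warn, then move the subscriber into a remediation-only group until they clean up) can be modelled end to end. The Python below is an added example, not the poster's code or any ISP's: it flags subscribers whose hosts spray SMTP at many distinct mail servers within an hour, then runs the warn / quarantine / recertify state machine. The flow records, subscriber ids, thresholds and the remediation host names are all constructed assumptions.

```python
"""ISP-side bot detection with a responsive warn-then-quarantine policy (illustrative)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SMTP_DEST_THRESHOLD = 20        # distinct mail servers contacted inside one window
WINDOW = timedelta(hours=1)
GRACE = timedelta(hours=24)     # time a warned subscriber gets to clean up before the cut-off
# Hypothetical walled-garden hosts a quarantined subscriber may still reach.
REMEDIATION_NET = {"remediation.isp.example", "updates.isp.example"}


def build_sample_flows():
    """Constructed outbound flow records: (timestamp, subscriber, destination, port).

    sub-1001 talks SMTP to 25 different servers within a minute (spam bot pattern);
    sub-2002 browses and sends a single mail through its own relay (normal use).
    """
    base = datetime(2010, 10, 7, 9, 0)
    rows = [(base + timedelta(seconds=i), "sub-1001", f"198.51.100.{i}", 25)
            for i in range(1, 26)]
    rows += [(base + timedelta(minutes=1), "sub-2002", "192.0.2.10", 443),
             (base + timedelta(minutes=2), "sub-2002", "192.0.2.11", 25),
             (base + timedelta(minutes=3), "sub-2002", "192.0.2.12", 80)]
    return rows


def bot_like_subscribers(flows, threshold=SMTP_DEST_THRESHOLD, window=WINDOW):
    """Subscribers whose hosts contact >= threshold distinct SMTP servers inside one window.

    Returns {subscriber: distinct_destinations_seen}. A home host normally talks to
    one or two relays; fanning out to dozens of MX hosts is the mass-mailing signature.
    """
    by_sub = defaultdict(list)
    for ts, sub, dst, port in flows:
        if port == 25:
            by_sub[sub].append((ts, dst))
    flagged = {}
    for sub, items in by_sub.items():
        items.sort()
        for i in range(len(items)):
            start = items[i][0]
            dests = {dst for ts, dst in items[i:] if ts - start <= window}
            if len(dests) >= threshold:
                flagged[sub] = len(dests)
                break
    return flagged


@dataclass
class Subscriber:
    sub_id: str
    state: str = "normal"              # normal -> warned -> quarantined -> normal
    warned_at: Optional[datetime] = None


def apply_policy(subscriber, detected, now, grace=GRACE):
    """Responsive, not pre-emptive: notify first, cut off only if still infected after grace.

    Returns the action taken: notify | wait | clear | quarantine | none.
    """
    if subscriber.state == "normal" and detected:
        subscriber.state, subscriber.warned_at = "warned", now
        return "notify"
    if subscriber.state == "warned":
        if not detected:                      # traffic went quiet: benefit of the doubt
            subscriber.state, subscriber.warned_at = "normal", None
            return "clear"
        if now - subscriber.warned_at >= grace:
            subscriber.state = "quarantined"  # only the remediation intranet from here on
            return "quarantine"
        return "wait"
    return "none"


def recertify(subscriber):
    """Subscriber attests the machine was cleaned: move back to the general network."""
    if subscriber.state == "quarantined":
        subscriber.state, subscriber.warned_at = "normal", None


def permitted(subscriber, destination):
    """Access-control decision: quarantined subscribers reach only the remediation hosts."""
    if subscriber.state == "quarantined":
        return destination in REMEDIATION_NET
    return True


if __name__ == "__main__":
    print("bot-like:", bot_like_subscribers(build_sample_flows()))
```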
The whole idea reminds me of "Data Execution Prevention": http://en.wikipedia.org/wiki/Data_Execution_Prevention and "restore points", etc.. :rolleyes:
yeah, that worked great
Sounds like they're chasing their dream of dictating what you install & run on your PC, and who is "allowed" to connect to the internet. Think we all know where they can stick that certificate.
Good to see that almost no-one on here has any confidence that the ostensible purpose of this suggestion is the real one.
This time it's gonna be different, trust me.
I have discovered a truly marvelous proof of killer sig, which this margin is too narrow to contain.
We should promote a policy that any Windows systems that are not fully patched be automatically upgraded to run Linux. That nicely solves the problem of them joining botnets and means that MS doesn't ever have to worry about those systems again. MS shouldn't care because they've already made all the money they are getting from these systems anyway (since the owners have demonstrated that they are not going to ever pay for an upgrade). This way, older systems would eventually all convert to Linux, a much safer thing for the internet.
And this idea blows up as soon as spammers/phishers/bot herders just start building fake "your computer has been infected" homepage redirects that take clueless users to their own fake "here's the tools you need to install" page.
There is no software in the world that will cure stupid.
The Digital Sorceress
Deny internet access because you're not fully patched? That's never going to fly!
In several regulated fields (such as for medical software) you can't install a patch before testing the regulated software on a patched test system. If the tests pass, then you can install the patches on the production system.
They expect us to run a battery of tests every time MS releases a patch just so the system can keep its internet access?
~Syberz
Systems like these already exist from vendors like Cisco and Trend Micro. Besides.. My PC is already protected with Antivirus 2009 and Windows reports that I'm fully protected!
Something like six years ago... It essentially sat between the DHCP server and the client, requiring that you had a certain patch level and virus protection/firewall settings before you were allowed on the network. Seemed like about as much of a pain as most security products are, but it worked for the general case. Malicious people could still bypass it, but if random marketing guy plugged in his vulnerable laptop it generally kept it from infecting anything.
ENDFORCE was the name of the company then, but there were other competitors out there.
I believe that the capability already exists in Active Directory to isolate systems that do not pass muster when it comes to security patches and a recent malware scan showing the system to be clean. All that is required is for ISPs to mandate that their users be joined to an AD forest maintained by the ISP in order to get "full" internet service. If your system fails the security checks, it gets shunted to a walled off network where the only thing you can do is download WSUS updates and antimalware definitions updates and removal tools, until such time as you have installed them and can recertify that your system is safe to be on the real network once again.
It's already here, in terms of capabilities; it just remains to be implemented. There are plenty of business and political obstacles to that happening in non-corporate environments like residential ISPs, but my hunch is that it's all but certain it'll just take a cyber-9/11 event to get the necessary laws passed to overcome those obstacles.
You see? You see? Your stupid minds! Stupid! Stupid!
A network protection scheme doesn't have to verify that Macs, ubuntus etc etc are "compliant", because those are noise in the signal as a percentage of customer endpoint equipment. A network protection scheme has to keep people who want to continue running MS stuff up to date and patched. It doesn't have to keep windows power users from getting on the internet if they can read about registry hacks or whatever,
If this is client-side, what stops malware from performing those same "registry hacks or whatever" automatically on behalf of the user?
Good idea, but will still fail....because, once the culprits who write the malware know what the certs are, and how to fake or manipulate them, we are just back to square 1. I have said once before, the main spam problem can only be rectified one way...by charging per email, .01 cent! with a cap of about 50$. That's it, your ISP provider will send you off a bill at the end of the month, of which if you hit 50$, you know you are infected seeing as you have not sent any mail, you will disconnect yourself, and bring your pc to a tech who will clean it for you, or install legit windows for you, and then you will be back on the internet.
Once back on the internet, if it happens again, you will know next bill. Not only will this help pay the ISP for all the bandwidth they are losing, but also make it impossible for spammers to spam legitimately....it would be too expensive, and the reason most malware exists is to send spam, so if you block the spam, then there is not much profit to be had if you can not send your emails, or are disconnected from the botnet.
I guess that if my ISP's servers ever got infected, then either they would cut themselves off the internet or the backbone to which they are connected would do that for the rest of the world? All ideas of disconnecting people from the internet because they are "infected" are trash. We're only treating a symptom of a problem: lack of security in application development.
Well this is a great idea (replete with sarcasm), well at least for Microsoft to regain control over the whole PC market. They would get to decide whose PC is worthy of Internet access. WOW, Wonderful, Robotic Overlords, who needs them when Microsoft gets to say who can access what. Hm why am I seeing a requirement for access being Windows running on the machine?
Kosh: "Understanding is a 3 edged sword, your side, their side, the Truth."
Nothing particularly new under the sun, and then it's just the MS way... They've been incorporating this kind of thing for quite a while now. About a year ago, I attended the official MS cryptography class 2821A, aka PKI environment managing and setup. The tutor was a very bright guy, great instructor AND seller of MS-related stuff. He was also kind enough to share that some of the bleeding edge stuff they were currently doing was just like what the article announces. The weird part? It was done in Kosovo of all places on the face of Earth... It begs to differ but this reminds me of the opportunities that disaster capitalism offers to, hm, MS innovators. Being able to implement a Layer 1 or Layer 2 discriminatory network that doesn't let a single PC plug in to a simple router and get on the network without all the patches to the OS and the Antivirus soft already present - whoa, that is a whole new level of paranoia. But yet again, it was work done for their banking and financial systems - literally being recreated from scratch, that recently had to bleed some upper management staff, due to misappropriations and money laundering. Given the ripe atmosphere of rogue lawlessness, no wonder those boys didn't want to share the pie with some - with any - script kiddies. ;)
Now, Make Your WISE Move...
If you're deemed unworthy and internet privileges revoked... how does one get the required updates and patches to get back online? I presume they - the ISPs - would allow you access to certain websites like windows update or mcafee patch central (whatever it's called) - so how do you get on the list of allowed sites? who controls that list?
I find myself wondering exactly what it should take to get a "health certificate" for any system that could operate as a NAT router.
How frequently should health certificates be rechecked?
You'd need the active equivalent of an SSL session with every device to make substituting your real computer after validation at least a little harder, maybe even as hard as it is to crack DRM now.
That's for people who want to plug arbitrary devices onto the Internet. Auntie chatting and tubing and filling out marketing surveys would have to stay current on whatever OS could get a key.
As always, all IMO. Insert "I think" everywhere grammatically possible.
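The comments above circle around the mechanics a "health certificate" scheme would need: a walled-off remediation network that only reaches update servers, a recheck interval so a certificate does not stay valid indefinitely, and some binding so a certificate issued to one machine cannot simply be replayed from another. The following is an added example written for this page, not code from Microsoft, any ISP, or the paper under discussion. The issuer key, device ids, claim names and policy thresholds are all constructed, and an HMAC stands in for the PKI signature a real scheme would use.

```python
import hmac
import hashlib
import json

# Constructed issuer key: stands in for the signing key an ISP or vendor would hold.
ISSUER_KEY = b"constructed-demo-issuer-key"

# Constructed policy thresholds (assumed values, not from any real scheme).
MAX_CERT_AGE_SECONDS = 3600        # a certificate must be re-attested at least hourly
REQUIRED_PATCH_LEVEL = 20101020    # constructed "current" patch baseline


def _canonical(claims):
    """Canonical JSON so issuer and verifier MAC exactly the same bytes."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_certificate(claims, issued_at, key=ISSUER_KEY):
    """Issuer side: bind the health claims to an issue time and sign them.

    Note the limitation one commenter raises: the signature proves what the
    issuer attested, not that a self-reporting client told the truth.
    """
    body = dict(claims, issued_at=issued_at)
    sig = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def verify_signature(cert, key=ISSUER_KEY):
    expected = hmac.new(key, _canonical(cert["body"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["sig"])


def classify(cert, device_id, now, key=ISSUER_KEY):
    """Enforcement side: decide which network zone the device lands in.

    Zones: "full" (normal access), "remediation" (update servers only),
    "recheck" (certificate too old, re-attest first), "quarantine" (no access).
    """
    if not verify_signature(cert, key):
        return ("quarantine", "signature invalid")
    body = cert["body"]
    if body.get("device_id") != device_id:
        return ("quarantine", "certificate not bound to this device")
    if now - body["issued_at"] > MAX_CERT_AGE_SECONDS:
        return ("recheck", "certificate expired; re-attest")
    if not body.get("malware_scan_clean", False):
        return ("quarantine", "malware detected")
    deficiencies = []
    if body.get("patch_level", 0) < REQUIRED_PATCH_LEVEL:
        deficiencies.append("patches")
    if not body.get("antivirus_running", False):
        deficiencies.append("antivirus")
    if not body.get("firewall_enabled", False):
        deficiencies.append("firewall")
    if deficiencies:
        return ("remediation", "missing: " + ", ".join(deficiencies))
    return ("full", "ok")


def run_demo():
    """Constructed walk-through: one healthy certificate and the main failure modes."""
    t0 = 1_287_500_000  # constructed issue time (seconds since the epoch)
    healthy = {
        "device_id": "dev-0001",  # constructed device identifier
        "patch_level": REQUIRED_PATCH_LEVEL,
        "antivirus_running": True,
        "firewall_enabled": True,
        "malware_scan_clean": True,
    }
    cert = issue_certificate(healthy, t0)
    results = {"healthy": classify(cert, "dev-0001", t0 + 60)[0]}

    # Checked long after the recheck interval: the device must re-attest.
    results["expired"] = classify(cert, "dev-0001", t0 + 2 * MAX_CERT_AGE_SECONDS)[0]

    # Replayed from another box: the device binding fails.
    results["wrong_device"] = classify(cert, "dev-0002", t0 + 60)[0]

    # Claim edited after issuance: the MAC no longer matches.
    tampered = {"body": dict(cert["body"], patch_level=REQUIRED_PATCH_LEVEL + 1),
                "sig": cert["sig"]}
    results["tampered"] = classify(tampered, "dev-0001", t0 + 60)[0]

    # Clean but out of date: shunted to the remediation zone, not cut off.
    deficient = issue_certificate(
        dict(healthy, antivirus_running=False, patch_level=REQUIRED_PATCH_LEVEL - 1), t0)
    results["deficient"] = classify(deficient, "dev-0001", t0 + 60)[0]

    # Scan reported malware: quarantine.
    infected = issue_certificate(dict(healthy, malware_scan_clean=False), t0)
    results["infected"] = classify(infected, "dev-0001", t0 + 60)[0]
    return results


if __name__ == "__main__":
    for case, zone in run_demo().items():
        print(f"{case:13s} -> {zone}")
```

The ordering in `classify` matters: signature and device binding are checked before any health claim is read, so a forged or replayed certificate never gets as far as the patch-level logic, and an expired certificate is sent for re-attestation rather than being trusted on its stale claims. The remediation zone is where the ISP's allow-list of update sites would apply; the example only labels the zone, since which sites belong on that list is exactly the open question raised above.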
I am surprised that ISPs haven't already built up terminal service farms and started renting out thin clients to grandmas. You get a thin client computer installed and setup by a tech, a fully managed desktop with most of the common software you need to get on the Internet plus they can sell you space to store your family photos. Grandma doesn't need anything more than a web browser, Office Online, and the Microsoft freebie sites. An ISP could do the same with an LTSP solution and Google Crome and Google Docs but it is just way easier to find people who have set up Citrix/terminal server farms. An even better solution would be thin provisioned virtual machines. If the ISP controlled so many of the computers I feel you would get that 100 Mbit link a whole lot faster. Back to the mainframe days. And yes, I know there are lots of barriers to this type of solution and it severely restricts grandma from running all the stupid apps she thinks she needs, but that is not the point. The point is why aren't ISPs looking to tap this market? It is there.
I like it. First Microsoft invents an OS that is easily infected with whatever plague one can invent, now they are trying to decide whether the system is defended enough. A number of products such as antivirus tools, firewalls etc are NOT properly recognized by Windows. The result is obvious - if you use, say, ClamWin which is free and NOT recognized by Windows, you will be blocked from Internet. I hope this idiotic proposal will make some people switch from Windows to anything else, more sane. The botnet problem has only one solution: exterminate Windows as a class, that's for a start. Microsoft was and is promoting the idea that any incompetent user should be able to use computers. Now we see the consequences of that.
It's not the viruses per se, but the user that lets them in the door. Are you using a mail client that defaults to HTML view and allowing JS to run? Do you click on that popup you've never noticed before that says your system is infected? Do you ever empty your temp folder (either system or user)? Do you have a decent system monitor (SysInternals procexp is good) to detect which app might be causing weird behavior? Do you ever look in the drivers folder, sys32 or other known hangouts of "potential bad guy" files? Ever check the registry (another plug for SI, autoruns can be quite useful) to see what's happening at startup?
This is a downward spiral. Some bright kid will make a patch to override M$'s disabling of the TCP stack. M$ will issue a patch to override that. Rinse & repeat. As usual, they're using a sledgehammer where a scalpel is preferred.
Perhaps Windoze should just incorporate Git & cron; every 5 seconds you make a hash of the hard drive, with 2 weeks of reversion available. Just click on the smiley-face & viri be gone! (Along with any recent emails, documents, installed apps. What price security?)
Oh, you *are* running the latest i7 with 16 gigs of memory on WinDoze, aren't you? Would be quite hardware intensive to keep up with such a frenetic backup schedule. Be prepared for a constant hourglass.
Then we have Intel building security into their processors, and Microsoft decides not to use it. A while later Microsoft and Intel decide native code writers cannot be trusted and provide system-wide controls to keep "non-managed code" from running.
Computers being certified to be free of malware is like hookers being certified to be free of STDs. The certification is good for a few minutes, and then you are back to square one.
The healthiest thing we could do for the Internet would be to ban all Windows machines until Microsoft can prove that their operating systems are robust enough to survive on the Internet. If Microsoft operating systems need anti-virus enhancements, I think Microsoft should pay for that. After several years of paying for Symantec, the anti-virus software has cost more than the computer did to begin with.
And of course what makes this even more scary is Microsoft's demonstrated ability to wag around the US Government and get whatever they want. The decision to store public data in a proprietary format continues to astound me.
And others here have mentioned the fact that a company that cannot produce a secure operating system should not be trusted to judge the health of anyone else's systems.
I have had a healthy computer since 1998 ... no virus checkers needed. My family has been running Linux since then for the Internet.
The first comment above is right on. Everyone would be best to abandon operating systems like Windows that can carry viruses.
Ian Soutar
Vancouver Island
I can see it now....
Me: "Hello Comcast, I have a problem."
Comcast: Give me the certificate number...
Me: I run Gentoo and emerged the entire world yesterday
Comcast: Sorry we only work on windows and I can now see that you used a P2P download -- the download police are on their way.
"Truth is stranger than fiction, but it is because Fiction is obliged to stick to possibilities; Truth isn't." -- Mark Twain