Slashdot Mirror
Microsoft Eyes PC Isolation Ward To Thwart Botnets
CWmike writes "In a paper published Wednesday (PDF), Scott Charney, who heads Microsoft's trustworthy computing group, spelled out a concept of 'collective defense' that he said was modeled after public health measures like vaccinations and quarantines. The aim: To block botnet-infected computers from connecting to the Internet. Under the proposal, PCs would be issued a 'health certificate' that showed whether the system was fully patched, that it was running security software and a firewall, and that it was malware-free. Machines with deficiencies would require patching or an antivirus update, while bot-infected PCs might be barred from the Internet."
I have a simpler pc health idea, stop installing the disease that is windows.
M$ should be bared from the Internet.
And who exactly is going to pay for this? If your system is not infected can you be exempted from a "monthly fee" or is it punishing everyone when Windows is the majority of infections? Maybe Microsoft should pay for it all?
Shh.
Every connected device will be mandated to have the bottom 64 bits of its ipv6 address store a pc health certification identifier which will link to their owner's unique citizen identifier. I told you this was coming...
If you want to model how our body recognises and deals with disease, you need to concentrate on whitelists, rather than blacklists. Vaccinations are similar to a community blacklist, but for most pathogens our own immune system can work out what things are appropriate to reject.
Ask me about repetitive DNA
This is a not-at-all-terrible idea that will ensure people are up to date with such security patches as WGA. Bravo, Microsoft, bravo.
If those darn pirates of our lovely and very safe OS that can't update due to our policy of finding income more important than safety on the web could be disconnected, we could make even more profit!
RUN NORTON OR NO INTERNET
If those are my only two choices, I'll take NO INTERNET please.
RIP America
July 4, 1776 - September 11, 2001
Can you imagine the hysterics if the government had proposed this! But it's a company, so I'm sure it's all OK.
There is no cure for stupid.
while bot-infected PCs might be barred from the Internet.
Or rather, machines that don't have the right "health certificate". You know, like ones running discontinued operating systems, or "unsupported" operating systems.
Seven puppies were harmed during the making of this post.
I don't think they are after linux but after XP equipped old pcs, whose users are more likely to buy a new pc if they have issues with "health certificates".
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
This would be really ugly for Linux, BSD, and possible OS X boxen, but I would expect Apple to play along while proclaiming that their certificates are better because they come stamped with a big shiny sticker.
Funny may not give karma, but +5 Informative never made anyone snort coffee out their nose.
If Microsoft or anyone else were capable of certifying a computer to be malware free, and being right about it, malware wouldn't be much of a problem, now would it?
File under "Dumb Ideas"
You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
computers don't get infected. Windows installations are usually the problem. Besides, I dont need no internet driving license
The best test environment is production. - Me
chrome://browser/content/browser.xul
They just want to lock out Open-Source OSes, which won't have such a procedure due to the fact that it doesn't use binary-only distros with checksums built into the low-level OS.
Where is the USDOJ when you need them to remind Microsoft about their recent trip down anti-trust lane? Not to mention a nasty little thing called "collusion" - whichever AV and PKI vendors are selected naturally benefit, and I imagine all the ISPs will have to agree to enforce this as well or suffer some consequence.
A framework like this makes two assumptions that spell doom for future innovation by free thinkers: Microsoft Windows on every consumer device that connects to the Internet and every device using "Microsoft approved/recognized security software." Not a bad approach at first blush since that describes a large part of the marketplace and at least 100% of the problem, but honestly - there are better ways to solve this than trying to fit the future Internet ecosystem into Ballmer's limited imagination.
Read the paper. Please. And look for it soon as a key exhibit at the next anti-trust action against Microsoft.
First; who will be administering this program? Under what authority could an organization possibly 'certify' systems that are located around the world?
Next; How often would these certificates need to be updated? Every time a vendor issues a new patch?
Third; What kind of crazy-ass DRM would be needed to keep folks from just spoofing the certificates?
Unfortunately, this is the kind of simplistic easy-to-follow proposal that our congress-critter really go for... yeesh.
Being anti-virus protected and updated sounds like a great idea until you ask questions like "which vendors of antivirus are excluded?" and "which updates will Microsoft push as critical that are just another piece of crapware or something that would break compatibility with something important to the user?"
Microsoft should be responsible. They should push out adblockers and javascript blockers. It makes browsing a lot safer. Oh no... commercial interests would be pissed and we know those interests are of more importance/significance than the end users are... remember Vista and all that DRM encumbered crap? We all know they had the consumer in mind when they did that.
Old SMS client -- System Management Console --- Is supposed to be automatically updated via sms push to the new client -- Configuration Control/Console or whatever.
I've seen computers fall off the 'good' list and onto the 'naughty' list quite frequently. They don't generally patch themselves and make it up to the 'good' list on their own...though that is specifically the idea. M$ hasn't gotten it right for the last decade...so obviously they are going to patent the process and make more money off other people that DO make it work.
Who is this that even the wind and the waves obey Him? Surely this computer must submit also!
Actually, I see it as a way to stop people from using pirated Windows. Oh, you can't pass the Windows Genuine Advantage (or whatever it is called these days), so you can't properly update your machine. Since your machine isn't updated, that means no internet for you. That would be a big disincentive to pirates everywhere.
I've been running since the early 80s, and have yet to have anything of that sort found on any machine under my control. Which is more than I can say for the networks I've seen "protected" by the major security vendors, every single one of them has regular problems with malware infections. So, when Microsoft can show me a network that's been running under their system for say 5 years with no machine on it ever needing to be cleaned of malware, then I'll take their recommendations seriously. Until then, well, I'll stick with the procedures and policies that've given me a 25+-year clean track record.
Oh, and one of those policies? No Microsoft software unless absolutely necessary, and when necessary it's use should be heavily controlled and restricted to only those things it's necessary for.
Just coding a real OS, with real security, with real support?
Copy what works in OS X, Linux, Unix and any bespoke or research OS.
Put all that wasted outside effort into a new clean MS OS, port/code over the Office/productivity/games and release low cost consumer dev tools.
Like a big console for todays next gen Intel/AMD/ARM based hardware.
As every product is an app and gets 'tested', most of the basic legacy MS malware should be cleaned out.
Drivers are written for the OS under strict new testing and NDA controls.
A shorter list of new hardware. No more "Linux" ports or other strange license options, quality DRM is a must. Apps can be free (code free so the young can learn to make apps and later earn from their efforts in the MS way), small cost or consumer/prosumer ect.
Call it MS ~ Newstart, add the new "BIOS" efforts so it starts real quick.
Add some subsidised Youth Allowance and MS Study so the young and university staff can be guided into code and app development.
For countries with populations where cash flow is still an issue, roll out MSAid ~ MS Agreement for International Development.
Well funded local community plans to ensure the generational use of MS products.
Domestic spying is now "Benign Information Gathering"
It seems like most everybody doesn't understand (or notice footnote 14 on page 5) that, in order for this to work, all the subject devices must have trusted processing capability. That means "TPM" chips, signed OS kernels / hypervisors, and the inability to run untrusted root-level code. Take a second to laugh at the idea that anyone will be able to introduce a bug-free hypervisor / TPM environment that can't run unsigned and untrusted code. After you're done laughing at that I'd recommend being angered at the notion of such a thing, since it will effectively eliminate control of the devices owned by consumers.. turning every device with a "clean bill of health" into a walled-garden appliance. As long as consumers own and control their general purpose devices there will never be a way to do what this paper describes. Frankly, I'm alright with that. We'd do a lot better to just assume that every device is untrusted and act accordingly.
The Attitude Adjuster, I hate me, you can too.
At least in the U.S. it's hard to see how MS can justify anything because of pirates. Unless you build your own PC you are paying for Windows anyway. Even if you specifically look for a prebuilt PC without Windows it's hard (it is a small fraction of the market) to find one where you don't pay for Windows whether or not it's already installed. It is a travesty how hard they make it for legitimate users to reinstall Windows.
:) ) and then one day came up with the WGA crap. He typed in his valid COA key on the bottom and Vista rejected.
In countries where MS doesn't already have a contract to license Windows for every PC sold by a company it's hard to argue that people would pay for Windows separately if they couldn't pirate it.
My roommates laptop came with Vista Home. It has a COA key sticker on the bottom. Unfortunately he didn't make a restore disk before his computer crashed. He got a Vista Home CD from a friend. It installed fine(fine meaning I had to find wireless drivers that would work. Ubuntu sees it out of the box
Now I have a few options to help him.
Call MS for support I should never need to activate a valid license.
Install a cracked version of Windows
Give him another reason to use Linux.
Why would MS even create a situation where 2 and 3 look like the least hassle? In the many closed vs open debates that go on here I often see people ask why anyone would complain about a system that is closed and marketed as such. I don't care how it's marketed closed proprietary systems are bad for technology and society. No matter how you market cigarettes they are bad for you. No matter how you market closed proprietary systems they are bad for society. Won't anyone think of the children? Our culture is being DRM'd, manipulated, and controlled by the golden calf instead of by people.
"... while bot-infected PCs might be barred from the Internet."
So, with the three Windows computers left on the Internet after this happens, I wonder what it'll be like...
I often find the internet vital to download the latest updates to programs like Spy Bot, how am I going to do that (and get rid of the infection) if my computer is banned from the net?
At an ISP level, it wouldn't be just the infected machine.
And what about wireless hot spots?
=================
Unix is very user friendly, it's just picky about who its friends are.
Not quite. Vaccinations are mandatory in several situations. Some jurisdictions require them for public health workers, police and first responders, etc. And I think almost all schools require them.
Here's a good stupid story about required vaccinations. Last winter I had an academic hold placed on my record because I never bothered to provide evidence of a measles vaccination. Apparently being enrolled in an online-only program, and not being within a thousand miles of the campus in 40 years doesn't mean I'm not a terrible threat.
John
Sorry, but Microsoft lost my trust more than a decade ago. Microsoft is like an abusive boyfriend who says "Trust me - I've changed, this time is really different ..."
The only right response to both is "Drop dead!"
-- Barbie
Why in the devil do you have ssh available to the world?
I almost automatically moderated this up, but decided instead to respond.
ssh is Secure Shell. It is supposed to be a secure method of accessing a system (remote or otherwise). It does this job well.
So well, in fact, that there are computers out there whose job it is to bounce username/password combos off machines, slowly, in order to attempt to compromise them. Some (most?) of these machines are simply poorly secured systems that have been previously compromised, and are now doing the bidding of an outside force. Many of these "compromised hosts" can act in concert, spreading the attacks out not only over time, but also over IPs, making them difficult to detect and/or block.
One solution is to watch vigilantly for these attacks, and block the IP addresses of those machines from your ssh port, or (as is more common) to block them from touching your network at all. Those machines will get lonely, eventually...
Another solution is to implement some other form of security, either replacing the default security (using ssh keys instead of passwords, for example), or augmenting (read: hiding) it (using port-knocking, non-standard ssh ports, etc). These methods can be combined, to make an even more secure system.
Unfortunately for all of these methods, the average user is unable or unwilling to perform them, due to complexity. Unfortunately for all of us, the moment it becomes simple enough for the average user to figure out (and thus use) these methods, there will be an exploit that attacks the newly-simplified access method.
In short, having sshd open to the world, on the standard port, is probably an indication that a system can be broken into more easily than one which does not appear to be running sshd on the standard port. This really says not much about the security of the system itself, and the only reason to secure your ssh more than the default configuration already is (valid username/password required) is to keep from having huge log files full of failed attempts to crack into your system.
Personally, I use a combination of several of the ideas I offered above, because I am lazy and hate reading logfiles, especially when it seems critical that I must do so (30 attempts to crack my ssh key in an hour? bad monkey, no cheeto!) It is much easier, less stressful, and not time-consuming in the slightest to have my firewall simply drop all packets destined for port 22.
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
This is another episode of Microsoft's security theater. While they'll portray this as making Windows more secure, it actually won't have much, if any, real benefit (a la UAC), and is actually designed to stifle other operating systems.
Apple, Oracle, and other big OS vendors will be given the opportunity to buy their way on board, but all the small players, including Linux distros, will be shut out.
I have a saying about Windows, and I've been accused of trolling with it: Windows is designed to be sold, not designed to be used.
By sold, I don't necessarily mean the retail box sale or the initial rollout of a service contract, I mean every dollar and minute spent to maintain Windows as well. From your tech-illiterate uncle taking his PC to Geek Squad, all the way to this blatant (to the people who know what to look for) extortion scheme.
Microsoft created all of these issues. They know it's not profitable to actually solve them.
In the old days, before Microsoft had all that DRM garbage, people would build a few machines and install the same copy on all of them. In the 90s (and moreso the 80s) it was standard operating procedure. People figured it was ok, you paid for the software after all. So Microsoft started doing the DRM stuff, learned how to write better EULAs, and a few vendors got together and gave employees an incentive to rat out their ex-bosses to the BSA, and suddenly it wasn't ok to install one copy on multiple computers. Strange how norms change.
Qxe4
Every single time I see the stupid little popup telling me my Windows machine is possibly infected, I click on it.
WHAT ELSE DOES MICROSOFT WANT FROM ME?!?!
"A government is a body of people usually -- notably -- ungoverned." -Shepherd Book
I do remember that. Security is an ongoing process. The difference is that the metamail problem wasn't a deliberate design decision ignoring a loud chorus of NOs. It was also fixed rather than stubbornly maintaining that it's the way of the future.
Mistakes happen. They're made all the time. It's refusal to admit it was a mistake in the face of a mountain of contrary evidence that creates the real problems.
But yes, not making that particular huge mistake doesn't mean we get to go to sleep now.
I only showed my daughter's vaccination in grade school. She and I both went through middle, high and college without having to show. I have never in my life shown vaccination proof for a job. Other than grade school, you're blowing it out your ass.
I don't keep my systems "up to date". The system I'm posting this from is still on XP SP1. And there is a good reason for that. I've only ever had one problem with anything that I got from the Internet. That one thing was a "Microsoft Security Update" that apparently managed to rewrite my NIC start-up parameters (all modern NICs have flash memory) in such a way that any OS that trusted the NICs start-up settings would be unable to use the interface. And guess what, Windows didn't trust the start-up configuration stored in the NIC but Linux did!
After that experience I decided that I was better of not trusting Microsoft to not deliberately muck up my hardware any way that they could. Of course, many others have suffered other ways in adopting Microsoft patches, or even have them forced on them without consent. I'll continue to trust my own ability to defend against the bad guys on the Internet, as far as I'm concerned Microsoft is one of the bad guys.
I still have a no longer supported copy of Win98 running on one system, quite happily and safely. I'm sure that Microsoft would love to pop up a message saying that since they no long want to support my old OSs that I can't use them to connect to the Internet any longer.
I'm an American. I love this country and the freedoms that we used to have.
Well, I might have a way, but it only works on a semi spherical planet in a vacuum.