Microsoft Eyes PC Isolation Ward To Thwart Botnets

CWmike writes "In a paper published Wednesday (PDF), Scott Charney, who heads Microsoft's trustworthy computing group, spelled out a concept of 'collective defense' that he said was modeled after public health measures like vaccinations and quarantines. The aim: To block botnet-infected computers from connecting to the Internet. Under the proposal, PCs would be issued a 'health certificate' that showed whether the system was fully patched, that it was running security software and a firewall, and that it was malware-free. Machines with deficiencies would require patching or an antivirus update, while bot-infected PCs might be barred from the Internet."

A better PC health idea

[h4rr4r]

I have a simpler pc health idea, stop installing the disease that is windows.

Re:A better PC health idea

[Moryath]

While your response was flip, I can see a number of ISPs - who already have policies of "sorry all we support is Windows" if you call in because of trouble on the line, and who have script-following Indian monkeys who will demand to know your OS before talking about anything else to replace ACTUAL customer service - using this at Microsoft's behest.

"Ohh, sorry. You're running OSX or Linux? We can't scan those for their patches so we're just going to block you off. Come back when you have a nice Win7 box. Oh, you signed a contract for a year of service? If you read the 4-point fonted small type on page 37 you'll see it clearly states in paragraph 18 line 3 that only systems with fully updated Windows 7 and an active virus scan package from an approved vendor such as Symantec or McAfee will be allowed access to the internet in order to keep the service trouble-free..."

Maybe Apple would be able to cry foul and get their systems allowed too, but home Linux users would pretty much be out of luck. And so much for anyone who responsibly has a home system with a hardware NAT and their ports properly firewalled too...

Re:A better PC health idea

[Jeremiah+Cornelius]

I tried to get the idea of "Network Access Protection" for the Internet on the agenda, at Microsoft, for 2 years. We already had the client mechanisms for evaluating health-status, and the signed messages for communicating that status.

  I was working with big eCommerce and online finance companies. In my proposal, enforcement would be at site logon. Infected machines could not access account services or cart/profiles, etc. They'd get a re-direct to a clearing-house that would disassociate the online brand from the notice of infection. That protection site would have remediation resources.

In the end, we had some great discussions - but MS can't execute - and no one trusts 'em.

Now, Charney waves this thing around. AND WANTS ISPs TO BLACKHOLE clients! Way to go. I see this as another stealth control measure to create a defacto model for denying service. Today, it is a ZeuS infection - tomorrow an HDCP patched player or WikiLeaks cookie.

You get the idea. Stuff this genie back into the bottle.

Re:A better PC health idea

[postbigbang]

They've been championing 'network admittance control' for a long time. It's pretty difficult to do, especially in a heterogeneous OS network. Add smartphones and other possible attack vectors, and it's nigh impossible.

Yet it's a nice idea to block machines that probe servers on ssh ports with logon names like 'oracleadmin' and so on. Isolating suspect systems has to be coupled with a method to vet systems, and therein lies the rub. Unless you use pattern matching to watch system traffic for phone-homes and wierd characterizations, it's simply too tough to get anything but a homogeneous (read Microsoft clients only) network intrusion detection system to work.

Re:A better PC health idea

[jc42]

I have a simpler pc health idea, stop installing the disease that is windows.

Except that if you aren't running Windows, your machine will be declared totally infected and not allowed any access at all.

Remember that it'll be Microsoft software doing the checking.

Re:A better PC health idea

[postbigbang]

I double dog dare you to vet a wifi-connected smartphone. No bases covered *at all*. Your idea only works on flat networks, rather than multi-tiered, as well. It isn't as easy as it looks.

And when you get close, your help desk lines light up with people that can't get logged on because you set your criteria too tightly and they don't have remediation for their Ubuntu 10.10.... or even their freaking Macs. The whole rubric here is to sell more Microsoft stuff underneath the perceived goodwill proffered by trying to vet then shackle machines whose state is unknown.

Re:A better PC health idea

[Jeremiah+Cornelius]

"Microsoft only clients" pretty much adequately describes the malware-bearing portion of the Internet!

You only need to block access to a protected resource - who's management ELECTS this level of defense.

The real play is NOT to protect the Online Bank or Payment Portal.

It is to create a "forcing function" by which the customer remedies his client - also to helpfully cooperate on making those remedies accessible.

Why? Because Internet business models rely heavily on trust and reputation. As occurrences like "account takeover" and fraudulent transactions become more common, consumer trust in online modes for business and commerce will erode.

Your AmEx's, Amazon's and Turbo Tax's (Names from a hat - not my customers) are vested in margins that are supportable through online delivery. Their CSOs are charged with not only safeguarding their own applications and infrastructure, but mitigating the negative effects of client vulnerability on the online business model. This is a big enough problem that it drives enterprises together, at the CSO and CTO levels. They want a solution that raises the general level of trust and confidence in Internet uses.

They all see this as a problem with Microsoft - if not at fault - at its hub.

Now, Corporate Microsoft wants to use this reasonable, cooperative approach to deny service in the broadest possible way. In light of this week's failure of the Internet blacklist bill (COICA) to be ratified, without vote, in committee? I smell an agenda.

Microsoft are just the stalking-horse for Congressional supporters of COICA to use: "See, if we don't act with responsible legislation, then Industry will take the matters into its own hands!"

Trust me. I have seen how these guys work.

Re:A better PC health idea

[postbigbang]

Ah, were it true. While I follow your logic on COICA, it's not just Microsoft whose software can be swiss-cheesed, given enough attempts.

Today, one of my servers was under attack. I sent complaints to vsnl.in and their abuse and postmaster accounts bounce. No one is at the switch... or perhaps they're sleeping. So I tried to characterize the attacker. It's a Linux box running an old version of CentOS. As I write this, it's dutifully trying to logon with single letter logon names.

Yet Microsoft Windows users represent not just the statistically largest attacking surface, but the one with the most plentiful cracks that have botted machines. Bots come in all sizes, shapes and characterizations. They're not exclusive to Microsoft, just the most statistically significant.

There are better ways to prevent attacks, and better kill switches to partition-out attackers. We just have to agree on how to deploy them, rather than give the enemies of genuine freedom the tools to kill the friendlies.

Re:A better PC health idea

[bloodhawk]

isolating different machines has never been a problem, the problem is that isolation is not what people are after, they want to read documents and access their apps on their portable devices, they want to use whatever they prefer external to the organisation and still have their connectivity. isolating and blocking is easy, safely permitting is the problem here.

Re:A better PC health idea

[postbigbang]

Sounds good on paper.

Now user Magee needs to access his email on his iPad. First, there's the pop3 account. Then there's gmail. He surfs. A complex page cites more than a dozen (often dozens and dozens) of other IP addresses.

You gonna shut him down? I don't think so.

Re:A better PC health idea

[technos]

They've seen the horrible uptake numbers from Vista continue with Windows 7.

Step 1. Convince everyone to get behind the idea of black-holing insecure or infected machines.
Step 2. End support for all versions of Windows other than the current.
Step 3. Wait for a new remote vulnerability in older versions.
Step 4. Refuse to patch the issue.
Step 5. Profit as everyone either has to buy a new PC or a newer operating system to access the internet.

Just think about it. Something like two thirds of machines running a Microsoft operating system are still running the end-of-life Windows XP.

Re:A better PC health idea

[DAldredge]

Windows 7 isn't have "horrible uptake numbers" It is actually doing very well.

Re:A better PC health idea

[Moryath]

Obviously not an American ISP.

Re:A better PC health idea

[Your.Master]

After three years? Are you posting from a time warp? Windows 7 general availability was October 22, 2009. It hasn't even been 1 year. And yet its install base is about a third of a product that has been on sale for almost *9* years, of which for less than 3 of those years there was another OS product (which did not do so well in the marketplace).

Even if you decided to change the subject by combining Vista and Windows 7, they combine to well over 1/3 of XP's marketshare in well under 3 years.

So let's replace that by something that makes more sense:

"Failing to replace more than a third of a previous OS product before 1 year".

I'd say that this does not contradict doing well *at all*.

Re:A better PC health idea

[bmajik]

Well, I'm a MS employee, and on my machines joined to the relevant company domains, they _do_ have NAP and it does wreck your day if your machine isn't compliant. Maybe there's a way around it. Maybe there isn't. I've never bothered to look because I just want to get my job done.

As part of the "security push that never ended", that led to XPSP2 and all of the "we thought a little about security for a change" work that MS has done since, there was finally a shift in opinion internally.

The people at MS who _had_ been thinking about security usually stuck to the immutable laws, and were continuing to think about things in absolute terms, i.e. "well, they can get root, so all bets are off"

But what changed was that someone got practical instead of ideological and said, "look, the 80 hojillion windows PCs out there don't need absolute protection against a supreme attacker with infinite time. If they could get _basic_ protection against what's getting them 80% of the time, that's progress"

And so I think you need to think about NAP and most future MS security efforts in the same way. There may not be a way to keep the most brilliant / lucky / dedicated attacker from succeeding once. But there is almost always a way to keep inelegant attacks from being successful widely and repeatably. And the #1 problem on the public internet right now is NOT all of the high profile deep penetrations against single well researched targets, it's the legions of automated remote-compromises that turn Grandma's PC into a botslave.

A network protection scheme doesn't have to verify that Macs, ubuntus etc etc are "compliant", because those are noise in the signal as a percentage of customer endpoint equipment. A network protection scheme has to keep people who want to continue running MS stuff up to date and patched. It doesnt' ahve to keep windows power users from getting on the internet if they can read about registry hacks or whatever, it has to point windows neophytes at a black-holed page that has all the patches and scanners and removal tools they need to get healthy before they go out to play for the day.

In summary: the point isn't to create Sauron's eye. The point is to tell people to put on their seat belt.

Re:A better PC health idea

[mysidia]

however you can restrict it to known-good hosts

That's no good, when you need to connect to your machines from your laptop in the hotel room or coffee shop wireless.

Remote management technologies are for remote management.

Of course public key / certificate based authentication is the proper mechanism to use for remote access using SSH, and you need the server's public keys pre-installed on your client as well.

But it really does no good to limit SSH to known hosts, when you actually can't know what IP address you will be accessing from a-priori.

Re:A better PC health idea

[gmack]

Look at who authored that paper and who proofread it and Guess again.

Why do the IPTV and Media center people have such a large say in this? It's real goal is to force TPM down our throats. This is about protecting media companies from pirates rather than protecting the internet at large. The fact that this plan edges out alternative Operating Systems is just a side benefit. No certificate, no access and where would I get a certificate for my Debian Workstation?

If this were about Network Protection Microsoft could simply enforce this locally on the PC and not worry about the network. No patches? No access to anything but Windows Update. Simple and doesn't involve any changes to network infrastructure.

Pay for it?

[headkase]

And who exactly is going to pay for this? If your system is not infected can you be exempted from a "monthly fee" or is it punishing everyone when Windows is the majority of infections? Maybe Microsoft should pay for it all?

Re:Pay for it?

[X0563511]

Perhaps it's MS that should be cordoned off from the net at large...

Oohh, doesn't sound like such a good idea now, does it MS?

IPV6's Killer App!

[TheNarrator]

Every connected device will be mandated to have the bottom 64 bits of its ipv6 address store a pc health certification identifier which will link to their owner's unique citizen identifier. I told you this was coming...

Modelling real disease?

[gringer]

If you want to model how our body recognises and deals with disease, you need to concentrate on whitelists, rather than blacklists. Vaccinations are similar to a community blacklist, but for most pathogens our own immune system can work out what things are appropriate to reject.

Re:Modelling real disease?

[girlintraining]

Sigh. They don't want vaccinations. They want their client base spending money on half-baked security solutions. So in addition to the license, you have to pay for a certificate, pay for software certification (goodbye open source), pay for the software, pay for the bandwidth to keep your system online all the time, pay pay pay pay pay....

And nothing will change except you'll be paying more.

Great idea!

[Legion303]

This is a not-at-all-terrible idea that will ensure people are up to date with such security patches as WGA. Bravo, Microsoft, bravo.

Re:"Running Security software"

[AnonymousClown]

RUN NORTON OR NO INTERNET

If those are my only two choices, I'll take NO INTERNET please.

Gov vs Corp

[Dutchmaan]

Can you imagine the hysterics if the government had proposed this! But it's a company, so I'm sure it's all OK.

Re:Gov vs Corp

[Alsee]

Can you imagine the hysterics if the government had proposed this!

I regret to inform you that the government has been proposing this every year for at least the last ten years.

It seems to have disappeared from the internet, but I saved a copy of a PDF from the December 4&5 2001 Global Tech Summit in Washington D.C. It contains the keynote speech from Richard Clarke, Special Advisor to the President for Cyberspace Security. He literally cited Osama bin Laden in his call to secure the internet. Here are some snippets from that keynote speech:

I think we need to decide that from now on IT security functionality will be built in to what we do, to the products that we bring to market.

TCPA, the Trusted Computing Platform Alliance, is an example of bringing hardware and software manufacturers together. But TCPA is not enough. It's a good beginning, but it's not enough.

It is not beyond the wit of this industry to figure out a way of forcing down patches.

ISPs and carriers can insist that when cable modems and DSL hookups are made, firewalls are installed. It is not enough for an ISP or carrier to say, oh, and by the way, you might want to think about a firewall.

If you check the PDF on this story, the plan is explicitly based on TPM Trust Enforcement Chips being built into computers as part of forcing down these patches and controlling internet access. "TPM" is the modern name for TCPA.

The US Government has been pushing this crap harder and harder each year in the "National Plan to Secure Cyberspace" and the plans to "Secure the National Information Infrastructure" and in every other Capitalized Plan And Policy And Strategy Regarding The Internet. The government has been funneling tens of millions of dollars of grants every year into developing this crap. Starting in 2006 the US Army mandated Trust Enforcement Chips be included in all new computer purchaces, I think(?) this policy been science extended to all military computer purchases, and the government has been seriously discussing making it mandatory for all government computer purchases. The really fun is that the explicitly stated purpose for this government policy. The purpose is to use government buying power to fund and manipulate the manufacturing industry. The declared purpose is fabricate a commercial demand to ramp up production of these chips, and for these chips to be included by default in ALL new consumer PCs. The government has been increasingly pushing this agenda in international relations and in bodies under the UN. Unfortunately the European Union has, if anything, become even more eager than the US in their grand plans to in promoting the new Information Economy and the new Information Society. Yay for more Capitalized Plans from our European brothers. There has been increasing activity from all parties on plans for instituting Internet Governance. It's interesting to note that the world's most repressive regiems are most enthusiastic. They are just drooling over the surveillance, control, tracking, law enforcement, repression, and censorship that comes along with locking down computers and locking down the internet internet access and internet communications.

Just to link a single example of recent government work product, Slashdot reported on White House Unveils Plans For "Trusted Identities In Cyberspace" from the President's Cyberspace Policy Review. And lets have a Capitalized Yay for the Capitalized Identity Ecosystem it wants impose on us. If you actually get down into the proposal it is the same crap to lock down our computers with these Trust Enforcement Chips. Not only can these chips preform Health Checks to grant or deny you access to the internet, these chips will lock down our digital identities and manage our privacy. If you read the fine PDF in that link, page 4 has an "Envision it!" box explaining how this Identity

Further proof

[Darkenole]

There is no cure for stupid.

Microsoft's real motive

[Dunbal]

while bot-infected PCs might be barred from the Internet.

      Or rather, machines that don't have the right "health certificate". You know, like ones running discontinued operating systems, or "unsupported" operating systems.

Re:Microsoft's real motive

[cgenman]

I'm sure Linux and other systems will just spoof the certificate.

Which brings up the bigger question of "how do you supply a health certificate?" You can't expect the computer to respond properly, because any virus would just spoof the right answer. You *might* be able to have the local machine certified by a remote machine, but IP addresses change constantly, and then it's just a question of spoofing to the certifying machine.

On a practical scale, how can this even work?

Re:Microsoft's real motive

[Dr_Barnowl]

This comes from the MS Treacherous Computing group, so spoofing the certificate may not be easy.

A certificate would be composed of a hash of all your critical OS components, constructed and signed by the TPM chip on your motherboard.

This would be a form of Remote Attestation. MS, and their real customers in the media cartels, would love to get the thin end of this wedge into Windows, because it would mean that you could e.g. provide streaming media servers while being sure that the client is an official approved client, running an approved software stack that hasn't been tampered with to do naughty things like dump the stream to disk.

Using it to keep virus-infected machines off the internet is just a piece of spin - the real reason for wanting this is the usual - a general purpose computer is a powerful tool, and many powerful interests feel nervous about them being under the full control of their owners.

Re:ahem

[marcello_dl]

I don't think they are after linux but after XP equipped old pcs, whose users are more likely to buy a new pc if they have issues with "health certificates".

Re:WTF

[The+Archon+V2.0]

M$ should be bared from the Internet.

Why do you make me think of naked Ballmer? What did I ever do to you?

File under "Dumb Ideas"

[vtcodger]

If Microsoft or anyone else were capable of certifying a computer to be malware free, and being right about it, malware wouldn't be much of a problem, now would it?

File under "Dumb Ideas"

Re:File under "Dumb Ideas"

[MightyMartian]

Not if the core idea is to cripple any competing operating system by depriving them of Internet access, under the guise of "security".

Re:File under "Dumb Ideas"

[by+(1706743)]

My alma mater did this, and it seemed to work out quite well -- any MAC address which had been shown (by their free Mac+Windows utility) to have run the anti-virus scanner (included in the aforementioned utility) was then whitelisted, and given access to the 'net.

Non-OS X *N?X users were automatically whitelisted (which also meant that any tech-savvy user could simply spoof running Linux to avoid running the utility).

Re:File under "Dumb Ideas"

[adjuster]

It's worse than that. The idea is to introduce pervasive and potentially legally-mandated "trusted computing".

Re:File under "Dumb Ideas"

[Sir_Lewk]

The whole point of the system is basically to require people that don't know better to run virus protection software, while staying out of the way of people that do know better. If you know enough to get around they system, then they are not particularly worried about you anyway.

My school did this as well (requires virus software for windows users, whitelists everyone else automatically) and it worked out rather well.

This is just a lockout for OSS

They just want to lock out Open-Source OSes, which won't have such a procedure due to the fact that it doesn't use binary-only distros with checksums built into the low-level OS.

Wow.

Where is the USDOJ when you need them to remind Microsoft about their recent trip down anti-trust lane? Not to mention a nasty little thing called "collusion" - whichever AV and PKI vendors are selected naturally benefit, and I imagine all the ISPs will have to agree to enforce this as well or suffer some consequence.

A framework like this makes two assumptions that spell doom for future innovation by free thinkers: Microsoft Windows on every consumer device that connects to the Internet and every device using "Microsoft approved/recognized security software." Not a bad approach at first blush since that describes a large part of the marketplace and at least 100% of the problem, but honestly - there are better ways to solve this than trying to fit the future Internet ecosystem into Ballmer's limited imagination.

Read the paper. Please. And look for it soon as a key exhibit at the next anti-trust action against Microsoft.

ok, then: a couple questions

[Dhrakar]

First; who will be administering this program? Under what authority could an organization possibly 'certify' systems that are located around the world?
Next; How often would these certificates need to be updated? Every time a vendor issues a new patch?
Third; What kind of crazy-ass DRM would be needed to keep folks from just spoofing the certificates?

    Unfortunately, this is the kind of simplistic easy-to-follow proposal that our congress-critter really go for... yeesh.

This would get abused

[erroneus]

Being anti-virus protected and updated sounds like a great idea until you ask questions like "which vendors of antivirus are excluded?" and "which updates will Microsoft push as critical that are just another piece of crapware or something that would break compatibility with something important to the user?"

Microsoft should be responsible. They should push out adblockers and javascript blockers. It makes browsing a lot safer. Oh no... commercial interests would be pissed and we know those interests are of more importance/significance than the end users are... remember Vista and all that DRM encumbered crap? We all know they had the consumer in mind when they did that.

Re:This would get abused

[znerk]

You do know that Linux has security issues too? Don't you?

I am aware that a few Linux security issues exist, but I haven't seen anything even remotely like the Windows exploits' proliferation. Can you point me at a website or other documentation that shows some in-the-wild exploits for Linux-based systems? I swear I'm not trolling, I just really don't see the parallel.

To be honest, I read something along the lines of "Tens of thousands of new Windows malwares (virus, trojan, adware/spyware, etc) in the wild every day, 25 proven exploits of Linux in the last 15 years (only 2 of which were ever in the wild)", but I can't recall where I read it. I would welcome some information that contradicts that. No, really.

Again: This is not a troll, this is a serious inquiry.

A few problems...

[Todd+Knarr]

1. Define "fully patched". On my systems the version numbers often have nothing whatsoever to do with what patches have been applied to them. Sometimes the patchlevel's updated, but many simply don't bother updating the version. And what would they update it to, anyway? There may be thousands of permutations of applied patches, there's no way to assign versions to them.
2. What security software? I don't know of any "security software" vendors who make anything for my systems. And frankly I'd consider a system that needed security software to be fatally buggy and I'd be replacing it ASAP with something more secure.
3. Firewall? That's something I run on the border routers to control access to my network. Internally firewalls are verbotten, they cause too many technical problems. Untrusted machines get access via wireless (everything connecting by wireless is by definition untrusted, it's not nailed down permanently to the wiring), with client isolation turned on and access to the internal network only via IPSec VPN. If your machine needs a local firewall to be safe, over on the wireless segment it goes without VPN access so it can't endanger my network.
4. Malware-free, that's the normal state of my machines. Malware is a hazard to be blocked at the edge of the network, and my systems do a pretty good job of it.

I've been running since the early 80s, and have yet to have anything of that sort found on any machine under my control. Which is more than I can say for the networks I've seen "protected" by the major security vendors, every single one of them has regular problems with malware infections. So, when Microsoft can show me a network that's been running under their system for say 5 years with no machine on it ever needing to be cleaned of malware, then I'll take their recommendations seriously. Until then, well, I'll stick with the procedures and policies that've given me a 25+-year clean track record.

Oh, and one of those policies? No Microsoft software unless absolutely necessary, and when necessary it's use should be heavily controlled and restricted to only those things it's necessary for.

Predicated on "trusted computing"...

[adjuster]

It seems like most everybody doesn't understand (or notice footnote 14 on page 5) that, in order for this to work, all the subject devices must have trusted processing capability. That means "TPM" chips, signed OS kernels / hypervisors, and the inability to run untrusted root-level code. Take a second to laugh at the idea that anyone will be able to introduce a bug-free hypervisor / TPM environment that can't run unsigned and untrusted code. After you're done laughing at that I'd recommend being angered at the notion of such a thing, since it will effectively eliminate control of the devices owned by consumers.. turning every device with a "clean bill of health" into a walled-garden appliance. As long as consumers own and control their general purpose devices there will never be a way to do what this paper describes. Frankly, I'm alright with that. We'd do a lot better to just assume that every device is untrusted and act accordingly.

Re:ahem

[similar_name]

At least in the U.S. it's hard to see how MS can justify anything because of pirates. Unless you build your own PC you are paying for Windows anyway. Even if you specifically look for a prebuilt PC without Windows it's hard (it is a small fraction of the market) to find one where you don't pay for Windows whether or not it's already installed. It is a travesty how hard they make it for legitimate users to reinstall Windows.

In countries where MS doesn't already have a contract to license Windows for every PC sold by a company it's hard to argue that people would pay for Windows separately if they couldn't pirate it.

My roommates laptop came with Vista Home. It has a COA key sticker on the bottom. Unfortunately he didn't make a restore disk before his computer crashed. He got a Vista Home CD from a friend. It installed fine(fine meaning I had to find wireless drivers that would work. Ubuntu sees it out of the box :) ) and then one day came up with the WGA crap. He typed in his valid COA key on the bottom and Vista rejected.

Now I have a few options to help him.

Call MS for support I should never need to activate a valid license.

Install a cracked version of Windows

Give him another reason to use Linux.

Why would MS even create a situation where 2 and 3 look like the least hassle? In the many closed vs open debates that go on here I often see people ask why anyone would complain about a system that is closed and marketed as such. I don't care how it's marketed closed proprietary systems are bad for technology and society. No matter how you market cigarettes they are bad for you. No matter how you market closed proprietary systems they are bad for society. Won't anyone think of the children? Our culture is being DRM'd, manipulated, and controlled by the golden calf instead of by people.

Two Words: "Microsoft's trustworthy"

[tomhudson]

They lost me at "Microsoft's trustworthy $INSERT_ANYTHING".

Sorry, but Microsoft lost my trust more than a decade ago. Microsoft is like an abusive boyfriend who says "Trust me - I've changed, this time is really different ..."

The only right response to both is "Drop dead!"

-- Barbie

Re:Two Words: "Microsoft's trustworthy"

[Hylandr]

What this really boils down to is:

We are sorry, XP is no longer supported and a patch is not available. You will not be allowed to connect to the Internet. Here's a $7 Rebate for Windows 7.

- Dan.

You asked...

[znerk]

Why in the devil do you have ssh available to the world?

I almost automatically moderated this up, but decided instead to respond.

ssh is Secure Shell. It is supposed to be a secure method of accessing a system (remote or otherwise). It does this job well.

So well, in fact, that there are computers out there whose job it is to bounce username/password combos off machines, slowly, in order to attempt to compromise them. Some (most?) of these machines are simply poorly secured systems that have been previously compromised, and are now doing the bidding of an outside force. Many of these "compromised hosts" can act in concert, spreading the attacks out not only over time, but also over IPs, making them difficult to detect and/or block.

One solution is to watch vigilantly for these attacks, and block the IP addresses of those machines from your ssh port, or (as is more common) to block them from touching your network at all. Those machines will get lonely, eventually...

Another solution is to implement some other form of security, either replacing the default security (using ssh keys instead of passwords, for example), or augmenting (read: hiding) it (using port-knocking, non-standard ssh ports, etc). These methods can be combined, to make an even more secure system.

Unfortunately for all of these methods, the average user is unable or unwilling to perform them, due to complexity. Unfortunately for all of us, the moment it becomes simple enough for the average user to figure out (and thus use) these methods, there will be an exploit that attacks the newly-simplified access method.

In short, having sshd open to the world, on the standard port, is probably an indication that a system can be broken into more easily than one which does not appear to be running sshd on the standard port. This really says not much about the security of the system itself, and the only reason to secure your ssh more than the default configuration already is (valid username/password required) is to keep from having huge log files full of failed attempts to crack into your system.

Personally, I use a combination of several of the ideas I offered above, because I am lazy and hate reading logfiles, especially when it seems critical that I must do so (30 attempts to crack my ssh key in an hour? bad monkey, no cheeto!) It is much easier, less stressful, and not time-consuming in the slightest to have my firewall simply drop all packets destined for port 22.

Geez!

[The+Wild+Norseman]

Every single time I see the stupid little popup telling me my Windows machine is possibly infected, I click on it.

WHAT ELSE DOES MICROSOFT WANT FROM ME?!?!