Slashdot Mirror


Microsoft Eyes PC Isolation Ward To Thwart Botnets

CWmike writes "In a paper published Wednesday (PDF), Scott Charney, who heads Microsoft's trustworthy computing group, spelled out a concept of 'collective defense' that he said was modeled after public health measures like vaccinations and quarantines. The aim: To block botnet-infected computers from connecting to the Internet. Under the proposal, PCs would be issued a 'health certificate' that showed whether the system was fully patched, that it was running security software and a firewall, and that it was malware-free. Machines with deficiencies would require patching or an antivirus update, while bot-infected PCs might be barred from the Internet."

30 of 413 comments

  1. A better PC health idea by h4rr4r · Score: 4, Insightful

    I have a simpler PC health idea: stop installing the disease that is Windows.

    1. Re:A better PC health idea by Moryath · Score: 5, Insightful

      While your response was flip, I can see a number of ISPs - who already have policies of "sorry all we support is Windows" if you call in because of trouble on the line, and who have script-following Indian monkeys who will demand to know your OS before talking about anything else to replace ACTUAL customer service - using this at Microsoft's behest.

      "Ohh, sorry. You're running OSX or Linux? We can't scan those for their patches so we're just going to block you off. Come back when you have a nice Win7 box. Oh, you signed a contract for a year of service? If you read the 4-point fonted small type on page 37 you'll see it clearly states in paragraph 18 line 3 that only systems with fully updated Windows 7 and an active virus scan package from an approved vendor such as Symantec or McAfee will be allowed access to the internet in order to keep the service trouble-free..."

      Maybe Apple would be able to cry foul and get their systems allowed too, but home Linux users would pretty much be out of luck. And so much for anyone who responsibly has a home system with a hardware NAT and their ports properly firewalled too...

    2. Re:A better PC health idea by Jeremiah Cornelius · Score: 5, Interesting

      I tried to get the idea of "Network Access Protection" for the Internet on the agenda, at Microsoft, for 2 years. We already had the client mechanisms for evaluating health-status, and the signed messages for communicating that status.

      I was working with big eCommerce and online finance companies. In my proposal, enforcement would be at site logon. Infected machines could not access account services or cart/profiles, etc. They'd get a re-direct to a clearing-house that would disassociate the online brand from the notice of infection. That protection site would have remediation resources.

      In the end, we had some great discussions - but MS can't execute - and no one trusts 'em.

      Now, Charney waves this thing around. AND WANTS ISPs TO BLACKHOLE clients! Way to go. I see this as another stealth control measure to create a de facto model for denying service. Today, it is a ZeuS infection - tomorrow an HDCP patched player or WikiLeaks cookie.

      You get the idea. Stuff this genie back into the bottle.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."

    3. Re:A better PC health idea by postbigbang · Score: 4, Informative

      They've been championing 'network admittance control' for a long time. It's pretty difficult to do, especially in a heterogeneous OS network. Add smartphones and other possible attack vectors, and it's nigh impossible.

      Yet it's a nice idea to block machines that probe servers on ssh ports with logon names like 'oracleadmin' and so on. Isolating suspect systems has to be coupled with a method to vet systems, and therein lies the rub. Unless you use pattern matching to watch system traffic for phone-homes and weird characterizations, it's simply too tough to get anything but a homogeneous (read Microsoft clients only) network intrusion detection system to work.

      --
      ---- Teach Peace. It's Cheaper Than War.

    4. Re:A better PC health idea by postbigbang · Score: 5, Insightful

      I double dog dare you to vet a wifi-connected smartphone. No bases covered *at all*. Your idea only works on flat networks, rather than multi-tiered, as well. It isn't as easy as it looks.

      And when you get close, your help desk lines light up with people that can't get logged on because you set your criteria too tightly and they don't have remediation for their Ubuntu 10.10.... or even their freaking Macs. The whole rubric here is to sell more Microsoft stuff underneath the perceived goodwill proffered by trying to vet then shackle machines whose state is unknown.

      --
      ---- Teach Peace. It's Cheaper Than War.

    5. Re:A better PC health idea by Jeremiah Cornelius · Score: 5, Insightful

      "Microsoft only clients" pretty much adequately describes the malware-bearing portion of the Internet!

      You only need to block access to a protected resource - whose management ELECTS this level of defense.

      The real play is NOT to protect the Online Bank or Payment Portal.

      It is to create a "forcing function" by which the customer remedies his client - also to helpfully cooperate on making those remedies accessible.

      Why? Because Internet business models rely heavily on trust and reputation. As occurrences like "account takeover" and fraudulent transactions become more common, consumer trust in online modes for business and commerce will erode.

      Your AmEx's, Amazon's and Turbo Tax's (Names from a hat - not my customers) are vested in margins that are supportable through online delivery. Their CSOs are charged with not only safeguarding their own applications and infrastructure, but mitigating the negative effects of client vulnerability on the online business model. This is a big enough problem that it drives enterprises together, at the CSO and CTO levels. They want a solution that raises the general level of trust and confidence in Internet uses.

      They all see this as a problem with Microsoft - if not at fault - at its hub.

      Now, Corporate Microsoft wants to use this reasonable, cooperative approach to deny service in the broadest possible way. In light of this week's failure of the Internet blacklist bill (COICA) to be ratified, without vote, in committee? I smell an agenda.

      Microsoft are just the stalking-horse for Congressional supporters of COICA to use: "See, if we don't act with responsible legislation, then Industry will take the matters into its own hands!"

      Trust me. I have seen how these guys work.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."

    6. Re:A better PC health idea by bloodhawk · Score: 4, Insightful

      Isolating different machines has never been a problem. The problem is that isolation is not what people are after: they want to read documents and access their apps on their portable devices, they want to use whatever they prefer external to the organisation and still have their connectivity. Isolating and blocking is easy; safely permitting is the problem here.

    7. Re:A better PC health idea by DAldredge · Score: 4, Insightful

      Windows 7 doesn't have "horrible uptake numbers". It is actually doing very well.

    8. Re:A better PC health idea by Your.Master · Score: 4, Insightful

      After three years? Are you posting from a time warp? Windows 7 general availability was October 22, 2009. It hasn't even been 1 year. And yet its install base is about a third of a product that has been on sale for almost *9* years, of which for less than 3 of those years there was another OS product (which did not do so well in the marketplace).

      Even if you decided to change the subject by combining Vista and Windows 7, they combine to well over 1/3 of XP's marketshare in well under 3 years.

      So let's replace that by something that makes more sense:

      "Failing to replace more than a third of a previous OS product before 1 year".

      I'd say that this does not contradict doing well *at all*.

    9. Re:A better PC health idea by bmajik · Score: 4, Interesting

      Well, I'm a MS employee, and on my machines joined to the relevant company domains, they _do_ have NAP and it does wreck your day if your machine isn't compliant. Maybe there's a way around it. Maybe there isn't. I've never bothered to look because I just want to get my job done.

      As part of the "security push that never ended", that led to XPSP2 and all of the "we thought a little about security for a change" work that MS has done since, there was finally a shift in opinion internally.

      The people at MS who _had_ been thinking about security usually stuck to the immutable laws, and were continuing to think about things in absolute terms, i.e. "well, they can get root, so all bets are off"

      But what changed was that someone got practical instead of ideological and said, "look, the 80 hojillion windows PCs out there don't need absolute protection against a supreme attacker with infinite time. If they could get _basic_ protection against what's getting them 80% of the time, that's progress"

      And so I think you need to think about NAP and most future MS security efforts in the same way. There may not be a way to keep the most brilliant / lucky / dedicated attacker from succeeding once. But there is almost always a way to keep inelegant attacks from being successful widely and repeatably. And the #1 problem on the public internet right now is NOT all of the high profile deep penetrations against single well researched targets, it's the legions of automated remote-compromises that turn Grandma's PC into a botslave.

      A network protection scheme doesn't have to verify that Macs, ubuntus etc etc are "compliant", because those are noise in the signal as a percentage of customer endpoint equipment. A network protection scheme has to keep people who want to continue running MS stuff up to date and patched. It doesn't have to keep windows power users from getting on the internet if they can read about registry hacks or whatever, it has to point windows neophytes at a black-holed page that has all the patches and scanners and removal tools they need to get healthy before they go out to play for the day.

      In summary: the point isn't to create Sauron's eye. The point is to tell people to put on their seat belt.

      --
      My opinions are my own, and do not necessarily represent those of my employer.

    10. Re:A better PC health idea by gmack · Score: 4, Interesting

      Look at who authored that paper and who proofread it and guess again.

      Why do the IPTV and Media center people have such a large say in this? Its real goal is to force TPM down our throats. This is about protecting media companies from pirates rather than protecting the internet at large. The fact that this plan edges out alternative Operating Systems is just a side benefit. No certificate, no access, and where would I get a certificate for my Debian Workstation?

      If this were about Network Protection Microsoft could simply enforce this locally on the PC and not worry about the network. No patches? No access to anything but Windows Update. Simple and doesn't involve any changes to network infrastructure.

  2. Pay for it? by headkase · Score: 5, Insightful

    And who exactly is going to pay for this? If your system is not infected can you be exempted from a "monthly fee" or is it punishing everyone when Windows is the majority of infections? Maybe Microsoft should pay for it all?

    --
    Shh.

    1. Re:Pay for it? by X0563511 · Score: 4, Funny

      Perhaps it's MS that should be cordoned off from the net at large...

      Oohh, doesn't sound like such a good idea now, does it MS?

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...

  3. Modelling real disease? by gringer · Score: 4, Informative

    If you want to model how our body recognises and deals with disease, you need to concentrate on whitelists, rather than blacklists. Vaccinations are similar to a community blacklist, but for most pathogens our own immune system can work out what things are appropriate to reject.

    --
    Ask me about repetitive DNA

    1. Re:Modelling real disease? by girlintraining · Score: 5, Insightful

      Sigh. They don't want vaccinations. They want their client base spending money on half-baked security solutions. So in addition to the license, you have to pay for a certificate, pay for software certification (goodbye open source), pay for the software, pay for the bandwidth to keep your system online all the time, pay pay pay pay pay....

      And nothing will change except you'll be paying more.

      --
      #fuckbeta #iamslashdot #dicemustdie

  4. Great idea! by Legion303 · Score: 4, Funny

    This is a not-at-all-terrible idea that will ensure people are up to date with such security patches as WGA. Bravo, Microsoft, bravo.

  5. Re:"Running Security software" by AnonymousClown · Score: 4, Funny

    RUN NORTON OR NO INTERNET

    If those are my only two choices, I'll take NO INTERNET please.

    --
    RIP America

    July 4, 1776 - September 11, 2001

  6. Gov vs Corp by Dutchmaan · Score: 4, Interesting

    Can you imagine the hysterics if the government had proposed this! But it's a company, so I'm sure it's all OK.

  7. Further proof by Darkenole · Score: 5, Insightful

    There is no cure for stupid.

  8. Re:WTF by The Archon V2.0 · Score: 5, Funny

    M$ should be bared from the Internet.

    Why do you make me think of naked Ballmer? What did I ever do to you?

  9. File under "Dumb Ideas" by vtcodger · Score: 5, Insightful

    If Microsoft or anyone else were capable of certifying a computer to be malware free, and being right about it, malware wouldn't be much of a problem, now would it?

    File under "Dumb Ideas"

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey

    1. Re:File under "Dumb Ideas" by MightyMartian · Score: 5, Insightful

      Not if the core idea is to cripple any competing operating system by depriving them of Internet access, under the guise of "security".

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.

    2. Re:File under "Dumb Ideas" by adjuster · Score: 5, Insightful

      It's worse than that. The idea is to introduce pervasive and potentially legally-mandated "trusted computing".

      --
      The Attitude Adjuster, I hate me, you can too.

  10. This is just a lockout for OSS by Anonymous Coward · Score: 4, Interesting

    They just want to lock out Open-Source OSes, which won't have such a procedure due to the fact that it doesn't use binary-only distros with checksums built into the low-level OS.

  11. Wow. by Anonymous Coward · Score: 5, Interesting

    Where is the USDOJ when you need them to remind Microsoft about their recent trip down anti-trust lane? Not to mention a nasty little thing called "collusion" - whichever AV and PKI vendors are selected naturally benefit, and I imagine all the ISPs will have to agree to enforce this as well or suffer some consequence.

    A framework like this makes two assumptions that spell doom for future innovation by free thinkers: Microsoft Windows on every consumer device that connects to the Internet and every device using "Microsoft approved/recognized security software." Not a bad approach at first blush since that describes a large part of the marketplace and at least 100% of the problem, but honestly - there are better ways to solve this than trying to fit the future Internet ecosystem into Ballmer's limited imagination.

    Read the paper. Please. And look for it soon as a key exhibit at the next anti-trust action against Microsoft.

  12. This would get abused by erroneus · Score: 5, Insightful

    Being anti-virus protected and updated sounds like a great idea until you ask questions like "which vendors of antivirus are excluded?" and "which updates will Microsoft push as critical that are just another piece of crapware or something that would break compatibility with something important to the user?"

    Microsoft should be responsible. They should push out adblockers and javascript blockers. It makes browsing a lot safer. Oh no... commercial interests would be pissed and we know those interests are of more importance/significance than the end users are... remember Vista and all that DRM encumbered crap? We all know they had the consumer in mind when they did that.

  13. Predicated on "trusted computing"... by adjuster · Score: 5, Insightful

    It seems like most everybody doesn't understand (or notice footnote 14 on page 5) that, in order for this to work, all the subject devices must have trusted processing capability. That means "TPM" chips, signed OS kernels / hypervisors, and the inability to run untrusted root-level code. Take a second to laugh at the idea that anyone will be able to introduce a bug-free hypervisor / TPM environment that can't run unsigned and untrusted code. After you're done laughing at that I'd recommend being angered at the notion of such a thing, since it will effectively eliminate control of the devices owned by consumers, turning every device with a "clean bill of health" into a walled-garden appliance. As long as consumers own and control their general purpose devices there will never be a way to do what this paper describes. Frankly, I'm alright with that. We'd do a lot better to just assume that every device is untrusted and act accordingly.

    --
    The Attitude Adjuster, I hate me, you can too.

  14. Re:Microsoft's real motive by cgenman · Score: 4, Interesting

    I'm sure Linux and other systems will just spoof the certificate.

    Which brings up the bigger question of "how do you supply a health certificate?" You can't expect the computer to respond properly, because any virus would just spoof the right answer. You *might* be able to have the local machine certified by a remote machine, but IP addresses change constantly, and then it's just a question of spoofing to the certifying machine.

    On a practical scale, how can this even work?
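Added example, not from Charney's paper or from any poster in this thread: a minimal "statement of health" check in the shape Jeremiah Cornelius's proposal describes (client signs its health status, the site decides at logon between allowing, redirecting to a remediation clearing-house, or quarantining), followed by the spoofing problem this post raises. Assumptions: an HMAC under a key stored on the client stands in for NAP's signed health messages; the claim names, key and clock values are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed example key. It must live on the client so the client can sign,
# which is exactly what lets malware on that client sign a clean-looking statement.
CLIENT_KEY = b"constructed-client-secret"


def sign_statement(claims, key=CLIENT_KEY):
    """Client side: wrap health claims in an HMAC so the verifier can detect edits in transit."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_statement(stmt, now, key=CLIENT_KEY, max_age=300):
    """Verifier side: the MAC must match and the statement must be recent (no replay of old ones)."""
    body = json.dumps(stmt["claims"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, stmt["mac"]):
        return False
    age = now - stmt["claims"]["issued_at"]
    return 0 <= age <= max_age


def decide(stmt, now):
    """Map a statement to the three outcomes the proposal describes: 'allow',
    'remediate' (redirect to a clearing-house with patches and AV updates) or
    'quarantine' (bot-infected, or the statement itself cannot be trusted)."""
    if not verify_statement(stmt, now):
        return "quarantine"
    c = stmt["claims"]
    if c.get("malware_detected"):
        return "quarantine"
    if not (c.get("patched") and c.get("av_running") and c.get("firewall_on")):
        return "remediate"
    return "allow"


def demo():
    now = 1_700_000_000  # constructed clock so the results are deterministic
    healthy = {"issued_at": now - 10, "patched": True, "av_running": True,
               "firewall_on": True, "malware_detected": False}
    unpatched = dict(healthy, patched=False)
    infected = dict(healthy, malware_detected=True)
    stale = dict(healthy, issued_at=now - 7 * 86400)  # a week-old statement replayed
    # Tampered: claims edited after signing, so the MAC no longer matches.
    tampered = sign_statement(unpatched)
    tampered["claims"] = dict(tampered["claims"], patched=True)
    # Forged: malware holding CLIENT_KEY signs healthy claims; the verifier cannot
    # tell this statement from the genuine healthy one, which is cgenman's objection.
    forged = sign_statement(dict(healthy))
    return {
        "healthy": decide(sign_statement(healthy), now),
        "unpatched": decide(sign_statement(unpatched), now),
        "infected": decide(sign_statement(infected), now),
        "stale": decide(sign_statement(stale), now),
        "tampered": decide(tampered, now),
        "forged": decide(forged, now),
    }
```

The integrity and freshness checks catch edits and replays, but the "forged" case comes back "allow": a self-signed health claim only proves who holds the key, not that the claim is true, which is why the paper leans on hardware-rooted attestation instead.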

  15. Two Words: "Microsoft's trustworthy" by tomhudson · Score: 4, Insightful

    They lost me at "Microsoft's trustworthy $INSERT_ANYTHING".

    Sorry, but Microsoft lost my trust more than a decade ago. Microsoft is like an abusive boyfriend who says "Trust me - I've changed, this time is really different ..."

    The only right response to both is "Drop dead!"

    -- Barbie

    1. Re:Two Words: "Microsoft's trustworthy" by Hylandr · Score: 4, Insightful

      What this really boils down to is:

      We are sorry, XP is no longer supported and a patch is not available. You will not be allowed to connect to the Internet. Here's a $7 Rebate for Windows 7.

      - Dan.

      --
      ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.