Slashdot Mirror


Microsoft's New Plan For Keeping the Internet Safe

itwbennett writes "Microsoft Corporate Vice President for Trustworthy Computing Scott Charney used to think it was the responsibility of ISPs to keep hacked PCs off the Internet. Now, he says the burden should be on consumers. Speaking at the RSA Conference, Charney suggested that the solution may be for consumers to share trusted certificates about the health of their personal computer: 'The user remains in control. The user can say I don't want to pass a health certificate,' he said. 'There may be consequences for that decision, but you can do it.'"

49 of 302 comments

  1. Pathetic by ls671 · · Score: 4, Insightful

    From TFA:
    "A bank could ask customers to sign up for a program that would scan their PC for signs of infection during online sessions"

    Hello? Privacy issues, anybody?

    So basically organizations that do business with consumers would be allowed to scan the consumer PC. Great idea...

    Next step, you have to allow the government, banks, Ebay, Paypal and what not to scan your PC otherwise they will refuse to do business with you. Since they may not have a linux or other OS scanners, you would be required to use Windows of course.

    This guy is a genius!

    --
    Everything I write is lies, read between the lines.
    1. Re:Pathetic by Homburg · · Score: 5, Insightful

      So, this guy wants to run a program on an untrusted machine, which will report back to a website on whether or not the machine should be trusted? Presumably he also thinks banks should employ people to stand at the front door and ask "are you a bankrobber?" rather than employing security guards.

    2. Re:Pathetic by x0ra · · Score: 5, Insightful

      I do not trust Verisign.

    3. Re:Pathetic by Obfuscant · · Score: 5, Insightful

      Do you consider it a "violation of your privacy" to tell your prospective sexual partners whether you have an STD or not? Because this is the computational equivalent.

      Not really. It's more like letting potential partners draw a couple of test-tubes of blood and run them through the local medical lab to see if you have any diseases, and maybe get a stool and urine sample for good measure.

      It is perfectly reasonable for anyone coming in virtual contact with your data to request that you prove that your data is sanitary.

      ROTFL.

    4. Re:Pathetic by blair1q · · Score: 2, Funny

      It is perfectly reasonable for anyone to whom you can not prove you are sanitary to tell you to go fuck yourself.

    5. Re:Pathetic by commodore6502 · · Score: 2, Informative

      >>>coming in virtual contact with your data to request that you prove that your data is sanitary.

      Then you don't mind if I sit in my bankofamerica.com cubicle, and review the naked photos of your wife (or possibly daughter) that I just scraped off your/her machine?

      --
      Information wants to be expensive AND wants to be free. So you have Value vs. Cheap distribution fighting each other.
    6. Re:Pathetic by Black+Gold+Alchemist · · Score: 2

      your data is sanitary.

      The solution is plain text. While it is possible to insert malware in word, excel, html and maybe even opendocument files via scripting, it is not possible to insert viruses into plain text and CSV files. It just can't be done. Do not accept files that are not plain text and the problem of "unsanitary data" goes away.

      --
      Responsibility is an addiction
      Virtue is a temptation
      Community is a cartel
    7. Re:Pathetic by causality · · Score: 5, Insightful

      I think it would have to be a third party company that the consumer and the bank would both need to trust. Like how we trust Verisign to prove the identity of an https provider.

      I don't think it's a good solution, though.

      There's another glaring problem with this idea. Those of us who study computer security and take steps to use our systems responsibly don't want to be burdened by all of these requirements intended for those who don't. I'm sorry that a few bad people defraud others of their money, but the minimum requirements for any proposed solution include not punishing those who are doing things correctly by imposing such intrusive measures.

      As far as banks are concerned, securing their own systems is all I would expect from them. As their customer, I really don't want my bank getting into the end-user computer security business and telling me how I should run my systems. I want them to stick with what they know. I also don't want to pay the higher fees and less favorable interest rates it would take to cover this expense. That's not even considering the support costs, as the users for whom this is really intended are the same ones who need the most handholding.

      If Microsoft really wants to do something helpful, they can stop marketing Windows as "the easiest thing ever!" to non-technical users. They can start being more realistic and up-front about the basic competency required to safely use a worldwide untrusted network. They can harden the Windows codebase and require that software be built with address randomization, non-executable pages, and other stack-smashing protections before it is allowed to use the little Windows certified logo. They could do a much better job of treating data from the network as untrusted and potentially malicious (the sandboxing they are beginning to implement for IE is a step in that direction).

      Hell, for that matter they could split the company up into separate corporations which make competing operating systems that all implement the Win32/64 API. Perhaps some of them could be based on *BSD like Mac OSX. Getting rid of the "write once, infect everywhere" Windows monoculture would be a decently effective way to limit the spread of malware.

      There are many options to be considered before we even think about universally intruding into everyone's PC and making this into a common practice that is somehow considered acceptable. Normally that's what the bad guys who write malware are trying to do. This is a terrible precedent. Not to mention that if average users get used to the idea of some company (that they don't get to audit) scanning their systems, what's to stop the organized criminals from just running their own scanning companies and collecting any financial data they find? This could change the nature of the attacks but has little or no hope of preventing attacks.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    8. Re:Pathetic by causality · · Score: 2

      Wait.

      Do you consider it a "violation of your privacy" to tell your prospective sexual partners whether you have an STD or not?

      Because this is the computational equivalent.

      It is perfectly reasonable for anyone coming in virtual contact with your data to request that you prove that your data is sanitary.

      Yes, it's always "for the children", "to prevent terrorism", and "for your safety" isn't it? Since you have nothing to hide, why would you possibly object to a full cavity search every time you enter any building? Do you want the evil terrorists/criminals/hackers to win or something? This is the computational equivalent.

      The difference between this and your scenario is simple: the prospective sexual partners are giving mutual consent. If they don't like that arrangement, they can always decide that casual sex with strangers is inherently risky, or they could do something crazy like have sex with someone they love, trust, and know very well. By contrast, if this system is implemented, every bank and probably lots of other corporations are going to require it in order to do business. It's rather difficult to live in a modern world without ever doing business with banks and other corporations, which is why this would be forced on us with or without consent.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    9. Re:Pathetic by rabbit994 · · Score: 2

      You mean like ASLR which has been implemented in Windows 7 and DEP which is supported in Windows XP and beyond for certain system libraries and all x64 applications.

      Issue with Windows security isn't technical issues, it's trying to maintain compatibility and ease of use with compatibility being biggest hold up. I bet if they behaved like Mac and Linux did, doing the whole "I'm sorry your older program doesn't work with newest libraries, tough shit. Get program updated."

      At work, I'm still dealing with customer using FoxPro application which the developer flat out told me he had no intention of recoding in a new language.

    10. Re:Pathetic by WrongSizeGlass · · Score: 2

      Why not have each computer replace some of the most important Windows API calls with a random string during installation? The software would work on the installed computer but a non-installed exe or dll that hasn't been 'mapped' to the specific computer's random list wouldn't run.

    11. Re:Pathetic by EdIII · · Score: 2

      Any source of data input can be hacked to cause problems to software.

      I don't believe that is true, at least with SQL Injection attacks. I work with the stuff all day long and as long as you VALIDATE THE GODDAMN DATA you're in the clear. Obviously, I cannot understate V.A.L.I.D.A.T.I.O.N.

      If you are just passing values into an SQL statement, you are asking, nay begging, for an ass raping by some random sociopath out there.

      I always, always, always, take each individual value and validate it. Strip out weird characters. Enforce value ranges where appropriate. Then there is a BLOB field too. Anything that would break SQL can always be stored in a BLOB field with a heck of a lot less risk of SQL Injection attacks. Heck, even converting some of the stuff to Base 64 is a pretty good and cheap method of making it SQL/XML safe without having to jump through a lot of hoops. Yeah, it uses a little more space, but the trade offs are worth it in some situations because Base 64 does not contain any of the typical characters used as delimiters and qualifiers. Any "crap" boxes you have on the website where people tend to paste anything they want in it is a perfect candidate for it. Plenty of times ignorant users are posting weirdly formatted and tagged text that contains characters that would break the XML document it gets transported in. CDATA is not fool proof. By converting the fields to Base 64 before being added to the SQL statement you make SQL Injection attacks impossible with that field.

      As for the buffer overflow exploits on a web server... yeah... the programmers need to be on top of that and you need to make sure you are updating. Protection from SQL Injection attacks is far from hopeless though. In fact, I think it is easy.
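
The techniques named in the comment above (per-value validation, range checks, Base64 for free-text fields), shown next to bound parameters as an added example that is not part of the original thread. It uses Python's standard `sqlite3` module; the table, rows and input strings are constructed for the demonstration.

```python
import base64
import sqlite3


def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts (owner TEXT PRIMARY KEY, balance INTEGER, note TEXT)"
    )
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?, '')",
        [("alice", 1200), ("bob", 45), ("carol", 98000)],
    )
    return db


def lookup_concatenated(db, owner):
    """'Before' form: the value is pasted into the SQL text and parsed as SQL."""
    sql = "SELECT owner, balance FROM accounts WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()


def lookup_bound(db, owner):
    """Bound parameter: the value is sent as data and never parsed as SQL."""
    return db.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


def validate_amount(raw, low=1, high=10_000):
    """Per-value validation: ASCII digits only, then an enforced range."""
    if not (raw.isascii() and raw.isdigit()):
        raise ValueError("amount must be a whole number")
    value = int(raw)
    if not low <= value <= high:
        raise ValueError("amount out of range")
    return value


def store_note(db, owner, free_text):
    """Free-text field stored as Base64, still passed as a bound parameter."""
    encoded = base64.b64encode(free_text.encode("utf-8")).decode("ascii")
    db.execute("UPDATE accounts SET note = ? WHERE owner = ?", (encoded, owner))
    return encoded


def read_note(db, owner):
    """Decode the stored Base64 back to the original text."""
    (encoded,) = db.execute(
        "SELECT note FROM accounts WHERE owner = ?", (owner,)
    ).fetchone()
    return base64.b64decode(encoded).decode("utf-8")


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed input containing a quote
    print("concatenated:", lookup_concatenated(db, hostile))
    print("bound:       ", lookup_bound(db, hostile))
    print("stored note: ", store_note(db, "alice", "it's <b>odd</b> ]]> text"))
    print("decoded note:", read_note(db, "alice"))
```
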

    12. Re:Pathetic by Alsee · · Score: 5, Interesting

      "So, this guy wants to run a program on an untrusted machine, which will report back to a website on whether or not the machine should be trusted?"

      No, you're missing what they are actually proposing.

      They are proposing that everyone must have a Trust chip locking down their computer. This Trust chip is most commonly known as a Trusted Platform Module or TPM. The Trust chip contains a unique identity code (PubEK) that can be used to securely track your computer and your identity. The Trust chip contains a master key (PrivEK) to lock down identity control. You are FORBIDDEN to know your own master key locking down your identity. This key is REQUIRED to be securely locked down inside the chip to deny the owner knowledge or control of this key. The chip also contains a key (RSK) to lock down files on your computer. You are FORBIDDEN to know your own master storage key. This key is REQUIRED to be securely locked down inside the chip to deny the owner the ability to read or modify his own files, except as permitted by the Trust chip. The Trust chip also scans the software you run on your computer, and it does this for two purposes:
      (1) It spies on and logs the software running on your computer in order to send over the internet Trusted spy reports (Remote Attestation) telling other people exactly what hardware and software you are running. For example a website can ask for a Remote Attestation spy report to check if you're running any sort of Ad Blocker. If you have any sort of Ad Blocker, or if you're running an unapproved web browser, or if you are running an unapproved operating system, or if you don't have a Trust chip, or if you refuse to send the spy report, then you are blocked from viewing the web pages.
      (2) It logs exactly what software you are running in order to DENY YOU THE ABILITY TO READ OR MODIFY YOUR OWN FILES unless you are running the exact unmodified software that is APPROVED for reading or modifying the files. For example the Trust chip can make it impossible to play music downloads unless you play them with the exact unmodified RIAA Approved DRM-enforcing music player. The Trust chip can also make it impossible to view streaming video unless you are running the exact unmodified MPAA Approved DRM-enforcing web browser. Other people can store and modify data on your computer, but it's impossible for you to read or modify that data except to outright delete it. Of course, deleting the files will cause stuff on your computer to stop working.

      This is the "Security System" Microsoft originally codenamed Palladium. This is the "Security System" the government has been talking about for the last several years to secure the National Information Infrastructure. This is the "Security System" that underlies the Trusted Identity System that the White House has been talking about for the last several years. This is the "Security System" that Microsoft has been promoting to secure corporate networks. This is the "Security System" that the copyright industries have been pushing to lock down music and video and book and websites and to enable a "rental" model for software.

      The subject of the article is that Microsoft is backing off on the idea of having ISPs DENY YOU INTERNET ACCESS unless you have a Trust chip and run an Approved operating system along with Mandatory Approved software to "secure" your computer. The argument is that this is a "Health Check", and that if you fail the "Health Check" then your computer might be infected by a virus, and that it is appropriate for ISPs to shut off your internet access if you have an infected or vulnerable machine. See? Doesn't that sound wonderful? The system comes wrapped in a bright shiny box advertising it as a GOOD thing to protect you and everyone else on the internet against viruses.

      The article here is merely saying that Microsoft noticed that some people (like me) have been calling out this evil Trust chip plan, in particular pointing out the blatantly evil step of having ISPs deny you internet access if you resist. The ar

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    13. Re:Pathetic by HermMunster · · Score: 2

      I swear, this guy will do anything to get the spotlight off Microsoft, even if it means he has to turn off his brain while taking the Glenn Beck approach to his outcry.

      Come on Microsoft, the problem is you. I see it every day in my shop. Stop blaming the customer.

      This Microsoft guy is so out of touch with the consumer.

      --
      You can lead a man with reason but you can't make him think.
    14. Re:Pathetic by TENTH+SHOW+JAM · · Score: 3, Informative

      How about if banks hand out tokens? Mine does. I log on with a username\Password\token number that changes once every 30 seconds. So if the hacker has managed to get the https traffic unencrypted in record time, they only get 30 seconds to play.

      The other feature is the "transfer money" feature requires re entry of the token number.

      --
      A sig is placed here
      To display how futile
      English Haiku is
    15. Re:Pathetic by Belial6 · · Score: 3, Insightful

      Wrong. Backward compatibility is a red herring. MS bought VirtualPC, so they have a PC emulator. MS could have very easily written Windows 7 with zero compatibility to any previous version, ported their VM to it, modified the UI so that appeared integrated (like VMWare's Unity) and included a copy of WinXP. This would have allowed MS to start with a completely clean slate security wise, while still keeping their OS 99.9% backwards compatible.

      MS obviously does not consider backward compatibility a defining feature for many users anyway. After all, XP mode is only available with the business versions of Windows 7. Most copies of Windows sold to consumers have copies of Windows that have specifically and intentionally left out a great deal of XP compatibility that MS is sitting on the code for.

      So, No. Backward compatibility has NOTHING to do with any security problems Windows may or may not have.

    16. Re:Pathetic by rubycodez · · Score: 3, Informative

      I don't trust Verisign with my private data, they broke DNS for .net and .com back in 2003 as part of a profit scheme. Root certificates are another issue, but I do trust it means some schmuck paid Verisign money, and they probably are the same schmucks presenting the certificate Verisign made them. SSL can be broken, just compute-intensive.

    17. Re:Pathetic by TheSpoom · · Score: 3, Informative

      I love that they keep trying to bring this up. It's their Pinky and the Brain-style take over the world plan. The TCPA FAQ, while somewhat old by now, is still relevant (and shows just how long they've been trying this).

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    18. Re:Pathetic by tqk · · Score: 2

      As far as banks are concerned, ...

      Where do I start? The banking system has a secure network backbone that's not connected to the Internet. Still, wire transfers across that secure network take 1-3 days, the transaction is often verified via Fax (!?!) transmissions. If it's not there when you expect it to be there, they'll look into it (you pay the fee).

      Why do 21st Century banks not know about crypto-signed email in the 21st Century? Crypto-signed wired money transfers, ca. 5 seconds, done.

      They don't have to know. Why should they care about esoterica like this?!?

      Bloody hell.

      --
      "Tongue tied and twisted, just an Earth bound misfit ..." -- Pink Floyd.
    19. Re:Pathetic by Alsee · · Score: 5, Informative

      That simply means you need a "trusted" box to reply to the challenge. It doesn't have to be THE box. This sounds like something a Windows VM and some packet sniffing/injection could very easily defeat

      Nope. The entire point of Trusted Computing is to make exactly that sort of thing impossible. It's impossible to virtualize the Trust chip unless you know the master keys locked inside the silicon. No amount of packet sniffing/injection will enable you to forge a Trusted communication. They are cryptographically signed by keys inside the chip. Trying to run a normal computer plus a second box to reply to challenges generally does you no good because everything gets encrypted or signed. The second box won't sign the stuff you need signed, and it won't decrypt what you need decrypted. The master keys are locked inside the silicon, and the lower level keys are generally encrypted before they leave the chip and only decrypted when they are loaded back into the Trust chip.

      Trying to use a two-box setup would be extremely difficult and it wouldn't achieve much. Let's say your ISP wants a Trusted Health Check on your computer before giving you a connection. You use the Trust box to authenticate. During the authentication the ISP sends an encrypted internet session key. It is encrypted in such a way that it can only be decrypted by the Trust chip, INSIDE the Trust chip, using a decryption key locked inside the Trust chip. You can't sniff the internet session key because it's been encrypted with the Trust chip's key, which you don't know. You now connect your "real" box and try to use your internet connection. Except now your ISP expects some or all of your outbound packets to have a validation code embedded. These validation codes can only be generated using the secret internet session key. You can't send packets because your "real" box doesn't know the internet session key needed to validate those packets, and your secondary Trust box refuses to validate them for you.

      Do not underestimate Trusted Computing. I'm a programmer, I've read the 300+ page technical specification on this chip, I know DRM is impossible and the reasons it Always Fails. Trust me, software attacks are almost completely nullified. Any successful software attack is generally confined to temporarily exploiting a localized bug affecting specific data belonging to that specific affected program, and they can FORCE down patches fixing the bug. It is essentially impossible to fundamentally defeat the system with any software attack. Only a hardware attack will truly defeat the system, and they are moving the Trust chip INSIDE THE CPU ITSELF. Not even the god of all modchips and motherboard hacks can do squat when the Trust chip is inside the CPU.

      The only way to break the system is to literally rip open the CPU itself. That will indeed blow the Trust system wide open, but then there's another problem. You have to be insanely careful never to allow them to detect that you have beaten the system and that you can do stuff you're not supposed to be able to do. Almost anything you do can be traced back to the specific Trust identity code involved. If they ever detect you doing anything you shouldn't, then that identity code goes on a revocation list. You can still access the data you've already broken, but for all practical purposes that computer is dead. It can no longer access any new Trusted data, and all other Trusted devices will refuse to speak to it.

      By revoking the hacked identity key they can make it cost you (up to) the price of an entire new computer, plus the difficulty of physically dissecting the new CPU chip to extract a new set of keys. You have to do this each and every time they catch anything anomalous relating to your cracked system.

      And you're really screwed if you have to use your real identity during the Certificate Authority process required to enable a new chip. They may refuse to let you activate a new system, or they may send the feds to arrest you for violating the DMCA o

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    20. Re:Pathetic by Spad · · Score: 2

      It's hard to trust locks from a company that hand out copies of the key to anyone who says "that's my lock" and gives them $50.

    21. Re:Pathetic by AmonTheMetalhead · · Score: 2

      You can not download a checker that reports PASS or FAIL for several reasons:
      - If the system is already compromised, you can not trust anything an application says inherently, the execution of the downloaded checker can be altered
      - A checker will not know about every possible running program in existence, in order to truly validate a system, you need to work with white lists, not blacklists
      - There is no checker that will run on all possible operating systems
      - You still need to trust the checker itself

      Your suggestion is ridiculous.

    22. Re:Pathetic by Kjella · · Score: 2

      So now Microsoft can put me on the untrusted database for using linux and banks will not want to give me a loan. I'm so building my next computer from scratch.

      Nobody will stop you from NOT getting a certificate by installing an "untrusted" OS on "trusted" hardware and you probably won't get non-trusted hardware just like you can't get a monitor without HDCP (over DVI/HDMI/DP) or a DVD/BluRay player without CSS/AACS.

      The point is that they're pushing to make this a requirement for using any major corporate or government service and turn you into a digital caveman. You will get a top-to-bottom locked down system because it's the only thing that'll work. And because it's signed all the way down to hardware, your Linux box will never be able to reverse engineer or emulate it. It's the One Microsoft Way or the highway.

      --
      Live today, because you never know what tomorrow brings
    23. Re:Pathetic by JasterBobaMereel · · Score: 2

      The problem with trusted computing is that you, the owner of the computer, are not trusted, and the service providers and government are ...

      The companies and governments think this is a good idea .... but it will not actually cure any of the problems it claims to ...

      It will be a very bad idea for computer users, it will make the system more expensive and less flexible (no alternative OS, no self authored apps.... etc ..) and you will no longer have full access to your own computer, but other people will ..... a brilliant idea!

      --
      Puteulanus fenestra mortis
    24. Re:Pathetic by Alsee · · Score: 2

      I understand that they're cryptographically signed however that still doesn't answer the previous posts' point about why spoofing the correct authentication that the chip should provide the server with wouldn't work.

      That is difficult but possible with a hardware hack in between the Trust chip and the CPU, but it won't work if the Trust chip is inside the CPU. There are a lot of layers and technical details, but I'll try to boil it down to the key steps. I'm going to gloss over a lot.

      First step: The Trust chip watches the software that gets loaded. It logs the BIOS, the operating system, and drivers. Microsoft or some Third Party examines that list and certifies your system as Trusted, and they set up a secret key that's locked inside the chip. You basically do this once. If you make any unapproved system changes then the Chip sees those changes when the system starts up, and it refuses to use that secret key. You're dead in the water because you can't decrypt or sign anything.

      Next, you run an application. The Chip watches this application get loaded and generates a hash for it. Any attempt to modify the application will generate a different hash. This hash gets signed by the chip and transmitted. If you send the wrong hash the computer at the other end drops the connection. So you MUST be running the exact unmodified software that the other person wants you to be running, or you're dead in the water.

      The Trust chip uses the application hash to generate an internal crypto key. If you make any change to your Trusted operating system, or if you try to substitute a different piece of software, or if you attempt to modify the specific program, the Trust chip generates a different (and useless) key. That key can only be used by that exact unmodified piece of software on an approved Trusted system. The Trust chip will only permit that exact unmodified program to use that key to decrypt or sign data related to that program.

      A website can check if you have a Trusted system, and it can ask exactly what web browser you are running. They can check that you're not running an ad-blocker and check that the browser is properly DRM-enforcing. If you pass those checks, the website sends an encrypted version of the webpage. The page can only be decrypted by that exact key inside that exact chip while running that exact webbrowser. If the Trust chip is inside the CPU, then the webpage only gets decrypted inside the CPU. In fact a Trusted CPU can even encrypt RAM, meaning that even a hardware hack to access memory gets you nothing but encrypted garbage. They also plan to have Trust chips built into monitors, and the main computer Trust chip sets up a secret key with the monitor Trust chip. So the webpage only gets decrypted and processed inside the CPU itself, and then the CPU re-encrypts the text+video image going to the monitor.

      Trying to work on a normal system while using a Trusted system to authenticate for you gets you nothing. The Trusted system will not authenticate just because you ask it to - it will only authenticate when it's actually running a Trusted webbrowser, and it will only authenticate web-requests coming from that Trusted webbrowser, and the webpage you receive will only be decrypted inside the CPU, and then reencrypted to send to the monitor. It won't authenticate any web requests coming from your other computer, and your other computer can't fake any requests, and your other computer can't decrypt any of the incoming data.

      The most you can do is have your other computer robotically punch keys on the Trusted keyboard for you, robotically move the Trusted mouse for you, and then use a video camera pointed at the Trusted monitor to capture an image of the rendered webpage. Trying to use two computers achieves zero.

      If your ISP does Health Check to get internet access, well then your ISP owns your computer and everything depends upon the Health Check software they make you run. That software can serve as a firewall/gateway decrypting a

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
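
The measure, sign and derive-a-key sequence described in the comment above, as an added example that is not part of the original thread: a toy model of a measurement register, a signed report over a verifier nonce, and a verifier that replays the log against a whitelist. The class and function names are hypothetical, the "software stack" is constructed, and HMAC stands in for the asymmetric attestation signature a real TPM uses so the code needs only the standard library.

```python
import hashlib
import hmac

ZERO_PCR = bytes(32)  # register value at power-on


def sha256(data):
    return hashlib.sha256(data).digest()


class SimulatedChip:
    """Toy stand-in for the chip: the keys are never handed to the caller."""

    def __init__(self, attestation_key, storage_secret):
        self._attestation_key = attestation_key
        self._storage_secret = storage_secret
        self.pcr = ZERO_PCR
        self.log = []

    def measure(self, name, blob):
        """Extend: pcr = H(pcr || H(blob)). One-way and order-sensitive."""
        digest = sha256(blob)
        self.log.append((name, digest))
        self.pcr = sha256(self.pcr + digest)

    def quote(self, nonce):
        """Sign the current register together with the verifier's nonce."""
        mac = hmac.new(self._attestation_key, nonce + self.pcr, hashlib.sha256)
        return self.pcr, mac.digest()

    def sealing_key(self):
        """Key bound to the measured state; other software yields another key."""
        return hmac.new(
            self._storage_secret, b"seal" + self.pcr, hashlib.sha256
        ).digest()


def boot(chip_keys, components):
    """Power on a fresh chip and measure each component in load order."""
    chip = SimulatedChip(*chip_keys)
    for name, blob in components:
        chip.measure(name, blob)
    return chip


def verify(attestation_key, nonce, pcr, signature, log, approved):
    """Verifier side: check the signature, replay the log, apply the whitelist."""
    expected = hmac.new(attestation_key, nonce + pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return "bad-signature"  # forged, or a replay under an old nonce
    replayed = ZERO_PCR
    for _name, digest in log:
        replayed = sha256(replayed + digest)
    if replayed != pcr:
        return "log-mismatch"  # the log does not explain the signed register
    for name, digest in log:
        if approved.get(name) != digest:
            return "unapproved:" + name
    return "trusted"


# Constructed sample stacks; the byte strings stand in for real binaries.
GOOD_STACK = [
    ("bios", b"bios v1"),
    ("os", b"os build 7600"),
    ("browser", b"browser 8.0"),
]
PATCHED_STACK = GOOD_STACK[:2] + [("browser", b"browser 8.0 + extension")]
APPROVED = {name: sha256(blob) for name, blob in GOOD_STACK}

if __name__ == "__main__":
    keys = (b"A" * 32, b"S" * 32)  # constructed demo keys
    nonce = b"verifier-nonce-1"
    for label, stack in (("good", GOOD_STACK), ("patched", PATCHED_STACK)):
        chip = boot(keys, stack)
        pcr, sig = chip.quote(nonce)
        verdict = verify(keys[0], nonce, pcr, sig, chip.log, APPROVED)
        print(label, verdict, chip.sealing_key().hex()[:16])
```
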
  2. I can see it now by pcgfx805 · · Score: 2

    "Access has been refused as it seems you do not have an anti-virus. Why not try *insert highest paying AV company here* anti-virus 2011 for only £99 a year!"

  3. What if my "PC" is an old VAX by thomasdz · · Score: 4, Insightful

    Yeah, this will work real well on my old VAX that I use to surf the web using Lynx.

    --
    Karma: Excellent. 15 moderator points expire sometime.
    1. Re:What if my "PC" is an old VAX by e9th · · Score: 4, Insightful

      I think that's the point. Unless you're running a "supported" OS that will cheerfully phone home with its patch/AV status, (like, oh I don't know, Windows), you're not to be trusted.

    2. Re:What if my "PC" is an old VAX by Jim+Hall · · Score: 4, Insightful

      That's an important point - Charney probably expects this to apply to Windows only, because that's all he sees. What about Linux? What about Mac?

      More importantly, what about iPads, or smartphones, or tablets, etc that are increasingly used to access the web? Will Charney's plan work for all these devices? Apple doesn't like third-party apps to execute on the iPad - so good luck getting this to work with iPads. And if all it takes to "bypass" the scan is to fake your browser's user agent string to that of an iPad Safari browser, this won't be very effective.

  4. Naturally. by damn_registrars · · Score: 4, Insightful

    The responsibility goes to the consumer, when Microsoft is assigning responsibility (blame). After all, the highly vulnerable operating system clearly has nothing to do with it, hence the company behind said vulnerable operating system shouldn't have any liability either.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Naturally. by kevinmenzel · · Score: 2

      Any operating system where the user knows how to get themselves root access is vulnerable, because the fundamental problem exists between the chair and the keyboard. If EVERYONE grew up using Linux, there would be millions of people who could be exploited by simple social engineering. "What, I need to sudo run this script in order to see the naked boobies my e-mail is promising me? OK..." - Heck - how many people currently running Ubuntu could be exploited by a website simply listing shell commands to solve some sort of common problem that also compromise the user... Given, it is easier to exploit Windows. But it is even easier to exploit stupid users than it is to exploit Windows.

    2. Re:Naturally. by calmofthestorm · · Score: 2

      It's pretty amazing how they've managed to get their customers to swallow the line that it's reasonable to be expected to pay a third party for "anti-virus" software to fix their errors and vulnerabilities.

      --
      93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
  5. I like how all of their solutions assume... by Omnifarious · · Score: 5, Interesting

    I like how all of Microsoft's solutions to this Internet-wide problem assume that absolutely everybody is using their software. Honestly, half the problem would go away if everybody stopped using their software.

  6. Re:Microsoft's next step by Cryacin · · Score: 3, Insightful

    Drop windows 7 from the list, and you see their plan.

    --
    Science advances one funeral at a time- Max Planck
  7. The Burden Is On Consumers... by painehope · · Score: 2, Informative

    I agree completely with that part of things. The burden is on consumers (or citizens, as we used to be called). Don't buy Microsoft products and the Internet will be a much safer place.

    What are they smoking? They sell the buggiest, shittiest, most useless (some people find it useful...I don't; the last time I tried to use MS Office I spent 15 minutes dicking around w/ the application just to set some bullet points, and decided that 15 minutes could have been better spent downloading and installing OpenOffice - their applications have all turned into overblown, unusable pieces of shit, just like the internals of their operating systems) products, practice all kinds of shady business just to spread their crapware, and then blame the average, non-technical person for how fucked-up their operating system is and how it makes computers unusable to a significant portion of the population.

    Jesus. If I sold someone a car that had as many problems as a copy of Windows, I'd be sued - possibly even imprisoned. Someone would probably end up dead fairly quickly if I made a business out of it, and then I'd be up shit creek. But they can sell shitty software and then not be held accountable when it doesn't work? Yes, the world is that strange.

    --
    PC moderators can suck my White pierced, tattooed dick. If you think pride == hate, s/dick/Aryan meat mallet/g.
  8. Their definition of "security" isn't yours or mine by ron_ivi · · Score: 5, Insightful

    When Microsoft talks about "security" they're talking about securing the property&rights of digital rights owners (BSA, MPAA, etc) from the untrustworthy users who licensed the software and DVD.

    It's not at all about keeping the computer user safe.

    It's about keeping data safe from the computer user.

  9. Disproportionate burden by Palestrina · · Score: 3, Insightful

    If you require positive proof of system health then this will penalize every minority operating system or device that does not have the scanning software/certificate available for it yet. But aren't these minority systems the ones that are least risky, compared to the millions of zombie WinXP boxes?

    Sure, Microsoft systems will be supported by the bank (using the example given in the article) but what about everyone else (and I do mean everyone). Do we really want a presumption of "disconnect" or "limit"?

    1. Re:Disproportionate burden by VortexCortex · · Score: 3, Interesting

      If you require positive proof of system health then this will penalize every minority operating system or device that does not have the scanning software/certificate available for it yet.

      I get your point, however, I must point out two things:
      1) Zero Day exploits occur frequently.
      2) An infected machine can obviously not be trusted.

      Infected machines especially can not be trusted to scan themselves and report on their state of infection. Suppose you run a completely different machine in order to check the validity of another. Could not the machine doing the scan also be infected? Would not the validation apparatus be required to have a signing key somewhere within it? Would not simply extracting such a key, and forging your own certificates also be an option?

      The only thing reliable about Windows security is that it has been, and will continue to be broken.

      Honestly, MS does not have a good track record when it comes to cryptographically signing the system & software in order to validate that the machine is genuine... WGA certified my Linux machine as "Genuine Microsoft Windows", this is odd to me because I entirely switched to Linux after suffering a WGA false positive (no, my hardware had not been changed / upgraded).

      TFA assumes that MS can deliver a system capable of detecting insecurities -- Forgive me if I'm sceptical -- If so, would not Windows itself just do this and no longer be vulnerable at all?

      AV: Are there any viruses in this directory?
      Rootkit: Nope, I'm not in this directory.
      AV [to bank]: All clear!
      AV [to user]: Proceed to enter your banking credentials!

      TL;DR: If ( ( Linux || Rootkit ) == false_negative && MS_defective_spyware == false_positive ) { MS_Plan != Secure }
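
Added example, not part of the comment above and not any vendor's actual protocol: a minimal Python sketch of the self-reported health certificate that comment questions, showing what the bank's verification can and cannot establish. The key, the scanner functions and the certificate layout are all hypothetical, and HMAC with a shared key stands in for whatever signature scheme a real design would use.

```python
import hashlib
import hmac
import json
import os

# Constructed demo key (assumption). In the scheme the comment questions, the
# key lives on the client, so whatever controls the client can use it.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def make_health_cert(key, nonce, scan_result):
    """Client side: sign whatever the local scanner reported, bound to the nonce."""
    body = json.dumps({"nonce": nonce.hex(), "scan": scan_result}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_health_cert(key, expected_nonce, cert):
    """Bank side: returns (accepted, reason). Proves integrity and freshness only."""
    want = hmac.new(key, cert["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, cert["tag"]):
        return False, "bad signature"
    claims = json.loads(cert["body"])
    if claims["nonce"] != expected_nonce.hex():
        return False, "stale or replayed certificate"
    if claims["scan"] != "clean":
        return False, "client reported infection"
    return True, "accepted"


def honest_scanner(infected):
    return "infected" if infected else "clean"


def hooked_scanner(infected):
    # Models the dialogue above: the scanner is told "nope" and believes it.
    return "clean"


def demo():
    nonce = os.urandom(16)  # fresh challenge issued by the bank
    honest = make_health_cert(DEVICE_KEY, nonce, honest_scanner(infected=True))
    hooked = make_health_cert(DEVICE_KEY, nonce, hooked_scanner(infected=True))
    replay = make_health_cert(DEVICE_KEY, os.urandom(16), "clean")
    return [verify_health_cert(DEVICE_KEY, nonce, c) for c in (honest, hooked, replay)]


if __name__ == "__main__":
    print(demo())
```

The nonce stops replay and the tag stops tampering in transit, but the certificate from the hooked scanner verifies exactly like an honest one: the check attests to possession of the key, not to the state of the machine that holds it.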

  10. How do they know a machine is safe? by hawguy · · Score: 3, Insightful

    If they have a magic scanning technology that tells them if a machine is "safe", then why doesn't Microsoft just deploy that technology to everyone? When I managed a helpdesk, I saw many fully patched machines with updated antivirus machines still manage to become infected by malware. I didn't know we were already past the age of Zero-day exploits.

  11. Trusted Platform Module by linatux · · Score: 2, Informative

    ZDNet article (http://www.zdnet.com/blog/security/microsoft-continues-push-for-infected-computers-to-be-quarantined/8164) a little more informative.

    Combining trusted software such as hypervisors and hardware elements such as a Trusted Platform Module (TPM) could further enable consumer devices to create robust health certificates and ensure the integrity of user information

  12. Burden is on the manufacturers by nurb432 · · Score: 3, Interesting

    Just like in the auto industry, if a car maker creates a car that is prone to wrecks, it's not the driver's fault.

    Proper maintenance is the responsibility of the user, not fundamental manufacturing flaws that create security problems.

    --
    ---- Booth was a patriot ----
  13. The user can say I don't want to run Windows by Odinlake · · Score: 4, Insightful

    'The user can say I don't want to pass a health certificate,' he said. 'There may be consequences for that decision, but you can do it.'

    The user can say I don't want to run Windows. There may be consequences, but you can do it.

    There, fixed that for you, M$.

    (Oh, did we forget to mention that that health certificate, de facto, requires you to run M$ Windows? That although there are Linux solutions around, 95% of ISPs don't support it?)

  14. You've never been laid, right? by khasim · · Score: 5, Informative

    The problem is that this isn't about "proving" that you're clean.

    This is about proving that you have, in the past, purchased condoms (anti-virus).

    And that you are currently wearing a condom (anti-virus is running).

    NOT that you don't have a disease.
    Or that you have any symptoms.
    Or that anyone you've had sex with had a disease.

    The BANKS are the ones that should be dealing with whether they can sanitize anything they receive from you (and anyone else) AND verify that it really is you initiating the transaction.

    Sex is NOTHING like an on-line purchase. Try it and see.

    1. Re:You've never been laid, right? by Anonymous Coward · · Score: 2, Interesting

      While playing the I-want-what-I-won't-ever-get game, how about the BANK has to allow ME to scan their own servers, to prove it isn't infected with malware. How 'bout let me view the site in Firefox while we are at it too.

      Bank of America for one had their website performing drive by downloads of malware for an entire weekend not even a year back.

      The Bank of England (I think that was the one. Apologies if I'm remembering the name wrong) did the same for a number of hours when one of their affiliates got hacked, and took advantage of some poor cross site scripting vulnerability a couple years ago.

      A lot of banks still force you to use the accept-virus-without-question browser Internet Explorer and lock out any secure standards compliant browser.

      Once they try to prove to me they are clean, I might consider wanting to prove the same of myself to them...

  15. Just another attack vector by matrixskp · · Score: 2

    Anything like this 'trusted certificate' or 'health scanning app' will just become another attack vector.

    Microsoft should just build a new operating system from the ground up that is secure. If MS applied everything they should have learnt from all the security problems they have had over the last 20 years, they could probably make something quite good.

    Wouldn't this solve 95% of the problems with infected PCs? Of course that would require reinvesting some of the billions they make from selling their current offering.

  16. You didn't go far enough. by khasim · · Score: 2

    What makes you think malware wouldn't be crafted to evade this just as malware is currently crafted to evade AV software?

    More to the point, there isn't a single AV product available today that catches 100% of the mal-ware currently out there.

    AV is a reactive process.
    First comes the mal-ware.
    Then comes the infections.
    Then comes the signature file.
    Then comes the download of the signature file.
    Then comes the protection.

    Saying that an AV scan found nothing on your computer is really pretty meaningless.

    Remember the Sony root kit fiasco? There was ONE anti-virus product that detected it.

    ONE!

    And it wasn't McAfee or Norton.

  17. Re:Translation by calmofthestorm · · Score: 2

    So let me get this straight...in order to buy or sell anything I need to bear the mark of Microsoft on my hardware...

    --
    93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
  18. Re:Nice troll attempt. by Tom · · Score: 2

    You're funny. I've been doing security as a profession since times when "windows" referred to the glassy panes you have in your house. I've also had one system of mine compromised in that entire time. But contrary to you, I don't believe that I should be responsible for installing the brakes, airbag, ABS and safety belts in my car, even if I happen to be a mechanic. If the car is inherently unsafe, it's not because the owner failed to install his own brakes, it's because cars ought to have brakes.

    And if you think rwx is the pinnacle of security principles, there's nothing I can do for you, because you would need years of study in order to appreciate what's out there. Meanwhile, remind me why a user has exactly one set of permissions and why every file he opens, every program he runs and everything else he does needs to inherit the very same set of permissions. As if we had never invented roles, domains, RBAC, MAC, MLS and two dozen other concepts.

    --
    Assorted stuff I do sometimes: Lemuria.org
  19. Re:Problem by TaoPhoenix · · Score: 3, Interesting

    You're really on to something. Take it up a concept class.
    "Those of us who study (Airport) security and take steps to use our (Airport) systems responsibly don't want to be burdened by all of these requirements intended for those who don't. I'm sorry that a few bad people defraud others of their (Flight Safety), but the minimum requirements for any proposed solution include not punishing those who are doing things correctly by imposing such intrusive measures."

    One of the best descriptions of the TSA problem I've ever seen!

    --
    My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine