Microsoft's New Plan For Keeping the Internet Safe
itwbennett writes "Microsoft Corporate Vice President for Trustworthy Computing Scott Charney used to think it was the responsibility of ISPs to keep hacked PCs off the Internet. Now, he says the burden should be on consumers. Speaking at the RSA Conference, Charney suggested that the solution may be for consumers to share trusted certificates about the health of their personal computer: 'The user remains in control. The user can say I don't want to pass a health certificate,' he said. 'There may be consequences for that decision, but you can do it.'"
I like how all of Microsoft's solutions to this Internet-wide problem assume that absolutely everybody is using their software. Honestly, half the problem would go away if everybody stopped using their software.
So, this guy wants to run a program on an untrusted machine, which will report back to a website on whether or not the machine should be trusted? Presumably he also thinks banks should employ people to stand at the front door and ask "are you a bank robber?" rather than employing security guards.
I do not trust Verisign.
When Microsoft talks about "security" they're talking about securing the property & rights of digital rights owners (BSA, MPAA, etc) from the untrustworthy users who licensed the software and DVD.
It's not at all about keeping the computer user safe.
It's about keeping data safe from the computer user.
Do you consider it a "violation of your privacy" to tell your prospective sexual partners whether you have an STD or not? Because this is the computational equivalent.
Not really. It's more like letting potential partners draw a couple of test-tubes of blood and run them through the local medical lab to see if you have any diseases, and maybe get a stool and urine sample for good measure.
It is perfectly reasonable for anyone coming in virtual contact with your data to request that you prove that your data is sanitary.
ROTFL.
I think it would have to be a third party company that the consumer and the bank would both need to trust. Like how we trust Verisign to prove the identity of an https provider.
I don't think it's a good solution, though.
There's another glaring problem with this idea. Those of us who study computer security and take steps to use our systems responsibly don't want to be burdened by all of these requirements intended for those who don't. I'm sorry that a few bad people defraud others of their money, but the minimum requirements for any proposed solution include not punishing those who are doing things correctly by imposing such intrusive measures.
As far as banks are concerned, securing their own systems is all I would expect from them. As their customer, I really don't want my bank getting into the end-user computer security business and telling me how I should run my systems. I want them to stick with what they know. I also don't want to pay the higher fees and less favorable interest rates it would take to cover this expense. That's not even considering the support costs, as the users for whom this is really intended are the same ones who need the most handholding.
If Microsoft really wants to do something helpful, they can stop marketing Windows as "the easiest thing ever!" to non-technical users. They can start being more realistic and up-front about the basic competency required to safely use a worldwide untrusted network. They can harden the Windows codebase and require that software be built with address randomization, non-executable pages, and other stack-smashing protections before it is allowed to use the little Windows certified logo. They could do a much better job of treating data from the network as untrusted and potentially malicious (the sandboxing they are beginning to implement for IE is a step in that direction).
Hell, for that matter they could split the company up into separate corporations which make competing operating systems that all implement the Win32/64 API. Perhaps some of them could be based on *BSD like Mac OS X. Getting rid of the "write once, infect everywhere" Windows monoculture would be a decently effective way to limit the spread of malware.
There are many options to be considered before we even think about universally intruding into everyone's PC and making this into a common practice that is somehow considered acceptable. Normally that's what the bad guys who write malware are trying to do. This is a terrible precedent. Not to mention that if average users get used to the idea of some company (that they don't get to audit) scanning their systems, what's to stop the organized criminals from just running their own scanning companies and collecting any financial data they find? This could change the nature of the attacks but has little or no hope of preventing attacks.
It is a miracle that curiosity survives formal education. - Einstein
The problem is that this isn't about "proving" that you're clean.
This is about proving that you have, in the past, purchased condoms (anti-virus).
And that you are currently wearing a condom (anti-virus is running).
NOT that you don't have a disease.
Or that you have any symptoms.
Or that anyone you've had sex with had a disease.
The BANKS are the ones that should be dealing with whether they can sanitize anything they receive from you (and anyone else) AND verify that it really is you initiating the transaction.
Sex is NOTHING like an on-line purchase. Try it and see.
"So, this guy wants to run a program on an untrusted machine, which will report back to a website on whether or not the machine should be trusted?"
No, you're missing what they are actually proposing.
They are proposing that everyone must have a Trust chip locking down their computer. This Trust chip is most commonly known as a Trusted Platform Module or TPM. The Trust chip contains a unique identity code (PubEK) that can be used to securely track your computer and your identity. The Trust chip contains a master key (PrivEK) to lock down identity control. You are FORBIDDEN to know your own master key locking down your identity. This key is REQUIRED to be securely locked down inside the chip to deny the owner knowledge or control of this key. The chip also contains a key (RSK) to lock down files on your computer. You are FORBIDDEN to know your own master storage key. This key is REQUIRED to be securely locked down inside the chip to deny the owner the ability to read or modify his own files, except as permitted by the Trust chip. The Trust chip also scans the software you run on your computer, and it does this for two purposes:
(1) It spies on and logs the software running on your computer in order to send over the internet Trusted spy reports (Remote Attestation) telling other people exactly what hardware and software you are running. For example a website can ask for a Remote Attestation spy report to check if you're running any sort of Ad Blocker. If you have any sort of Ad Blocker, or if you're running an unapproved web browser, or if you are running an unapproved operating system, or if you don't have a Trust chip, or if you refuse to send the spy report, then you are blocked from viewing the web pages.
(2) It logs exactly what software you are running in order to DENY YOU THE ABILITY TO READ OR MODIFY YOUR OWN FILES unless you are running the exact unmodified software that is APPROVED for reading or modifying the files. For example the Trust chip can make it impossible to play music downloads unless you play them with the exact unmodified RIAA Approved DRM-enforcing music player. The Trust chip can also make it impossible to view streaming video unless you are running the exact unmodified MPAA Approved DRM-enforcing web browser. Other people can store and modify data on your computer, but it's impossible for you to read or modify that data except to outright delete it. Of course, deleting the files will cause stuff on your computer to stop working.
This is the "Security System" Microsoft originally codenamed Palladium. This is the "Security System" the government has been talking about for the last several years to secure the National Information Infrastructure. This is the "Security System" that underlies the Trusted Identity System that the White House has been talking about for the last several years. This is the "Security System" that Microsoft has been promoting to secure corporate networks. This is the "Security System" that the copyright industries have been pushing to lock down music and video and book and websites and to enable a "rental" model for software.
The subject of the article is that Microsoft is backing off on the idea of having ISPs DENY YOU INTERNET ACCESS unless you have a Trust chip and run an Approved operating system along with Mandatory Approved software to "secure" your computer. The argument is that this is a "Health Check", and that if you fail the "Health Check" then your computer might be infected by a virus, and that it is appropriate for ISPs to shut off your internet access if you have an infected or vulnerable machine. See? Doesn't that sound wonderful? The system comes wrapped in a bright shiny box advertising it as a GOOD thing to protect you and everyone else on the internet against viruses.
The article here is merely saying that Microsoft noticed that some people (like me) have been calling out this evil Trust chip plan, in particular pointing out the blatantly evil step of having ISPs deny you internet access if you resist. The ar
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
That simply means you need a "trusted" box to reply to the challenge. It doesn't have to be THE box. This sounds like something a Windows VM and some packet sniffing/injection could very easily defeat.
Nope. The entire point of Trusted Computing is to make exactly that sort of thing impossible. It's impossible to virtualize the Trust chip unless you know the master keys locked inside the silicon. No amount of packet sniffing/injection will enable you to forge a Trusted communication. They are cryptographically signed by keys inside the chip. Trying to run a normal computer plus a second box to reply to challenges generally does you no good because everything gets encrypted or signed. The second box won't sign the stuff you need signed, and it won't decrypt what you need decrypted. The master keys are locked inside the silicon, and the lower level keys are generally encrypted before they leave the chip and only decrypted when they are loaded back into the Trust chip.
Trying to use a two-box setup would be extremely difficult and it wouldn't achieve much. Let's say your ISP wants a Trusted Health Check on your computer before giving you a connection. You use the Trust box to authenticate. During the authentication the ISP sends an encrypted internet session key. It is encrypted in such a way that it can only be decrypted by the Trust chip, INSIDE the Trust chip, using a decryption key locked inside the Trust chip. You can't sniff the internet session key because it's been encrypted with the Trust chip's key, which you don't know. You now connect your "real" box and try to use your internet connection. Except now your ISP expects some or all of your outbound packets to have a validation code embedded. These validation codes can only be generated using the secret internet session key. You can't send packets because your "real" box doesn't know the internet session key needed to validate those packets, and your secondary Trust box refuses to validate them for you.
Do not underestimate Trusted Computing. I'm a programmer, I've read the 300+ page technical specification on this chip, I know DRM is impossible and the reasons it Always Fails. Trust me, software attacks are almost completely nullified. Any successful software attack is generally confined to temporarily exploiting a localized bug affecting specific data belonging to that specific affected program, and they can FORCE down patches fixing the bug. It is essentially impossible to fundamentally defeat the system with any software attack. Only a hardware attack will truly defeat the system, and they are moving the Trust chip INSIDE THE CPU ITSELF. Not even the god of all modchips and motherboard hacks can do squat when the Trust chip is inside the CPU.
The only way to break the system is to literally rip open the CPU itself. That will indeed blow the Trust system wide open, but then there's another problem. You have to be insanely careful never to allow them to detect that you have beaten the system and that you can do stuff you're not supposed to be able to do. Almost anything you do can be traced back to the specific Trust identity code involved. If they ever detect you doing anything you shouldn't, then that identity code goes on a revocation list. You can still access the data you've already broken, but for all practical purposes that computer is dead. It can no longer access any new Trusted data, and all other Trusted devices will refuse to speak to it.
By revoking the hacked identity key they can make it cost you (up to) the price of an entire new computer, plus the difficulty of physically dissecting the new CPU chip to extract a new set of keys. You have to do this each and every time they catch anything anomalous relating to your cracked system.
And you're really screwed if you have to use your real identity during the Certificate Authority process required to enable a new chip. They may refuse to let you activate a new system, or they may send the feds to arrest you for violating the DMCA o
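The two-box scenario in the comment above, modelled as an added toy example (not code from the commenter or from any real TPM): the ISP wraps a session key to the chip's public key, the chip unwraps it internally and only ever emits per-packet validation codes, so a second box that never saw the key cannot produce an acceptable packet. Textbook RSA with tiny constructed primes stands in for PubEK/PrivEK and HMAC-SHA256 for the validation code; both are assumptions for illustration.

```python
import hashlib
import hmac

# Constructed toy RSA parameters standing in for the chip's PubEK/PrivEK.
# Real keys are 2048+ bits; these are tiny so the arithmetic is readable.
_P, _Q, _E = 104723, 104729, 65537
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))   # private exponent (Python 3.8+)


class TrustChip:
    """Models the chip: neither the private key nor the session key leaves it."""

    def __init__(self):
        self._priv = _D
        self._session_key = None

    @property
    def pub(self):
        return (_N, _E)

    def load_session_key(self, wrapped: int):
        # Decrypted INSIDE the chip; no accessor exposes the plaintext key.
        self._session_key = pow(wrapped, self._priv, _N).to_bytes(8, "big")

    def validate(self, packet: bytes) -> bytes:
        # Per-packet validation code keyed by the sealed session key.
        return hmac.new(self._session_key, packet, hashlib.sha256).digest()


def isp_wrap_session_key(pub, session_key: int) -> int:
    n, e = pub
    assert 0 < session_key < n          # toy RSA: message must fit the modulus
    return pow(session_key, e, n)


def isp_accept(session_key: int, packet: bytes, tag: bytes) -> bool:
    expected = hmac.new(session_key.to_bytes(8, "big"), packet,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def two_box_scenario(session_key: int = 0x2A5F0C13) -> dict:
    """Trust box authenticates; a second box without the key tries to send."""
    chip = TrustChip()
    chip.load_session_key(isp_wrap_session_key(chip.pub, session_key))
    packet = b"GET / HTTP/1.1"                       # constructed packet
    trusted_tag = chip.validate(packet)
    # The "real" box never saw the key; the best it can do is guess one.
    forged_tag = hmac.new(b"\x00" * 8, packet, hashlib.sha256).digest()
    return {"trust_box_accepted": isp_accept(session_key, packet, trusted_tag),
            "real_box_accepted": isp_accept(session_key, packet, forged_tag)}
```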