Again - see my earlier references on this thread to Microsoft as a "Stalking Horse" for COICA type legislation and the "Obama Internet Kill Switch".
Tuesday, I get to be in an audience of security pros, being addressed by Bill Clinton. I have already heard Richard Clarke, on a number of occasions. I suspect that his messaging will be an intelligent and warm, friendly advocacy for increased controls on Internet access - in the name of financial and national security.
This is an inevitable push. Our digital technologies will be turned against our civil liberties - under the guise of defending our financial stability. The best we can hope for is a "Digital Singapore" - versus a "Digital East Germany".
The difference between Government control of Internet access in China and the US/EU? In China the state is a mechanism to enforce the mandate of a Party elite. In the US/EU Government is a mechanism to enforce the will of elite Oligarchal capitalists. This business elite deflect the unpopularity of social control from themselves towards the straw-man of "big government", which they pretend to oppose, but secretly employ towards their objectives.
It is no mistake that "the Big Dog" is being brought out to address this issue, at a time when "government control" of Internet access is being pushed as an urgent contingency.
NAP is a "health" technology - not defense against a rogue operator or the trump in malware arms races.
In an enterprise, signing based on AD membership is the technology for attesting authenticity of health certificates and preventing replay, spoofing, etc.
I do not see an obvious root for this trust in the Internet model, versus the AD model.
In the model I'd proposed earlier, we assumed signing keychains from the participating banks, merchants, etc. Not perfect defense - but again, that's not the objective of the exercise. Without signing, or an equivalent validation, a NAP scheme could just as easily turn into a DoS method.
With signing, you can begin to federate. "Ah. I trust AmeX's signing of the health certificate that this client presented, so I'll admit them to Amazon's shopping cart function, without re-running a check." This is again, an ELECTIVE participation by providers and vendors - and not a policy mandate defining classes of general network access. Network access is not what should be quarantined by vendors - but application access is reasonable.
Quarantine should NOT be to impose any restrictions on a class of client as an end-in-itself! It's objective in an Internet model is to raise awareness of clients in maintaining computer hygiene and creating a public-interest consortium for making updates and protections available.
"For in spite of computers and advanced psychology Behaviour patterns are still a mystery I predict the future of this earthly human race Is that having made a mess of Earth They'll move to outer space Well there goes the neighbourhood Totally, completely, absolutely, irrevocably, highly illogical!"
No. No advocacy for tracking machines - no advocacy for hardware-based "Palladium" keying.
Just a way for your machine to communicate it's AV and patch-level health state, to those you do business with.
Then, they can look at the assertion of health and say:
"OK - now log in"
OR
"If you don't update, you are likely to get rooted, and your accounts stolen. Try again, in a few minutes after getting this AV update. BTW: here's a list of free updates that our consumer interest group is making available."
That's A LOT different than: "You are denied access to the Internet. I hope you didn't need to pay a bill or renew your vehicle registration, today."
It's the difference between someone not answering your phone call - or turning off your line.
BTW. NGSCB or Palladium, or whatyouwannacallit is coming. We can't do much about it, except be glad it will have as many laws as any complex system. This is a future where every aspect of your hardware and software are signed with digital keys - of which you are not the owner.
This has worked "well" for XBox 360 and iTunes. It creates a protected marketplace, with certain reliability in use cases and safety - at the expense of economic and civil liberty. Think of these as digital "Singapore".
Intel wants to be at the root of this - instead of Microsoft, who'd proposed this PC architecture in 2002. They have a better chance of acceptance than do MS. They will provide kits - at a price - for enterprises and individuals to build their own signed spaces.
"Here's my "Cloud" - with these signing rules to participate in one of a number of roles." Not quite as inherently evil a vision as Microsoft NGSCB - but fraught with potential in terms of unintended consequences, and peppered with multiple disastrous points-of-failure.
You don't believe it is happening? I am SURE that's why Intel bought McAfee for the incredible price they paid.
"Microsoft only clients" pretty much adequately describes the malware-bearing portion of the Internet!
You only need to block access to a protected resource - who's management ELECTS this level of defense.
The real play is NOT to protect the Online Bank or Payment Portal.
It is to create a "forcing function" by which the customer remedies his client - also to helpfully cooperate on making those remedies accessible.
Why? Because Internet business models rely heavily on trust and reputation. As occurrences like "account takeover" and fraudulent transactions become more common, consumer trust in online modes for business and commerce will erode.
Your AmEx's, Amazon's and Turbo Tax's (Names from a hat - not my customers) are vested in margins that are supportable through online delivery. Their CSOs are charged with not only safeguarding their own applications and infrastructure, but mitigating the negative effects of client vulnerability on the online business model. This is a big enough problem that it drives enterprises together, at the CSO and CTO levels. They want a solution that raises the general level of trust and confidence in Internet uses.
They all see this as a problem with Microsoft - if not at fault - at its hub.
Now, Corporate Microsoft wants to use this reasonable, cooperative approach to deny service in the broadest possible way. In light of this week's failure of the Internet blacklist bill (COICA) to be ratified, without vote, in committee? I smell an agenda.
Microsoft are just the stalking-horse for Congressional supporters of COICA to use: "See, if we don't act with responsible legislation, then Industry will take the matters into its own hands!"
I tried to get the idea of "Network Access Protection" for the Internet on the agenda, at Microsoft, for 2 years. We already had the client mechanisms for evaluating health-status, and the signed messages for communicating that status.
I was working with big eCommerce and online finance companies. In my proposal, enforcement would be at site logon. Infected machines could not access account services or cart/profiles, etc. They'd get a re-direct to a clearing-house that would disassociate the online brand from the notice of infection. That protection site would have remediation resources.
In the end, we had some great discussions - but MS can't execute - and no one trusts 'em.
Now, Charney waves this thing around. AND WANTS ISPs TO BLACKHOLE clients! Way to go. I see this as another stealth control measure to create a defacto model for denying service. Today, it is a ZeuS infection - tomorrow an HDCP patched player or WikiLeaks cookie.
You get the idea. Stuff this genie back into the bottle.
Jaguar just unveiled the C-X75 concept Grand Tourer at the Paris Auto Show. Because of "instant torque", it blows doors off of conventionally fueled Ferraris. Goes to 205 MPh. Range: 500 Miles.
How? Two gas-turbine jet engines, which run a recharging system, on board. The fuel tank is less than 14 gallons - and the system is pressurised for ALL of the fuels: Biodiesel, Diesel, Gasoline or LPG. Fuel as you chose, and plug into your home mains, as well.
Yeah. And small, fast planes can move 'em, too!
If you define your movement as descent on a vertical axis... :-)
Microsoft is allowed to do this because Government doesn't want a heterogeneous Internet, allowing arbitrary use cases and communications.
Government doesn't want this because the people who bought it, lock stock and barrel, are threatened by this.
Who bought Government? That's another thread.
Suffice it to say - those who see this issue in TECHNOLOGY terms miss the point. It is not a technology issue, but rather one of POLICY.
Again - see my earlier references on this thread to Microsoft as a "Stalking Horse" for COICA type legislation and the "Obama Internet Kill Switch".
Tuesday, I get to be in an audience of security pros, being addressed by Bill Clinton. I have already heard Richard Clarke, on a number of occasions. I suspect that his messaging will be an intelligent and warm, friendly advocacy for increased controls on Internet access - in the name of financial and national security.
This is an inevitable push. Our digital technologies will be turned against our civil liberties - under the guise of defending our financial stability. The best we can hope for is a "Digital Singapore" - versus a "Digital East Germany".
The difference between Government control of Internet access in China and the US/EU? In China the state is a mechanism to enforce the mandate of a Party elite. In the US/EU Government is a mechanism to enforce the will of elite Oligarchal capitalists. This business elite deflect the unpopularity of social control from themselves towards the straw-man of "big government", which they pretend to oppose, but secretly employ towards their objectives.
It is no mistake that "the Big Dog" is being brought out to address this issue, at a time when "government control" of Internet access is being pushed as an urgent contingency.
Keep watching what develops.
NAP is a "health" technology - not defense against a rogue operator or the trump in malware arms races.
In an enterprise, signing based on AD membership is the technology for attesting authenticity of health certificates and preventing replay, spoofing, etc.
I do not see an obvious root for this trust in the Internet model, versus the AD model.
In the model I'd proposed earlier, we assumed signing keychains from the participating banks, merchants, etc. Not perfect defense - but again, that's not the objective of the exercise. Without signing, or an equivalent validation, a NAP scheme could just as easily turn into a DoS method.
With signing, you can begin to federate. "Ah. I trust AmeX's signing of the health certificate that this client presented, so I'll admit them to Amazon's shopping cart function, without re-running a check." This is again, an ELECTIVE participation by providers and vendors - and not a policy mandate defining classes of general network access. Network access is not what should be quarantined by vendors - but application access is reasonable.
Quarantine should NOT be to impose any restrictions on a class of client as an end-in-itself! It's objective in an Internet model is to raise awareness of clients in maintaining computer hygiene and creating a public-interest consortium for making updates and protections available.
They belong to the same cartel.
Superbly executed, yes. And a principal exhibit in the argument that the comic be renamed from XKCD to OCD.
"until 2007 when activity drops off."
Ha!
I want to see this graph for the SLASHCODE.
"Until 2003, when Rob loses the will to live." :-)
Hawking is proof that one's having all the intelligence in the world, cannot remedy an individual of his primary idiocy.
The man is fundamentally thick - and cannot clearly distinguish between the semantics of "how" from those of "why" - among other flaws in perception.
"For in spite of computers and advanced psychology
Behaviour patterns are still a mystery
I predict the future of this earthly human race
Is that having made a mess of Earth They'll move to outer space
Well there goes the neighbourhood
Totally, completely, absolutely, irrevocably, highly illogical!"
I submitted this a week ago. It's been burned-out on Reddit and the boards, by now.
No. No advocacy for tracking machines - no advocacy for hardware-based "Palladium" keying.
Just a way for your machine to communicate it's AV and patch-level health state, to those you do business with.
Then, they can look at the assertion of health and say:
"OK - now log in"
OR
"If you don't update, you are likely to get rooted, and your accounts stolen. Try again, in a few minutes after getting this AV update. BTW: here's a list of free updates that our consumer interest group is making available."
That's A LOT different than: "You are denied access to the Internet. I hope you didn't need to pay a bill or renew your vehicle registration, today."
It's the difference between someone not answering your phone call - or turning off your line.
BTW. NGSCB or Palladium, or whatyouwannacallit is coming. We can't do much about it, except be glad it will have as many laws as any complex system. This is a future where every aspect of your hardware and software are signed with digital keys - of which you are not the owner.
This has worked "well" for XBox 360 and iTunes. It creates a protected marketplace, with certain reliability in use cases and safety - at the expense of economic and civil liberty. Think of these as digital "Singapore".
Intel wants to be at the root of this - instead of Microsoft, who'd proposed this PC architecture in 2002. They have a better chance of acceptance than do MS. They will provide kits - at a price - for enterprises and individuals to build their own signed spaces.
"Here's my "Cloud" - with these signing rules to participate in one of a number of roles." Not quite as inherently evil a vision as Microsoft NGSCB - but fraught with potential in terms of unintended consequences, and peppered with multiple disastrous points-of-failure.
You don't believe it is happening? I am SURE that's why Intel bought McAfee for the incredible price they paid.
Like the patch that breaks your HDCP workaround...
It's not YOUR computer, if someone else sets policy for it.
Do you kiss your children "good night" with that filthy mouth? :-)
I have been in the botnet warrooms of som BIG .coms.
When dealing with non-targeted attacks on massive scale (Think ZeuS) then the non-Windows computers are rounding errors.
IE is, itself, north of 85% of the online business - no matter what is reported about overall market share.
"Microsoft only clients" pretty much adequately describes the malware-bearing portion of the Internet!
You only need to block access to a protected resource - who's management ELECTS this level of defense.
The real play is NOT to protect the Online Bank or Payment Portal.
It is to create a "forcing function" by which the customer remedies his client - also to helpfully cooperate on making those remedies accessible.
Why? Because Internet business models rely heavily on trust and reputation. As occurrences like "account takeover" and fraudulent transactions become more common, consumer trust in online modes for business and commerce will erode.
Your AmEx's, Amazon's and Turbo Tax's (Names from a hat - not my customers) are vested in margins that are supportable through online delivery. Their CSOs are charged with not only safeguarding their own applications and infrastructure, but mitigating the negative effects of client vulnerability on the online business model. This is a big enough problem that it drives enterprises together, at the CSO and CTO levels. They want a solution that raises the general level of trust and confidence in Internet uses.
They all see this as a problem with Microsoft - if not at fault - at its hub.
Now, Corporate Microsoft wants to use this reasonable, cooperative approach to deny service in the broadest possible way. In light of this week's failure of the Internet blacklist bill (COICA) to be ratified, without vote, in committee? I smell an agenda.
Microsoft are just the stalking-horse for Congressional supporters of COICA to use: "See, if we don't act with responsible legislation, then Industry will take the matters into its own hands!"
Trust me. I have seen how these guys work.
If it were China, Russia, Iran or even Japan - they wouldn't pussyfoot around with "Country X". But?
If you needed a better confirmation of the Rick Sanchez allegations, look no further.
I tried to get the idea of "Network Access Protection" for the Internet on the agenda, at Microsoft, for 2 years. We already had the client mechanisms for evaluating health-status, and the signed messages for communicating that status.
I was working with big eCommerce and online finance companies. In my proposal, enforcement would be at site logon. Infected machines could not access account services or cart/profiles, etc. They'd get a re-direct to a clearing-house that would disassociate the online brand from the notice of infection. That protection site would have remediation resources.
In the end, we had some great discussions - but MS can't execute - and no one trusts 'em.
Now, Charney waves this thing around. AND WANTS ISPs TO BLACKHOLE clients! Way to go. I see this as another stealth control measure to create a defacto model for denying service. Today, it is a ZeuS infection - tomorrow an HDCP patched player or WikiLeaks cookie.
You get the idea. Stuff this genie back into the bottle.
'Nuff Said!
They turned him in, fearing a crude "gotcha" sting.
O'BRIEN, CUE THE TELESCREEN
It's "Two Minutes Hate", My Favourite Reality Series!
Jaguar just unveiled the C-X75 concept Grand Tourer at the Paris Auto Show. Because of "instant torque", it blows doors off of conventionally fueled Ferraris. Goes to 205 MPh. Range: 500 Miles.
How? Two gas-turbine jet engines, which run a recharging system, on board. The fuel tank is less than 14 gallons - and the system is pressurised for ALL of the fuels: Biodiesel, Diesel, Gasoline or LPG. Fuel as you chose, and plug into your home mains, as well.
http://www.wired.com/autopia/2010/09/paris-auto-show-jaguar-cx75/
Arrivederci, Italia!
"Some Virii are MORE EQUAL than others!"
Bloody solipsist! Talking to yourself, again... It a'int normal I tell you!
Wait. Microsoft wants to buy Second Life?
Don't they need to get a first life, first?
No. He disproved the ability to perceive reality.
When "Everything" is defined for certain values of "Kurt Godel"...