Security Microsoft The Internet Windows Technology

Microsoft Eyes PC Isolation Ward To Thwart Botnets

CWmike writes "In a paper published Wednesday (PDF), Scott Charney, who heads Microsoft's trustworthy computing group, spelled out a concept of 'collective defense' that he said was modeled after public health measures like vaccinations and quarantines. The aim: To block botnet-infected computers from connecting to the Internet. Under the proposal, PCs would be issued a 'health certificate' that showed whether the system was fully patched, that it was running security software and a firewall, and that it was malware-free. Machines with deficiencies would require patching or an antivirus update, while bot-infected PCs might be barred from the Internet."
  • by gringer ( 252588 ) on Thursday October 07, 2010 @08:17PM (#33831608)

    If you want to model how our body recognises and deals with disease, you need to concentrate on whitelists, rather than blacklists. Vaccinations are similar to a community blacklist, but for most pathogens our own immune system can work out what things are appropriate to reject.

  • by postbigbang ( 761081 ) on Thursday October 07, 2010 @08:37PM (#33831804)

    They've been championing 'network admittance control' for a long time. It's pretty difficult to do, especially in a heterogeneous OS network. Add smartphones and other possible attack vectors, and it's nigh impossible.

    Yet it's a nice idea to block machines that probe servers on ssh ports with logon names like 'oracleadmin' and so on. Isolating suspect systems has to be coupled with a method to vet systems, and therein lies the rub. Unless you use pattern matching to watch system traffic for phone-homes and weird characterizations, it's simply too tough to get anything but a homogeneous (read Microsoft clients only) network intrusion detection system to work.

  • Re:Further proof (Score:3, Informative)

    by X0563511 ( 793323 ) on Thursday October 07, 2010 @08:38PM (#33831814) Homepage Journal

    40 grains cures it just fine...

  • by skogs ( 628589 ) on Thursday October 07, 2010 @08:38PM (#33831816) Journal

    Old SMS client -- System Management Console --- Is supposed to be automatically updated via sms push to the new client -- Configuration Control/Console or whatever.

    I've seen computers fall off the 'good' list and onto the 'naughty' list quite frequently. They don't generally patch themselves and make it up to the 'good' list on their own...though that is specifically the idea. M$ hasn't gotten it right for the last decade...so obviously they are going to patent the process and make more money off other people that DO make it work.

  • by icebraining ( 1313345 ) on Thursday October 07, 2010 @08:52PM (#33831932) Homepage

    Well, Debian has debsums, but it's not useful for security purposes, only as a corruption check.

  • by postbigbang ( 761081 ) on Thursday October 07, 2010 @09:22PM (#33832130)

    Ah, were it true. While I follow your logic on COICA, it's not just Microsoft whose software can be swiss-cheesed, given enough attempts.

    Today, one of my servers was under attack. I sent complaints to vsnl.in and their abuse and postmaster accounts bounce. No one is at the switch... or perhaps they're sleeping. So I tried to characterize the attacker. It's a Linux box running an old version of CentOS. As I write this, it's dutifully trying to logon with single letter logon names.

    Yet Microsoft Windows users represent not just the statistically largest attacking surface, but the one with the most plentiful cracks that have botted machines. Bots come in all sizes, shapes and characterizations. They're not exclusive to Microsoft, just the most statistically significant.

    There are better ways to prevent attacks, and better kill switches to partition-out attackers. We just have to agree on how to deploy them, rather than give the enemies of genuine freedom the tools to kill the friendlies.
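    The pattern matching postbigbang describes in the two comments above (a source sweeping ssh with 'oracleadmin' and single-letter logon names) is easy to make concrete. The following is an added example, not code from the original thread or from any tool the commenters mention: it parses sshd failure lines, aggregates them per source address, and decides whether a source is enumerating accounts. The log lines, the list of probe usernames and the nft table/set name are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of sshd lines in syslog format (not taken from any real host).
SAMPLE_AUTH_LOG = """\
Oct  7 18:02:11 web1 sshd[4021]: Failed password for invalid user a from 203.0.113.45 port 51234 ssh2
Oct  7 18:02:13 web1 sshd[4021]: Failed password for invalid user b from 203.0.113.45 port 51240 ssh2
Oct  7 18:02:15 web1 sshd[4021]: Failed password for invalid user c from 203.0.113.45 port 51244 ssh2
Oct  7 18:02:20 web1 sshd[4023]: Failed password for invalid user oracleadmin from 203.0.113.45 port 51250 ssh2
Oct  7 18:02:25 web1 sshd[4025]: Failed password for invalid user d from 203.0.113.45 port 51255 ssh2
Oct  7 18:03:01 web1 sshd[4030]: Failed password for alice from 198.51.100.7 port 40100 ssh2
Oct  7 18:03:09 web1 sshd[4030]: Accepted publickey for alice from 198.51.100.7 port 40100 ssh2
Oct  7 18:04:44 web1 sshd[4041]: Failed password for invalid user oracleadmin from 192.0.2.99 port 33001 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Account names that exist on none of our machines; any attempt is a probe (assumed list).
PROBE_USERS = {"oracleadmin", "oracle", "admin", "test", "guest"}

def parse_failed_logins(log_text):
    """Return (user, source_ip) for every failed-password line; ignore everything else."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("ip")))
    return events

def classify_sources(events, block_threshold=4):
    """Per source IP: 'block', 'watch' or 'ok', plus the evidence behind the verdict."""
    users_by_ip = defaultdict(list)
    for user, ip in events:
        users_by_ip[ip].append(user)
    verdicts = {}
    for ip, users in users_by_ip.items():
        single_letter = sum(1 for u in users if len(u) == 1 and u.isalpha())
        probes = sum(1 for u in users if u in PROBE_USERS)
        reasons = []
        if single_letter >= 3:
            reasons.append("single-letter username sweep (%d)" % single_letter)
        if probes:
            reasons.append("probes for nonexistent accounts (%d)" % probes)
        # Block on clear enumeration behaviour or sheer volume; a lone probe only earns a watch,
        # so one mistyped username from a legitimate admin does not lock them out.
        if single_letter >= 3 or len(users) >= block_threshold:
            verdict = "block"
        elif reasons:
            verdict = "watch"
        else:
            verdict = "ok"
        verdicts[ip] = {"verdict": verdict, "attempts": len(users), "reasons": reasons}
    return verdicts

def nft_block_commands(verdicts, set_name="inet filter sshprobes"):
    """Render blocked sources as nft set additions (table and set names are assumed)."""
    return ["nft add element %s { %s }" % (set_name, ip)
            for ip, v in sorted(verdicts.items()) if v["verdict"] == "block"]

if __name__ == "__main__":
    v = classify_sources(parse_failed_logins(SAMPLE_AUTH_LOG))
    for ip, info in sorted(v.items()):
        print(ip, info["verdict"], info["attempts"], "; ".join(info["reasons"]))
    print("\n".join(nft_block_commands(v)))
```

    On the sample, 203.0.113.45 is blocked (four single-letter names plus 'oracleadmin'), 192.0.2.99 is only watched after a single probe, and 198.51.100.7, which failed once and then logged in with a key, is left alone. That is the vetting step the comment says is the hard part: the decision rests on behaviour observed at the server, not on anything the remote machine asserts about itself, so it works the same for a CentOS box and a Windows box.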

  • by Moryath ( 553296 ) on Thursday October 07, 2010 @10:48PM (#33832630)

    When you're in the US, it's either the one monopolistic dickwad company on your area (cocks, comcrap, time waster, etc), or some combination of one of them with some equally crappy DSL company (verysucky, American Titty&Twister, etc) that equals a duopoly, or some really crappy dialup or satellite service with absolutely suck-tastic lag and lousy bandwidth.

    We don't have competition, so therefore, we don't have any choice. And the Republicrats and Demicans, may they both rot in fucking hell, don't do what's necessary to fix it because they're both in the pockets of the aforementioned monopolies.

  • Re:Further proof (Score:3, Informative)

    by Nyder ( 754090 ) on Friday October 08, 2010 @12:43AM (#33833142) Journal

    There is no cure for stupid.

    death.

  • by znerk ( 1162519 ) on Friday October 08, 2010 @01:34AM (#33833326)

    You do know that Linux has security issues too? Don't you?

    I am aware that a few Linux security issues exist, but I haven't seen anything even remotely like the Windows exploits' proliferation. Can you point me at a website or other documentation that shows some in-the-wild exploits for Linux-based systems? I swear I'm not trolling, I just really don't see the parallel.

    To be honest, I read something along the lines of "Tens of thousands of new Windows malwares (virus, trojan, adware/spyware, etc) in the wild every day, 25 proven exploits of Linux in the last 15 years (only 2 of which were ever in the wild)", but I can't recall where I read it. I would welcome some information that contradicts that. No, really.

    Again: This is not a troll, this is a serious inquiry.

  • by Anne Thwacks ( 531696 ) on Friday October 08, 2010 @03:30AM (#33833696)

    buy a Wii, like the rest of us!

  • by Dr_Barnowl ( 709838 ) on Friday October 08, 2010 @04:26AM (#33833886)

    This comes from the MS Treacherous Computing [wikipedia.org] group, so spoofing the certificate may not be easy.

    A certificate would be composed of a hash of all your critical OS components, constructed and signed by the TPM chip on your motherboard.

    This would be a form of Remote Attestation. MS, and their real customers in the media cartels, would love to get the thin end of this wedge into Windows, because it would mean that you could e.g. provide streaming media servers while being sure that the client is an official approved client, running an approved software stack that hasn't been tampered with to do naughty things like dump the stream to disk.

    Using it to keep virus-infected machines off the internet is just a piece of spin - the real reason for wanting this is the usual - a general purpose computer is a powerful tool, and many powerful interests feel nervous about them being under the full control of their owners.
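    The mechanism Dr_Barnowl sketches (a hash of the critical OS components, signed by the TPM, checked by whoever controls admission) is remote attestation, and its moving parts are small enough to show end to end. The following is an added example, not code from the thread, from Microsoft's paper, or from any TPM stack: it simulates a single PCR, the extend operation, a signed quote over the PCR and a verifier nonce, and a gatekeeper that replays the event log and checks it against an allowlist. The component blobs, the allowlist and the attestation key are constructed; in particular, signing with an HMAC key shared with the verifier is an assumption made so the example runs on the standard library alone, where a real TPM uses an asymmetric attestation key certified back to its endorsement key.

```python
import hashlib
import hmac
import os

PCR_INIT = b"\x00" * 32  # PCRs start zeroed at reset

def pcr_extend(pcr, digest):
    """TPM extend operation: PCR := SHA-256(PCR || digest). Order-dependent and irreversible."""
    return hashlib.sha256(pcr + digest).digest()

def measure_boot(components):
    """Each loaded component is hashed, logged, and folded into the PCR in load order."""
    pcr, event_log = PCR_INIT, []
    for name, blob in components:
        digest = hashlib.sha256(blob).digest()
        event_log.append((name, digest))
        pcr = pcr_extend(pcr, digest)
    return pcr, event_log

def tpm_quote(attestation_key, pcr, nonce):
    """The 'health certificate': a signature over the PCR and the verifier's fresh nonce."""
    sig = hmac.new(attestation_key, pcr + nonce, hashlib.sha256).digest()
    return {"pcr": pcr, "nonce": nonce, "sig": sig}

def replay_log(event_log):
    """Recompute the PCR that a given event log should produce."""
    pcr = PCR_INIT
    for _, digest in event_log:
        pcr = pcr_extend(pcr, digest)
    return pcr

def verify(attestation_key, quote, event_log, expected_nonce, allowlist):
    """Gatekeeper decision: (decision, reason). Checks signature, freshness, log integrity, policy."""
    expected_sig = hmac.new(attestation_key, quote["pcr"] + quote["nonce"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, quote["sig"]):
        return ("reject", "signature does not verify")
    if quote["nonce"] != expected_nonce:
        return ("reject", "nonce mismatch: stale or replayed quote")
    if replay_log(event_log) != quote["pcr"]:
        return ("reject", "event log does not reproduce the quoted PCR")
    unapproved = [name for name, digest in event_log if digest not in allowlist.get(name, set())]
    if unapproved:
        return ("quarantine", "unapproved components: " + ", ".join(unapproved))
    return ("admit", "every measured component is on the allowlist")

def run_demo():
    """Four scenarios: healthy host, rootkitted kernel, replayed quote, forged event log."""
    ak = b"simulated-attestation-key"  # assumption: a real TPM uses an asymmetric, certified AK
    good = [("bootloader", b"bootloader v1"),
            ("kernel", b"kernel 6.1 signed build"),
            ("antivirus", b"av engine 2010.10")]
    allowlist = {name: {hashlib.sha256(blob).digest()} for name, blob in good}
    results = {}

    nonce = os.urandom(16)
    pcr, log = measure_boot(good)
    healthy_quote = tpm_quote(ak, pcr, nonce)
    results["healthy"] = verify(ak, healthy_quote, log, nonce, allowlist)

    tampered = [good[0], ("kernel", b"kernel 6.1 + rootkit"), good[2]]
    nonce2 = os.urandom(16)
    pcr2, log2 = measure_boot(tampered)
    results["rootkit"] = verify(ak, tpm_quote(ak, pcr2, nonce2), log2, nonce2, allowlist)

    # The infected host re-sends the quote it obtained while it was still clean.
    results["replay"] = verify(ak, healthy_quote, log, os.urandom(16), allowlist)

    # The infected host sends its own fresh quote but the clean host's event log.
    results["forged_log"] = verify(ak, tpm_quote(ak, pcr2, nonce2), log, nonce2, allowlist)
    return results

if __name__ == "__main__":
    for scenario, (decision, reason) in run_demo().items():
        print("%-10s %-10s %s" % (scenario, decision, reason))
```

    Two things the code makes concrete. The quote itself only proves which PCR value the TPM saw; it is the allowlist, held by the gatekeeper, that turns that value into "healthy" or "infected", which is exactly the control point the comment is worried about. And because every patch changes a component digest, the allowlist has to be re-issued with each update, which is the operational burden skogs describes with machines falling off the 'good' list.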

  • by wildstoo ( 835450 ) on Friday October 08, 2010 @04:58AM (#33833994)

    He said gamer, not grandmother.

  • by jedidiah ( 1196 ) on Friday October 08, 2010 @08:52AM (#33834830) Homepage

    > He said gamer, not grandmother.

    Then buy a PS3.

    If Lemmings didn't put up with being fed shit on a shingle for more than 20 years we would not have this mess.

  • by pyrr ( 1170465 ) on Friday October 08, 2010 @12:00PM (#33836890)

    "Remote execution/privilege-escalation exploit" is the category of issue you're thinking of, not security exploits in general.

    Linux has plenty of security advisories that may be exploited, but almost every last one requires physical access to the machine to do serious damage. However, Linux has almost no credible remote execution threats; there are a handful from useful apps that are installed on Linux, such as Apache. It's simply not the situation where anyone sitting halfway around the world can poke at your ports a little and root your Linux server through no fault of your own (and by "fault", I mean failing to choose a strong password and keep it secure).

    Local exploits are simply not the same class of risk as remote exploits. It's so very much more difficult for purveyors of malware who want to convince your computer to join their botnet when they have to break into your house to root your system, or to trick you into signing-up your system to distribute their worm voluntarily through your own stupidity.

    The problem with Windows and Microsoft's integrated applications such as IE is that remote execution/privilege-escalation exploits are everywhere. Try connecting a computer running Windows XP SP1a directly to the internet. It'll get pwned before you can even navigate to the M$ site in order to download the security updates it needs. Fortunately, Windows isn't quite that XPloitable anymore, but it's still pretty bad when you visit a website, and that website (which may have an otherwise reputable operator aside from having their database injected with malware) exploits your browser, which in turn hijacks Windows. This is the problem: there's not sufficient compartmentalization between the "untrusted" area of the computer that runs applications that venture into risky territory, local userspace (which is not infallible, but generally not malicious), and the system's inner sanctum. In effect, Windows security is generally so poor that it just allows internet traffic to wander right into that inner sanctum, largely unchecked. It's inconvenient for users to encounter locked-doors or security checkpoints, but if trusted users aren't subjected to such inconvenient and unsightly things, then unauthorized/untrusted users aren't subjected to them either.

    You trust the window latches in your home or the deadbolt on your front door to keep random, unauthorized strangers who you don't trust from entering your home, stealing your stuff, or setting-up a webcam in your bedroom. You presumably already trust the people in your home or office who are going to be able to just sit-down at your computer, so local exploits are largely moot. If you can't trust your operating system to not let strangers from the internet have full access to system files and resources, it's not trustworthy computing.

  • Re:Gov vs Corp (Score:4, Informative)

    by Alsee ( 515537 ) on Friday October 08, 2010 @02:46PM (#33839084) Homepage

    Can you imagine the hysterics if the government had proposed this!

    I regret to inform you that the government has been proposing this every year for at least the last ten years.

    It seems to have disappeared from the internet, but I saved a copy of a PDF from the December 4&5 2001 Global Tech Summit in Washington D.C. It contains the keynote speech from Richard Clarke, Special Advisor to the President for Cyberspace Security. He literally cited Osama bin Laden in his call to secure the internet. Here are some snippets from that keynote speech:

    I think we need to decide that from now on IT security functionality will be built in to what we do, to the products that we bring to market.

    TCPA, the Trusted Computing Platform Alliance, is an example of bringing hardware and software manufacturers together. But TCPA is not enough. It's a good beginning, but it's not enough.

    It is not beyond the wit of this industry to figure out a way of forcing down patches.

    ISPs and carriers can insist that when cable modems and DSL hookups are made, firewalls are installed. It is not enough for an ISP or carrier to say, oh, and by the way, you might want to think about a firewall.

    If you check the PDF on this story, the plan is explicitly based on TPM Trust Enforcement Chips being built into computers as part of forcing down these patches and controlling internet access. "TPM" is the modern name for TCPA.

    The US Government has been pushing this crap harder and harder each year in the "National Plan to Secure Cyberspace" and the plans to "Secure the National Information Infrastructure" and in every other Capitalized Plan And Policy And Strategy Regarding The Internet. The government has been funneling tens of millions of dollars of grants every year into developing this crap. Starting in 2006 the US Army mandated Trust Enforcement Chips be included in all new computer purchases, I think(?) this policy has since been extended to all military computer purchases, and the government has been seriously discussing making it mandatory for all government computer purchases. The really fun part is the explicitly stated purpose for this government policy. The purpose is to use government buying power to fund and manipulate the manufacturing industry. The declared purpose is to fabricate a commercial demand to ramp up production of these chips, and for these chips to be included by default in ALL new consumer PCs. The government has been increasingly pushing this agenda in international relations and in bodies under the UN. Unfortunately the European Union has, if anything, become even more eager than the US in their grand plans for promoting the new Information Economy and the new Information Society. Yay for more Capitalized Plans from our European brothers. There has been increasing activity from all parties on plans for instituting Internet Governance. It's interesting to note that the world's most repressive regimes are most enthusiastic. They are just drooling over the surveillance, control, tracking, law enforcement, repression, and censorship that comes along with locking down computers and locking down internet access and internet communications.

    Just to link a single example of recent government work product, Slashdot reported on White House Unveils Plans For "Trusted Identities In Cyberspace" [slashdot.org] from the President's Cyberspace Policy Review. And let's have a Capitalized Yay for the Capitalized Identity Ecosystem it wants to impose on us. If you actually get down into the proposal it is the same crap to lock down our computers with these Trust Enforcement Chips. Not only can these chips perform Health Checks to grant or deny you access to the internet, these chips will lock down our digital identities and manage our privacy. If you read the fine PDF in that link, page 4 has an "Envision it!" box explaining how this Identity
