Microsoft Eyes PC Isolation Ward To Thwart Botnets 413

CWmike writes "In a paper published Wednesday (PDF), Scott Charney, who heads Microsoft's trustworthy computing group, spelled out a concept of 'collective defense' that he said was modeled after public health measures like vaccinations and quarantines. The aim: To block botnet-infected computers from connecting to the Internet. Under the proposal, PCs would be issued a 'health certificate' that showed whether the system was fully patched, that it was running security software and a firewall, and that it was malware-free. Machines with deficiencies would require patching or an antivirus update, while bot-infected PCs might be barred from the Internet."
  • IPV6's Killer App! (Score:4, Interesting)

    by TheNarrator ( 200498 ) on Thursday October 07, 2010 @08:17PM (#33831604)

    Every connected device will be mandated to have the bottom 64 bits of its ipv6 address store a pc health certification identifier which will link to their owner's unique citizen identifier. I told you this was coming...

  • Gov vs Corp (Score:5, Interesting)

    by Dutchmaan ( 442553 ) on Thursday October 07, 2010 @08:19PM (#33831638) Homepage
    Can you imagine the hysterics if the government had proposed this! But it's a company, so I'm sure it's all OK.
  • by Dunbal ( 464142 ) * on Thursday October 07, 2010 @08:20PM (#33831656)

    while bot-infected PCs might be barred from the Internet.

    Or rather, machines that don't have the right "health certificate". You know, like ones running discontinued operating systems, or "unsupported" operating systems.

  • by Jeremiah Cornelius ( 137 ) on Thursday October 07, 2010 @08:26PM (#33831704) Homepage Journal

    I tried to get the idea of "Network Access Protection" for the Internet on the agenda, at Microsoft, for 2 years. We already had the client mechanisms for evaluating health-status, and the signed messages for communicating that status.

      I was working with big eCommerce and online finance companies. In my proposal, enforcement would be at site logon. Infected machines could not access account services or cart/profiles, etc. They'd get a re-direct to a clearing-house that would disassociate the online brand from the notice of infection. That protection site would have remediation resources.

    In the end, we had some great discussions - but MS can't execute - and no one trusts 'em.

    Now, Charney waves this thing around. AND WANTS ISPs TO BLACKHOLE clients! Way to go. I see this as another stealth control measure to create a de facto model for denying service. Today, it is a ZeuS infection - tomorrow an HDCP patched player or WikiLeaks cookie.

    You get the idea. Stuff this genie back into the bottle.

  • by Anonymous Coward on Thursday October 07, 2010 @08:28PM (#33831718)

    They just want to lock out Open-Source OSes, which won't have such a procedure, since they don't use binary-only distros with checksums built into the low-level OS.

  • Wow. (Score:5, Interesting)

    by Anonymous Coward on Thursday October 07, 2010 @08:28PM (#33831720)

    Where is the USDOJ when you need them to remind Microsoft about their recent trip down anti-trust lane? Not to mention a nasty little thing called "collusion" - whichever AV and PKI vendors are selected naturally benefit, and I imagine all the ISPs will have to agree to enforce this as well or suffer some consequence.

    A framework like this makes two assumptions that spell doom for future innovation by free thinkers: Microsoft Windows on every consumer device that connects to the Internet and every device using "Microsoft approved/recognized security software." Not a bad approach at first blush since that describes a large part of the marketplace and at least 100% of the problem, but honestly - there are better ways to solve this than trying to fit the future Internet ecosystem into Ballmer's limited imagination.

    Read the paper. Please. And look for it soon as a key exhibit at the next anti-trust action against Microsoft.

  • by icebraining ( 1313345 ) on Thursday October 07, 2010 @08:32PM (#33831756) Homepage

    2003 called, they want their FUD back.

  • by h4rr4r ( 612664 ) on Thursday October 07, 2010 @08:43PM (#33831874)

    You can use scanning software like nessus + vlans to do basically this in a very heterogeneous environment; add in a simple intrusion detection system and you pretty much have your bases covered.

    Sure this is not 100%, but nothing is. Another thing most places get wrong is not everyone needs to be able to talk to everything, even internally. White list not black list.

  • by by (1706743) ( 1706744 ) on Thursday October 07, 2010 @08:47PM (#33831888)
    My alma mater did this, and it seemed to work out quite well -- any MAC address which had been shown (by their free Mac+Windows utility) to have run the anti-virus scanner (included in the aforementioned utility) was then whitelisted, and given access to the 'net.

    Non-OS X *N?X users were automatically whitelisted (which also meant that any tech-savvy user could simply spoof running Linux to avoid running the utility).
  • A few problems... (Score:4, Interesting)

    by Todd Knarr ( 15451 ) on Thursday October 07, 2010 @08:48PM (#33831898) Homepage
    1. Define "fully patched". On my systems the version numbers often have nothing whatsoever to do with what patches have been applied to them. Sometimes the patchlevel's updated, but many simply don't bother updating the version. And what would they update it to, anyway? There may be thousands of permutations of applied patches, there's no way to assign versions to them.
    2. What security software? I don't know of any "security software" vendors who make anything for my systems. And frankly I'd consider a system that needed security software to be fatally buggy and I'd be replacing it ASAP with something more secure.
    3. Firewall? That's something I run on the border routers to control access to my network. Internally firewalls are verboten, they cause too many technical problems. Untrusted machines get access via wireless (everything connecting by wireless is by definition untrusted, it's not nailed down permanently to the wiring), with client isolation turned on and access to the internal network only via IPSec VPN. If your machine needs a local firewall to be safe, over on the wireless segment it goes without VPN access so it can't endanger my network.
    4. Malware-free, that's the normal state of my machines. Malware is a hazard to be blocked at the edge of the network, and my systems do a pretty good job of it.

    I've been running since the early 80s, and have yet to have anything of that sort found on any machine under my control. Which is more than I can say for the networks I've seen "protected" by the major security vendors, every single one of them has regular problems with malware infections. So, when Microsoft can show me a network that's been running under their system for say 5 years with no machine on it ever needing to be cleaned of malware, then I'll take their recommendations seriously. Until then, well, I'll stick with the procedures and policies that've given me a 25+-year clean track record.

    Oh, and one of those policies? No Microsoft software unless absolutely necessary, and when necessary its use should be heavily controlled and restricted to only those things it's necessary for.

  • How about .... (Score:3, Interesting)

    by AHuxley ( 892839 ) on Thursday October 07, 2010 @09:04PM (#33832012) Journal
    Just coding a real OS, with real security, with real support?
    Copy what works in OS X, Linux, Unix and any bespoke or research OS.
    Put all that wasted outside effort into a new clean MS OS, port/code over the Office/productivity/games and release low cost consumer dev tools.
    Like a big console for today's next gen Intel/AMD/ARM based hardware.
    As every product is an app and gets 'tested', most of the basic legacy MS malware should be cleaned out.
    Drivers are written for the OS under strict new testing and NDA controls.
    A shorter list of new hardware. No more "Linux" ports or other strange license options, quality DRM is a must. Apps can be free (code free so the young can learn to make apps and later earn from their efforts in the MS way), small cost or consumer/prosumer etc.
    Call it MS ~ Newstart, add the new "BIOS" efforts so it starts real quick.
    Add some subsidised Youth Allowance and MS Study so the young and university staff can be guided into code and app development.
    For countries with populations where cash flow is still an issue, roll out MSAid ~ MS Agreement for International Development.
    Well funded local community plans to ensure the generational use of MS products.
  • by adjuster ( 61096 ) on Thursday October 07, 2010 @09:17PM (#33832088) Homepage Journal
    NAP / NAC without trusted computing platforms on the client nodes is a stupid, pointless idea. Unless the client can be trusted not to lie about its "health status" there's no guarantee that the client isn't simply infected with something that's smart enough to hide from "health scans".
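The summary describes a certificate with three claims (fully patched, security software and firewall running, malware-free) and three outcomes (allow, require patching or an AV update, bar from the network). The following added example, which is not from Charney's paper or any Microsoft code, sketches that decision as a signed statement checked by an enforcement point, and then shows the point adjuster makes: the signature only proves the statement was produced by the client's signing code, so a tampered certificate is caught but a client that simply signs a false "healthy" statement is indistinguishable from a healthy one. The HMAC key, field names and sample statements are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed shared key for this example (an assumption, not anything from
# Charney's paper); a real deployment would use per-device keys or public-key
# certificates issued by the attesting party.
ATTESTER_KEY = b"example-attester-key-not-for-real-use"

def sign_health_statement(statement, key=ATTESTER_KEY):
    """Client side: canonically serialize the self-reported state and attach an HMAC tag."""
    body = json.dumps(statement, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"statement": statement, "tag": tag}

def verify_health_certificate(cert, key=ATTESTER_KEY):
    """Enforcement side: check the tag, then apply the three outcomes from the proposal.

    Returns "allow", "remediate" (patch/AV update required) or "block".
    """
    body = json.dumps(cert.get("statement", {}), sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison; a forged or edited certificate fails here.
    if not hmac.compare_digest(expected, str(cert.get("tag", ""))):
        return "block"
    s = cert["statement"]
    if s.get("malware_found", True):
        return "block"
    if not (s.get("fully_patched") and s.get("security_software") and s.get("firewall")):
        return "remediate"
    return "allow"

# Constructed sample statements.
HEALTHY = {"fully_patched": True, "security_software": True, "firewall": True, "malware_found": False}
UNPATCHED = dict(HEALTHY, fully_patched=False)
INFECTED = dict(HEALTHY, malware_found=True)

def tampered_certificate():
    """An infected client that edits its statement after signing: the tag no longer matches."""
    cert = sign_health_statement(INFECTED)
    cert["statement"] = dict(cert["statement"], malware_found=False)
    return cert

def lying_client_certificate():
    """An infected client whose malware controls the signing code just signs a healthy statement.
    Nothing in the certificate distinguishes this from HEALTHY, which is adjuster's point."""
    return sign_health_statement(HEALTHY)

if __name__ == "__main__":
    for name, cert in [("healthy", sign_health_statement(HEALTHY)),
                       ("unpatched", sign_health_statement(UNPATCHED)),
                       ("infected", sign_health_statement(INFECTED)),
                       ("tampered", tampered_certificate()),
                       ("lying", lying_client_certificate())]:
        print(f"{name:10s} -> {verify_health_certificate(cert)}")
```

The verifier can only decide on what the statement says; whether the statement is true depends on something outside the client's reach (a measured boot, a TPM-backed quote, or a remote scan), which is what "trusted computing platforms on the client nodes" refers to above.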
  • by h4rr4r ( 612664 ) on Thursday October 07, 2010 @09:32PM (#33832204)

    Why in the devil do you have ssh available to the world?

  • by cgenman ( 325138 ) on Thursday October 07, 2010 @09:46PM (#33832286) Homepage

    I'm sure Linux and other systems will just spoof the certificate.

    Which brings up the bigger question of "how do you supply a health certificate?" You can't expect the computer to respond properly, because any virus would just spoof the right answer. You *might* be able to have the local machine certified by a remote machine, but IP addresses change constantly, and then it's just a question of spoofing to the certifying machine.

    On a practical scale, how can this even work?

  • by plover ( 150551 ) * on Thursday October 07, 2010 @09:52PM (#33832328) Homepage Journal

    Not quite. Vaccinations are mandatory in several situations. Some jurisdictions require them for public health workers, police and first responders, etc. And I think almost all schools require them.

    Here's a good stupid story about required vaccinations. Last winter I had an academic hold placed on my record because I never bothered to provide evidence of a measles vaccination. Apparently being enrolled in an online-only program, and not being within a thousand miles of the campus in 40 years doesn't mean I'm not a terrible threat.

  • by Sir_Lewk ( 967686 ) <sirlewkNO@SPAMgmail.com> on Thursday October 07, 2010 @09:58PM (#33832364)

    The whole point of the system is basically to require people that don't know better to run virus protection software, while staying out of the way of people that do know better. If you know enough to get around the system, then they are not particularly worried about you anyway.

    My school did this as well (requires virus software for windows users, whitelists everyone else automatically) and it worked out rather well.

  • by Jeremiah Cornelius ( 137 ) on Thursday October 07, 2010 @10:19PM (#33832458) Homepage Journal

    I have been in the botnet warrooms of some BIG .coms.

    When dealing with non-targeted attacks on massive scale (Think ZeuS) then the non-Windows computers are rounding errors.

    IE is, itself, north of 85% of the online business - no matter what is reported about overall market share.

  • You asked... (Score:4, Interesting)

    by znerk ( 1162519 ) on Thursday October 07, 2010 @10:29PM (#33832502)

    Why in the devil do you have ssh available to the world?

    I almost automatically moderated this up, but decided instead to respond.

    ssh is Secure Shell. It is supposed to be a secure method of accessing a system (remote or otherwise). It does this job well.

    So well, in fact, that there are computers out there whose job it is to bounce username/password combos off machines, slowly, in order to attempt to compromise them. Some (most?) of these machines are simply poorly secured systems that have been previously compromised, and are now doing the bidding of an outside force. Many of these "compromised hosts" can act in concert, spreading the attacks out not only over time, but also over IPs, making them difficult to detect and/or block.

    One solution is to watch vigilantly for these attacks, and block the IP addresses of those machines from your ssh port, or (as is more common) to block them from touching your network at all. Those machines will get lonely, eventually...

    Another solution is to implement some other form of security, either replacing the default security (using ssh keys instead of passwords [ubuntuforums.org], for example), or augmenting (read: hiding) it (using port-knocking, non-standard ssh ports, etc). These methods can be combined, to make an even more secure system.

    Unfortunately for all of these methods, the average user is unable or unwilling to perform them, due to complexity. Unfortunately for all of us, the moment it becomes simple enough for the average user to figure out (and thus use) these methods, there will be an exploit that attacks the newly-simplified access method.

    In short, having sshd open to the world, on the standard port, is probably an indication that a system can be broken into more easily than one which does not appear to be running sshd on the standard port. This really says not much about the security of the system itself, and the only reason to secure your ssh more than the default configuration already is (valid username/password required) is to keep from having huge log files full of failed attempts to crack into your system.

    Personally, I use a combination of several of the ideas I offered above, because I am lazy and hate reading logfiles, especially when it seems critical that I must do so (30 attempts to crack my ssh key in an hour? bad monkey, no cheeto!) It is much easier, less stressful, and not time-consuming in the slightest to have my firewall simply drop all packets destined for port 22.
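The first solution in the post above, watching for distributed password guessing and blocking the source addresses, comes down to counting failed logins per source within a time window. The following is an added example, not code from the post or from any real tool: it parses a constructed set of sshd auth-log lines (the "Failed password" line format OpenSSH writes, with the year supplied because syslog omits it), counts failures per source with a sliding window, and returns the addresses that cross a threshold. The threshold, the window length and the log lines are assumptions. It also illustrates the "slowly" remark: a source that tries once every thirty minutes stays under a ten-minute window and is only flagged when the window is widened, which is the trade-off any such blocker makes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the "Failed password" line OpenSSH's sshd writes to the auth log.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

# Constructed sample log (not a real capture). Syslog lines carry no year,
# so the parser is given one explicitly.
SAMPLE_LOG = """\
Oct  7 18:00:00 gw sshd[2001]: Failed password for root from 198.51.100.20 port 40001 ssh2
Oct  7 18:30:00 gw sshd[2002]: Failed password for root from 198.51.100.20 port 40002 ssh2
Oct  7 19:00:00 gw sshd[2003]: Failed password for root from 198.51.100.20 port 40003 ssh2
Oct  7 19:30:00 gw sshd[2004]: Failed password for root from 198.51.100.20 port 40004 ssh2
Oct  7 20:00:00 gw sshd[2005]: Failed password for root from 198.51.100.20 port 40005 ssh2
Oct  7 20:17:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct  7 20:17:03 gw sshd[2102]: Failed password for root from 203.0.113.5 port 51235 ssh2
Oct  7 20:17:05 gw sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Oct  7 20:17:08 gw sshd[2104]: Failed password for root from 203.0.113.5 port 51237 ssh2
Oct  7 20:17:10 gw sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 51238 ssh2
Oct  7 20:17:12 gw sshd[2106]: Failed password for root from 203.0.113.5 port 51239 ssh2
Oct  7 20:18:00 gw sshd[2110]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Oct  7 20:20:00 gw sshd[2120]: Failed password for bob from 192.0.2.9 port 33000 ssh2
Oct  7 20:20:30 gw sshd[2121]: Failed password for bob from 192.0.2.9 port 33001 ssh2
""".splitlines()

def parse_failures(lines, year=2010):
    """Return {ip: [timestamps]} for every failed-password line; other lines are ignored."""
    events = defaultdict(list)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events[m["ip"]].append(ts)
    return events

def offenders(lines, threshold=5, window_seconds=600, year=2010):
    """Flag sources with at least `threshold` failures inside any `window_seconds` span.

    Returns {ip: total_failures}. Because the window slides over the sorted
    timestamps, a slow source (one attempt every 30 minutes in the sample) is
    only caught when the window is widened to cover its spacing.
    """
    flagged = {}
    for ip, times in parse_failures(lines, year).items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    print("10 min window:", offenders(SAMPLE_LOG))
    print("2 h window   :", offenders(SAMPLE_LOG, window_seconds=7200))
```

The output of `offenders` is what a blocker such as fail2ban or a firewall rule would consume; the post's other suggestions (keys instead of passwords, a non-default port) reduce how much of this log there is to read in the first place, which is the post's closing point.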

  • Re:ahem (Score:3, Interesting)

    by phantomfive ( 622387 ) on Thursday October 07, 2010 @11:03PM (#33832728) Journal
    In the old days, before Microsoft had all that DRM garbage, people would build a few machines and install the same copy on all of them. In the 90s (and moreso the 80s) it was standard operating procedure. People figured it was ok, you paid for the software after all. So Microsoft started doing the DRM stuff, learned how to write better EULAs, and a few vendors got together and gave employees an incentive to rat out their ex-bosses to the BSA, and suddenly it wasn't ok to install one copy on multiple computers. Strange how norms change.
  • by bmajik ( 96670 ) <matt@mattevans.org> on Friday October 08, 2010 @12:00AM (#33832978) Homepage Journal

    Well, I'm a MS employee, and on my machines joined to the relevant company domains, they _do_ have NAP and it does wreck your day if your machine isn't compliant. Maybe there's a way around it. Maybe there isn't. I've never bothered to look because I just want to get my job done.

    As part of the "security push that never ended", that led to XPSP2 and all of the "we thought a little about security for a change" work that MS has done since, there was finally a shift in opinion internally.

    The people at MS who _had_ been thinking about security usually stuck to the immutable laws, and were continuing to think about things in absolute terms, i.e. "well, they can get root, so all bets are off"

    But what changed was that someone got practical instead of ideological and said, "look, the 80 hojillion windows PCs out there don't need absolute protection against a supreme attacker with infinite time. If they could get _basic_ protection against what's getting them 80% of the time, that's progress"

    And so I think you need to think about NAP and most future MS security efforts in the same way. There may not be a way to keep the most brilliant / lucky / dedicated attacker from succeeding once. But there is almost always a way to keep inelegant attacks from being successful widely and repeatably. And the #1 problem on the public internet right now is NOT all of the high profile deep penetrations against single well researched targets, it's the legions of automated remote-compromises that turn Grandma's PC into a botslave.

    A network protection scheme doesn't have to verify that Macs, ubuntus etc etc are "compliant", because those are noise in the signal as a percentage of customer endpoint equipment. A network protection scheme has to keep people who want to continue running MS stuff up to date and patched. It doesn't have to keep windows power users from getting on the internet if they can read about registry hacks or whatever, it has to point windows neophytes at a black-holed page that has all the patches and scanners and removal tools they need to get healthy before they go out to play for the day.

    In summary: the point isn't to create Sauron's eye. The point is to tell people to put on their seat belt.

  • by arivanov ( 12034 ) on Friday October 08, 2010 @02:04AM (#33833410) Homepage

    I had that idea around 3 years back when one of the major UK service providers asked me if I wanted to be the security director for their Internet ops (in hindsight I should have taken the job).

    There is a big problem with the idea in this "proactive" manner. You cannot certify PCs to connect because they do not connect to the Internet. They connect to a network behind a CPE or a router which is in the administrative domain of whoever connects them. That person is not implementing it any time soon. It is _HIS_ network.

  • by gmack ( 197796 ) <gmack@noSpAM.innerfire.net> on Friday October 08, 2010 @04:04AM (#33833810) Homepage Journal

    Look at who authored that paper and who proofread it and guess again.

    Why do the IPTV and Media center people have such a large say in this? Its real goal is to force TPM down our throats. This is about protecting media companies from pirates rather than protecting the internet at large. The fact that this plan edges out alternative Operating Systems is just a side benefit. No certificate, no access and where would I get a certificate for my Debian Workstation?

    If this were about Network Protection Microsoft could simply enforce this locally on the PC and not worry about the network. No patches? No access to anything but Windows Update. Simple and doesn't involve any changes to network infrastructure.
