Microsoft's New Plan For Keeping the Internet Safe

itwbennett writes "Microsoft Corporate Vice President for Trustworthy Computing Scott Charney used to think it was the responsibility of ISPs to keep hacked PCs off the Internet. Now, he says the burden should be on consumers. Speaking at the RSA Conference, Charney suggested that the solution may be for consumers to share trusted certificates about the health of their personal computer: 'The user remains in control. The user can say I don't want to pass a health certificate,' he said. 'There may be consequences for that decision, but you can do it.'"
  • Pathetic (Score:5, Insightful)

    by ls671 ( 1122017 ) * on Tuesday February 15, 2011 @07:48PM (#35216158) Homepage

    From TFA:
    "A bank could ask customers to sign up for a program that would scan their PC for signs of infection during online sessions"

    Hello? Privacy issues, anybody?

    So basically organizations that do business with consumers would be allowed to scan the consumer PC. Great idea...

    Next step, you have to allow the government, banks, Ebay, Paypal and what not to scan your PC otherwise they will refuse to do business with you. Since they may not have a linux or other OS scanners, you would be required to use Windows of course.

    This guy is a genius!

  • by thomasdz ( 178114 ) on Tuesday February 15, 2011 @07:53PM (#35216214)

    Yeah, this will work real well on my old VAX that I use to surf the web using Lynx.

  • Naturally. (Score:5, Insightful)

    by damn_registrars ( 1103043 ) <damn.registrars@gmail.com> on Tuesday February 15, 2011 @07:54PM (#35216226) Homepage Journal
    The responsibility goes to the consumer, when Microsoft is assigning responsibility (blame). After all, the highly vulnerable operating system clearly has nothing to do with it, hence the company behind said vulnerable operating system shouldn't have any liability either.
  • Re:Pathetic (Score:5, Insightful)

    by Homburg ( 213427 ) on Tuesday February 15, 2011 @07:57PM (#35216250) Homepage

    So, this guy wants to run a program on an untrusted machine, which will report back to a website on whether or not the machine should be trusted? Presumably he also thinks banks should employ people to stand at the front door and ask "are you a bankrobber?" rather than employing security guards.

  • by Cryacin ( 657549 ) on Tuesday February 15, 2011 @08:01PM (#35216294)
    Drop Windows 7 from the list, and you see their plan.
  • Re:Pathetic (Score:5, Insightful)

    by x0ra ( 1249540 ) on Tuesday February 15, 2011 @08:03PM (#35216312)
    I do not trust Verisign.
  • When Microsoft talks about "security" they're talking about securing the property & rights of digital rights owners (BSA, MPAA, etc.) from the untrustworthy users who licensed the software and DVD.

    It's not at all about keeping the computer user safe.

    It's about keeping data safe from the computer user.

  • Re:Pathetic (Score:5, Insightful)

    by Obfuscant ( 592200 ) on Tuesday February 15, 2011 @08:07PM (#35216352)

    Do you consider it a "violation of your privacy" to tell your prospective sexual partners whether you have an STD or not? Because this is the computational equivalent.

    Not really. It's more like letting potential partners draw a couple of test-tubes of blood and run them through the local medical lab to see if you have any diseases, and maybe get a stool and urine sample for good measure.

    It is perfectly reasonable for anyone coming in virtual contact with your data to request that you prove that your data is sanitary.

    ROTFL.

  • by e9th ( 652576 ) <e9th&tupodex,com> on Tuesday February 15, 2011 @08:09PM (#35216370)
    I think that's the point. Unless you're running a "supported" OS that will cheerfully phone home with its patch/AV status, (like, oh I don't know, Windows), you're not to be trusted.
  • by Palestrina ( 715471 ) * on Tuesday February 15, 2011 @08:15PM (#35216418) Homepage

    If you require positive proof of system health then this will penalize every minority operating system or device that does not have the scanning software/certificate available for it yet. But aren't these minority systems the ones that are least risky, compared to the millions of zombie WinXP boxes?

    Sure, Microsoft systems will be supported by the bank (using the example given in the article) but what about everyone else (and I do mean everyone). Do we really want a presumption of "disconnect" or "limit"?

  • by hawguy ( 1600213 ) on Tuesday February 15, 2011 @08:16PM (#35216426)

    If they have a magic scanning technology that tells them if a machine is "safe", then why doesn't Microsoft just deploy that technology to everyone? When I managed a helpdesk, I saw many fully patched machines with updated antivirus still manage to become infected by malware. I didn't know we were already past the age of zero-day exploits.

  • Re:Pathetic (Score:5, Insightful)

    by causality ( 777677 ) on Tuesday February 15, 2011 @08:23PM (#35216478)

    I think it would have to be a third-party company that the consumer and the bank would both need to trust. Like how we trust Verisign to prove the identity of an HTTPS provider.

    I don't think it's a good solution, though.

    There's another glaring problem with this idea. Those of us who study computer security and take steps to use our systems responsibly don't want to be burdened by all of these requirements intended for those who don't. I'm sorry that a few bad people defraud others of their money, but the minimum requirements for any proposed solution include not punishing those who are doing things correctly by imposing such intrusive measures.

    As far as banks are concerned, securing their own systems is all I would expect from them. As their customer, I really don't want my bank getting into the end-user computer security business and telling me how I should run my systems. I want them to stick with what they know. I also don't want to pay the higher fees and less favorable interest rates it would take to cover this expense. That's not even considering the support costs, as the users for whom this is really intended are the same ones who need the most handholding.

    If Microsoft really wants to do something helpful, they can stop marketing Windows as "the easiest thing ever!" to non-technical users. They can start being more realistic and up-front about the basic competency required to safely use a worldwide untrusted network. They can harden the Windows codebase and require that software be built with address randomization, non-executable pages, and other stack-smashing protections before it is allowed to use the little Windows certified logo. They could do a much better job of treating data from the network as untrusted and potentially malicious (the sandboxing they are beginning to implement for IE is a step in that direction).

    Hell, for that matter they could split the company up into separate corporations which make competing operating systems that all implement the Win32/64 API. Perhaps some of them could be based on *BSD like Mac OS X. Getting rid of the "write once, infect everywhere" Windows monoculture would be a decently effective way to limit the spread of malware.

    There are many options to be considered before we even think about universally intruding into everyone's PC and making this into a common practice that is somehow considered acceptable. Normally that's what the bad guys who write malware are trying to do. This is a terrible precedent. Not to mention that if average users get used to the idea of some company (that they don't get to audit) scanning their systems, what's to stop the organized criminals from just running their own scanning companies and collecting any financial data they find? This could change the nature of the attacks but has little or no hope of preventing attacks.

  • by Odinlake ( 1057938 ) on Tuesday February 15, 2011 @08:38PM (#35216548)

    'The user can say I don't want to pass a health certificate,' he said. 'There may be consequences for that decision, but you can do it.'

    The user can say I don't want to run Windows. There may be consequences, but you can do it.

    There, fixed that for you, M$.

    (Oh, did we forget to mention that that health certificate, de facto, requires you to run M$ Windows? That although there are Linux solutions around, 95% of ISPs don't support it?)

  • by Jim Hall ( 2985 ) on Tuesday February 15, 2011 @09:02PM (#35216752) Homepage

    That's an important point - Charney probably expects this to apply to Windows only, because that's all he sees. What about Linux? What about Mac?

    More importantly, what about iPads, or smartphones, or tablets, etc. that are increasingly used to access the web? Will Charney's plan work for all these devices? Apple doesn't like third-party apps to execute on the iPad - so good luck getting this to work with iPads. And if all it takes to "bypass" the scan is to fake your browser's user agent string to that of an iPad Safari browser, this won't be very effective.

  • Re:Pathetic (Score:4, Insightful)

    by Belial6 ( 794905 ) on Tuesday February 15, 2011 @11:11PM (#35217508)
    Wrong. Backward compatibility is a red herring. MS bought VirtualPC, so they have a PC emulator. MS could have very easily written Windows 7 with zero compatibility to any previous version, ported their VM to it, modified the UI so that it appeared integrated (like VMware's Unity) and included a copy of WinXP. This would have allowed MS to start with a completely clean slate security-wise, while still keeping their OS 99.9% backwards compatible.

    MS obviously does not consider backward compatibility a defining feature for many users anyway. After all, XP mode is only available with the business versions of Windows 7. Most copies of Windows sold to consumers have copies of Windows that have specifically and intentionally left out a great deal of XP compatibility that MS is sitting on the code for.

    So, No. Backward compatibility has NOTHING to do with any security problems Windows may or may not have.
