Microsoft's New Plan For Keeping the Internet Safe 302
itwbennett writes "Microsoft Corporate Vice President for Trustworthy Computing Scott Charney used to think it was the responsibility of ISPs to keep hacked PCs off the Internet. Now, he says the burden should be on consumers. Speaking at the RSA Conference, Charney suggested that the solution may be for consumers to share trusted certificates about the health of their personal computer: 'The user remains in control. The user can say I don't want to pass a health certificate,' he said. 'There may be consequences for that decision, but you can do it.'"
I like how all of their solutions assume... (Score:5, Interesting)
I like how all of Microsoft's solutions to this Internet-wide problem assume that absolutely everybody is using their software. Honestly, half the problem would go away if everybody stopped using their software.
Re:The Burden Is On Consumers... (Score:0, Interesting)
You can't be wrong quietly, can you? Cars do have as many problems as Windows (actually more). Car companies do get sued for some faults, but not for a lot of others. People do die because of faults in cars, but mostly people die from human error, just like most problems with the operating system are actually human error. Your problem with word is indeed one of human error. You erred in thinking you could learn the ins and outs of a very complicated program in 15 minutes, if you are actually relating an incident; do people learn how to operate everything in their car within 15 minutes? Open office itself has quite a few quirks, and is just a passable word processor. Word, which you called a piece of shit, is almost certainly better.
The best OS currently on the market is Windows 7. It isn't perfect, but it is easy to use, feature packed, performs decently, and supports a very large corpus of programs compared to its competitors. A good rule of thumb is to only bash a company for a product line when the latest product in the series isn't clearly the best current choice in that arena.
Burden is on the manufacturers (Score:4, Interesting)
Just like in the auto industry, if a car maker creates a car that is prone to wrecks, its not the drivers fault.
Proper maintenance, is the responsibility of the user, not fundamental manufacturing flaws that create security problems.
Re:Disproportionate burden (Score:4, Interesting)
If you require positive proof of system health then this will penalize every minority operating system or device that does not have the scanning software/certificate available for it yet.
I get your point, however, I must point out two things:
1) Zero Day exploits occur frequently.
2) An infected machine can obviously not be trusted.
Infected machines especially can not be trusted to scan themselves and report on their state of infection. Suppose you run a completely different machine in order to check the validity of another. Could not the machine doing the scan also be infected? Would not the validation apparatus be required to have a signing key somewhere within it? Would not simply extracting such a key, and forging your own certificates also be an option?
The only thing reliable about Windows security is that it has been, and will continue to be broken.
Honestly, MS does not have a good track record when it comes to cryptographically signing the system & software in order to validate that the machine is genuine... WGA certified my Linux machine as "Genuine Microsoft Windows" [slashdot.org], this is odd to me because I entirely switched to Linux after suffering a WGA false positive [zdnet.com] (no, my hardware had not been changed / upgraded).
TFA Assumes that MS can deliver a system capable of detecting insecurities -- Forgive me if I'm sceptical -- If so, would not Windows itself just do this and no longer be vulnerable at all?
AV: Are there any viruses in this directory?
Rootkit: Nope, I'm not in this directory.
AV [to bank]: All clear!
AV [to user]: Proceed to enter your banking credentials!
TL;DR: If ( ( Linux || Rootkit ) == false_negative && MS_defective_spyware == false_positive ) { MS_Plan != Secure }
Re:Pathetic (Score:5, Interesting)
"So, this guy wants to run a program on an untrusted machine, which will report back to a website on whether or not the machine should be trusted?"
No, you're missing what they are actually proposing.
They are proposing that everyone must have a Trust chip locking down their computer. This Trust chip is most commonly known as a Trusted Platform Module or TPM. The Trust chip contains a unique identity code (PubEK) that can be used to securely track your computer and your identity. The Trust chip contains a master key (PrivEK) to lock down identity control. You are FORBIDDEN to know your own master key locking down your identity. This key is REQUIRED to be securely locked down inside the chip to deny the owner knowledge or control of this key. The chip also contains a key (RSK) to lock down files on your computer. You are FORBIDDEN to know your own master storage key. This key is REQUIRED to be securely locked down inside the chip to deny the owner the ability to read or modify his own files, except as permitted by the Trust chip. The Trust chip also scans the software you run on your computer, and it does this for two purposes:
(1) It spies on and logs the software running on your computer in order to send over the internet Trusted spy reports (Remote Attestation) telling other people exactly what hardware and software you are running. For example a website can ask for a Remote Attestation spy report to check if you're running any sort of Ad Blocker. If you have any sort of Ad Blocker, or if you're running an unapproved web browser, or if you are runing an unapproved operating system, or if you don't have a Trust chip, or if you refuse to send the spy report, then you are blocked from viewing the web pages.
(2) It logs exactly what software you are running in order to DENY YOU THE ABILITY TO READ OR MODIFY YOUR OWN FILES unless you are running the exact unmodified software that is APPROVED for reading or modifying the files. For example the Trust chip can make it impossible to play music downloads unless you play them with the exact unmodified RIAA Approved DRM-enforcing music player. The Trust chip can also make it impossible to view streaming video unless you are running the exact unmodified MPAA Approved DRM-enforcing web browser. Other people can store and modify data on your computer, but it's impossible for you to read or modify that data except to outright delete it. Of course, deleting the files will cause stuff on your computer to stop working.
This is the "Security System" Microsoft originally codenamed Palladium. This is the "Security System" the government has been talking about for the last several years to secure the National Information Infrastructure. This is the "Security System" that underlies the Trusted Identity System that the White House has been talking about for the last several years. This is the "Security System" that Microsoft has been promoting to secure corporate networks. This is the "Security System" that the copyright industries have been pushing to lock down music and video and book and websites and to enable a "rental" model for software.
The subject of the article is that Microsoft is backing off on the idea of having ISP's DENY YOU INTERNET ACCESS unless you have a Trust chip and run an Approved operating system along with Mandatory Approved software to "secure" your computer. The argument is that this is a "Health Check", and that if you fail the "health Check" then you computer might be infected by a virus, and that it is appropriate for ISPs to shut off your internet access if you have an infected or vulnerable machine. See? Doesn't that sound wonderful? The system comes wrapped in a bright shiny box advertising it as a GOOD thing to protect you and everyone else on the internet against viruses.
The article here is merely saying that Microsoft noticed that some people (like me) have been calling out this evil Trust chip plan, in particular pointing out the blatantly evil step of having ISPs deny you internet access if you resist. The ar
Re:You've never been laid, right? (Score:2, Interesting)
While playing the I-want-what-I-won't-ever-get game, how about the BANK has to allow ME to scan their own servers, to prove it isn't infected with malware. How bout let me view the site in FireFox while we are at it too.
Bank of America for one had their website performing drive by downloads of malware for an entire weekend not even a year back.
The Bank of England (I think that was the one. Apologies if I'm remembering the name wrong) did the same for a number of hours when one of their affiliates got hacked, and took advantage of some poor cross site scripting vulnerability a couple years ago.
A lot of banks still force you to use the accept-virus-without-question browser Internet Explorer and lock out any secure standards compliant browser.
Once they try to prove to me they are clean, I might consider wanting to prove the same of myself to them...
Re:Problem (Score:4, Interesting)
You're really on to something. Take it up a concept class.
"Those of us who study (Airport) security and take steps to use our (Airport) systems responsibly don't want to be burdened by all of these requirements intended for those who don't. I'm sorry that a few bad people defraud others of their (Flight Safety), but the minimum requirements for any proposed solution include not punishing those who are doing things correctly by imposing such intrusive measures."
One of the best descriptions of the TSA problem I've ever seen!