
Microsoft Eyes PC Isolation Ward To Thwart Botnets

CWmike writes "In a paper published Wednesday (PDF), Scott Charney, who heads Microsoft's trustworthy computing group, spelled out a concept of 'collective defense' that he said was modeled after public health measures like vaccinations and quarantines. The aim: To block botnet-infected computers from connecting to the Internet. Under the proposal, PCs would be issued a 'health certificate' that showed whether the system was fully patched, that it was running security software and a firewall, and that it was malware-free. Machines with deficiencies would require patching or an antivirus update, while bot-infected PCs might be barred from the Internet."

  • by h4rr4r ( 612664 ) on Thursday October 07, 2010 @08:10PM (#33831538)

    I have a simpler pc health idea, stop installing the disease that is windows.

    • by Moryath ( 553296 ) on Thursday October 07, 2010 @08:17PM (#33831610)

      While your response was flip, I can see a number of ISPs - who already have policies of "sorry all we support is Windows" if you call in because of trouble on the line, and who have script-following Indian monkeys who will demand to know your OS before talking about anything else to replace ACTUAL customer service - using this at Microsoft's behest.

      "Ohh, sorry. You're running OSX or Linux? We can't scan those for their patches so we're just going to block you off. Come back when you have a nice Win7 box. Oh, you signed a contract for a year of service? If you read the 4-point fonted small type on page 37 you'll see it clearly states in paragraph 18 line 3 that only systems with fully updated Windows 7 and an active virus scan package from an approved vendor such as Symantec or McAfee will be allowed access to the internet in order to keep the service trouble-free..."

      Maybe Apple would be able to cry foul and get their systems allowed too, but home Linux users would pretty much be out of luck. And so much for anyone who responsibly has a home system with a hardware NAT and their ports properly firewalled too...

    • by vtcodger ( 957785 ) on Thursday October 07, 2010 @08:26PM (#33831698)

      If Microsoft or anyone else were capable of certifying a computer to be malware free, and being right about it, malware wouldn't be much of a problem, now would it?

      File under "Dumb Ideas"

      • by MightyMartian ( 840721 ) on Thursday October 07, 2010 @08:30PM (#33831746) Journal

        Not if the core idea is to cripple any competing operating system by depriving them of Internet access, under the guise of "security".

      • by h4rr4r ( 612664 )

        DING DING DING, we have a winner. Everyone else can now go home.

      • No kidding. That program would be worth more than Microsoft.
      • by by (1706743) ( 1706744 ) on Thursday October 07, 2010 @08:47PM (#33831888)
        My alma mater did this, and it seemed to work out quite well -- any MAC address which had been shown (by their free Mac+Windows utility) to have run the anti-virus scanner (included in the aforementioned utility) was then whitelisted, and given access to the 'net.

        Non-OS X *N?X users were automatically whitelisted (which also meant that any tech-savvy user could simply spoof running Linux to avoid running the utility).
      • Re: (Score:3, Insightful)

        by pspahn ( 1175617 )

        Thank you for being the one to say it.

        I almost never use AV software. In the past, when I suspected an infection, I would run something that told me I was infected, and I would just backup-reformat-reinstall.

        I know that malware of today tends to be much more inconspicuous. It is not always obvious that malware is present. I run this risk with full knowledge of potential consequences. One of the consequences is that my machine isn't always bogged down by some crappy AV suite that will tell me I'm infected,

    • Re: (Score:3, Insightful)

      by jc42 ( 318812 )

      I have a simpler pc health idea, stop installing the disease that is windows.

      Except that if you aren't running Windows, your machine will be declared totally infected and not allowed any access at all.

      Remember that it'll be Microsoft software doing the checking.

    • Re: (Score:3, Insightful)

      by Nyder ( 754090 )

      I have a simpler pc health idea, stop installing the disease that is windows.

      I'm a gamer, so what should I do then?

      • Re: (Score:3, Informative)

        buy a Wii, like the rest of us!
    • I don't keep my systems "up to date". The system I'm posting this from is still on XP SP1. And there is a good reason for that. I've only ever had one problem with anything that I got from the Internet. That one thing was a "Microsoft Security Update" that apparently managed to rewrite my NIC start-up parameters (all modern NICs have flash memory) in such a way that any OS that trusted the NIC's start-up settings would be unable to use the interface. And guess what, Windows didn't trust the start-up configur

  • I presume that fully patched disqualifies anything that doesn't use Windows Update, yes?

    • Re:ahem (Score:4, Insightful)

      by marcello_dl ( 667940 ) on Thursday October 07, 2010 @08:20PM (#33831658) Homepage Journal

      I don't think they are after linux but after XP equipped old pcs, whose users are more likely to buy a new pc if they have issues with "health certificates".

      • Re: (Score:2, Insightful)

        Actually, I see it as a way to stop people from using pirated Windows. Oh, you can't pass the Windows Genuine Advantage (or whatever it is called these days), so you can't properly update your machine. Since your machine isn't updated, that means no internet for you. That would be a big disincentive to pirates everywhere.
        • Re:ahem (Score:4, Insightful)

          by similar_name ( 1164087 ) on Thursday October 07, 2010 @09:16PM (#33832082)
          At least in the U.S. it's hard to see how MS can justify anything because of pirates. Unless you build your own PC you are paying for Windows anyway. Even if you specifically look for a prebuilt PC without Windows it's hard (it is a small fraction of the market) to find one where you don't pay for Windows whether or not it's already installed. It is a travesty how hard they make it for legitimate users to reinstall Windows.

          In countries where MS doesn't already have a contract to license Windows for every PC sold by a company it's hard to argue that people would pay for Windows separately if they couldn't pirate it.

          My roommate's laptop came with Vista Home. It has a COA key sticker on the bottom. Unfortunately he didn't make a restore disk before his computer crashed. He got a Vista Home CD from a friend. It installed fine (fine meaning I had to find wireless drivers that would work. Ubuntu sees it out of the box :) ) and then one day came up with the WGA crap. He typed in his valid COA key on the bottom and Vista rejected.

          Now I have a few options to help him.

          1. Call MS for support I should never need to activate a valid license.

          2. Install a cracked version of Windows

          3. Give him another reason to use Linux.

          Why would MS even create a situation where 2 and 3 look like the least hassle? In the many closed vs open debates that go on here I often see people ask why anyone would complain about a system that is closed and marketed as such. I don't care how it's marketed closed proprietary systems are bad for technology and society. No matter how you market cigarettes they are bad for you. No matter how you market closed proprietary systems they are bad for society. Won't anyone think of the children? Our culture is being DRM'd, manipulated, and controlled by the golden calf instead of by people.
          • Re: (Score:3, Interesting)

            by phantomfive ( 622387 )
            In the old days, before Microsoft had all that DRM garbage, people would build a few machines and install the same copy on all of them. In the 90s (and moreso the 80s) it was standard operating procedure. People figured it was ok, you paid for the software after all. So Microsoft started doing the DRM stuff, learned how to write better EULAs, and a few vendors got together and gave employees an incentive to rat out their ex-bosses to the BSA, and suddenly it wasn't ok to install one copy on multiple compute
  • WTF (Score:2, Insightful)

    by Anonymous Coward

    M$ should be barred from the Internet.

  • Pay for it? (Score:5, Insightful)

    by headkase ( 533448 ) on Thursday October 07, 2010 @08:12PM (#33831560)
    And who exactly is going to pay for this? If your system is not infected can you be exempted from a "monthly fee" or is it punishing everyone when Windows is the majority of infections? Maybe Microsoft should pay for it all?
    • by X0563511 ( 793323 ) on Thursday October 07, 2010 @08:34PM (#33831768) Homepage Journal

      Perhaps it's MS that should be cordoned off from the net at large...

      Oohh, doesn't sound like such a good idea now, does it MS?

    • Re: (Score:3, Insightful)

      by sqldr ( 838964 )
      I'm more worried about the implications. On one hand it's great to not have loads of unpatched computers bent over with their arseholes facing the internet sending me spam, DOSing stuff and distributing child porn. Then again, "you cannot go online unless you download this patch from microsoft".. what if the patch contains something I don't like?
  • IPV6's Killer App! (Score:4, Interesting)

    by TheNarrator ( 200498 ) on Thursday October 07, 2010 @08:17PM (#33831604)

    Every connected device will be mandated to have the bottom 64 bits of its ipv6 address store a pc health certification identifier which will link to their owner's unique citizen identifier. I told you this was coming...

    • Trusted Computing for the lose.

      if this DOES happen, let's have a betting pool for how long it takes to fuck it HDCP-style

    • Re: (Score:3, Insightful)

      by plover ( 150551 ) *

      I have a cheaper implementation. Just set the evil bit upon boot up, then clear it once the PC passes a health check. And it's even IPv4 compatible!

    • by Jurily ( 900488 )

      Every connected device will be mandated to have the bottom 64 bits of its ipv6 address store a pc health certification identifier which will link to their owner's unique citizen identifier. I told you this was coming...

      Specifically, your plan fails to account for

      (X) Lack of centrally controlling authority
      (X) Open relays in foreign countries
      (X) Asshats
      (X) Jurisdictional problems
      (X) Armies of worm riddled broadband-connected Windows boxes
      (X) Joe jobs and/or identity theft

  • by gringer ( 252588 ) on Thursday October 07, 2010 @08:17PM (#33831608)

    If you want to model how our body recognises and deals with disease, you need to concentrate on whitelists, rather than blacklists. Vaccinations are similar to a community blacklist, but for most pathogens our own immune system can work out what things are appropriate to reject.

    • by girlintraining ( 1395911 ) on Thursday October 07, 2010 @08:31PM (#33831750)

      Sigh. They don't want vaccinations. They want their client base spending money on half-baked security solutions. So in addition to the license, you have to pay for a certificate, pay for software certification (goodbye open source), pay for the software, pay for the bandwidth to keep your system online all the time, pay pay pay pay pay....

      And nothing will change except you'll be paying more.

  • Great idea! (Score:5, Funny)

    by Legion303 ( 97901 ) on Thursday October 07, 2010 @08:17PM (#33831614) Homepage

    This is a not-at-all-terrible idea that will ensure people are up to date with such security patches as WGA. Bravo, Microsoft, bravo.

  • by santax ( 1541065 ) on Thursday October 07, 2010 @08:17PM (#33831618)
    If those darn pirates of our lovely and very safe OS that can't update due to our policy of finding income more important than safety on the web could be disconnected, we could make even more profit!
  • Gov vs Corp (Score:5, Interesting)

    by Dutchmaan ( 442553 ) on Thursday October 07, 2010 @08:19PM (#33831638) Homepage
    Can you imagine the hysterics if the government had proposed this! But it's a company, so I'm sure it's all OK.
    • Re:Gov vs Corp (Score:4, Informative)

      by Alsee ( 515537 ) on Friday October 08, 2010 @02:46PM (#33839084) Homepage

      Can you imagine the hysterics if the government had proposed this!

      I regret to inform you that the government has been proposing this every year for at least the last ten years.

      It seems to have disappeared from the internet, but I saved a copy of a PDF from the December 4&5 2001 Global Tech Summit in Washington D.C. It contains the keynote speech from Richard Clarke, Special Advisor to the President for Cyberspace Security. He literally cited Osama bin Laden in his call to secure the internet. Here are some snippets from that keynote speech:

      I think we need to decide that from now on IT security functionality will be built in to what we do, to the products that we bring to market.

      TCPA, the Trusted Computing Platform Alliance, is an example of bringing hardware and software manufacturers together. But TCPA is not enough. It's a good beginning, but it's not enough.

      It is not beyond the wit of this industry to figure out a way of forcing down patches.

      ISPs and carriers can insist that when cable modems and DSL hookups are made, firewalls are installed. It is not enough for an ISP or carrier to say, oh, and by the way, you might want to think about a firewall.

      If you check the PDF on this story, the plan is explicitly based on TPM Trust Enforcement Chips being built into computers as part of forcing down these patches and controlling internet access. "TPM" is the modern name for TCPA.

      The US Government has been pushing this crap harder and harder each year in the "National Plan to Secure Cyberspace" and the plans to "Secure the National Information Infrastructure" and in every other Capitalized Plan And Policy And Strategy Regarding The Internet. The government has been funneling tens of millions of dollars of grants every year into developing this crap. Starting in 2006 the US Army mandated Trust Enforcement Chips be included in all new computer purchases, I think(?) this policy has since been extended to all military computer purchases, and the government has been seriously discussing making it mandatory for all government computer purchases. The really fun part is the explicitly stated purpose for this government policy. The purpose is to use government buying power to fund and manipulate the manufacturing industry. The declared purpose is to fabricate a commercial demand to ramp up production of these chips, and for these chips to be included by default in ALL new consumer PCs. The government has been increasingly pushing this agenda in international relations and in bodies under the UN. Unfortunately the European Union has, if anything, become even more eager than the US in their grand plans in promoting the new Information Economy and the new Information Society. Yay for more Capitalized Plans from our European brothers. There has been increasing activity from all parties on plans for instituting Internet Governance. It's interesting to note that the world's most repressive regimes are most enthusiastic. They are just drooling over the surveillance, control, tracking, law enforcement, repression, and censorship that comes along with locking down computers and locking down the internet access and internet communications.

      Just to link a single example of recent government work product, Slashdot reported on White House Unveils Plans For "Trusted Identities In Cyberspace" from the President's Cyberspace Policy Review. And let's have a Capitalized Yay for the Capitalized Identity Ecosystem it wants to impose on us. If you actually get down into the proposal it is the same crap to lock down our computers with these Trust Enforcement Chips. Not only can these chips perform Health Checks to grant or deny you access to the internet, these chips will lock down our digital identities and manage our privacy. If you read the fine PDF in that link, page 4 has an "Envision it!" box explaining how this Identity

  • Further proof (Score:5, Insightful)

    by Darkenole ( 149792 ) on Thursday October 07, 2010 @08:19PM (#33831644)

    There is no cure for stupid.

    • Re: (Score:3, Informative)

      by X0563511 ( 793323 )

      40 grains cures it just fine...

      • 40 grains cures it just fine...

        Wrong website. Although, I am curious about how many computer geeks get this reference. Most of the ones I encounter (I'm in academia) would assume that you've misspelled "grams" and were talking about a mood stabilizing drug.

        • by h4rr4r ( 612664 )

          I think he just is not using enough. 165-190 grains at about 3000ft/sec might be more likely to solve the problem.

    • Re: (Score:3, Informative)

      by Nyder ( 754090 )

      There is no cure for stupid.


  • by Dunbal ( 464142 ) * on Thursday October 07, 2010 @08:20PM (#33831656)

    while bot-infected PCs might be barred from the Internet.

    Or rather, machines that don't have the right "health certificate". You know, like ones running discontinued operating systems, or "unsupported" operating systems.

    • by cgenman ( 325138 ) on Thursday October 07, 2010 @09:46PM (#33832286) Homepage

      I'm sure Linux and other systems will just spoof the certificate.

      Which brings up the bigger question of "how do you supply a health certificate?" You can't expect the computer to respond properly, because any virus would just spoof the right answer. You *might* be able to have the local machine certified by a remote machine, but IP addresses change constantly, and then it's just a question of spoofing to the certifying machine.

      On a practical scale, how can this even work?

      • by Dr_Barnowl ( 709838 ) on Friday October 08, 2010 @04:26AM (#33833886)

        This comes from the MS Treacherous Computing group, so spoofing the certificate may not be easy.

        A certificate would be composed of a hash of all your critical OS components, constructed and signed by the TPM chip on your motherboard.

        This would be a form of Remote Attestation. MS, and their real customers in the media cartels, would love to get the thin end of this wedge into Windows, because it would mean that you could e.g. provide streaming media servers while being sure that the client is an official approved client, running an approved software stack that hasn't been tampered with to do naughty things like dump the stream to disk.

        Using it to keep virus-infected machines off the internet is just a piece of spin - the real reason for wanting this is the usual - a general purpose computer is a powerful tool, and many powerful interests feel nervous about them being under the full control of their owners.
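
Added example (not part of the original thread, and not code from Microsoft or the paper): a toy model of the remote attestation flow described in the comment above, which also covers the spoofing question asked earlier in this sub-thread. `ToyTPM`, the component names and the use of an HMAC in place of the chip's asymmetric attestation signature are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample boot chain; names and contents are illustrative only.
GOLDEN = [("bootloader", b"bootloader-1.0"),
          ("kernel", b"kernel-1.0"),
          ("av-driver", b"av-driver-1.0")]


def extend(pcr: bytes, blob: bytes) -> bytes:
    """TPM-style extend: new register = H(old register || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(blob).digest()).digest()


def expected_pcr(components) -> bytes:
    """Value the verifier expects after measuring a known-good boot chain."""
    pcr = bytes(32)
    for _name, blob in components:
        pcr = extend(pcr, blob)
    return pcr


class ToyTPM:
    """Hypothetical stand-in for the chip: key and register are private to it."""

    def __init__(self, key: bytes):
        self._key = key
        self._pcr = bytes(32)

    def measure(self, blob: bytes) -> None:
        # The register can only be extended, never set to a chosen value.
        self._pcr = extend(self._pcr, blob)

    def quote(self, nonce: bytes) -> dict:
        # Assumption: an HMAC replaces the asymmetric attestation signature,
        # so this toy verifier shares the key instead of holding a public key.
        tag = hmac.new(self._key, nonce + self._pcr, hashlib.sha256).digest()
        return {"nonce": nonce, "pcr": self._pcr, "sig": tag}


def boot(tpm: ToyTPM, components) -> None:
    """Each stage is measured into the chip as it is loaded."""
    for _name, blob in components:
        tpm.measure(blob)


def verify(quote: dict, nonce: bytes, golden: bytes, key: bytes) -> str:
    """Verifier-side decision; returns the first reason for rejection."""
    tag = hmac.new(key, quote["nonce"] + quote["pcr"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, quote["sig"]):
        return "bad-signature"
    if not hmac.compare_digest(quote["nonce"], nonce):
        return "stale-nonce"
    if not hmac.compare_digest(quote["pcr"], golden):
        return "unexpected-measurement"
    return "healthy"


def run_demo() -> dict:
    key = os.urandom(32)
    golden = expected_pcr(GOLDEN)
    results = {}

    # Known-good boot chain answering a fresh challenge.
    clean = ToyTPM(key)
    boot(clean, GOLDEN)
    n1 = os.urandom(16)
    good_quote = clean.quote(n1)
    results["clean"] = verify(good_quote, n1, golden, key)

    # A modified kernel changes the final register value.
    tampered = ToyTPM(key)
    boot(tampered, [GOLDEN[0], ("kernel", b"kernel-1.0+rootkit"), GOLDEN[2]])
    n2 = os.urandom(16)
    bad_quote = tampered.quote(n2)
    results["tampered"] = verify(bad_quote, n2, golden, key)

    # Host software rewrites the reported value but cannot re-sign it.
    forged = dict(bad_quote, pcr=golden)
    results["forged"] = verify(forged, n2, golden, key)

    # An old healthy quote presented against a new challenge.
    results["replayed"] = verify(good_quote, n2, golden, key)
    return results


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:9s} -> {verdict}")
```

The model only shows why a signed, nonce-bound measurement is harder to fake than a self-reported status flag; it says nothing about whether the measured software is free of vulnerabilities.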

  • by SilverHatHacker ( 1381259 ) on Thursday October 07, 2010 @08:25PM (#33831692)
    This would be really ugly for Linux, BSD, and possibly OS X boxen, but I would expect Apple to play along while proclaiming that their certificates are better because they come stamped with a big shiny sticker.
  • by brenddie ( 897982 ) on Thursday October 07, 2010 @08:26PM (#33831702)
    computers don't get infected. Windows installations are usually the problem. Besides, I don't need no internet driving license
    • Re: (Score:3, Insightful)

      by djdanlib ( 732853 )

      Computers don't get infected? They sure do. Like those SCADA systems infected by Stuxnet, for example. Yes, Windows is an infection /vector/ for them, but they don't run Windows and if you manage them from another OS, you can still inject the same code. How about hypervisor viruses, and things that otherwise push malware into the BIOS or other flashable EEPROMs? Heard of the ones where they can compromise your car's electronic control systems? What about the ATM exploits that were demoed this year? Oh, how

  • by Anonymous Coward on Thursday October 07, 2010 @08:28PM (#33831718)

    They just want to lock out Open-Source OSes, which won't have such a procedure due to the fact that it doesn't use binary-only distros with checksums built into the low-level OS.

    • Re: (Score:3, Informative)

      Well, Debian has debsums, but it's not useful for security purposes, only as a corruption check.

  • Wow. (Score:5, Interesting)

    by Anonymous Coward on Thursday October 07, 2010 @08:28PM (#33831720)

    Where is the USDOJ when you need them to remind Microsoft about their recent trip down anti-trust lane? Not to mention a nasty little thing called "collusion" - whichever AV and PKI vendors are selected naturally benefit, and I imagine all the ISPs will have to agree to enforce this as well or suffer some consequence.

    A framework like this makes two assumptions that spell doom for future innovation by free thinkers: Microsoft Windows on every consumer device that connects to the Internet and every device using "Microsoft approved/recognized security software." Not a bad approach at first blush since that describes a large part of the marketplace and at least 100% of the problem, but honestly - there are better ways to solve this than trying to fit the future Internet ecosystem into Ballmer's limited imagination.

    Read the paper. Please. And look for it soon as a key exhibit at the next anti-trust action against Microsoft.

  • by Dhrakar ( 32366 ) on Thursday October 07, 2010 @08:29PM (#33831726)

    First; who will be administering this program? Under what authority could an organization possibly 'certify' systems that are located around the world?
    Next; How often would these certificates need to be updated? Every time a vendor issues a new patch?
    Third; What kind of crazy-ass DRM would be needed to keep folks from just spoofing the certificates?

    Unfortunately, this is the kind of simplistic easy-to-follow proposal that our congress-critters really go for... yeesh.

    • Re: (Score:3, Insightful)

      In one respect it reminds me of all those really stupid anti-spam proposals like SPF that started rolling off the assembly line of dumb-ass ideas about six or seven years ago.

      Moron: Yeah, you see, everyone with a legitimate mail server will have this TXT record that says "I'm legit, you can trust mail from me!"

      Guy With Actual Experience: Uh huh. So what happens when the spammers start buying up domains, putting in the SPF TXT record? What happens when a server with an SPF record is hacked?

      Moron: Um, well,

  • by erroneus ( 253617 ) on Thursday October 07, 2010 @08:37PM (#33831796) Homepage

    Being anti-virus protected and updated sounds like a great idea until you ask questions like "which vendors of antivirus are excluded?" and "which updates will Microsoft push as critical that are just another piece of crapware or something that would break compatibility with something important to the user?"

    Microsoft should be responsible. They should push out adblockers and javascript blockers. It makes browsing a lot safer. Oh no... commercial interests would be pissed and we know those interests are of more importance/significance than the end users are... remember Vista and all that DRM encumbered crap? We all know they had the consumer in mind when they did that.

  • by skogs ( 628589 ) on Thursday October 07, 2010 @08:38PM (#33831816) Journal

    Old SMS client -- System Management Console --- Is supposed to be automatically updated via sms push to the new client -- Configuration Control/Console or whatever.

    I've seen computers fall off the 'good' list and onto the 'naughty' list quite frequently. They don't generally patch themselves and make it up to the 'good' list on their own...though that is specifically the idea. M$ hasn't gotten it right for the last obviously they are going to patent the process and make more money off other people that DO make it work.

  • Vaccinations are voluntary, at least in the free world. They don't shut the door to the hospital if you haven't had one.

    [Please don't start about health insurance now, that's not mentioned in the article.]
    • Re: (Score:3, Interesting)

      by plover ( 150551 ) *

      Not quite. Vaccinations are mandatory in several situations. Some jurisdictions require them for public health workers, police and first responders, etc. And I think almost all schools require them.

      Here's a good stupid story about required vaccinations. Last winter I had an academic hold placed on my record because I never bothered to provide evidence of a measles vaccination. Apparently being enrolled in an online-only program, and not being within a thousand miles of the campus in 40 years doesn't mea

  • A few problems... (Score:4, Interesting)

    by Todd Knarr ( 15451 ) on Thursday October 07, 2010 @08:48PM (#33831898) Homepage
    1. Define "fully patched". On my systems the version numbers often have nothing whatsoever to do with what patches have been applied to them. Sometimes the patchlevel's updated, but many simply don't bother updating the version. And what would they update it to, anyway? There may be thousands of permutations of applied patches, there's no way to assign versions to them.
    2. What security software? I don't know of any "security software" vendors who make anything for my systems. And frankly I'd consider a system that needed security software to be fatally buggy and I'd be replacing it ASAP with something more secure.
    3. Firewall? That's something I run on the border routers to control access to my network. Internally firewalls are verboten, they cause too many technical problems. Untrusted machines get access via wireless (everything connecting by wireless is by definition untrusted, it's not nailed down permanently to the wiring), with client isolation turned on and access to the internal network only via IPSec VPN. If your machine needs a local firewall to be safe, over on the wireless segment it goes without VPN access so it can't endanger my network.
    4. Malware-free, that's the normal state of my machines. Malware is a hazard to be blocked at the edge of the network, and my systems do a pretty good job of it.

    I've been running since the early 80s, and have yet to have anything of that sort found on any machine under my control. Which is more than I can say for the networks I've seen "protected" by the major security vendors, every single one of them has regular problems with malware infections. So, when Microsoft can show me a network that's been running under their system for say 5 years with no machine on it ever needing to be cleaned of malware, then I'll take their recommendations seriously. Until then, well, I'll stick with the procedures and policies that've given me a 25+-year clean track record.

    Oh, and one of those policies? No Microsoft software unless absolutely necessary, and when necessary its use should be heavily controlled and restricted to only those things it's necessary for.

  • How about .... (Score:3, Interesting)

    by AHuxley ( 892839 ) on Thursday October 07, 2010 @09:04PM (#33832012) Journal
    Just coding a real OS, with real security, with real support?
    Copy what works in OS X, Linux, Unix and any bespoke or research OS.
    Put all that wasted outside effort into a new clean MS OS, port/code over the Office/productivity/games and release low cost consumer dev tools.
    Like a big console for today's next gen Intel/AMD/ARM based hardware.
    As every product is an app and gets 'tested', most of the basic legacy MS malware should be cleaned out.
    Drivers are written for the OS under strict new testing and NDA controls.
    A shorter list of new hardware. No more "Linux" ports or other strange license options, quality DRM is a must. Apps can be free (code free so the young can learn to make apps and later earn from their efforts in the MS way), small cost or consumer/prosumer etc.
    Call it MS ~ Newstart, add the new "BIOS" efforts so it starts real quick.
    Add some subsidised Youth Allowance and MS Study so the young and university staff can be guided into code and app development.
    For countries with populations where cash flow is still an issue, roll out MSAid ~ MS Agreement for International Development.
    Well funded local community plans to ensure the generational use of MS products.
  • Who gets to decide what constitutes "fully patched", I guess Microsoft? So if I refuse the WGA patch, my machine will be quarantined?

    Of course, to make this work, program doing the detecting (ie Windows) must be running on a trusted base. Um, didn't we hear something like this before, like Trusted Computing?

    We all know this is not about security. This is about control, MS just wants to have its own walled garden, seeing how profitable Apple's garden is.

  • Now! Download your Microsoft Health Advantage certification application! (Note, validation required.)

  • by adjuster ( 61096 ) on Thursday October 07, 2010 @09:15PM (#33832078) Homepage Journal
    It seems like most everybody doesn't understand (or notice footnote 14 on page 5) that, in order for this to work, all the subject devices must have trusted processing capability. That means "TPM" chips, signed OS kernels / hypervisors, and the inability to run untrusted root-level code. Take a second to laugh at the idea that anyone will be able to introduce a bug-free hypervisor / TPM environment that can't run unsigned and untrusted code. After you're done laughing at that I'd recommend being angered at the notion of such a thing, since it will effectively eliminate control of the devices owned by consumers.. turning every device with a "clean bill of health" into a walled-garden appliance. As long as consumers own and control their general purpose devices there will never be a way to do what this paper describes. Frankly, I'm alright with that. We'd do a lot better to just assume that every device is untrusted and act accordingly.
  • by geekmux ( 1040042 ) on Thursday October 07, 2010 @09:21PM (#33832120)

    "... while bot-infected PCs might be barred from the Internet."

    So, with the three Windows computers left on the Internet after this happens, I wonder what it'll be like...

  • Security theater (Score:3, Insightful)

    by Dracos ( 107777 ) on Thursday October 07, 2010 @10:41PM (#33832590)

    This is another episode of Microsoft's security theater. While they'll portray this as making Windows more secure, it actually won't have much, if any, real benefit (a la UAC), and is actually designed to stifle other operating systems.

    Apple, Oracle, and other big OS vendors will be given the opportunity to buy their way on board, but all the small players, including Linux distros, will be shut out.

    I have a saying about Windows, and I've been accused of trolling with it: Windows is designed to be sold, not designed to be used.

    By sold, I don't necessarily mean the retail box sale or the initial rollout of a service contract, I mean every dollar and minute spent to maintain Windows as well. From your tech-illiterate uncle taking his PC to Geek Squad, all the way to this blatant (to the people who know what to look for) extortion scheme.

    Microsoft created all of these issues. They know it's not profitable to actually solve them.

  • Geez! (Score:4, Funny)

    by The Wild Norseman ( 1404891 ) on Thursday October 07, 2010 @11:18PM (#33832806)

    Every single time I see the stupid little popup telling me my Windows machine is possibly infected, I click on it.

