Microsoft Eyes PC Isolation Ward To Thwart Botnets
CWmike writes "In a paper published Wednesday (PDF), Scott Charney, who heads Microsoft's trustworthy computing group, spelled out a concept of 'collective defense' that he said was modeled after public health measures like vaccinations and quarantines. The aim: To block botnet-infected computers from connecting to the Internet. Under the proposal, PCs would be issued a 'health certificate' that showed whether the system was fully patched, that it was running security software and a firewall, and that it was malware-free. Machines with deficiencies would require patching or an antivirus update, while bot-infected PCs might be barred from the Internet."
A better PC health idea (Score:4, Insightful)
I have a simpler pc health idea, stop installing the disease that is windows.
Re:A better PC health idea (Score:5, Insightful)
While your response was flip, I can see a number of ISPs - who already have policies of "sorry all we support is Windows" if you call in because of trouble on the line, and who have script-following Indian monkeys who will demand to know your OS before talking about anything else to replace ACTUAL customer service - using this at Microsoft's behest.
"Ohh, sorry. You're running OSX or Linux? We can't scan those for their patches so we're just going to block you off. Come back when you have a nice Win7 box. Oh, you signed a contract for a year of service? If you read the 4-point fonted small type on page 37 you'll see it clearly states in paragraph 18 line 3 that only systems with fully updated Windows 7 and an active virus scan package from an approved vendor such as Symantec or McAfee will be allowed access to the internet in order to keep the service trouble-free..."
Maybe Apple would be able to cry foul and get their systems allowed too, but home Linux users would pretty much be out of luck. And so much for anyone who responsibly has a home system with a hardware NAT and their ports properly firewalled too...
Re:A better PC health idea (Score:4, Insightful)
Obviously not an American ISP.
File under "Dumb Ideas" (Score:5, Insightful)
If Microsoft or anyone else were capable of certifying a computer to be malware free, and being right about it, malware wouldn't be much of a problem, now would it?
File under "Dumb Ideas"
Re:File under "Dumb Ideas" (Score:5, Insightful)
Not if the core idea is to cripple any competing operating system by depriving them of Internet access, under the guise of "security".
Re:File under "Dumb Ideas" (Score:5, Insightful)
Re: (Score:2)
DING DING DING, we have a winner. Everyone else can now go home.
Re: (Score:2)
Re:File under "Dumb Ideas" (Score:4, Interesting)
Non-OS X *N?X users were automatically whitelisted (which also meant that any tech-savvy user could simply spoof running Linux to avoid running the utility).
Re:File under "Dumb Ideas" (Score:4, Interesting)
The whole point of the system is basically to require people that don't know better to run virus protection software, while staying out of the way of people that do know better. If you know enough to get around the system, then they are not particularly worried about you anyway.
My school did this as well (requires virus software for windows users, whitelists everyone else automatically) and it worked out rather well.
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
Thank you for being the one to say it.
I almost never use AV software. In the past, when I suspected an infection, I would run something that told me I was infected, and I would just backup-reformat-reinstall.
I know that malware of today tends to be much more inconspicuous. It is not always obvious that malware is present. I run this risk with full knowledge of potential consequences. One of the consequences is that my machine isn't always bogged down by some crappy AV suite that will tell me I'm infected,
Re: (Score:3, Insightful)
I have a simpler pc health idea, stop installing the disease that is windows.
Except that if you aren't running Windows, your machine will be declared totally infected and not allowed any access at all.
Remember that it'll be Microsoft software doing the checking.
Re: (Score:3, Insightful)
I have a simpler pc health idea, stop installing the disease that is windows.
I'm a gamer, so what should I do then?
Re: (Score:3, Informative)
Re: (Score:3, Informative)
> He said gamer, not grandmother.
Then buy a PS3.
If Lemmings didn't put up with being fed shit on a shingle for more than 20 years we would not have this mess.
cure worse than the problem (Score:3, Insightful)
I don't keep my systems "up to date". The system I'm posting this from is still on XP SP1. And there is a good reason for that. I've only ever had one problem with anything that I got from the Internet. That one thing was a "Microsoft Security Update" that apparently managed to rewrite my NIC start-up parameters (all modern NICs have flash memory) in such a way that any OS that trusted the NIC's start-up settings would be unable to use the interface. And guess what, Windows didn't trust the start-up configur
Re:A better PC health idea (Score:5, Interesting)
I tried to get the idea of "Network Access Protection" for the Internet on the agenda, at Microsoft, for 2 years. We already had the client mechanisms for evaluating health-status, and the signed messages for communicating that status.
I was working with big eCommerce and online finance companies. In my proposal, enforcement would be at site logon. Infected machines could not access account services or cart/profiles, etc. They'd get a re-direct to a clearing-house that would disassociate the online brand from the notice of infection. That protection site would have remediation resources.
In the end, we had some great discussions - but MS can't execute - and no one trusts 'em.
Now, Charney waves this thing around. AND WANTS ISPs TO BLACKHOLE clients! Way to go. I see this as another stealth control measure to create a de facto model for denying service. Today, it is a ZeuS infection - tomorrow an HDCP patched player or WikiLeaks cookie.
You get the idea. Stuff this genie back into the bottle.
Re:A better PC health idea (Score:5, Informative)
They've been championing 'network admittance control' for a long time. It's pretty difficult to do, especially in a heterogeneous OS network. Add smartphones and other possible attack vectors, and it's nigh impossible.
Yet it's a nice idea to block machines that probe servers on ssh ports with logon names like 'oracleadmin' and so on. Isolating suspect systems has to be coupled with a method to vet systems, and therein lies the rub. Unless you use pattern matching to watch system traffic for phone-homes and weird characterizations, it's simply too tough to get anything but a homogeneous (read Microsoft clients only) network intrusion detection system to work.
Re: (Score:2, Interesting)
You can use scanning software like nessus + vlans to do basically this in a very heterogeneous environment add in a simple intrusion detection system and you pretty much have your bases covered.
Sure this is not 100%, but nothing is. Another thing most places get wrong is not everyone needs to be able to talk to everything, even internally. White list not black list.
Re:A better PC health idea (Score:5, Insightful)
I double dog dare you to vet a wifi-connected smartphone. No bases covered *at all*. Your idea only works on flat networks, rather than multi-tiered, as well. It isn't as easy as it looks.
And when you get close, your help desk lines light up with people that can't get logged on because you set your criteria too tightly and they don't have remediation for their Ubuntu 10.10.... or even their freaking Macs. The whole rubric here is to sell more Microsoft stuff underneath the perceived goodwill proffered by trying to vet then shackle machines whose state is unknown.
Re: (Score:2)
The wifi network should not be allowed to talk to anything internal at all that can be avoided. Like I said whitelist only, so only open port 80 to your web servers from them and so on.
Re:A better PC health idea (Score:5, Insightful)
Re:A better PC health idea (Score:4, Insightful)
Sounds good on paper.
Now user Magee needs to access his email on his iPad. First, there's the pop3 account. Then there's gmail. He surfs. A complex page cites more than a dozen (often dozens and dozens) of other IP addresses.
You gonna shut him down? I don't think so.
Two Words: "Microsoft's trustworthy" (Score:5, Insightful)
Sorry, but Microsoft lost my trust more than a decade ago. Microsoft is like an abusive boyfriend who says "Trust me - I've changed, this time is really different ..."
The only right response to both is "Drop dead!"
-- Barbie
Re:Two Words: "Microsoft's trustworthy" (Score:5, Insightful)
We are sorry, XP is no longer supported and a patch is not available. You will not be allowed to connect to the Internet. Here's a $7 Rebate for Windows 7.
- Dan.
Re:A better PC health idea (Score:5, Insightful)
"Microsoft only clients" pretty much adequately describes the malware-bearing portion of the Internet!
You only need to block access to a protected resource - whose management ELECTS this level of defense.
The real play is NOT to protect the Online Bank or Payment Portal.
It is to create a "forcing function" by which the customer remedies his client - also to helpfully cooperate on making those remedies accessible.
Why? Because Internet business models rely heavily on trust and reputation. As occurrences like "account takeover" and fraudulent transactions become more common, consumer trust in online modes for business and commerce will erode.
Your AmEx's, Amazon's and Turbo Tax's (Names from a hat - not my customers) are vested in margins that are supportable through online delivery. Their CSOs are charged with not only safeguarding their own applications and infrastructure, but mitigating the negative effects of client vulnerability on the online business model. This is a big enough problem that it drives enterprises together, at the CSO and CTO levels. They want a solution that raises the general level of trust and confidence in Internet uses.
They all see this as a problem with Microsoft - if not at fault - at its hub.
Now, Corporate Microsoft wants to use this reasonable, cooperative approach to deny service in the broadest possible way. In light of this week's failure of the Internet blacklist bill (COICA) to be ratified, without vote, in committee? I smell an agenda.
Microsoft are just the stalking-horse for Congressional supporters of COICA to use: "See, if we don't act with responsible legislation, then Industry will take the matters into its own hands!"
Trust me. I have seen how these guys work.
Re:A better PC health idea (Score:4, Informative)
Ah, were it true. While I follow your logic on COICA, it's not just Microsoft whose software can be swiss-cheesed, given enough attempts.
Today, one of my servers was under attack. I sent complaints to vsnl.in and their abuse and postmaster accounts bounce. No one is at the switch... or perhaps they're sleeping. So I tried to characterize the attacker. It's a Linux box running an old version of CentOS. As I write this, it's dutifully trying to logon with single letter logon names.
Yet Microsoft Windows users represent not just the statistically largest attacking surface, but the one with the most plentiful cracks that have botted machines. Bots come in all sizes, shapes and characterizations. They're not exclusive to Microsoft, just the most statistically significant.
There are better ways to prevent attacks, and better kill switches to partition-out attackers. We just have to agree on how to deploy them, rather than give the enemies of genuine freedom the tools to kill the friendlies.
Re: (Score:3, Interesting)
I have been in the botnet warrooms of some BIG .coms.
When dealing with non-targeted attacks on massive scale (Think ZeuS) then the non-Windows computers are rounding errors.
IE is, itself, north of 85% of the online business - no matter what is reported about overall market share.
You asked... (Score:4, Interesting)
Why in the devil do you have ssh available to the world?
I almost automatically moderated this up, but decided instead to respond.
ssh is Secure Shell. It is supposed to be a secure method of accessing a system (remote or otherwise). It does this job well.
So well, in fact, that there are computers out there whose job it is to bounce username/password combos off machines, slowly, in order to attempt to compromise them. Some (most?) of these machines are simply poorly secured systems that have been previously compromised, and are now doing the bidding of an outside force. Many of these "compromised hosts" can act in concert, spreading the attacks out not only over time, but also over IPs, making them difficult to detect and/or block.
One solution is to watch vigilantly for these attacks, and block the IP addresses of those machines from your ssh port, or (as is more common) to block them from touching your network at all. Those machines will get lonely, eventually...
Another solution is to implement some other form of security, either replacing the default security (using ssh keys instead of passwords [ubuntuforums.org], for example), or augmenting (read: hiding) it (using port-knocking, non-standard ssh ports, etc). These methods can be combined, to make an even more secure system.
Unfortunately for all of these methods, the average user is unable or unwilling to perform them, due to complexity. Unfortunately for all of us, the moment it becomes simple enough for the average user to figure out (and thus use) these methods, there will be an exploit that attacks the newly-simplified access method.
In short, having sshd open to the world, on the standard port, is probably an indication that a system can be broken into more easily than one which does not appear to be running sshd on the standard port. This really says not much about the security of the system itself, and the only reason to secure your ssh more than the default configuration already is (valid username/password required) is to keep from having huge log files full of failed attempts to crack into your system.
Personally, I use a combination of several of the ideas I offered above, because I am lazy and hate reading logfiles, especially when it seems critical that I must do so (30 attempts to crack my ssh key in an hour? bad monkey, no cheeto!) It is much easier, less stressful, and not time-consuming in the slightest to have my firewall simply drop all packets destined for port 22.
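The watch-and-block approach described in the comment above, as an added example that is not part of the original post: it parses sshd "Failed password" lines and contrasts a per-IP threshold with a cross-source count, which is what catches attempts spread thinly over many hosts. The log lines, addresses, thresholds and function names are constructed for illustration, and syslog's missing year is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches sshd password failures, with or without the "invalid user" prefix.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(lines, year=2010):
    """Return sorted (timestamp, source_ip, username) tuples for failed logins."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return sorted(events)

def noisy_sources(events, window=timedelta(minutes=10), threshold=5):
    """IPs with at least `threshold` failures inside one sliding window."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def coordinated_sources(events, window=timedelta(hours=1), min_sources=4):
    """IPs seen failing in a window where many distinct sources fail together.

    Each source may stay far below the per-IP threshold; the signal is the
    number of different hosts failing against this server in the same hour.
    """
    flagged, start = set(), 0
    for end, (t, _, _) in enumerate(events):
        while t - events[start][0] > window:
            start += 1
        ips = {ip for _, ip, _ in events[start:end + 1]}
        if len(ips) >= min_sources:
            flagged |= ips
    return flagged

def analyze(lines):
    events = parse(lines)
    return {"noisy": noisy_sources(events),
            "coordinated": coordinated_sources(events)}

def _line(hhmmss, pid, who, ip):
    # Builds one constructed sshd log line (not captured from a real host).
    return (f"Oct 10 {hhmmss} host sshd[{pid}]: Failed password for {who} "
            f"from {ip} port 40000 ssh2")

# Constructed sample: one loud host, five quiet hosts taking turns every
# seven minutes with single-letter names, and one legitimate user's typo.
SAMPLE_LOG = (
    [_line(f"01:00:0{i}", 1000 + i, "root", "198.51.100.7") for i in range(1, 7)]
    + [_line(f"{4 + 7 * i // 60:02d}:{7 * i % 60:02d}:00", 2000 + i,
             f"invalid user {name}", f"203.0.113.{1 + i % 5}")
       for i, name in enumerate(list("abcdefghi") + ["oracleadmin"])]
    + ["Oct 10 09:15:00 host sshd[3000]: Accepted publickey for alice "
       "from 192.0.2.10 port 40000 ssh2",
       _line("12:30:00", 3001, "alice", "192.0.2.10")]
)

if __name__ == "__main__":
    for name, ips in analyze(SAMPLE_LOG).items():
        print(name, sorted(ips))
```

The flagged sets are candidates for a firewall block list; the single failure from the legitimate user's address lands in neither.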
Re: (Score:3, Insightful)
however you can restrict it to known-good hosts
That's no good, when you need to connect to your machines from your laptop in the hotel room or coffee shop wireless.
Remote management technologies are for remote management.
Of course public key / certificate based authentication is the proper mechanism to use for remote access using SSH, and you need the server's public keys pre-installed on your client as well.
But it really does no good to limit SSH to known hosts, when you actually can't know what
Re: (Score:3, Interesting)
Re:A better PC health idea (Score:5, Interesting)
Well, I'm a MS employee, and on my machines joined to the relevant company domains, they _do_ have NAP and it does wreck your day if your machine isn't compliant. Maybe there's a way around it. Maybe there isn't. I've never bothered to look because I just want to get my job done.
As part of the "security push that never ended", that led to XPSP2 and all of the "we thought a little about security for a change" work that MS has done since, there was finally a shift in opinion internally.
The people at MS who _had_ been thinking about security usually stuck to the immutable laws, and were continuing to think about things in absolute terms, i.e. "well, they can get root, so all bets are off"
But what changed was that someone got practical instead of ideological and said, "look, the 80 hojillion windows PCs out there don't need absolute protection against a supreme attacker with infinite time. If they could get _basic_ protection against what's getting them 80% of the time, that's progress"
And so I think you need to think about NAP and most future MS security efforts in the same way. There may not be a way to keep the most brilliant / lucky / dedicated attacker from succeeding once. But there is almost always a way to keep inelegant attacks from being successful widely and repeatably. And the #1 problem on the public internet right now is NOT all of the high profile deep penetrations against single well researched targets, it's the legions of automated remote-compromises that turn Grandma's PC into a botslave.
A network protection scheme doesn't have to verify that Macs, ubuntus etc etc are "compliant", because those are noise in the signal as a percentage of customer endpoint equipment. A network protection scheme has to keep people who want to continue running MS stuff up to date and patched. It doesn't have to keep windows power users from getting on the internet if they can read about registry hacks or whatever, it has to point windows neophytes at a black-holed page that has all the patches and scanners and removal tools they need to get healthy before they go out to play for the day.
In summary: the point isn't to create Sauron's eye. The point is to tell people to put on their seat belt.
Re:A better PC health idea (Score:5, Interesting)
Look at who authored that paper and who proofread it and Guess again.
Why do the IPTV and Media center people have such a large say in this? Its real goal is to force TPM down our throats. This is about protecting media companies from pirates rather than protecting the internet at large. The fact that this plan edges out alternative Operating Systems is just a side benefit. No certificate, no access and where would I get a certificate for my Debian Workstation?
If this were about Network Protection Microsoft could simply enforce this locally on the PC and not worry about the network. No patches? No access to anything but Windows Update. Simple and doesn't involve any changes to network infrastructure.
Re:A better PC health idea (Score:4, Insightful)
They've seen the horrible uptake numbers from Vista continue with Windows 7.
Step 1. Convince everyone to get behind the idea of black-holing insecure or infected machines.
Step 2. End support for all versions of Windows other than the current.
Step 3. Wait for a new remote vulnerability in older versions.
Step 4. Refuse to patch the issue.
Step 5. Profit as everyone either has to buy a new PC or a newer operating system to access the internet.
Just think about it. Something like two thirds of machines running a Microsoft operating system are still running the end-of-life Windows XP.
Re:A better PC health idea (Score:5, Insightful)
Re:A better PC health idea (Score:5, Insightful)
After three years? Are you posting from a time warp? Windows 7 general availability was October 22, 2009. It hasn't even been 1 year. And yet its install base is about a third of a product that has been on sale for almost *9* years, of which for less than 3 of those years there was another OS product (which did not do so well in the marketplace).
Even if you decided to change the subject by combining Vista and Windows 7, they combine to well over 1/3 of XP's marketshare in well under 3 years.
So let's replace that by something that makes more sense:
"Failing to replace more than a third of a previous OS product before 1 year".
I'd say that this does not contradict doing well *at all*.
Re: (Score:3, Interesting)
I had that idea around 3 years back when one of the major UK service providers asked me if I want to be the security director for their Internet ops (in hindsight I should have taken the job).
There is a big problem with the idea in this "proactive" manner. You cannot certify PCs to connect because they do not connect to the Internet. They connect to a network behind a CPE or a router which is in the administrative domain of whoever connects them. That person is not implementing it any time soon. It is _HIS_
Re: (Score:3)
Like the patch that breaks your HDCP workaround...
It's not YOUR computer, if someone else sets policy for it.
Re: (Score:3, Insightful)
If by archaic you mean what windows finally got via powershell only about 30 years late, then yes. Exactly that, or one of many other GUI environments.
Re: (Score:2, Interesting)
2003 called, they want their FUD back.
ahem (Score:2)
I presume that fully patched disqualifies anything that doesn't use Windows Update, yes?
Re:ahem (Score:4, Insightful)
I don't think they are after linux but after XP equipped old pcs, whose users are more likely to buy a new pc if they have issues with "health certificates".
Re: (Score:2, Insightful)
Re:ahem (Score:4, Insightful)
In countries where MS doesn't already have a contract to license Windows for every PC sold by a company it's hard to argue that people would pay for Windows separately if they couldn't pirate it.
My roommate's laptop came with Vista Home. It has a COA key sticker on the bottom. Unfortunately he didn't make a restore disk before his computer crashed. He got a Vista Home CD from a friend. It installed fine (fine meaning I had to find wireless drivers that would work. Ubuntu sees it out of the box
Now I have a few options to help him.
1. Call MS for support I should never need to activate a valid license.
2. Install a cracked version of Windows
3. Give him another reason to use Linux.
Why would MS even create a situation where 2 and 3 look like the least hassle? In the many closed vs open debates that go on here I often see people ask why anyone would complain about a system that is closed and marketed as such. I don't care how it's marketed closed proprietary systems are bad for technology and society. No matter how you market cigarettes they are bad for you. No matter how you market closed proprietary systems they are bad for society. Won't anyone think of the children? Our culture is being DRM'd, manipulated, and controlled by the golden calf instead of by people.
Re: (Score:3, Interesting)
WTF (Score:2, Insightful)
M$ should be bared from the Internet.
Re:WTF (Score:5, Funny)
M$ should be bared from the Internet.
Why do you make me think of naked Ballmer? What did I ever do to you?
Pay for it? (Score:5, Insightful)
Re:Pay for it? (Score:5, Funny)
Perhaps it's MS that should be cordoned off from the net at large...
Oohh, doesn't sound like such a good idea now, does it MS?
Re: (Score:3, Insightful)
IPV6's Killer App! (Score:4, Interesting)
Every connected device will be mandated to have the bottom 64 bits of its ipv6 address store a pc health certification identifier which will link to their owner's unique citizen identifier. I told you this was coming...
Re: (Score:2)
Trusted Computing for the lose.
if this DOES happen, let's have a betting pool for how long it takes to fuck it HDCP-style
Re: (Score:3, Insightful)
I have a cheaper implementation. Just set the evil bit [wikipedia.org] upon boot up, then clear it once the PC passes a health check. And it's even IPv4 compatible!
Re: (Score:2)
Every connected device will be mandated to have the bottom 64 bits of its ipv6 address store a pc health certification identifier which will link to their owner's unique citizen identifier. I told you this was coming...
Specifically, your plan fails to account for
(X) Lack of centrally controlling authority
(X) Open relays in foreign countries
(X) Asshats
(X) Jurisdictional problems
(X) Armies of worm riddled broadband-connected Windows boxes
(X) Joe jobs and/or identity theft
Modelling real disease? (Score:5, Informative)
If you want to model how our body recognises and deals with disease, you need to concentrate on whitelists, rather than blacklists. Vaccinations are similar to a community blacklist, but for most pathogens our own immune system can work out what things are appropriate to reject.
Re:Modelling real disease? (Score:5, Insightful)
Sigh. They don't want vaccinations. They want their client base spending money on half-baked security solutions. So in addition to the license, you have to pay for a certificate, pay for software certification (goodbye open source), pay for the software, pay for the bandwidth to keep your system online all the time, pay pay pay pay pay....
And nothing will change except you'll be paying more.
Re: (Score:2)
Oh no, something will change.
We'll get our own private internet to use our OSS in. I'm sure I'm not the only one who would do what they could to put an "alternate" backbone in alongside the Microshit one (at its expense, of course)
Re: (Score:2)
We did it ourselves [wikipedia.org] before everything got ruined by the internet
http://en.wikipedia.org/wiki/Blue_Wave [wikipedia.org] ftw
Re: (Score:2)
That's not quite how our immune system works, but I agree with the idea.
I consider the whitelist to be equivalent to the process of selection against autoimmune antibodies, mentioned at the end of this section [wikipedia.org]. B cells won't ordinarily progress through to maturation if they generate antibodies with affinity for self signatures.
Great idea! (Score:5, Funny)
This is a not-at-all-terrible idea that will ensure people are up to date with such security patches as WGA. Bravo, Microsoft, bravo.
What he really means is (Score:3, Insightful)
Already a mechanism for that (Score:2)
Gov vs Corp (Score:5, Interesting)
Re:Gov vs Corp (Score:4, Informative)
Can you imagine the hysterics if the government had proposed this!
I regret to inform you that the government has been proposing this every year for at least the last ten years.
It seems to have disappeared from the internet, but I saved a copy of a PDF from the December 4&5 2001 Global Tech Summit in Washington D.C. It contains the keynote speech from Richard Clarke, Special Advisor to the President for Cyberspace Security. He literally cited Osama bin Laden in his call to secure the internet. Here are some snippets from that keynote speech:
I think we need to decide that from now on IT security functionality will be built in to what we do, to the products that we bring to market.
TCPA, the Trusted Computing Platform Alliance, is an example of bringing hardware and software manufacturers together. But TCPA is not enough. It's a good beginning, but it's not enough.
It is not beyond the wit of this industry to figure out a way of forcing down patches.
ISPs and carriers can insist that when cable modems and DSL hookups are made, firewalls are installed. It is not enough for an ISP or carrier to say, oh, and by the way, you might want to think about a firewall.
If you check the PDF on this story, the plan is explicitly based on TPM Trust Enforcement Chips being built into computers as part of forcing down these patches and controlling internet access. "TPM" is the modern name for TCPA.
The US Government has been pushing this crap harder and harder each year in the "National Plan to Secure Cyberspace" and the plans to "Secure the National Information Infrastructure" and in every other Capitalized Plan And Policy And Strategy Regarding The Internet. The government has been funneling tens of millions of dollars of grants every year into developing this crap. Starting in 2006 the US Army mandated Trust Enforcement Chips be included in all new computer purchases, I think(?) this policy has since been extended to all military computer purchases, and the government has been seriously discussing making it mandatory for all government computer purchases. The really fun part is the explicitly stated purpose for this government policy. The purpose is to use government buying power to fund and manipulate the manufacturing industry. The declared purpose is to fabricate a commercial demand to ramp up production of these chips, and for these chips to be included by default in ALL new consumer PCs. The government has been increasingly pushing this agenda in international relations and in bodies under the UN. Unfortunately the European Union has, if anything, become even more eager than the US in their grand plans for promoting the new Information Economy and the new Information Society. Yay for more Capitalized Plans from our European brothers. There has been increasing activity from all parties on plans for instituting Internet Governance. It's interesting to note that the world's most repressive regimes are most enthusiastic. They are just drooling over the surveillance, control, tracking, law enforcement, repression, and censorship that comes along with locking down computers and locking down internet access and internet communications.
Just to link a single example of recent government work product, Slashdot reported on White House Unveils Plans For "Trusted Identities In Cyberspace" [slashdot.org] from the President's Cyberspace Policy Review. And let's have a Capitalized Yay for the Capitalized Identity Ecosystem it wants to impose on us. If you actually get down into the proposal it is the same crap to lock down our computers with these Trust Enforcement Chips. Not only can these chips perform Health Checks to grant or deny you access to the internet, these chips will lock down our digital identities and manage our privacy. If you read the fine PDF in that link, page 4 has an "Envision it!" box explaining how this Identity
Further proof (Score:5, Insightful)
There is no cure for stupid.
Re: (Score:3, Informative)
40 grains cures it just fine...
Re: (Score:2)
40 grains cures it just fine...
Wrong website. Although, I am curious about how many computer geeks get this reference. Most of the ones I encounter (I'm in academia) would assume that you've misspelled "grams" and were talking about a mood stabilizing drug.
Re: (Score:2)
I think he just is not using enough. 165-190 grains at about 3000ft/sec might be more likely to solve the problem.
Re: (Score:3, Informative)
There is no cure for stupid.
death.
Microsoft's real motive (Score:4, Interesting)
while bot-infected PCs might be barred from the Internet.
Or rather, machines that don't have the right "health certificate". You know, like ones running discontinued operating systems, or "unsupported" operating systems.
Re:Microsoft's real motive (Score:5, Interesting)
I'm sure Linux and other systems will just spoof the certificate.
Which brings up the bigger question of "how do you supply a health certificate?" You can't expect the computer to respond properly, because any virus would just spoof the right answer. You *might* be able to have the local machine certified by a remote machine, but IP addresses change constantly, and then it's just a question of spoofing to the certifying machine.
On a practical scale, how can this even work?
Re:Microsoft's real motive (Score:4, Informative)
This comes from the MS Treacherous Computing [wikipedia.org] group, so spoofing the certificate may not be easy.
A certificate would be composed of a hash of all your critical OS components, constructed and signed by the TPM chip on your motherboard.
This would be a form of Remote Attestation. MS, and their real customers in the media cartels, would love to get the thin end of this wedge into Windows, because it would mean that you could e.g. provide streaming media servers while being sure that the client is an official approved client, running an approved software stack that hasn't been tampered with to do naughty things like dump the stream to disk.
Using it to keep virus-infected machines off the internet is just a piece of spin - the real reason for wanting this is the usual - a general purpose computer is a powerful tool, and many powerful interests feel nervous about them being under the full control of their owners.
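The certificate described in the comment above (a hash chain over the boot components, signed by the TPM and checked remotely), as an added example that is not part of the original post or of any Microsoft or TPM specification. ToyTPM and the component names are hypothetical, and an HMAC under a key held inside the toy chip stands in for the asymmetric attestation signature a real TPM would produce.

```python
import hashlib
import hmac
import os

def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = H(old || H(component)). Order and content both matter."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

class ToyTPM:
    """Hypothetical stand-in for the chip: software can extend and ask for a
    quote, but cannot set the register directly or read the signing key."""

    def __init__(self, key: bytes):
        self._key = key
        self._pcr = bytes(32)          # register starts at zero on power-on

    def measure(self, component: bytes) -> None:
        self._pcr = extend(self._pcr, component)

    def quote(self, nonce: bytes):
        # HMAC is a stand-in for the TPM's signature over (nonce, PCR).
        sig = hmac.new(self._key, nonce + self._pcr, hashlib.sha256).digest()
        return self._pcr, sig

def boot(key: bytes, components) -> ToyTPM:
    """Measured boot: each stage is hashed into the register before it runs."""
    tpm = ToyTPM(key)
    for c in components:
        tpm.measure(c)
    return tpm

def expected_pcr(components) -> bytes:
    """What the verifier computes from its list of approved components."""
    pcr = bytes(32)
    for c in components:
        pcr = extend(pcr, c)
    return pcr

def verify(key: bytes, nonce: bytes, quote, good_pcr: bytes) -> str:
    pcr, sig = quote
    want = hmac.new(key, nonce + pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, want):
        return "bad signature"
    if pcr != good_pcr:
        return "unapproved software stack"
    return "healthy"

def demo():
    key = os.urandom(32)                       # constructed device key
    approved = [b"bootloader v1", b"kernel v1", b"av-driver v1"]
    modified = [b"bootloader v1", b"kernel v1 + local patch", b"av-driver v1"]
    good = expected_pcr(approved)
    results = {}

    n1 = os.urandom(16)
    clean_quote = boot(key, approved).quote(n1)
    results["clean"] = verify(key, n1, clean_quote, good)

    n2 = os.urandom(16)
    results["modified"] = verify(key, n2, boot(key, modified).quote(n2), good)

    # Replaying the earlier clean quote against a fresh challenge fails,
    # because the nonce is covered by the signature.
    results["replay"] = verify(key, n2, clean_quote, good)

    # Software that just claims the good value has no key to sign it with.
    fake_sig = hmac.new(os.urandom(32), n2 + good, hashlib.sha256).digest()
    results["forged"] = verify(key, n2, (good, fake_sig), good)
    return results

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} {verdict}")
```

Any change to a measured component, whether malware or the owner's own patch, yields the same "unapproved software stack" verdict: the check establishes that the stack matches the verifier's list, not that it is free of malware.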
Stating the Obvious (Score:3, Funny)
computers or windows installations? (Score:3, Insightful)
Re: (Score:3, Insightful)
Computers don't get infected? They sure do. Like those SCADA systems infected by Stuxnet, for example. Yes, Windows is an infection /vector/ for them, but they don't run Windows and if you manage them from another OS, you can still inject the same code. How about hypervisor viruses, and things that otherwise push malware into the BIOS or other flashable EEPROMs? Heard of the ones where they can compromise your car's electronic control systems? What about the ATM exploits that were demoed this year? Oh, how
This is just a lockout for OSS (Score:4, Interesting)
They just want to lock out Open-Source OSes, which won't have such a procedure due to the fact that it doesn't use binary-only distros with checksums built into the low-level OS.
Re: (Score:3, Informative)
Well, Debian has debsums, but it's not useful for security purposes, only as a corruption check.
Re: (Score:3, Insightful)
Yes, and I wouldn't use any of them if I couldn't choose to modify them at will - and get myself kicked off the internet in the process...
Nothing against distros - they're wonderful. But, the whole idea of FOSS is that the computer OWNER gets to choose what to run.
Wow. (Score:5, Interesting)
Where is the USDOJ when you need them to remind Microsoft about their recent trip down anti-trust lane? Not to mention a nasty little thing called "collusion" - whichever AV and PKI vendors are selected naturally benefit, and I imagine all the ISPs will have to agree to enforce this as well or suffer some consequence.
A framework like this makes two assumptions that spell doom for future innovation by free thinkers: Microsoft Windows on every consumer device that connects to the Internet and every device using "Microsoft approved/recognized security software." Not a bad approach at first blush since that describes a large part of the marketplace and at least 100% of the problem, but honestly - there are better ways to solve this than trying to fit the future Internet ecosystem into Ballmer's limited imagination.
Read the paper. Please. And look for it soon as a key exhibit at the next anti-trust action against Microsoft.
ok, then: a couple questions (Score:4, Insightful)
First; who will be administering this program? Under what authority could an organization possibly 'certify' systems that are located around the world?
Next; How often would these certificates need to be updated? Every time a vendor issues a new patch?
Third; What kind of crazy-ass DRM would be needed to keep folks from just spoofing the certificates?
Unfortunately, this is the kind of simplistic easy-to-follow proposal that our congress-critters really go for... yeesh.
Re: (Score:3, Insightful)
In one respect it reminds me of all those really stupid anti-spam proposals like SPF that started rolling off the assembly line of dumb-ass ideas about six or seven years ago.
Moron: Yeah, you see, everyone with a legitimate mail server will have this TXT record that says "I'm legit, you can trust mail from me!"
Guy With Actual Experience: Uh huh. So what happens when the spammers start buying up domains, putting in the SPF TXT record? What happens when a server with an SPF record is hacked?
Moron: Um, well,
This would get abused (Score:5, Insightful)
Being anti-virus protected and updated sounds like a great idea until you ask questions like "which vendors of antivirus are excluded?" and "which updates will Microsoft push as critical that are just another piece of crapware or something that would break compatibility with something important to the user?"
Microsoft should be responsible. They should push out adblockers and javascript blockers. It makes browsing a lot safer. Oh no... commercial interests would be pissed and we know those interests are of more importance/significance than the end users are... remember Vista and all that DRM encumbered crap? We all know they had the consumer in mind when they did that.
Re:This would get abused (Score:4, Informative)
You do know that Linux has security issues too? Don't you?
I am aware that a few Linux security issues exist, but I haven't seen anything even remotely like the Windows exploits' proliferation. Can you point me at a website or other documentation that shows some in-the-wild exploits for Linux-based systems? I swear I'm not trolling, I just really don't see the parallel.
To be honest, I read something along the lines of "Tens of thousands of new Windows malwares (virus, trojan, adware/spyware, etc) in the wild every day, 25 proven exploits of Linux in the last 15 years (only 2 of which were ever in the wild)", but I can't recall where I read it. I would welcome some information that contradicts that. No, really.
Again: This is not a troll, this is a serious inquiry.
Re: (Score:3, Informative)
"Remote execution/privilege-escalation exploit" is the category of issue you're thinking of, not security exploits in general.
Linux has plenty of security advisories that may be exploited, but almost every last one requires physical access to the machine to do serious damage. However, Linux has almost no credible remote execution threats; there are a handful from useful apps that are installed on Linux, such as Apache. It's simply not the situation where anyone sitting halfway around the world can poke at
Has anybody else had this problem... (Score:3, Informative)
Old SMS client -- System Management Console --- Is supposed to be automatically updated via sms push to the new client -- Configuration Control/Console or whatever.
I've seen computers fall off the 'good' list and onto the 'naughty' list quite frequently. They don't generally patch themselves and make it up to the 'good' list on their own...though that is specifically the idea. M$ hasn't gotten it right for the last decade...so obviously they are going to patent the process and make more money off other people that DO make it work.
How is this like vaccinations? (Score:2)
[Please don't start about health insurance now, that's not mentioned in the article.]
Re: (Score:3, Interesting)
Not quite. Vaccinations are mandatory in several situations. Some jurisdictions require them for public health workers, police and first responders, etc. And I think almost all schools require them.
Here's a good stupid story about required vaccinations. Last winter I had an academic hold placed on my record because I never bothered to provide evidence of a measles vaccination. Apparently being enrolled in an online-only program, and not being within a thousand miles of the campus in 40 years doesn't mea
Re: (Score:3, Insightful)
A few problems... (Score:4, Interesting)
I've been running since the early 80s, and have yet to have anything of that sort found on any machine under my control. Which is more than I can say for the networks I've seen "protected" by the major security vendors, every single one of them has regular problems with malware infections. So, when Microsoft can show me a network that's been running under their system for say 5 years with no machine on it ever needing to be cleaned of malware, then I'll take their recommendations seriously. Until then, well, I'll stick with the procedures and policies that've given me a 25+-year clean track record.
Oh, and one of those policies? No Microsoft software unless absolutely necessary, and when necessary its use should be heavily controlled and restricted to only those things it's necessary for.
How about .... (Score:3, Interesting)
Copy what works in OS X, Linux, Unix and any bespoke or research OS.
Put all that wasted outside effort into a new clean MS OS, port/code over the Office/productivity/games and release low cost consumer dev tools.
Like a big console for today's next gen Intel/AMD/ARM based hardware.
As every product is an app and gets 'tested', most of the basic legacy MS malware should be cleaned out.
Drivers are written for the OS under strict new testing and NDA controls.
A shorter list of new hardware. No more "Linux" ports or other strange license options, quality DRM is a must. Apps can be free (code free so the young can learn to make apps and later earn from their efforts in the MS way), small cost or consumer/prosumer etc.
Call it MS ~ Newstart, add the new "BIOS" efforts so it starts real quick.
Add some subsidised Youth Allowance and MS Study so the young and university staff can be guided into code and app development.
For countries with populations where cash flow is still an issue, roll out MSAid ~ MS Agreement for International Development.
Well funded local community plans to ensure the generational use of MS products.
Another guise for Trusted Computing (Score:2)
Who gets to decide what constitutes "fully patched", I guess Microsoft? So if I refuse the WGA patch, my machine will be quarantined?
Of course, to make this work, the program doing the detecting (ie Windows) must be running on a trusted base. Um, didn't we hear something like this before, like Trusted Computing?
We all know this is not about security. This is about control, MS just wants to have its own walled garden, seeing how profitable Apple's garden is.
What do you bet... (Score:2)
Now! Download your Microsoft Health Advantage certification application! (Note, validation required.)
Predicated on "trusted computing"... (Score:5, Insightful)
Imagine a world without Windows... (Score:3)
"... while bot-infected PCs might be barred from the Internet."
So, with the three Windows computers left on the Internet after this happens, I wonder what it'll be like...
Security theater (Score:3, Insightful)
This is another episode of Microsoft's security theater. While they'll portray this as making Windows more secure, it actually won't have much, if any, real benefit (a la UAC), and is actually designed to stifle other operating systems.
Apple, Oracle, and other big OS vendors will be given the opportunity to buy their way on board, but all the small players, including Linux distros, will be shut out.
I have a saying about Windows, and I've been accused of trolling with it: Windows is designed to be sold, not designed to be used.
By sold, I don't necessarily mean the retail box sale or the initial rollout of a service contract, I mean every dollar and minute spent to maintain Windows as well. From your tech-illiterate uncle taking his PC to Geek Squad, all the way to this blatant (to the people who know what to look for) extortion scheme.
Microsoft created all of these issues. They know it's not profitable to actually solve them.
Geez! (Score:4, Funny)
Every single time I see the stupid little popup telling me my Windows machine is possibly infected, I click on it.
WHAT ELSE DOES MICROSOFT WANT FROM ME?!?!
Re:"Running Security software" (Score:4, Funny)
RUN NORTON OR NO INTERNET
If those are my only two choices, I'll take NO INTERNET please.
Re: (Score:2)
Or you can just use anything like nessus, vlans and some simple scripting.
My way has the advantage of being way more cross platform.
Re: (Score:3, Insightful)
I do remember that. Security is an ongoing process. The difference is that the metamail problem wasn't a deliberate design decision ignoring a loud chorus of NOs. It was also fixed rather than stubbornly maintaining that it's the way of the future.
Mistakes happen. They're made all the time. It's refusal to admit it was a mistake in the face of a mountain of contrary evidence that creates the real problems.
But yes, not making that particular huge mistake doesn't mean we get to go to sleep now.