Slashdot: News for Nerds

Microsoft Eyes PC Isolation Ward To Thwart Botnets

timothy posted more than 3 years ago | from the but-you-said-no-malware dept.

Security

CWmike writes "In a paper published Wednesday (PDF), Scott Charney, who heads Microsoft's trustworthy computing group, spelled out a concept of 'collective defense' that he said was modeled after public health measures like vaccinations and quarantines. The aim: To block botnet-infected computers from connecting to the Internet. Under the proposal, PCs would be issued a 'health certificate' that showed whether the system was fully patched, that it was running security software and a firewall, and that it was malware-free. Machines with deficiencies would require patching or an antivirus update, while bot-infected PCs might be barred from the Internet."


413 comments

A better PC health idea (4, Insightful)

h4rr4r (612664) | more than 3 years ago | (#33831538)

I have a simpler pc health idea, stop installing the disease that is windows.

Re:A better PC health idea (-1, Troll)

negRo_slim (636783) | more than 3 years ago | (#33831598)

Lol, what's the alternative an archaic CLI with shell?

Re:A better PC health idea (5, Interesting)

Jeremiah Cornelius (137) | more than 3 years ago | (#33831704)

I tried to get the idea of "Network Access Protection" for the Internet on the agenda, at Microsoft, for 2 years. We already had the client mechanisms for evaluating health-status, and the signed messages for communicating that status.

I was working with big eCommerce and online finance companies. In my proposal, enforcement would be at site logon. Infected machines could not access account services or cart/profiles, etc. They'd get a re-direct to a clearing-house that would disassociate the online brand from the notice of infection. That protection site would have remediation resources.

In the end, we had some great discussions - but MS can't execute - and no one trusts 'em.

Now, Charney waves this thing around. AND WANTS ISPs TO BLACKHOLE clients! Way to go. I see this as another stealth control measure to create a de facto model for denying service. Today, it is a ZeuS infection - tomorrow an HDCP patched player or WikiLeaks cookie.

You get the idea. Stuff this genie back into the bottle.

Re:A better PC health idea (4, Informative)

postbigbang (761081) | more than 3 years ago | (#33831804)

They've been championing 'network admittance control' for a long time. It's pretty difficult to do, especially in a heterogeneous OS network. Add smartphones and other possible attack vectors, and it's nigh impossible.

Yet it's a nice idea to block machines that probe servers on ssh ports with logon names like 'oracleadmin' and so on. Isolating suspect systems has to be coupled with a method to vet systems, and therein lies the rub. Unless you use pattern matching to watch system traffic for phone-homes and weird characterizations, it's simply too tough to get anything but a homogeneous (read Microsoft clients only) network intrusion detection system to work.

Re:A better PC health idea (1, Interesting)

h4rr4r (612664) | more than 3 years ago | (#33831874)

You can use scanning software like nessus + vlans to do basically this in a very heterogeneous environment. Add in a simple intrusion detection system and you pretty much have your bases covered.

Sure this is not 100%, but nothing is. Another thing most places get wrong is not everyone needs to be able to talk to everything, even internally. White list not black list.

Re:A better PC health idea (5, Insightful)

postbigbang (761081) | more than 3 years ago | (#33831944)

I double dog dare you to vet a wifi-connected smartphone. No bases covered *at all*. Your idea only works on flat networks, rather than multi-tiered, as well. It isn't as easy as it looks.

And when you get close, your help desk lines light up with people that can't get logged on because you set your criteria too tightly and they don't have remediation for their Ubuntu 10.10.... or even their freaking Macs. The whole rubric here is to sell more Microsoft stuff underneath the perceived goodwill proffered by trying to vet then shackle machines whose state is unknown.

Re:A better PC health idea (1)

h4rr4r (612664) | more than 3 years ago | (#33832092)

The wifi network should not be allowed to talk to anything internal at all that can be avoided. Like I said whitelist only, so only open port 80 to your web servers from them and so on.

Re:A better PC health idea (1)

postbigbang (761081) | more than 3 years ago | (#33832172)

You're presuming that there's such a thing as a trusted perimeter. There simply is not. Each device needs to have a protection state. But how do you do this with a half-dozen client OSes and a half-dozen major smartphone OSes, etc? Answer: you don't.

Re:A better PC health idea (1)

h4rr4r (612664) | more than 3 years ago | (#33832190)

No, I am stating that every damn machine be kept apart from every other one that it does not need to talk to. That is all you can do.

Also avoid running the OS that has the most in the wild exploits, that helps a lot.

Re:A better PC health idea (5, Insightful)

Jeremiah Cornelius (137) | more than 3 years ago | (#33831980)

"Microsoft only clients" pretty much adequately describes the malware-bearing portion of the Internet!

You only need to block access to a protected resource - whose management ELECTS this level of defense.

The real play is NOT to protect the Online Bank or Payment Portal.

It is to create a "forcing function" by which the customer remedies his client - also to helpfully cooperate on making those remedies accessible.

Why? Because Internet business models rely heavily on trust and reputation. As occurrences like "account takeover" and fraudulent transactions become more common, consumer trust in online modes for business and commerce will erode.

Your AmEx's, Amazon's and Turbo Tax's (Names from a hat - not my customers) are vested in margins that are supportable through online delivery. Their CSOs are charged with not only safeguarding their own applications and infrastructure, but mitigating the negative effects of client vulnerability on the online business model. This is a big enough problem that it drives enterprises together, at the CSO and CTO levels. They want a solution that raises the general level of trust and confidence in Internet uses.

They all see this as a problem with Microsoft - if not at fault - at its hub.

Now, Corporate Microsoft wants to use this reasonable, cooperative approach to deny service in the broadest possible way. In light of this week's failure of the Internet blacklist bill (COICA) to be ratified, without vote, in committee? I smell an agenda.

Microsoft are just the stalking-horse for Congressional supporters of COICA to use: "See, if we don't act with responsible legislation, then Industry will take the matters into its own hands!"

Trust me. I have seen how these guys work.

Re:A better PC health idea (3, Informative)

postbigbang (761081) | more than 3 years ago | (#33832130)

Ah, were it true. While I follow your logic on COICA, it's not just Microsoft whose software can be swiss-cheesed, given enough attempts.

Today, one of my servers was under attack. I sent complaints to vsnl.in and their abuse and postmaster accounts bounce. No one is at the switch... or perhaps they're sleeping. So I tried to characterize the attacker. It's a Linux box running an old version of CentOS. As I write this, it's dutifully trying to logon with single letter logon names.

Yet Microsoft Windows users represent not just the statistically largest attacking surface, but the one with the most plentiful cracks that have botted machines. Bots come in all sizes, shapes and characterizations. They're not exclusive to Microsoft, just the most statistically significant.

There are better ways to prevent attacks, and better kill switches to partition-out attackers. We just have to agree on how to deploy them, rather than give the enemies of genuine freedom the tools to kill the friendlies.

Re:A better PC health idea (1, Interesting)

h4rr4r (612664) | more than 3 years ago | (#33832204)

Why in the devil do you have ssh available to the world?

Re:A better PC health idea (2, Interesting)

adjuster (61096) | more than 3 years ago | (#33832088)

NAP / NAC without trusted computing platforms on the client nodes is a stupid, pointless idea. Unless the client can be trusted not to lie about its "health status" there's no guarantee that the client isn't simply infected with something that's smart enough to hide from "health scans".

Re:A better PC health idea (1)

postbigbang (761081) | more than 3 years ago | (#33832166)

And how long does it take to employ a method that says: I'm ok, my virus defs are cool, I'm patched to your favorite level, so gimme the IPSec connection and credentials for this user: trusteddomainadminJoey?

You're right that trusted systems would help. One day....

Re:A better PC health idea (2, Insightful)

h4rr4r (612664) | more than 3 years ago | (#33831738)

If by archaic you mean what windows finally got via powershell only about 30 years late, then yes. Exactly that, or one of many other GUI environments.

Re:A better PC health idea (1, Interesting)

icebraining (1313345) | more than 3 years ago | (#33831756)

2003 called, they want their FUD back.

Re:A better PC health idea (5, Insightful)

Moryath (553296) | more than 3 years ago | (#33831610)

While your response was flip, I can see a number of ISPs - who already have policies of "sorry all we support is Windows" if you call in because of trouble on the line, and who have script-following Indian monkeys who will demand to know your OS before talking about anything else to replace ACTUAL customer service - using this at Microsoft's behest.

"Ohh, sorry. You're running OSX or Linux? We can't scan those for their patches so we're just going to block you off. Come back when you have a nice Win7 box. Oh, you signed a contract for a year of service? If you read the 4-point fonted small type on page 37 you'll see it clearly states in paragraph 18 line 3 that only systems with fully updated Windows 7 and an active virus scan package from an approved vendor such as Symantec or McAfee will be allowed access to the internet in order to keep the service trouble-free..."

Maybe Apple would be able to cry foul and get their systems allowed too, but home Linux users would pretty much be out of luck. And so much for anyone who responsibly has a home system with a hardware NAT and their ports properly firewalled too...

Re:A better PC health idea (0)

Anonymous Coward | more than 3 years ago | (#33831830)

There's a few Linux supporting companies who would probably fight for Linux in there as well. Red Hat, Ubuntu, and Novell are the first that come to mind. IBM might not be too happy about it either. I wouldn't count Linux out. But it's still balls.

Re:A better PC health idea (0)

Anonymous Coward | more than 3 years ago | (#33832210)

>"Ohh, sorry. You're running OSX or Linux? We can't scan those for their patches so we're just going to block you off. Come back when you have a nice Win7 box. Oh, you signed a contract for a year of service? If you read the 4-point fonted small type on page 37 you'll see it clearly states in paragraph 18 line 3 that only systems with fully updated Windows 7 and an active virus scan package from an approved vendor such as Symantec or McAfee will be allowed access to the internet in order to keep the service trouble-free..."

OTOH you could always opt for an ISP like mine, who actually run Linux themselves, and who also maintain a large un-metered mirror of OSS for you to enjoy free of any charge whatsoever.

File under "Dumb Ideas" (5, Insightful)

vtcodger (957785) | more than 3 years ago | (#33831698)

If Microsoft or anyone else were capable of certifying a computer to be malware free, and being right about it, malware wouldn't be much of a problem, now would it?

File under "Dumb Ideas"

Re:File under "Dumb Ideas" (5, Insightful)

MightyMartian (840721) | more than 3 years ago | (#33831746)

Not if the core idea is to cripple any competing operating system by depriving them of Internet access, under the guise of "security".

Re:File under "Dumb Ideas" (5, Insightful)

adjuster (61096) | more than 3 years ago | (#33832096)

It's worse than that. The idea is to introduce pervasive and potentially legally-mandated "trusted computing".

Re:File under "Dumb Ideas" (1)

h4rr4r (612664) | more than 3 years ago | (#33831764)

DING DING DING, we have a winner. Everyone else can now go home.

Re:File under "Dumb Ideas" (1)

straponego (521991) | more than 3 years ago | (#33831880)

No kidding. That program would be worth more than Microsoft.

Re:File under "Dumb Ideas" (3, Interesting)

by (1706743) (1706744) | more than 3 years ago | (#33831888)

My alma mater did this, and it seemed to work out quite well -- any MAC address which had been shown (by their free Mac+Windows utility) to have run the anti-virus scanner (included in the aforementioned utility) was then whitelisted, and given access to the 'net.

Non-OS X *N?X users were automatically whitelisted (which also meant that any tech-savvy user could simply spoof running Linux to avoid running the utility).

Re:File under "Dumb Ideas" (1)

h4rr4r (612664) | more than 3 years ago | (#33832136)

Mac address is a very bad metric, very easy to spoof. Switchport is the correct level to do this at.

Re:A better PC health idea (3, Insightful)

jc42 (318812) | more than 3 years ago | (#33831884)

I have a simpler pc health idea, stop installing the disease that is windows.

Except that if you aren't running Windows, your machine will be declared totally infected and not allowed any access at all.

Remember that it'll be Microsoft software doing the checking.

ahem (1)

shentino (1139071) | more than 3 years ago | (#33831544)

I presume that fully patched disqualifies anything that doesn't use Windows Update, yes?

Re:ahem (3, Insightful)

marcello_dl (667940) | more than 3 years ago | (#33831658)

I don't think they are after linux but after XP equipped old pcs, whose users are more likely to buy a new pc if they have issues with "health certificates".

Re:ahem (2, Insightful)

Literaryhero (1379743) | more than 3 years ago | (#33831896)

Actually, I see it as a way to stop people from using pirated Windows. Oh, you can't pass the Windows Genuine Advantage (or whatever it is called these days), so you can't properly update your machine. Since your machine isn't updated, that means no internet for you. That would be a big disincentive to pirates everywhere.

Re:ahem (0)

Anonymous Coward | more than 3 years ago | (#33832008)

The pirates themselves are using fully patched Win7 Ultimate/Enterprise boxes. It's the people who buy the el-cheapo computers with a pirated windows (automatic updates disabled of course) that are the problem; they don't always know their version of windows isn't legal (hence MS used to offer them a free copy if they 'inform' on their supplier).

Re:ahem (3, Insightful)

similar_name (1164087) | more than 3 years ago | (#33832082)

At least in the U.S. it's hard to see how MS can justify anything because of pirates. Unless you build your own PC you are paying for Windows anyway. Even if you specifically look for a prebuilt PC without Windows it's hard (it is a small fraction of the market) to find one where you don't pay for Windows whether or not it's already installed. It is a travesty how hard they make it for legitimate users to reinstall Windows.

In countries where MS doesn't already have a contract to license Windows for every PC sold by a company it's hard to argue that people would pay for Windows separately if they couldn't pirate it.

My roommate's laptop came with Vista Home. It has a COA key sticker on the bottom. Unfortunately he didn't make a restore disk before his computer crashed. He got a Vista Home CD from a friend. It installed fine (fine meaning I had to find wireless drivers that would work. Ubuntu sees it out of the box :) ) and then one day came up with the WGA crap. He typed in his valid COA key on the bottom and Vista rejected it.

Now I have a few options to help him.

1. Call MS for support I should never need to activate a valid license.

2. Install a cracked version of Windows.

3. Give him another reason to use Linux.

Why would MS even create a situation where 2 and 3 look like the least hassle? In the many closed vs open debates that go on here I often see people ask why anyone would complain about a system that is closed and marketed as such. I don't care how it's marketed; closed proprietary systems are bad for technology and society. No matter how you market cigarettes they are bad for you. No matter how you market closed proprietary systems they are bad for society. Won't anyone think of the children? Our culture is being DRM'd, manipulated, and controlled by the golden calf instead of by people.

Re:ahem (1)

Archangel Michael (180766) | more than 3 years ago | (#33832188)

Responding to undo accidental "redundant" mod ... I meant "insightful". Sorry.

Re:ahem (0)

Anonymous Coward | more than 3 years ago | (#33831918)

Eh. We have a system like this at my university. Not sure exactly how it works (I run Linux), but apparently if they detect you aren't patched or aren't running AV, there's some way that it boots you off the network. If you don't run Windows, the rule is 'don't cause problems, or else.'...in other words, it doesn't apply to you.

intent? (1)

lx93 (1618927) | more than 3 years ago | (#33831546)

another good approach to censorship.

"Running Security software" (0)

Anonymous Coward | more than 3 years ago | (#33831552)

RUN NORTON OR NO INTERNET

Re:"Running Security software" (4, Funny)

AnonymousClown (1788472) | more than 3 years ago | (#33831630)

RUN NORTON OR NO INTERNET

If those are my only two choices, I'll take NO INTERNET please.

WTF (2, Insightful)

Anonymous Coward | more than 3 years ago | (#33831556)

M$ should be bared from the Internet.

Re:WTF (5, Funny)

The Archon V2.0 (782634) | more than 3 years ago | (#33831684)

M$ should be bared from the Internet.

Why do you make me think of naked Ballmer? What did I ever do to you?

Pay for it? (5, Insightful)

headkase (533448) | more than 3 years ago | (#33831560)

And who exactly is going to pay for this? If your system is not infected can you be exempted from a "monthly fee" or is it punishing everyone when Windows is the majority of infections? Maybe Microsoft should pay for it all?

Re:Pay for it? (4, Funny)

X0563511 (793323) | more than 3 years ago | (#33831768)

Perhaps it's MS that should be cordoned off from the net at large...

Oohh, doesn't sound like such a good idea now, does it MS?

Re:Pay for it? (2, Insightful)

sqldr (838964) | more than 3 years ago | (#33832128)

I'm more worried about the implications. On one hand it's great to not have loads of unpatched computers bent over with their arseholes facing the internet sending me spam, DOSing stuff and distributing child porn. Then again, "you cannot go online unless you download this patch from microsoft".. what if the patch contains something I don't like?

IPV6's Killer App! (3, Interesting)

TheNarrator (200498) | more than 3 years ago | (#33831604)

Every connected device will be mandated to have the bottom 64 bits of its ipv6 address store a pc health certification identifier which will link to their owner's unique citizen identifier. I told you this was coming...

Re:IPV6's Killer App! (1)

X0563511 (793323) | more than 3 years ago | (#33831788)

Trusted Computing for the lose.

If this DOES happen, let's have a betting pool for how long it takes to fuck it HDCP-style.

Re:IPV6's Killer App! (2, Insightful)

plover (150551) | more than 3 years ago | (#33831986)

I have a cheaper implementation. Just set the evil bit [wikipedia.org] upon boot up, then clear it once the PC passes a health check. And it's even IPv4 compatible!

Re:IPV6's Killer App! (1)

Jurily (900488) | more than 3 years ago | (#33832080)

Every connected device will be mandated to have the bottom 64 bits of its ipv6 address store a pc health certification identifier which will link to their owner's unique citizen identifier. I told you this was coming...

Specifically, your plan fails to account for

(X) Lack of centrally controlling authority
(X) Open relays in foreign countries
(X) Asshats
(X) Jurisdictional problems
(X) Armies of worm riddled broadband-connected Windows boxes
(X) Joe jobs and/or identity theft

Modelling real disease? (4, Informative)

gringer (252588) | more than 3 years ago | (#33831608)

If you want to model how our body recognises and deals with disease, you need to concentrate on whitelists, rather than blacklists. Vaccinations are similar to a community blacklist, but for most pathogens our own immune system can work out what things are appropriate to reject.

Re:Modelling real disease? (5, Insightful)

girlintraining (1395911) | more than 3 years ago | (#33831750)

Sigh. They don't want vaccinations. They want their client base spending money on half-baked security solutions. So in addition to the license, you have to pay for a certificate, pay for software certification (goodbye open source), pay for the software, pay for the bandwidth to keep your system online all the time, pay pay pay pay pay....

And nothing will change except you'll be paying more.

Re:Modelling real disease? (1)

X0563511 (793323) | more than 3 years ago | (#33831798)

Oh no, something will change.

We'll get our own private internet to use our OSS in. I'm sure I'm not the only one who would do what they could to put an "alternate" backbone in alongside the Microshit one (at its expense, of course).

Re:Modelling real disease? (1)

izomiac (815208) | more than 3 years ago | (#33831962)

That's not quite how our immune system works, but I agree with the idea. IMHO a good measure would be to enforce a whitelist for system changes and permitted executables. Wanna change the wallpaper, that's whitelisted for "*" so go ahead. Wanna add an autorun, oops, it's not on the list, the registry key (or shortcut, or service, or system task, or line in a config file, etc.) cannot be created. Large businesses can run their own whitelist, home users can pick one (or none) that they like, e.g. the "keep crapware from slowing stuff down" list, or the "don't let me change/delete anything important since I'm a noob" list.

Re:Modelling real disease? (1)

gringer (252588) | more than 3 years ago | (#33832048)

That's not quite how our immune system works, but I agree with the idea.

I consider the whitelist to be equivalent to the process of selection against autoimmune antibodies, mentioned at the end of this section [wikipedia.org] . B cells won't ordinarily progress through to maturation if they generate antibodies with affinity for self signatures.

Re:Modelling real disease? (-1, Troll)

Anonymous Coward | more than 3 years ago | (#33832142)

What racist bullshit. WHITELISTs and BLACKLISTs. Are you serious? How about ALLOWED and DISALLOWED? Much more clear and less racist or colloquial. Get with the political correctness, man!

and if you run Linux (0)

Anonymous Coward | more than 3 years ago | (#33831612)

Certification is only open to M$FT licensed computers, the rest of us can sit in spam h*ll.

Great idea! (4, Funny)

Legion303 (97901) | more than 3 years ago | (#33831614)

This is a not-at-all-terrible idea that will ensure people are up to date with such security patches as WGA. Bravo, Microsoft, bravo.

What he really means is (2, Insightful)

santax (1541065) | more than 3 years ago | (#33831618)

If those darn pirates of our lovely and very safe OS that can't update due to our policy of finding income more important than safety on the web could be disconnected, we could make even more profit!

Already a mechanism for that (1)

courteaudotbiz (1191083) | more than 3 years ago | (#33831626)

It's called BSOD :-)

Gov vs Corp (4, Interesting)

Dutchmaan (442553) | more than 3 years ago | (#33831638)

Can you imagine the hysterics if the government had proposed this! But it's a company, so I'm sure it's all OK.

Further proof (5, Insightful)

Darkenole (149792) | more than 3 years ago | (#33831644)

There is no cure for stupid.

Re:Further proof (2, Informative)

X0563511 (793323) | more than 3 years ago | (#33831814)

40 grains cures it just fine...

Re:Further proof (1)

onionman (975962) | more than 3 years ago | (#33832018)

40 grains cures it just fine...

Wrong website. Although, I am curious about how many computer geeks get this reference. Most of the ones I encounter (I'm in academia) would assume that you've misspelled "grams" and were talking about a mood stabilizing drug.

Re:Further proof (1)

h4rr4r (612664) | more than 3 years ago | (#33832076)

I think he just is not using enough. 165-190 grains at about 3000ft/sec might be more likely to solve the problem.

Re:Further proof (1)

onionman (975962) | more than 3 years ago | (#33832224)

Okay, that's two!

(Yeah, 40gr seems a bit lite to me, but it is sufficient... and substantially cheaper for practice purposes than your suggestions.)

Microsoft's real motive (3, Interesting)

Dunbal (464142) | more than 3 years ago | (#33831656)

while bot-infected PCs might be barred from the Internet.

Or rather, machines that don't have the right "health certificate". You know, like ones running discontinued operating systems, or "unsupported" operating systems.

Padded jackets and (0)

Tablizer (95088) | more than 3 years ago | (#33831668)

padded chairs.

Catch 22 (0)

Anonymous Coward | more than 3 years ago | (#33831680)

So I don't patch my system because Microsoft's all knowing patch breaks my line of business app. So now I'm out of business whether I am patched and have no apps but can get on the internet, or I have my business app but can't contact my customers.

Way to go MS

Re:Catch 22 (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33831864)

You get what you deserve. Next time, don't drink the Microsoft (spiked) kool-aid

Stating the Obvious (2, Funny)

SilverHatHacker (1381259) | more than 3 years ago | (#33831692)

This would be really ugly for Linux, BSD, and possibly OS X boxen, but I would expect Apple to play along while proclaiming that their certificates are better because they come stamped with a big shiny sticker.

Re:Stating the Obvious (1)

thestudio_bob (894258) | more than 3 years ago | (#33832170)

This would be really ugly for Linux, BSD, and possibly OS X boxen, but I would expect Apple to play along while proclaiming that their certificates are better because they come stamped with a big shiny sticker.

I know you're joking, but Apple is pretty adamant about not placing stickers on any of their products. Case-in-point: "Intel Inside" stickers.

computers or windows installations? (2, Insightful)

brenddie (897982) | more than 3 years ago | (#33831702)

Computers don't get infected. Windows installations are usually the problem. Besides, I don't need no internet driving license.

This is just a lockout for OSS (4, Interesting)

Anonymous Coward | more than 3 years ago | (#33831718)

They just want to lock out Open-Source OSes, which won't have such a procedure due to the fact that it doesn't use binary-only distros with checksums built into the low-level OS.

Re:This is just a lockout for OSS (2, Informative)

icebraining (1313345) | more than 3 years ago | (#33831932)

Well, Debian has debsums, but it's not useful for security purposes, only as a corruption check.

Re:This is just a lockout for OSS (0)

Anonymous Coward | more than 3 years ago | (#33832112)

debian and other deb repos serve cryptographically signed packages too.

Wow. (5, Interesting)

Anonymous Coward | more than 3 years ago | (#33831720)

Where is the USDOJ when you need them to remind Microsoft about their recent trip down anti-trust lane? Not to mention a nasty little thing called "collusion" - whichever AV and PKI vendors are selected naturally benefit, and I imagine all the ISPs will have to agree to enforce this as well or suffer some consequence.

A framework like this makes two assumptions that spell doom for future innovation by free thinkers: Microsoft Windows on every consumer device that connects to the Internet and every device using "Microsoft approved/recognized security software." Not a bad approach at first blush since that describes a large part of the marketplace and at least 100% of the problem, but honestly - there are better ways to solve this than trying to fit the future Internet ecosystem into Ballmer's limited imagination.

Read the paper. Please. And look for it soon as a key exhibit at the next anti-trust action against Microsoft.

But you missed something. (0)

Anonymous Coward | more than 3 years ago | (#33832234)

The recent court decision that allows corporations to make unlimited "donations" to politicians.

ok, then: a couple questions (3, Insightful)

Dhrakar (32366) | more than 3 years ago | (#33831726)

First; who will be administering this program? Under what authority could an organization possibly 'certify' systems that are located around the world?
Next; How often would these certificates need to be updated? Every time a vendor issues a new patch?
Third; What kind of crazy-ass DRM would be needed to keep folks from just spoofing the certificates?

Unfortunately, this is the kind of simplistic easy-to-follow proposal that our congress-critters really go for... yeesh.

Re:ok, then: a couple questions (2, Insightful)

MightyMartian (840721) | more than 3 years ago | (#33831844)

In one respect it reminds me of all those really stupid anti-spam proposals like SPF that started rolling off the assembly line of dumb-ass ideas about six or seven years ago.

Moron: Yeah, you see, everyone with a legitimate mail server will have this TXT record that says "I'm legit, you can trust mail from me!"

Guy With Actual Experience: Uh huh. So what happens when the spammers start buying up domains, putting in the SPF TXT record? What happens when a server with an SPF record is hacked?

Moron: Um, well, you know, we need to add some sort of certificate... Yeah, that's it, a cert, and that will make it a-okay. You'll be able to automatically tell the good stuff from the spam.

Guy With Actual Experience: Uh huh. So what happens when the spammers start buying up domains, putting in the DKIM record? What happens when a server with an DKIM record is hacked?

Moron: Um, well, um... um.. UM... <BOOM... HEAD EXPLODES>

I think this idea sits in the same category of simplistic idea put forward by morons who really haven't got the foggiest idea what the fuck they're talking about.
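The point of the exchange above, that SPF tells you which hosts a domain owner authorised and nothing about whether that owner is a spammer or whether the host is compromised, can be seen by running a minimal SPF evaluator over a constructed DNS table. This is an added example, not code from the original thread; the domains and addresses are constructed, and the evaluator covers only the ip4/ip6/include/all terms, not the full RFC 7208 mechanism set.

```python
"""Minimal SPF evaluator (ip4, ip6, include, all only) over a constructed DNS table.

Constructed scenario (hypothetical domains and documentation-range addresses):
  bank.example     legitimate sender, authorises 203.0.113.0/24
  spammer.example  spammer-owned domain with a perfectly valid SPF record
  shop.example     delegates to bank.example via include, softfails everything else
"""
import ipaddress

# Constructed TXT records standing in for real DNS lookups.
DNS_TXT = {
    "bank.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "spammer.example": "v=spf1 ip4:198.51.100.7 -all",
    "shop.example": "v=spf1 include:bank.example ~all",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 limits DNS-querying terms to 10


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for a connection from `sender_ip`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER[qualifier]
        elif term.startswith("include:"):
            # include: matches only when the referenced domain's policy passes
            if check_spf(term[len("include:"):], sender_ip, depth + 1) == "pass":
                return QUALIFIER[qualifier]
        elif term == "all":
            return QUALIFIER[qualifier]
    return "neutral"  # record exhausted without a match and without an 'all'


def spf_scenarios():
    """Run the constructed cases from the thread's argument and return the verdicts."""
    return {
        # Forged MAIL FROM @bank.example sent from the spammer's box: SPF does its job.
        "spoofed_bank_from_spammer_ip": check_spf("bank.example", "198.51.100.7"),
        # Spammer mails from their own domain with a correct record: SPF passes.
        "spammer_own_domain": check_spf("spammer.example", "198.51.100.7"),
        # Compromised host inside the bank's authorised range: SPF passes too.
        "compromised_bank_host": check_spf("bank.example", "203.0.113.5"),
        # Delegation via include: resolves to the bank's policy.
        "shop_via_include": check_spf("shop.example", "203.0.113.9"),
        "shop_unknown_ip": check_spf("shop.example", "192.0.2.1"),
        "no_record": check_spf("nospf.example", "192.0.2.1"),
    }


if __name__ == "__main__":
    for name, verdict in spf_scenarios().items():
        print(f"{name:32s} {verdict}")
```

A "pass" here means only that the sending host was authorised by whoever controls the domain, which is why SPF and DKIM are authentication inputs to a reputation decision rather than a spam verdict on their own.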

Cisco already does this... (0)

Anonymous Coward | more than 3 years ago | (#33831794)

They sell a product called Cisco NAC [cisco.com] , formerly known as "Clean Access," which requires a host to prove it has Antivirus installed and running and the latest patches. If it doesn't, it is only allowed on to a remediation network to get up to date.

Re:Cisco already does this... (1)

h4rr4r (612664) | more than 3 years ago | (#33831820)

Or you can just use anything like nessus, vlans and some simple scripting.

My way has the advantage of being way more cross platform.

This would get abused (5, Insightful)

erroneus (253617) | more than 3 years ago | (#33831796)

Being anti-virus protected and updated sounds like a great idea until you ask questions like "which vendors of antivirus are excluded?" and "which updates will Microsoft push as critical that are just another piece of crapware or something that would break compatibility with something important to the user?"

Microsoft should be responsible. They should push out adblockers and javascript blockers. It makes browsing a lot safer. Oh no... commercial interests would be pissed and we know those interests are of more importance/significance than the end users are... remember Vista and all that DRM encumbered crap? We all know they had the consumer in mind when they did that.

Re:This would get abused (0)

Anonymous Coward | more than 3 years ago | (#33831950)

They should push out adblockers and javascript blockers.

Or, perhaps they could stop making an operating system with an attack surface the size of Goatse-man's anus so that users didn't HAVE to disable half the internet just to be safe. Just a thought.

Has anybody else had this problem... (2, Informative)

skogs (628589) | more than 3 years ago | (#33831816)

Old SMS client -- System Management Console -- is supposed to be automatically updated via SMS push to the new client -- Configuration Control/Console or whatever.

I've seen computers fall off the 'good' list and onto the 'naughty' list quite frequently. They don't generally patch themselves and make it up to the 'good' list on their own...though that is specifically the idea. M$ hasn't gotten it right for the last decade...so obviously they are going to patent the process and make more money off other people that DO make it work.

How is this like vaccinations? (1)

drdrgivemethenews (1525877) | more than 3 years ago | (#33831846)

Vaccinations are voluntary, at least in the free world. They don't shut the door to the hospital if you haven't had one.

[Please don't start about health insurance now, that's not mentioned in the article.]

Re:How is this like vaccinations? (1)

EmagGeek (574360) | more than 3 years ago | (#33832160)

You must not be talking about the US, where you cannot attend school, university, or get a job if you have not had your government mandated mind contr^H^H^H^H^H^H^H^H^H^H^H^H vaccines.

A few problems... (3, Interesting)

Todd Knarr (15451) | more than 3 years ago | (#33831898)

  1. Define "fully patched". On my systems the version numbers often have nothing whatsoever to do with what patches have been applied to them. Sometimes the patchlevel's updated, but many simply don't bother updating the version. And what would they update it to, anyway? There may be thousands of permutations of applied patches, there's no way to assign versions to them.
  2. What security software? I don't know of any "security software" vendors who make anything for my systems. And frankly I'd consider a system that needed security software to be fatally buggy and I'd be replacing it ASAP with something more secure.
  3. Firewall? That's something I run on the border routers to control access to my network. Internally firewalls are verboten, they cause too many technical problems. Untrusted machines get access via wireless (everything connecting by wireless is by definition untrusted, it's not nailed down permanently to the wiring), with client isolation turned on and access to the internal network only via IPSec VPN. If your machine needs a local firewall to be safe, over on the wireless segment it goes without VPN access so it can't endanger my network.
  4. Malware-free, that's the normal state of my machines. Malware is a hazard to be blocked at the edge of the network, and my systems do a pretty good job of it.

I've been running since the early 80s, and have yet to have anything of that sort found on any machine under my control. Which is more than I can say for the networks I've seen "protected" by the major security vendors, every single one of them has regular problems with malware infections. So, when Microsoft can show me a network that's been running under their system for say 5 years with no machine on it ever needing to be cleaned of malware, then I'll take their recommendations seriously. Until then, well, I'll stick with the procedures and policies that've given me a 25+-year clean track record.

Oh, and one of those policies? No Microsoft software unless absolutely necessary, and when necessary its use should be heavily controlled and restricted to only those things it's necessary for.

great idea, no need for IP6 after all (0)

Anonymous Coward | more than 3 years ago | (#33831920)

Just like Detroit, no more traffic jams!

Actually not a bad idea... if it's not all corp. (0)

Anonymous Coward | more than 3 years ago | (#33831924)

Everybody's complaining about Microsoft being Big Brother here, but I'm reading this differently. It's more like a proposal for something like the W3C, which is a collective body of organizations. W3C's purpose is standardization (they own HTML and XML). This body's purpose would be to quarantine infected systems... so as long as infected != (insert your operating system here), it's good.

Think about it: this sounds like blacklisting specific computers, not blacklisting a whole class of computers or whitelisting another class.

Honestly, if this proposal had come from Red Hat, would you be so quick to throw darts at the company proposing it?

And I suppose they... (0)

Anonymous Coward | more than 3 years ago | (#33831960)

And I suppose they check whether your PC is healthy enough to go on the internet.....via an internet connection? A chain is only as strong as its weakest link.

A better public health model (0)

Anonymous Coward | more than 3 years ago | (#33831974)

Perhaps Micro$oft hasn't heard the story of Typhoid Mary (http://en.wikipedia.org/wiki/Typhoid_Mary). It's a much better security model to apply here.

How about .... (2, Interesting)

AHuxley (892839) | more than 3 years ago | (#33832012)

Just coding a real OS, with real security, with real support?
Copy what works in OS X, Linux, Unix and any bespoke or research OS.
Put all that wasted outside effort into a new clean MS OS, port/code over the Office/productivity/games and release low cost consumer dev tools.
Like a big console for today's next gen Intel/AMD/ARM based hardware.
As every product is an app and gets 'tested', most of the basic legacy MS malware should be cleaned out.
Drivers are written for the OS under strict new testing and NDA controls.
A shorter list of new hardware. No more "Linux" ports or other strange license options, quality DRM is a must. Apps can be free (code free so the young can learn to make apps and later earn from their efforts in the MS way), small cost or consumer/prosumer etc.
Call it MS ~ Newstart, add the new "BIOS" efforts so it starts real quick.
Add some subsidised Youth Allowance and MS Study so the young and university staff can be guided into code and app development.
For countries with populations where cash flow is still an issue, roll out MSAid ~ MS Agreement for International Development.
Well funded local community plans to ensure the generational use of MS products.

Another guise for Trusted Computing (1)

khchung (462899) | more than 3 years ago | (#33832054)

Who gets to decide what constitutes "fully patched", I guess Microsoft? So if I refuse the WGA patch, my machine will be quarantined?

Of course, to make this work, the program doing the detecting (i.e. Windows) must be running on a trusted base. Um, didn't we hear something like this before, like Trusted Computing?

We all know this is not about security. This is about control, MS just wants to have its own walled garden, seeing how profitable Apple's garden is.

This (0)

Anonymous Coward | more than 3 years ago | (#33832056)

Is retarded. What about the people like myself who don't fully patch up our systems? The number one safeguard against viruses and exploits is safe computing. If you aren't retarded about what you do on the internet, you probably won't have many problems. On an older machine of mine, installing the service packs and supporting patches just slows down the machine and causes annoyances.

First requirement for health check... (0)

Anonymous Coward | more than 3 years ago | (#33832060)

...PC must be running the latest greatest version of windows. None of that dubious "open source" stuff. But of course there's no self-interest here, nononosireee(ms)bob.

What do you bet... (1)

TechForensics (944258) | more than 3 years ago | (#33832072)

Now! Download your Microsoft Health Advantage certification application! (Note, validation required.)

Predicated on "trusted computing"... (5, Insightful)

adjuster (61096) | more than 3 years ago | (#33832078)

It seems like most everybody doesn't understand (or notice footnote 14 on page 5) that, in order for this to work, all the subject devices must have trusted processing capability. That means "TPM" chips, signed OS kernels / hypervisors, and the inability to run untrusted root-level code. Take a second to laugh at the idea that anyone will be able to introduce a bug-free hypervisor / TPM environment that can't run unsigned and untrusted code. After you're done laughing at that I'd recommend being angered at the notion of such a thing, since it will effectively eliminate control of the devices owned by consumers, turning every device with a "clean bill of health" into a walled-garden appliance. As long as consumers own and control their general purpose devices there will never be a way to do what this paper describes. Frankly, I'm alright with that. We'd do a lot better to just assume that every device is untrusted and act accordingly.

anlny (1, Insightful)

Anonymous Coward | more than 3 years ago | (#33832108)

the new attack of the future: denial of health certificate

Imagine a world without Windows... (2)

geekmux (1040042) | more than 3 years ago | (#33832120)

"... while bot-infected PCs might be barred from the Internet."

So, with the three Windows computers left on the Internet after this happens, I wonder what it'll be like...

Wait, WTF?! (2, Insightful)

wbav (223901) | more than 3 years ago | (#33832154)

I often find the internet vital to download the latest updates to programs like Spy Bot, how am I going to do that (and get rid of the infection) if my computer is banned from the net?

At an ISP level, it wouldn't be just the infected machine.

And what about wireless hot spots?

What could possibly go wrong? (1)

kurokame (1764228) | more than 3 years ago | (#33832174)

Wait, it's actually sort of obvious. It won't work for its intended purpose, it will annoy users and keep them from getting work done, and people will exploit the system to knock computers offline.

Very Profitable (1)

MarkvW (1037596) | more than 3 years ago | (#33832220)

Pay me money to certify your computer, or you can't access the Internet. I won't guarantee anything, mind you.
