Microsoft wants to ban 'sick' PC's from net

Discussion in 'other security issues & news' started by Ocky, Oct 6, 2010.

Thread Status:
Not open for further replies.
  1. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    The Need for Global Collective Defense on the Internet
     
  2. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,422
    Location:
    New Mexico, USA
    Interesting but ridiculous.

    How about we outlaw and ban murderers, rapists, child molesters and other criminals from society. These are real, physical threats, like life threatening threats.

    I don't know how you can make people secure their PC, short of switching to Mac or Linux and, if they did, you'd start to see increased malware affecting those operating systems.

    Since Windows is the dominant OS, maybe MS ought to look at some kind of automatic, hands free type of protection for the drones who can't figure out how to keep their security updated and/or current.
     
  3. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Exactly my thoughts.

    Comparing an infected computer to an ill person is just damn ridiculous... Ridiculous is not even the right word... I just am not allowed to say others... So...

    Why not improve security? Why not educate those people? Microsoft could well, in partnership with Governments, and then these with City Halls, etc., to arrange free courses to educate people about these sort of threats and how to keep O.S and applications updated, to be careful, etc.

    This is what I'd like to see happening.
     
  4. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    Well, MSE is a bit of a start! LOL :D
     
  5. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    The only method of doing this would be to verify the existence of some running services etc. If you aren't running the service, you are not protected, you get no internet.

    What then if you are not a boob, and don't need nor want the said service which means you are compliant and problem free? Well, no internet for you, because you don't have the correct service running.

    And what happens when the said magical service that verifies your computer is bug free becomes compromised and exploited? Do all the drones who are accessing the net and using this service become exploited? Sounds a lot like Blaster.

    This is a pipe dream. Likely someone wants to lobby the governments so they can make some $$ or some governments want to line their pockets, so it is their idea.

    What is the word they use so often now? Epic Fail..?

    There is a saying, "You can't fix stupid".

    Sul.
     
  6. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    So what about Mac and Linux users? Are we supposed to use this "service" (no doubt designed by M$)? I know you are in agreement this wont work, but the whole idea is ridiculous.
     
  7. Eice

    Eice Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    1,413
    Um, you mean we don't already?

    I imagine traffic pattern analysis is also an option.
     
  8. Beto

    Beto Registered Member

    Joined:
    Jan 27, 2008
    Posts:
    47
    Scan with an AV and every other malware scan you can think of and this will not mean that the machine is not sick.

    The medical analogy is not equivalent as the biological human machine is infinitely more complex than the computer one. Yet the analogy makes it easy to understand the same problem--false positives.

    The simple concept is that one can be sick without any obvious symptoms, again similar with computers. Even if there were an online scan that would vouch for a computer to get online could not assure that it is not --sick--. Sickness demands resources to fight it.

    The same with malware--resources must be put forward to mitigate the problem. In this sense malware is --good.
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    This is something that, back then, I totally missed:

    Why not be aggressive towards the ISPs so that they provide additional security to their customers? Some offer none, at all. Why not filter known bad traffic, just like what happens with Norton DNS, ClearCloud DNS, etc? Why not provide content filtering as well? All that when the user/client buys the connection device and installs it; why not? It would make them work more... :D

    Why not do that? After all, ISPs are selling a product, Internet connection, and they must ensure this product doesn't endanger the client/mitigate endangering threats.

    Why bother, right? Just outcast the user who doesn't know any better!

    And, Microsoft provides an O.S that's based on convenience... What do they expect? A miracle? How about Microsoft works harder to patch security vulnerabilities, rather than letting pass more than a year to fix them? How about that?
     
  11. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    While the idea may sound good on paper (for some people), I doubt the implementation would be good enough and that it would help to a large extent. There are way too many variables that can go wrong. A few examples:

    a) FPs from AV. What if your AV churns out a FP and then your PC is identified as 'infected' when in reality, it's not? No worries....we'll cut off the net for you and the better sake of the ecosystem.
    b) No AV but still malware-free? Nay...you can't possibly be. No worries....we'll cut off the net for you and the better sake of the ecosystem.
    c) Damn - you're infected. But never mind - your 3 AVs installed on the system says you're clean. Full access to the net....FREEDOM.
    d) You've got no software firewall installed. All you're depending on is your hardware router. Or maybe you disabled your firewall for a temporary period of time for whatever legitimate reason you can think of. No worries....we'll cut off the net for you and the better sake of the ecosystem.
    e) You're late in installing patches. Maybe because you're an IT guy who needs to test updates before deploying it to your company PCs? Maybe because that particular update last week conflicted with something on your PC and hence, you chose to delay any further updates/patches? No worries....we'll cut off the net for you and the better sake of the ecosystem.

    Does any one of the above sound good to you? Maybe c) but the rest? :p

    Sarcasm aside, one must also take into account the costs of having such a system (which would then affect us end-users). Furthermore, would its end-results justify its value?

    And let's say we assume the modus operandi would be perfect or smooth-going, do you really think punishing users would cure the problem at hand?

    All-in-all, if this is an optional movement, then feel free to go ahead with it. But don't bother shoving it down everyone's throats....
     
  12. doc77

    doc77 Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    55
    Bandwidth sucking Botnets are easily detected by your ISP, and ISP's often shut down internet service to such machines. If Microsoft can detect botnets as accurately as ISP's then it would be beneficial to shut the machine down and make the user reformat. Normal users wouldn't be affected, it would be pc illiterate people running extremely infected machines.
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    The thing is: Microsoft wants to convict and ban the illiterate user from the Internet, if their systems become problematic.

    My question is: Why not force ISPs to provide security to their customers, by allowing the client to filter malicious domains and content filtering, as what happens with services like Norton DNS, ClearCloud DNS, OpenDNS, etc?

    Why doesn't Microsoft provide an applications repository, from where Windows users can safely download applications, and from where they'd be automatically updated?

    Why doesn't Microsoft work harder to patch security vulnerabilities, rather than letting pass more than a year to fix them?

    Why aren't ISPs forced to bring down websites known to be engaged in malware distribution?

    etc... etc...

    If little steps are taken to protect illiterate users from being infected, in the first place, then they wouldn't have to be out-casted from a service they're paying for. Worse, having to pay other people to clean their systems.

    Considering most people are illiterate in what comes to computers, you can see the scenario.
     
  14. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Very nice! :D
     
  15. doc77

    doc77 Registered Member

    Joined:
    Jun 10, 2010
    Posts:
    55
    I think Comcast users used to get free copies of Norton. All ISP's that I'm aware of provide a DNS service that blocks malicious sites. IE and Firefox warn for malicious sites. Probably not as well as Norton DNS, ClearCloud, etc. But they do try. DNS services are limited in what they can do, a DNS service can't keep up with the number of malicious websites that pop up daily.

    Microsoft has Windows update where you can dl and update all MS apps. Donating bandwidth for customers to download other applications or update them is against their business interests.

    Most vulnerabilities are pretty easily mitigated and updated in a reasonable time line, the real question is why don't more users update?

    Because they pop up faster than you could possibly keep up with, also they are in the business of providing ISP service not attempting to secure the internet, which is impossible anyway. If a botnet is constantly phoning home and is a bandwidth sucking, malware distributing machine, then the only people they are helping are the malware writers and I see no controversy in 'banning' these machines from the net, whether it's from MS or the ISP.
     
  16. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Bottom line: Microsoft has a track record of designing insecure operating systems and now the chickens have come home to roost. Yes, Windows 7 is an improvement but the old mindset from the 95/98/ME/XP days has never gone away. That is, even with Windows 7's built-in security features, the average user turns most of them off because they want to do things "the way they've always been done."

    And then you have the problem of not having a central repository for users to securely and safely download applications. This means your average user is scouring the Internet (on likely dangerous sites) to install apps. I see no way for this to ever change because, as one poster pointed out, MS is not going to host applications from other vendors. Therefore, a user has to update most of his apps individually which is both time consuming and confusing. The open-source world does not have this problem (since no one is really competing in this regard).

    And then you have the often slow patch turn around time. Some serious vulnerabilities are public knowledge for years before MS ever gets around to patching them. Yes, this is not the norm, but it does happen.

    This whole idea of quarantining PC's rubs me the wrong way because it seems MS is being extremely arrogant; somehow they think they are the Internet's overlords. What they fail to recognize is that not all Internet machines run Windows. So, why should those of us who refuse their products be forced to suffer under their rules?
     
  17. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Well, you're luckier than us here. None of our ISPs provide any security; only lousy and expensive services. lol

    Yes, DNS services are limited in what they can do, which is why I never mentioned it to be the only tool, but one more tool that many lack, unfortunately.

    [...]
    Yes, vulnerabilities are pretty easily mitigated, for those who know the mechanisms to achieve such. Define reasonable time line for providing updates - 17 months? A few months? A few years, as mentioned by one other user, before Microsoft even decides to patch them?

    Heck, it took them all this time to realize Autorun is dangerous. lol

    Now, that's an interesting question. Perhaps, those users simply get annoyed by updates that, for some reason, ruined their O.S? Or prevents other apps from working OK? It seems the recent updates are preventing VMWare app from working properly (-http://www.h-online.com/security/news/item/Windows-7-Patch-Tuesday-security-udpates-break-VMware-software-1188165.html).

    If ISPs do their own efforts to investigate domains, then for sure they can help the Internet be a bit safer for everyone.

    So, following this ratiocination, car manufacturers are not in the business to secure automobiles either; only to provide a way for people to move around.

    Maybe when someone finally sees the Internet as being both good and bad, governments will be forcing ISPs to do their share.
     
  19. katio

    katio Guest

    Some ridiculous remarks here in the thread but some quotes from the articles are even worse :(

    First to you guys (you know who you are)
    Obligatory Windows bashing, how creative. It's about on the level of screaming "FIRST"...
    No, botnets don't exist because MS can't write software. The main problem is the user, always has, always will and we can't scan, patch, update or redesign them.
    Btw, a non trivial quantity of Linux servers is infected, serving malware, relaying traffic, sending spam and worse. Since they often have better connectivity than desktop systems and reach more targets since they already are publicly facing servers this is a serious problem.

    Secondly:
    It was never about banning or punishing anyone. Quarantine means isolate and then treat the "patient", not let them die in agony. Or is it??

    Now to the last article right above
    = let them into your house, snoop around to evaluate your credit rating or something like that
    Sod off!

    I'm all for notifying customers who are known to send spam or are used in DDoSs, if they don't react in time I'm also for a forced disconnect but having people run scans on their computer which report back to who knows whom? Only over my dead body.
     
    Last edited by a moderator: Feb 16, 2011
  20. katio

    katio Guest

    More often than not those "services"
    -break DNS functionality (NXDOMAIN)
    -serve (behavioural, see below) ads
    -sell customer data to 3rd parties
     
  21. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Not really. MS Windows has always been designed with the "point and click" user in mind, and a lot of security features that other OS's had for decades were not implemented so as not to confuse the user. Even though some of these problems were fixed with Vista/7, the user still has the same mindset of the bad old days. (I don't need no stinkin' user account).

    No, these servers were cracked by attackers directly targeting them. They were not compromised by malware itself. Big difference. And these servers (which are an insignificant minority in the first place) are often running extremely outdated kernels and being administered by incompetent people that should never be running a server in the first place. Also notice, how these few compromised *nix servers are a nuisance to no one but Windows users.

    The problem I have with it is the ISP's often get it wrong; that is, they accuse people of being spam bots when they're not. Why? Probably because their method of tracking who owned which IP on what date is far from perfect. IP's change all the time, even for broadband users.

    To whom? Well, to one of the many AV vendors, of course. For just a small monthly fee they will be sure to "process" your scan results as quickly as possible to ensure your Internet connection is not disconnected. And for just a few dollars more, they will clean any infections if your scan happens to show up positive. If Windows users want this "service" they can have at it. Leave us *nix users alone!

    On that we can agree.
     
  22. katio

    katio Guest

    It was designed with the threat model of that time and that means no or only limited network access. UNIX has some advantages here because it was not meant for single "home PCs" but for networked multi user shell accounts. Now as Linux is also used among "mainstream" home users it's becoming more and more like point n click and people use one account: a wheel account. sudo as used in Ubuntu is a terrible concept and very vulnerable to social engineering privilege escalation.
    It's in this regard on the level of XP and older and not Vista up because of how insecure Xorg is: It has no secure desktop, no ctrl+alt-del and so on.
    But even if it had all these features it still would be vulnerable like Vista/7 is when you don't use separate user accounts but instead one account that runs with limited rights but can elevate within this environment without any security boundaries.
    (If you are interested in details, there are a few threads here worth reading, just ask if you want me to link them).


    SSH brute forcing is done automatically on a large scale, it's not a "direct attack" and it's done by bots, i.e. "malware".
    Same goes for php exploits, sql insertions...
    Guess from where these bots are attacking ;)

    Yes, telnet, dead simple passwords, world writeable ftp, VNC, php, sql... outdated kernels are the least problem (though it comes in handy once you have code execution on the target)
    The same could be said about "workstations" and home networks. "People shouldn't be their own network and sysadmin". Someone needs to help those poor chaps. Oh, why not remotely admin their system for a small fee? Seems like a great idea. [/s]
    See, there's the problem. If the problem was easy and there was a simple solution we wouldn't have the problem in the first place.

    Spam and DoS is a big problem for Linux mail servers, websites hosted on Linux and thereby for all the (Linux) users using these services. A compromised server containing source code/revision control systems for open source software is a potentially devastating problem. sourceforge was recently hacked and they had to check all software for tampering. A proftp development server was hacked and a backdoor sneaked into the source. That's the stuff we know - I don't want to know what else we don't know...

    I think that is becoming less and less of a problem, I just say data retention. ISPs in a lot of places already have to keep exact logs on dynamic IP allocations for months to spy^h^h^h protect the children...


    ^^
    ;)

    (what I meant by "notifying" is calling/snail-mail* the customers themselves
    *because their email is no longer a reliable communication channel, not to mention, people getting hacked like that probably don't check that regularly anyway)
     
    Last edited by a moderator: Feb 17, 2011
  23. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    OK... now you lost me...

    How is that ISPs running their own DNS services will break DNS functionality?

    How will it serve ads?

    How will ISPs sell customer data to third-parties?

    I truly don't get it.
     
  24. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,718
    The intention probably doesn't look like it. But I can't help but to believe that the resulting effects from the actions will, when and if this is forced down upon users....

    For one, I don't pay for my net subscription only to be cut off the net just because my PC is identified as 'sick'. Even if I feel morally responsible for affecting the rest, then sure I'll do that on my own if and when I want to - not when someone else tells me so. Secondly, this 'service' wouldn't come and appear out of thin air for free, right? Guess where the $$$ would come from? Directly or indirectly, it will come from our pockets. Thirdly, a "FP" (loosely used for the lack of a better term) would get the innocent having his net cut off for nothing - that can bring upon agony too, mind you...

    If you don't call that punishing the users, then so be it - up to the individual to judge it the way they see it as.

    Simply said, I think I'm on the side that opposes the idea....you don't cut a tiger at its tail, you chop off its head.
     
  25. katio

    katio Guest

    When you enter a domain into the address bar of the web browser which doesn't exist you usually get something like: "Server not found"
    Some DNS providers, for example OpenDNS, instead redirect you to a search machine that serves ads relevant to the entered domain (but even in the case of common misspellings doesn't even offer you a link to the real site).

    This kind of works for web browsers, they even claim it enhances the user experience, but it can break other applications that rely on the DNS server to tell them that this domain doesn't exist or they'll go in a bad loop and stall at 100% CPU or something. This reply "Non-Existent Domain" is called NXDOMAIN.

    Oh, lol, I didn't actually have to type it all: it's all here:
    http://en.wikipedia.org/wiki/DNS_hijacking#Manipulation_by_ISPs
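
The NXDOMAIN rewriting described in the post above can be checked from the client side. The following is an added example, not part of any poster's message: it looks up random names that should not exist and reports whether the configured resolver answers with addresses anyway. The function names, the probe TLDs and the 198.51.100.7 sample address used for testing are assumptions made for illustration.

```python
import secrets
import socket


def system_resolver(name):
    """Addresses the OS resolver returns for `name`; empty set on lookup failure."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        # A well-behaved resolver ends up here for a non-existent domain.
        return set()
    return {info[4][0] for info in infos}


def random_probe_names(count=3, tlds=("com", "net", "org")):
    """Build fully qualified names with random 24-hex-character labels.

    Such labels are, for practical purposes, unregistered, so an honest
    resolver should answer NXDOMAIN. The trailing dot stops the stub
    resolver from appending a local search domain.
    """
    return [f"{secrets.token_hex(12)}.{tlds[i % len(tlds)]}." for i in range(count)]


def check_nxdomain_rewriting(resolve=system_resolver, names=None):
    """Probe the resolver and summarise whether NXDOMAIN is being replaced.

    `resolve` is any callable mapping a name to a set of address strings,
    which lets the check run against a stand-in resolver as well.
    """
    names = names or random_probe_names()
    answers = {name: sorted(resolve(name)) for name in names}
    resolved = [set(addrs) for addrs in answers.values() if addrs]
    # Addresses shared by every unexpected answer point at the landing host
    # (for example an ad-serving search page).
    landing = sorted(set.intersection(*resolved)) if resolved else []
    return {
        "rewritten": bool(resolved),
        "answers": answers,
        "landing_addresses": landing,
    }


if __name__ == "__main__":
    result = check_nxdomain_rewriting()
    for name, addrs in result["answers"].items():
        print(f"{name:45s} -> {', '.join(addrs) if addrs else 'NXDOMAIN / no answer'}")
    if result["rewritten"]:
        print("Resolver answers for non-existent names; landing host(s):",
              ", ".join(result["landing_addresses"]) or "varies per name")
    else:
        print("Resolver returns failures for non-existent names as expected.")
```

An empty answer can also mean the network is down, so run the check only after confirming that a known-good name resolves.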
     