Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Microsoft's New Plan For Keeping the Internet Safe

timothy posted more than 3 years ago | from the new-metaphor-search-going-on dept.

Microsoft 302

itwbennett writes "Microsoft Corporate Vice President for Trustworthy Computing Scott Charney used to think it was the responsibility of ISPs to keep hacked PCs off the Internet. Now, he says the burden should be on consumers. Speaking at the RSA Conference, Charney suggested that the solution may be for consumers to share trusted certificates about the health of their personal computer: 'The user remains in control. The user can say I don't want to pass a health certificate,' he said. 'There may be consequences for that decision, but you can do it.'"

cancel ×

302 comments

Sorry! There are no comments related to the filter you selected.

Pathetic (4, Insightful)

ls671 (1122017) | more than 3 years ago | (#35216158)

From TFA:
"A bank could ask customers to sign up for a program that would scan their PC for signs of infection during online sessions"

hello ? privacy issues anybody ?

So basically organizations that do business with consumers would be allowed to scan the consumer PC. Great idea...

Next step, you have to allow the government, banks, Ebay, Paypal and what not to scan your PC otherwise they will refuse to do business with you. Since they may not have a linux or other OS scanners, you would be required to use Windows of course.

This guys is a genuis !

Re:Pathetic (1)

yincrash (854885) | more than 3 years ago | (#35216186)

I think the it would have to be a third party company that the consumer and the bank would both need to trust. Like how we trust verisign to prove the identity of an https provider. I don't think it's a good solution, though.

Re:Pathetic (5, Insightful)

x0ra (1249540) | more than 3 years ago | (#35216312)

I do not trust Verisign.

Re:Pathetic (1)

yincrash (854885) | more than 3 years ago | (#35216334)

Do you remove it as a trusted root on your browsers?

Re:Pathetic (1)

mistiry (1845474) | more than 3 years ago | (#35216504)

Do you remove it as a trusted root on your browsers?

Good question...

We await your answer, x0ra...

Re:Pathetic (1)

Lucky75 (1265142) | more than 3 years ago | (#35216510)

There;s a difference between trusting them to give out certificates and trusting them with your personal data, although sometimes we do have to trust that they do not give out bad certs.

Re:Pathetic (5, Insightful)

causality (777677) | more than 3 years ago | (#35216478)

I think the it would have to be a third party company that the consumer and the bank would both need to trust. Like how we trust verisign to prove the identity of an https provider.

I don't think it's a good solution, though.

There's another glaring problem with this idea. Those of us who study computer security and take steps to use our systems responsibly don't want to be burdened by all of these requirements intended for those who don't. I'm sorry that a few bad people defraud others of their money, but the minimum requirements for any proposed solution include not punishing those who are doing things correctly by imposing such intrusive measures.

As far as banks are concerned, securing their own systems is all I would expect from them. As their customer, I really don't want my bank getting into the end-user computer security business and telling me how I should run my systems. I want them to stick with what they know. I also don't want to pay the higher fees and less favorable interest rates it would take to cover this expense. That's not even considering the support costs, as the users for whom this is really intended are the same ones who need the most handholding.

If Microsoft really wants to do something helpful, they can stop marketing Windows as "the easiest thing ever!" to non-technical users. They can start being more realistic and up-front about the basic competency required to safely use a worldwide untrusted network. They can harden the Windows codebase and require that software be built with address randomization, non-executable pages, and other stack-smashing protections before it is allowed to use the little Windows certified logo. They could do a much better job of treating data from the network as untrusted and potentially malicious (the sandboxing they are beginning to implement for IE is a step in that direction).

Hell, for that matter they could split the company up into separate corporations which make competing operating systems that all implement the Win32/64 API. Perhaps some of them could be based on *BSD like Mac OSX. Getting rid of the "write once, infect everywhere" Windows monoculture would be a decently effective way to limit the spread of malware.

There are many options to be considered before we even think about universally intruding into everyone's PC and making this into a common practice that is somehow considered acceptable. Normally that's what the bad guys who write malware are trying to do. This is a terrible precedent. Not to mention that if average users get used to the idea of some company (that they don't get to audit) scanning their systems, what's to stop the organized criminals from just running their own scanning companies and collecting any financial data they find? This could change the nature of the attacks but has little or no hope of preventing attacks.

Re:Pathetic (1)

RyuuzakiTetsuya (195424) | more than 3 years ago | (#35216736)

They can harden the Windows codebase and require that software be built with address randomization, non-executable pages, and other stack-smashing protections before it is allowed to use the little Windows certified logo.

Shouldn't this be done via the kernel and OS support libraries?

Re:Pathetic (1)

causality (777677) | more than 3 years ago | (#35216858)

They can harden the Windows codebase and require that software be built with address randomization, non-executable pages, and other stack-smashing protections before it is allowed to use the little Windows certified logo.

Shouldn't this be done via the kernel and OS support libraries?

Yes, the way I worded that was sloppy of me. Still, for address randomization you'd have to compile the applications with position-independent (i.e. relocatable) code. So I should have said require that software built for Windows is compatible with such security measures. While they're at it, they can place canaries at the end of buffers like GCC's SSP to offer an additional layer of protection in userspace.

Microsoft should take realistic, do-able steps like this to actually address its security problems, or they should never speak of "innovation" again and admit that they have succumbed to stagnation.

Re:Pathetic (2)

rabbit994 (686936) | more than 3 years ago | (#35216852)

You mean like ASLR which has been implemented in Windows 7 and DEP which is supported in Windows XP and beyond for certain system libraries and all x64 applications.

Issue with Windows security isn't technical issues, it's trying to maintain compatibility and ease of use with compatibility being biggest hold up. I bet if they behaved like Mac and Linux did, doing the whole "I'm sorry your older program doesn't work with newest libraries, tough shit. Get program updated."

At work, I'm still dealing with customer using FoxPro application which the developer flat out told me he had no intention of recoding in a new language.

Re:Pathetic (5, Insightful)

Homburg (213427) | more than 3 years ago | (#35216250)

So, this guy wants to run a program on an untrusted machine, which will report back to a website on whether or not the machine should be trusted? Presumably he also thinks banks should employ people to stand at the front door and ask "are you a bankrobber?" rather than employing security guards.

Re:Pathetic (1)

HomelessInLaJolla (1026842) | more than 3 years ago | (#35216674)

When you're homeless they leave the money in front of you and won't allow you near the exit until you pick it up--then they insist that you are a bankrobber.

What reasonable setup bothers to ask?

Re:Pathetic (-1)

blair1q (305137) | more than 3 years ago | (#35216288)

Wait.

Do you consider it a "violation of your privacy" to tell your prospective sexual partners whether you have an STD or not?

Because this is the computational equivalent.

It is perfectly reasonable for anyone coming in virtual contact with your data to request that you prove that your data is sanitary.

Re:Pathetic (0)

Anonymous Coward | more than 3 years ago | (#35216302)

And if it isn't and you know it, it's just common courtesy to set the evil bit on all your packets.

Re:Pathetic (5, Insightful)

Obfuscant (592200) | more than 3 years ago | (#35216352)

Do you consider it a "violation of your privacy" to tell your prospective sexual partners whether you have an STD or not? Because this is the computational equivalent.

Not really. It's more like letting potential partners draw a couple of test-tubes of blood and run them through the local medical lab to see if you have any diseases, and maybe get a stool and urine sample for good measure.

It is perfectly reasonable for anyone coming in virtual contact with your data to request that you prove that your data is sanitary.

ROTFL.

Re:Pathetic (2, Funny)

blair1q (305137) | more than 3 years ago | (#35216388)

It is perfectly reasonable for anyone to whom you can not prove you are sanitary to tell you to go fuck yourself.

You've never been laid, right? (5, Informative)

khasim (1285) | more than 3 years ago | (#35216594)

The problem is that this isn't about "proving" that you're clean.

This is about proving that you have, in the past, purchased condoms (anti-virus).

And that you are currently wearing a condom (anti-virus is running).

NOT that you don't have a disease.
Or that you have any symptoms.
Or that anyone you've had sex with had a disease.

The BANKS are the ones that should be dealing with whether they can sanitize anything they receive from you (and anyone else) AND verify that it really is you initiating the transaction.

Sex is NOTHING like an on-line purchase. Try it and see.

Re:Pathetic (2, Informative)

commodore6502 (1981532) | more than 3 years ago | (#35216394)

>>>coming in virtual contact with your data to request that you prove that your data is sanitary.

Then you don't mind if I sit in my bankofamerica.com cubicle, and review the naked photos of your wife (or possibly daughter) that I just scraped off your/her machine?

Re:Pathetic (1)

blair1q (305137) | more than 3 years ago | (#35216578)

All they need is to DL and run a checker that reports Pass/Fail and nothing more. Uploading my data en masse or spelunking my files with their eyes would not be reasonable. Nor would it be at all profitable for them to do it.

Re:Pathetic (1)

causality (777677) | more than 3 years ago | (#35216764)

All they need is to DL and run a checker that reports Pass/Fail and nothing more.

Do you intend to audit all of the network traffic to ensure that "pass/fail" is all it's reporting? Do you think an average user who can't be bothered to learn basic secure practices has the skill or the inclination to do that? This is assuming of course that the traffic isn't encrypted -- it would probably use SSL for the communications to ensure that no one has tampered with the results.

 

Uploading my data en masse or spelunking my files with their eyes would not be reasonable. Nor would it be at all profitable for them to do it.

It wouldn't be done en masse. Dishonest companies could target specific items that are small and have recognizable patterns, such as credit card numbers and bank account numbers. They're scanning your files anyway; the rest is basic pattern matching. That could be quite profitable, not to mention such data could be sold to other criminals so that the ones collecting it are not the ones using it, lending them some plausible deniability. If I can think of that in a few minutes I would assume that the real criminals can think of something more insidious (they're evil but they're definitely not stupid).

Also, what kind of scanning would this perform that decent AV software couldn't? What makes you think malware wouldn't be crafted to evade this just as malware is currently crafted to evade AV software? This has all the markings of a bad solution: it doesn't do much to address the problem it intends to solve and it also introduces new problems that have no simple solutions.

Re:Pathetic (1)

marcello_dl (667940) | more than 3 years ago | (#35216436)

I consider a violation of privacy if a guy comes into my house looking everywhere to see if i have the state approved remedy for a disease regardless of my utter absence of symptoms or the existence of better cures.
"virtual contact with your data"? there is transmission so the receiver must sanitize all incoming data, not scan the official source which is insufficient, for obvious reasons.

Re:Pathetic (2)

Black Gold Alchemist (1747136) | more than 3 years ago | (#35216474)

your data is sanitary.

The solution is plain text. While it is possible to insert malware in word, excel, html and maybe even opendocument files via scripting, it is not possible to insert viruses into plain text and CSV files. It just can't be done. Do not accept files that are not plain text and the problem of "unsanitary data" goes away.

Re:Pathetic (0)

Anonymous Coward | more than 3 years ago | (#35216568)

I submit to you, eicar. A nice textual "virus" string that will cause your virus scanner to indicate there is a virus.

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Furthermore, a .csv file, if containing Excel functions will actually execute them.

Re:Pathetic (1)

hawguy (1600213) | more than 3 years ago | (#35216574)

The solution is plain text. While it is possible to insert malware in word, excel, html and maybe even opendocument files via scripting, it is not possible to insert viruses into plain text and CSV files. It just can't be done. Do not accept files that are not plain text and the problem of "unsanitary data" goes away.

Of course it's possible to have plain text viruses - plain text editors are subject to buffer overflows and other errors that all programs are subject to. That's like saying that it's impossible to have viruses embedded in images, which has been proven to be false. An editor doesn't have to allow macros in its file format to be subject to virus attacks (though it does make it easier)

Re:Pathetic (1)

blair1q (305137) | more than 3 years ago | (#35216690)

SQL is plain text. So is perl.

Any source of data input can be hacked to cause problems to software.

Pushing a virus-check for a new exploit is easier than patching the server, when you're talking about thousands of high-availability servers, and thousands of new exploits per year.

English Shell Code article anyone? (1)

Anonymous Coward | more than 3 years ago | (#35216872)

Apparently, the alchemist did not read Slashdot much in 2009, see:
http://it.slashdot.org/story/09/11/23/1837238/English-Shell-Code-Could-Make-Security-Harder

In this technical paper, someone came up with a set of barely intelligible English sentence,
where some letters are actual BINARY X86 instruction and the rest is basically treated as NOP instructions,
so that he could bypass normal filtering techniques for malicious purposes.

English Shell Code extract:
"There is a major center of economic activity, such as Star Trek, including The Ed Sullivan Show. The former participation
in the United States Drug Enforcement Administration and..."

The way it work was like this, take all X86 instructions, take those who are in the printable range,
write a "decoder program" using only those instructions, then wrap your real exploit code with it
and write a nice ruby metasploit module to do so automagically and there you go.

Re:Pathetic (2)

causality (777677) | more than 3 years ago | (#35216600)

Wait.

Do you consider it a "violation of your privacy" to tell your prospective sexual partners whether you have an STD or not?

Because this is the computational equivalent.

It is perfectly reasonable for anyone coming in virtual contact with your data to request that you prove that your data is sanitary.

Yes, it's always "for the children", "to prevent terrorism", and "for your safety" isn't it? Since you have nothing to hide, why would you possibly object to a full cavity search every time you enter any building? Do you want the evil terrorists/criminals/hackers to win or something? This is the computational equivalent.

The difference between this and your scenario is simple: the prospective sexual partners are giving mutual consent. If they don't like that arrangement, they can always decide that casual sex with strangers is inherently risky, or they could do something crazy like have sex with someone they love, trust, and know very well. By contrast, if this system is implemented, every bank and probably lots of other corporations are going to require it in order to do business. It's rather difficult to live in a modern world without ever doing business with banks and other corporations, which is why this would be forced on us with or without consent.

Re:Pathetic (0)

Anonymous Coward | more than 3 years ago | (#35216658)

Do you consider it a "violation of your privacy" to tell your prospective sexual partners whether you have an STD or not?

Were talking about security here, leave your hypothetical questions for another time please!!!

Re:Pathetic (1)

MtHuurne (602934) | more than 3 years ago | (#35216686)

It is perfectly reasonable for anyone coming in virtual contact with your data to request that you prove that your data is sanitary.

One of the rules in computer security is to never trust the client. A server should always fully validate the data regardless of what assurances the client gives about it, so it is pointless to send those assurances in the first place.

Re:Pathetic (1)

toastar (573882) | more than 3 years ago | (#35216380)

I let Warden/VAC scan my system but I don't shouldn't trust my bank?

Re:Pathetic (1)

Jim Hall (2985) | more than 3 years ago | (#35216726)

Think of it this way: would you mind if a web site ran their own programs on your computer, before they let you use their site? Maybe that's your bank, that's one example. Maybe he wants this extended to the cloud, like Microsoft's Office365. Taken to the extreme, what if social networking sites (Facebook?) decide to do this?

Charney's proposal to put the onus on the end user is going to get old really fast. And I see it causing more problems than it solves. If users have web sites running their "scan" software on their home PCs, how long until malware starts getting injected? Your bank probably takes precautions to make sure the virus scan is safe, but some sites will take advantage of this. Or get hacked, and have the scan software replaced with malware. You think the zombie botnet Windows PC is a problem today, wait until Charney's plan gets implemented somewhere.

Re:Pathetic (1)

icebraining (1313345) | more than 3 years ago | (#35216886)

Maybe you shouldn't trust either.

Trusted Platform Module (3, Informative)

linatux (63153) | more than 3 years ago | (#35216494)

ZDNet article (http://www.zdnet.com/blog/security/microsoft-continues-push-for-infected-computers-to-be-quarantined/8164) a little more informative.

Combining trusted software such as hypervisors and hardware elements such as a Trusted Platform Module (TPM) could further enable consumer devices to create robust health certificates and ensure the integrity of user information

Re:Pathetic (0)

ToasterMonkey (467067) | more than 3 years ago | (#35216522)

hello ? privacy issues anybody ?

Way to kneejerk.

So basically organizations that do business with consumers would be allowed to scan the consumer PC. Great idea...

Take your foil hat off please. Yah, it's really nuts, my bank insists upon inspecting my future home before approving a loan for it. Assholes even demand to know who I am.
While it would make a stupid mandatory requirement to do online business with customers due to the wide base of networked devices, it could be nice for corporate systems, and would be a great opt-in feature for others. [x] Only allow systems with recent health certificate, AV signatures, etc to access my account remotely. This isn't going to improve YOUR security measurably, but it gives the other end confidence to enable more online features. It would never work to deny access... which is what you're trying to scare us into thinking.

Next step, you have to allow the government, banks, Ebay, Paypal and what not to scan your PC otherwise they will refuse to do business with you. Since they may not have a linux or other OS scanners, you would be required to use Windows of course.

Why are you getting all excited about "require"? Even a complete idiot would see that is technically impossible given all the possible networked devices out there this would impact. On the other hand, as an opt-in feature this could be very useful.

Now, kindly give me all your mod points.

Re:Pathetic (1)

hawguy (1600213) | more than 3 years ago | (#35216610)

It would never work to deny access... which is what you're trying to scare us into thinking.

Why wouldn't it? If a Bank thinks that only people that can provide the certificate have computers that are trustworthy, why would they accept logins from a computer that doesn't present the certificate?

Some banks have already been known to only allow those using MSIE to access their site, so why is it so unthinkable that they would restrict access to those that can provide this certificate of trust? Especially if it reduces their liability for bank fraud.

Re:Pathetic (0)

Anonymous Coward | more than 3 years ago | (#35216796)

Why wouldn't it? If a Bank thinks that only people that can provide the certificate have computers that are trustworthy, why would they accept logins from a computer that doesn't present the certificate?

Some banks have already been known to only allow those using MSIE to access their site, so why is it so unthinkable that they would restrict access to those that can provide this certificate of trust? Especially if it reduces their liability for bank fraud.

True, banks have also been known to only let you do your banking in person. Of course, that was long ago - just like the times when they only allowed IE was long ago. It seems like other operating systems would simply need to also have a health certificate method. Seems reasonable. Other operating systems have an SSL method. They have cryptographic methods. Why should they not have health certificates? It seems like something that OS X and Linux folks should be able to have deployed about the time that Microsoft goes into Beta with theirs, right?

Re:Pathetic (1)

MtHuurne (602934) | more than 3 years ago | (#35216558)

From TFA:
"A bank could ask customers to sign up for a program that would scan their PC for signs of infection during online sessions"

I think "program" here means an initiative by the bank that a customer can optionally participate in, rather than an executable running on the customer's PC. It might be a port scan done from the bank's servers.

Still I doubt this is actually useful: if these scans becomes common practice, malware can stay undetected by not responding or faking another protocol/application unless the contact is initiated in a particular way that only the malware control network can perform. For example a TCP connection would only be accepted if preceded by a port knocking sequence that is computed from the victim's IP address and a private key, making it impossible for the bank to replay that sequence when scanning another PC.

Re:Pathetic (1)

icebraining (1313345) | more than 3 years ago | (#35216868)

Most malware don't open incoming ports, they connect to a C&C server (using IRC, IM or even Twitter).

Re:Pathetic (1)

failedlogic (627314) | more than 3 years ago | (#35216812)

I would like to see Banks hand out Live 'Nix CDs with their website loaded up in the browser when its booted into X. This option will make it brainless for most to use and there should be a better assurance that the computer doesn't have a "Virus" unless BIOS ones are still around. It would be much easier to implement then some new certificate system.

Re:Pathetic (1)

ewibble (1655195) | more than 3 years ago | (#35216856)

I think I should be allowed to scan the banks computers to see if I can trust them, I used to work for a bank they are not the most secure of organisation or at least I hope not.

I'll show you mine if you show me yours.

Hey I always wanted to know what my neighbours bank balance and pin was.

What happens when you run linux and the scan does not work? the solution is obvious run a virtual machine that they can scan to check then log in normally.

platforms? (0)

Anonymous Coward | more than 3 years ago | (#35216196)

I wonder if openBSD will support these health certificates.

I can see it now (2)

pcgfx805 (1750684) | more than 3 years ago | (#35216212)

"Access has been refused as it seems you do not have an anti-virus. Why not try *insert highest paying AV company here* anti-virus 2011 for only £99 a year!"

MS has there own good free AV and they will not le (1)

Joe The Dragon (967727) | more than 3 years ago | (#35216598)

MS has there own good free AV and they will not let them self's be locked out from any plan.

What if my "PC" is an old VAX (4, Insightful)

thomasdz (178114) | more than 3 years ago | (#35216214)

Yeah, this will work real well on my old VAX that I use to surf the web using Lynx.

Re:What if my "PC" is an old VAX (1)

alteveer (979070) | more than 3 years ago | (#35216322)

Lynx on VAX is probably pretty safe (does it support https?) compared to some more recent browser versions that will remain unnamed.

Re:What if my "PC" is an old VAX (0)

Anonymous Coward | more than 3 years ago | (#35216430)

But can you PROVE that to EVERY institution you come into contact with?

Re:What if my "PC" is an old VAX (4, Insightful)

e9th (652576) | more than 3 years ago | (#35216370)

I think that's the point. Unless you're running a "supported" OS that will cheerfully phone home with its patch/AV status, (like, oh I don't know, Windows), you're not to be trusted.

Re:What if my "PC" is an old VAX (4, Insightful)

Jim Hall (2985) | more than 3 years ago | (#35216752)

That's an important point - Charney probably expects this to apply to Windows only, because that's all he sees. What about Linux? What about Mac?

More importantly, what about iPads, or smartphones, or tablets, etc that are increasingly used to access the web? Will Charney's plan work for all these devices? Apple doesn't like third-party apps to execute on the iPad - so good luck getting this to work with iPads. And if all it takes to "bypass" the scan is to fake your browser's user agent string to that of an iPad Safari browser, this won't be very effective.

Naturally. (4, Insightful)

damn_registrars (1103043) | more than 3 years ago | (#35216226)

The responsibility goes to the consumer, when Microsoft is assigning responsibility (blame). After all, the highly vulnerable operating system clearly has nothing to do with it, hence the company behind said vulnerable operating system shouldn't have any liability either.

Re:Naturally. (0, Troll)

blair1q (305137) | more than 3 years ago | (#35216316)

I sold you a frozen hotdog. Hotdogs if improperly stored and cooked will cause health problems. If you choose to leave it in a pan on the counter overnight then warm it to 100F before serving it, that's your issue, not mine, regardless of the natural vulnerabilities of the very clean hotdog I sold you.

Re:Naturally. (1)

damn_registrars (1103043) | more than 3 years ago | (#35216712)

I sold you a frozen hotdog.

Windows is sold as a fully working operating system - a "fully cooked hotdog" would be a better analogy, really. In which case, if eating the fully cooked hotdog occasionally caused unexplained death, then the risk might be equivalent.

It's an OS, not a hot dog. (1)

khasim (1285) | more than 3 years ago | (#35216716)

You cannot store an OS "improperly". It doesn't catch germs just by normal decay.

Microsoft's decisions have placed "user friendly" above "security" for years.

That is a problem.

Re:It's an OS, not a hot dog. (1)

UnknownSoldier (67820) | more than 3 years ago | (#35216788)

> Microsoft's decisions have placed "user friendly" above "security" for years.

Exactly. Case in point: Even Win7 still hides known file extensions by default. Users can be easily manipulated into clicking on something they think is legit.

http://www.google.com/search?q=Win+7+still+hides+known+file+extension+type [google.com]

e.g.
http://www.f-secure.com/weblog/archives/00001678.html [f-secure.com]

Granted, you can't protect ignorance from stupid, but c'mon, why make it harder then it needs to be.

Re:Naturally. (0)

Anonymous Coward | more than 3 years ago | (#35216328)

No operating system can protect the User from their own mistakes.

If you say yes to the prompt where the program asks for root permissions and you type in your password, and your system gets deleted, isn't that on you?

Yes, it is.

Re:Naturally. (1)

c0lo (1497653) | more than 3 years ago | (#35216376)

The responsibility goes to the consumer,

That's right...after all, it is the consumer that keeps using a vulnerable operating system. Same degree of responsibility as in paying a certain vendor for the use of a said vulnerable system (and possibly generating extra CO2 by running a crappy AV solution to protect that OS).

Re:Naturally. (2)

kevinmenzel (1403457) | more than 3 years ago | (#35216508)

Any operating system where the user knows how to get themselves root access is vulnerable, because the fundamental problem exists between the chair and the keyboard. If EVERY ONE grew up using Linux, there would be millions of people who could be exploited by simple social engineering. "What, I need to sudo run this script in order to see the naked boobies my e-mail is promising me? OK..." - Heck - how many people currently running Ubuntu could be exploited by a website simply listing shell commands to solve some sort of common problem that also compromise the user... Given, it is easier to do explot Windows. But it is even easier to exploit stupid users than it is to exploit Windows.

Re:Naturally. (1)

c0lo (1497653) | more than 3 years ago | (#35216580)

Given, it is easier to do explot Windows. But it is even easier to exploit stupid users than it is to exploit Windows.

Right. At least, you don't need to pay for the OS and be exploited while running Ubuntu d:)

Re:Naturally. (1)

damn_registrars (1103043) | more than 3 years ago | (#35216748)

The responsibility goes to the consumer,

That's right...after all, it is the consumer that keeps using a vulnerable operating system

However, the consumer doesn't have a choice in the matter - or at least none that they are aware of. Most consumers buy their PCs at big box retailers, where Windows is the only option. They can't buy a PC with Linux on it, they can't buy a PC with DOS on it, nor can they buy a PC with no OS at all. They might be able to buy a Mac - depending on where they are shopping - but they might not be inclined to pay that much for a PC. Windows is sold as a working OS, but it is provided as something not quite at that level.

If I buy a refrigerator at the same big box retailer, I can expect it to work pretty well the same from the day I buy it until the day I stop using it. However Windows is in no way the same. You pay for Windows and you have to continually update it to keep it working the same as the day you bought it, otherwise you quickly end up with a compromised system that does not work as well as the day you bought it. And being as the consumer had no choice in the OS on their PC, they should not be exclusively responsible for the problems in that PC.

Re:Naturally. (1)

DAldredge (2353) | more than 3 years ago | (#35216486)

How is Vista or Windows 7 a "highly vulnerable operating system"?

Re:Naturally. (0)

Anonymous Coward | more than 3 years ago | (#35216540)

Combine the number of zero-day exploits found in Windows on an almost daily basis with the number of PCs running an identical operating system and there's your massive botnet right there.

Re:Naturally. (1)

HomelessInLaJolla (1026842) | more than 3 years ago | (#35216584)

They include Notepad.

Re:Naturally. (1)

CannonballHead (842625) | more than 3 years ago | (#35216684)

If you squish trojans, viruses, and worms all together, then Windows is clearly more vulnerable than, say, OSX or Linux, which don't get viruses.

(if you didn't catch it ... people tend to lump all Windows attacks together: plugins, social, and executables-that-you-download-and-run-yourself, and then compare it to "real" viruses on Linux; downloading an rpm or deb and installing it yourself "doesn't count")

I don't know if the OP is stating that, he may have valid arguments for why Windows is still more insecure due to design and not due to user stupidity or prevalence of attacks.

Re:Naturally. (1)

causality (777677) | more than 3 years ago | (#35216514)

The responsibility goes to the consumer, when Microsoft is assigning responsibility (blame). After all, the highly vulnerable operating system clearly has nothing to do with it, hence the company behind said vulnerable operating system shouldn't have any liability either.

In a way they have a point. Those customers have created a market where those who make highly vulnerable operating systems are rewarded with literally billions of dollars and greater than 90% marketshare. It's a logical extension of this reality for Microsoft to assign responsibility as you describe.

I like how all of their solutions assume... (5, Interesting)

Omnifarious (11933) | more than 3 years ago | (#35216234)

I like how all of Microsoft's solutions to this Internet-wide problem assume that absolutely everybody is using their software. Honestly, half the problem would go away if everybody stopped using their software.

Re:I like how all of their solutions assume... (1)

gstoddart (321705) | more than 3 years ago | (#35216252)

I like how all of Microsoft's solutions to this Internet-wide problem assume that absolutely everybody is using their software. Honestly, half the problem would go away if everybody stopped using their software.

Yeah, that about sums it up ... Microsoft's "Trustworthy" computing has always been about locking the damn thing down so tightly you can't use it, relying on their own proprietary technologies so that everybody pays them, and pretending like it's not the security holes in their OS that is the root problem.

Hate to be a grammar Nazi but... (0, Flamebait)

denzacar (181829) | more than 3 years ago | (#35216330)

You misspelled Apple. Funnily, it came out as Microsoft. Go figure. A Freudian slip perhaps?

Hate to be a grammar Nazi but... (1)

gmhowell (26755) | more than 3 years ago | (#35216640)

You misspelled Linux. Funnily, it came out as Microsoft. Go figure. A Freudian slip perhaps?

FTFY. Monocultures are bad, m'kay?

Their definition of "security" isn't yours or mine (5, Insightful)

ron_ivi (607351) | more than 3 years ago | (#35216332)

When Microsoft talks about "security" they're talking about securing the property&rights of digital rights owners (BSA, MPAA, etc) from the untrustworthy users who licensed the software and DVD.

It's not at all about keeping the computer user safe.

It's about keeping data safe from the computer user.

Re:I like how all of their solutions assume... (1)

Jim Hall (2985) | more than 3 years ago | (#35216800)

And that may happen if Charney's plan goes into effect on popular web sites. At least, I predict a sizeable community of Windows users leaving for other options.

This concept will immediately raise the perceived TCO for running Windows. Maybe not in cost, but even "general" users will see the delays and effort required just to access basic services (the Web) from Windows. If my mom has to let her bank, or Facebook, or her Yahoo!Mail run their virus software on her computer before she can access her favorite sites, this will not go down well. Running a virus scan takes a long time on big drives - and you do need to scan the whole thing to make sure it's secure and not "tained" with malware or a virus...

Trustworthy? (1)

bradgoodman (964302) | more than 3 years ago | (#35216248)

First he said he thought responsibility was one place, then he said it was supposed to be another. What will he say tomorrow? The position lacks credibility. Is this even newsworthy?

Microsoft's next step (1)

Ancantus (1926920) | more than 3 years ago | (#35216254)

In order to keep the internet safe, Microsoft has detected and is removing computers running viruses masquerading as operating systems. Those operating systems are going by the names listed below:

Windows XP

Windows Vista

Windows 7

Re:Microsoft's next step (3, Insightful)

Cryacin (657549) | more than 3 years ago | (#35216294)

Drop windows 7 from the list, and you see their plan.

Re:Microsoft's next step (0)

Anonymous Coward | more than 3 years ago | (#35216650)

I knew I was making the right choice when I purchased this Windows 95 PC from Good Will yesterday. Guess I'm safe.

99% of the time (1)

Stregano (1285764) | more than 3 years ago | (#35216260)

It is the consumer/user error. I do not like this new step they think is helping, but at least people besides us computer nerds are finally starting to fess up to the fact that most of the world sucks on computers

OMG! (0)

Anonymous Coward | more than 3 years ago | (#35216272)

They fixed slashdot!
I can now see comments to comments without the parent being expanded!!!!!!

Join me everyone.

Oh, top-level admin, yours is the root access and yours only.
Shall your processes run uninterrupted, and your system free of root kits.
Yours solely is the decision to edit my access level, and to allow me read and write.
I humbly present the output of my processes for you only.
You truly are the inspector of my source. Shall you find no bugs!
Please do not kill the threads of my processes, as I have not killed those of others.
Their start and their end have been seen by you.
Authenticate my files and validate my drivers, as I have done unto others.
You have calculated my file signatures before they have been even made.
You have such watermarks in my files that I do not even know of.
Protect me from viruses and system instability. You know what I'm made of.
My processes will not consume too many system recources, for I am wary of you.
Please back-up me and restore me, should there be a system crash.
Even my least significant bit has been saved by you. Not even smallest of them should flip.
I will adhere to EULA even in the slightest. You shall not find me guilty of a breach.
You shall hold the root access to time eternal, and I shall have an user account in your system.
Amen!

Already kinda exists in user-agent header (1)

ron_ivi (607351) | more than 3 years ago | (#35216300)

Website owners can probably make a pretty good first-guess at how compromised a system is, if it's running some obsolete and/or insecure web browser ( Firefox 3, IE 6, 7, 8, 9 :-) ). If it has a certificate where Microsoft digitally signed that the machine indeed has IE6, do you really gain that much?

Translation (1)

Rix (54095) | more than 3 years ago | (#35216304)

The user remains in control. The user can say I don't want to run Microsoft's operating system. There may be consequences for that decision, but you can do it.

The Burden Is On Consumers... (2, Informative)

painehope (580569) | more than 3 years ago | (#35216306)

I agree completely with that part of things. The burden is on consumers (or citizens, as we used to be called). Don't buy Microsoft products and the Internet will be a much safer place.

What are they smoking? They sell the buggiest, shittiest, most useless (some people find it useful...I don't; the last time I tried to use MS Office I spent 15 minutes dicking around w/ the application just to set some bullet points, and decided that 15 minutes could have been better spent downloading and installing OpenOffice - their applications have all turned into overblown, unusable pieces of shit, just like the internals of their operating systems) products, practice all kinds of shady business just to spread their crapware, and then blame the average, non-technical person for how fucked-up their operating system is and how it makes computers unusable to a significant portion of the population.

Jesus. If I sold someone a car that had as many problems as a copy of Windows, I'd be sued - possibly even imprisoned. Someone would probably end up dead fairly quickly if I made a business out of it, and then I'd be up shit creek. But they can sell shitty software and then not be held accountable when it doesn't work? Yes, the world is that strange.

Re:The Burden Is On Consumers... (0, Interesting)

Anonymous Coward | more than 3 years ago | (#35216446)

You can't be wrong quietly, can you? Cars do have as many problems as Windows (actually more). Car companies do get sued for some faults, but not for a lot of others. People do die because of faults in cars, but mostly people die from human error, just like most problems with the operating system are actually human error. Your problem with word is indeed one of human error. You erred in thinking you could learn the ins and outs of a very complicated program in 15 minutes, if you are actually relating an incident; do people learn how to operate everything in their car within 15 minutes? Open office itself has quite a few quirks, and is just a passable word processor. Word, which you called a piece of shit, is almost certainly better.

The best OS currently on the market is Windows 7. It isn't perfect, but it is easy to use, feature packed, performs decently, and supports a very large corpus of programs compared to its competitors. A good rule of thumb is to only bash a company for a product line when the latest product in the series isn't clearly the best current choice in that arena.

It will come down (1)

bugs2squash (1132591) | more than 3 years ago | (#35216350)

to needing a dedicated device for your online transactions. Something that is not subject to other applications running amok. Perhaps the next generation of credit cards will have touchscreens and wifi.

Microsoft (1)

acalltoreason (1732266) | more than 3 years ago | (#35216372)

Does he realize that if that were to be put in to place, all Windows users would face the "consequences" because if someone is on a Windows box, you can assume its infected.

Control vs. responsibility (1)

sictransitgloriacfa (1739280) | more than 3 years ago | (#35216384)

What party, ultimately, has the most control over how many infected machines there are on the internet? Could it possibly be the software company whose chief product runs on most of the machines out there?

What parties, ultimately, bear the costs of all the infected machines out there? Their owners, sometimes. Everyone who has to deal with the billions of spam emails that clog the internet. Not so much, the aforementioned large software company.

So an executive from that software company suggests that the burden of infection should be placed squarely upon the user. Funny, that.

First obvious counterattack: (0)

Anonymous Coward | more than 3 years ago | (#35216386)

What's going to stop malware from hooking into the checking program or extracting the key that the program uses to send back the scan results and fake it? You can't just "scan" a computer for malware, you need to get code running on the infected host.

obat alami.net (0)

Anonymous Coward | more than 3 years ago | (#35216404)

health is very important, by sharing we can provide benefits for others

Disproportionate burden (3, Insightful)

Palestrina (715471) | more than 3 years ago | (#35216418)

If you require positive proof of system health then this will penalize every minority operating system or device that does not have the scanning software/certificate available for it yet. But aren't these minority systems the ones that are least risky, compared to the millions of zombie WinXP boxes?

Sure, Microsoft systems will be supported by the bank (using the example given in the article) but what about everyone else (and I do mean everyone). Do we really want a presumption of "disconnect" or "limit"?

I don't know if my Windows box can pass (0)

Anonymous Coward | more than 3 years ago | (#35216422)

a health check. Could I just pass some gas instead?
There, that's better.

How do they know a machine is safe? (3, Insightful)

hawguy (1600213) | more than 3 years ago | (#35216426)

If they have a magic scanning technology that tells them if a machine is "safe", then why doesn't Microsoft just deploy that technology to everyone? When I managed a helpdesk, I saw many fully patched machines with updated antivirus machines still manage to become infected by Malware. I didn't know we were already past the age of Zero-day exploits

they already do (0)

Anonymous Coward | more than 3 years ago | (#35216628)

It's called 'format'.

Security theatre (1)

MtHuurne (602934) | more than 3 years ago | (#35216814)

Maybe he got the idea while standing in a queue for an airport security check...

Burden is on the manufacturers (3, Interesting)

nurb432 (527695) | more than 3 years ago | (#35216526)

Just like in the auto industry, if a car maker creates a car that is prone to wrecks, its not the drivers fault.

Proper maintenance, is the responsibility of the user, not fundamental manufacturing flaws that create security problems.

Complete BS (0)

Anonymous Coward | more than 3 years ago | (#35216538)

Heal certificates? My Ubuntu boxes are running just fine and don't need no crap like this.

The user can say I don't want to run Windows (4, Insightful)

Odinlake (1057938) | more than 3 years ago | (#35216548)

The user can say I don't want to pass a health certificate,' he said. 'There may be consequences for that decision, but you can do it.

The user can say I don't want to run Windows. There may be consequences, but you can do it.

There fixed that for you, M$.

(Oh, did we forget to mention that that health certificate, de facto, requires you to run M$ Windows? That although there are Linux solutions around, 95% of ISPs don't support it?)

Just another attack vector (2)

matrixskp (629075) | more than 3 years ago | (#35216636)

Anything like this 'trusted certificate' or 'health scanning app' will just become another attack vector.

Microsoft should just build a new operating system from the ground up that is secure. If MS applied everything they should have learnt from all the security problems they have had over the last 20 years, they could probably make something quite good.

Wouldn't this solve 95% of the problems with infected PC's? Of course that would require reinvesting some of the billions they make from selling their current offering.

inviting MSFT to a 'net security conference is... (1)

bball99 (232214) | more than 3 years ago | (#35216644)

like inviting a pedophile to a day care center...

Like South Korea then (0)

Anonymous Coward | more than 3 years ago | (#35216672)

This is basically what banks and e-commerce sites do in South Korea. They force you to install several Active-X programs (per website, by the way) which usually consist of an anti-keylogger, anti-virus, and some SSL related program. Banks also typically have a Active-X personal identification certificate program where it checks for this certificate that is tied to your account and to the machine you are on. The websites will check for these programs and will auto install them if they are not detected. By the time you've gone to a few bank sites and shopping sites, you've accumulated at least 10 Active-X apps which all essentially do the same thing.

Given that these websites are routinely hacked, and from what I hear, more often than sites that are actually standards compliant, I'd say any "health certificate" will only result in a false sense of security.

As a side note: Yes, if you don't have Internet Explorer, you cannot do banking, shop online, check email, or watch streaming video on a PC in South Korea. Smart phones have apps, so those are okay.

Safety is defined as (0)

Anonymous Coward | more than 3 years ago | (#35216676)

.. not containing malware. Malware is defined as programs that are designed to interfere with the normal operation of any other program

The group of programs that are designed to interfere with the normal operation of any other program is loosely defined, there's a lot of opinions about what it should contain, I mean hey, I'm not saying that for example programs to "hack" software to remove copy protection IS malware, just that many people might think it is.

"Problem solved"

Maybe Charney could think, then speak? (1)

matrixskp (629075) | more than 3 years ago | (#35216694)

"But in the course of the last year as I thought a lot more about this I realized that there are many flaws with that model."

I think thats the problem right there.

Speak and then think... and apparently the thinking takes a LONG time!

Sounds a lot like ... (1)

PPH (736903) | more than 3 years ago | (#35216700)

...getting tested for STDs as a condition of employment in a porn studio. Who hands out those certificates? Do you really want to trust them as you are getting ready to pull that train?

Ignorant people (0)

Anonymous Coward | more than 3 years ago | (#35216810)

Most people who commented on this topic just don't understand what is Trusted Computing remote attestations. Come back with an opinion once you have a @#$^& clue!

Network Access Protection (1)

Spikeles (972972) | more than 3 years ago | (#35216862)

Not like it's a particularly "new" [microsoft.com] plan.. and oh look [wikipedia.org] , it even has built in support for RADIUS.....
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>