Microsoft Proposes PC Health Certificate for Internet Access

| News

Scott Charney, Corporate Vice President of Microsoft’s Trustworthy Computing division, has proposed a radical solution to the problem of virus-infected PCs. Mr. Charney believes that infected computers should be quarantined from the Internet, and that PCs have to prove themselves clean with a digital health certificate in order to access the Internet.

In a blog post, Mr. Charney laid out the proposal, which he also presented in a speech on Tuesday at the International Security Solutions Europe (ISSE) Conference in Berlin, Germany. His vision is to look at cyber health as a global problem, and to implement a, “global collective defense of Internet health.”

Scott Charney, Microsoft VP

Scott Charney
Corporate Vice President of Microsoft’s Trustworthy Computing division

“Just as when an individual who is not vaccinated puts others’ health at risk,” he wrote, “computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society.” He argues that in the physical world there are national and international agencies tasked with, “identifying, tracking and controlling the spread of disease which can include, where necessary, quarantining people to avoid the infection of others.”

He infers that the risks presented by botnets of PCs that are controlled by criminal organization (he does not infer that there are botnets controlled by nation-states) are just as important and just as great as the risks involved with uncontrolled epidemics and pandemics. By taking a global, unified approach to the problem, the good guys would find it easier to stop the spread of viruses and malware used by the bad guys to take over PCs and use them to disseminate spam, attack corporate and governmental computer systems, and other nefarious deeds.

“To realize this vision,” he said, “there are steps that can be taken by governments, the IT industry, Internet access providers, users and others to evaluate the health of consumer devices before granting them unfettered access to the Internet or other critical resources.”

At the heart of his proposal is the idea of requiring digital health certificates on PCs that certify they are running current antivirus software, are patched with the latest OS patches, and are otherwise clean and free of malware or viruses. Without a valid certificate, those PCs would not be able to access the Internet, though he offers detailed exemptions for being able to download patches and contact emergency services in order to make the system palatable to the public.

He also laid out the following five central points that must be considered as key to any such solution:

  • The risk that botnets present to Internet users and critical infrastructures must be addressed.
  • Collective defense can and should be used to help improve the security of consumer devices and protect against such cyber threats.
  • A public health model can empower consumers and improve Internet security.
  • Voluntary behavior and market forces are the preferred means to drive action but if those means fail, then governments should ensure these concepts are advanced.
  • Privacy concerns must be carefully considered in any effort to promote Internet security by focusing on device health. In that regard, examining health is not the same as examining content; communicating health is not the same as communicating identity; and consumers can be protected in privacy-centric ways that do not adversely impact freedom of expression and freedom of association.

Microsoft has published a White Paper from Mr. Charney on the subject titled, Collective Defense: Applying Public Health Models to the Internet.

Comments

BurmaYank

Wouldn’t it be a lot easier to just block all Windows computers from accessing the net, than to try to employ a properly functioning block (i.e. - a blocking regimen which either is not inevitably utterly corrupted and thoroughly hacked, or else is catastrophically lethal) to +/-99% of all the Chinese, Indian, Russian, African, etc. Windows computers currently accessing the net?

Jamie

Or they could stop using Windows. wink

Wishful thinking, I know, but seriously, when is Microsoft going to step up and accept responsibility? It isn’t their users’ fault their software is broken.

I am also pretty much at the end of my rope with corporate concepts that amount to jettisoning the freedom we have online. Sigh. I have no doubt that all of these guys stroke hairless cats and laugh evilly in their board meetings.

geoduck

The trouble with any centrally run system such as this is there will be fraud. I suspect if you did a search today after this new story hit the web there are likely already fake ‘digital health certificates’ running around.

To carry the medical analogy in another direction:

The idea of quarantining people with a disease is rather quaint but not used much. In reality more diseases are prevented by stopping the vector. Malaria was not controlled in the first world by quarantining people with Malaria, it was by controlling the mosquitos. Salmonella was not controlled by quarantining those with ‘the stomach flu’ it is controlled by making sure places where food is prepared are clean.

I’d suggest a more effective strategy would be to packet sniff all the traffic as it goes through the backbone of the internet for known malware. Keeping it from getting to the individual would be more effective than trying to clean up infections after the fact.

daddy

Is this guy serious?  The minute that this “health certificate” goes into effect is the minute when 60% of the world corporate computers suddenly go offline.

Hey, that’s not half bad - think of the bandwidth that we Mac users will enjoy!

This also leads to the conclusion that all the IT PC weenies will be getting lots of overtime pay cleaning their firm’s PCs.

What a deal for Apple Enterprise to walk in and unveil “Microsoft Certified Digital Health Certificated” Macs out of the box.  Goo-bye Dell, HP, Asus, etc.

vpndev

An alternative would be to have one internet for Windows boxen and one for all of us others.

Microsoft could even run it as “Windows Live” or whatever.

It would be *really* nice if we didn’t have to worry so much about compromised Windows systems spewing junk at us.

vpndev

Microsoft might be working now on “Trustworthy Computing” but the rest of the world has to deal for years and years yet with decades of unbelievable indifference to security.

Their concern is admirable and this idea might be OK. But the rest of us are still cleaning the Aegean stables. MS needs to step up with more since they are the ones who enabled the problem.

fezzie

thank god for Windows… 98% of infections are Windows boxes
certificate? We don’t need no stinkin’ certificates…

echo7

This whole proposal makes no sense.  How can a person clean the system, if they do not have access to the internet to download tools to remove the infection?  Instead of requiring people to prove that their OS is clean, how about the software companies build more secure software.  Punishing customers for a company?s own short comings is not a very well thought out strategy.

vasic

Echo7:

What you are saying is simply unrealistic and na?ve. It is simply impossible to build an operating system that is unhackable. Somewhere some hacker will find a way to hack an OS. Botnets are very big criminal business. A lot of money is revolving around it, so it bankrolls hackers to find most efficient ways to infect.

The digital health certificate sounds like a good idea, but there is simply one major problem. It is still only going to be a piece of software sitting on a PC. Nothing prevents hackers from trying to ‘fake’ the certificate, or fool that software into thinking that the PC is in fact ‘healthy’.

We already have similar software: antivirus tools are supposed to tell us when a malicious file enters our file system, regardless of how (external disk, network file transfer, web, e-mail, IM…). Unfortunately, this simply doesn’t work every time, and it never can. It is a continuous cat-and-mouse game, which cat continues to win.

webjprgm

My university already does this.  In order to access the student wireless network (not the throttled guest network) you have to have a scanner (made by Cisco?) decide that you do indeed have anti-virus software installed.  I assume it maps this to a MAC address in some database, since it only asks once.  (Mac computers don’t have to bother.) If you fail, they tell you to use the Guest network to download free anti-virus software.

My fear is that ISPs will start doing this and making all kinds of heavy-handed, stupid, and hard to work around decisions that limit our ability to use the internet even if we are completely virus-free.  Especially if they start insisting that Macs are scanned too, since there’s no way I want any corporate scanning program to touch my computer. 

(And what about Wii, X-Box, and PS3 devices connecting to the internet?  What about NAT and router boxes that could interfere with the ISP’s methods and so they start to ban certain types of middle boxes like that, or insist on using their brand of switch? So on and so forth.)

Bosco (Brad Hutchings)

One day, we’ll all have to decide if we’re with the terrorists, thieves, scammers, and mail order Viagra dealers or if we’re with the information Nazis. The first rule of security is “don’t make it a tough choice”. This joker is making it a tough choice.

xmattingly

This methodology sounds like Civil War-era battlefield medicine, to me.

b9bot

That’s easy, get a Mac and anything running Windows is banned from the internet, problem solved!!!!!!!

That’s the dumbest idiotic stupid idea yet to come from Microsoft.

bigPaise

This idea is like having to get a note from your doctor certifying “STD free” in order to visit a whorehouse.

realist

bigPalse,

It’s more like getting a note from your penis in order to visit a whorehouse.

VaughnSC

This sounds ludicrous - especially the patches and upgrades requirement. What if I have a specific reason (compatibility issues with my budget among them) to NOT upgrade my OS? Then what? Banishment?

This is an patently unworkable pipe-dream (pipe-nightmare?) conceived to let MS turn a liability into an extortion cash-cow (forced upgrades and patches that ‘incidentally’ expose ‘non-Genuine Windows’, etc, etc), causing all kinds of headaches and ‘false-positives’ for legitimate users and even Mac users who shouldn’t be subject to this ill-conceived bullhooey in the first place.

Quoting Ben Franklin for the bazillionth time this month, it seems:

“Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety”

Cale

Wouldn?t it be a lot easier to just block all Windows computers from accessing the net

MACs aren’t any safer than Windows machines, they’re just a smaller target.

vasic

No. They are safer. Target size is irrelevant; there are millions of Macs; more than Android phones, yet there are viruses for Android, and none yet for Macs.

Bosco (Brad Hutchings)

There goes vasic, making crap up as usual. Reference on viruses that affect Android, please?

ilikeimac

My university already does this.

My brother’s university did this too, and their brainless IT department had no solution for letting Macs on the network, so what did he do? He set up a proxy on an old PC so his and any other rogue computers could surf away! And suddenly we start continue to see why the health certificate idea would fail miserably.

Has anyone made a form letter for replying to proposals that claim to be a solution to viruses/malware/botnets? You know, similar to this: http://craphound.com/spamsolutions.txt

Cale

No. They are safer. Target size is irrelevant; there are millions of Macs; more than Android phones, yet there are viruses for Android, and none yet for Macs.

From a PC vs. MAc POV, you’re half right:

http://www.macobserver.com/tmo/article/Symantec_Mac_Virus_Hacker_Attacks_on_the_Rise/

vasic

Bosco:

Here you go.

(for now; I only had 30 seconds for googling). There are more, but I just don’t have time to dig them up.

Mac is safer. No amount of condescending, arrogant, offensive responses will make them any less so.

Is there a reason why you simply cannot be civil in your discussion? You don’t see anyone else here consistently wrapping their opinion in such impolite and disrespectful tone. You don’t know anyone here; you have no idea how old we all are, what we do for a living, how much experience, knowledge and wisdom we possess (not that any of that matters). Normally, children are taught to respect others. At least, to respect elders. You show no respect for anyone. Why?

Tyler

I love all of these “Get a Mac” type messages.. Why do you think the hackers go after Windows PC’s vs Mac’s?
Maybe because there are so many more of them…
If we all went to Mac’s then the hackers and the like would just move on over to hacking Mac’s.  Problems back, and then what, get rid of Mac?

Now for all of you who think I hate Mac’s, I don’t.  They are great computers, and this isn’t a anti-Mac post, it’s simply a THINK PEOPLE!!! post.

Apple’s are what, less than 5% of the Computer market right now?  So according to you posters, you think that makeing it 90%+ of the market will just fix everything.  HA, Ha, ha…
The same thing that happened to the Windows box’s will happen to Mac’s, they will become a target.

You have to remember, the hackers and others that are putting this stuff out there avoid Mac’s because of the amount of them out there, not because they aren’t going to go after them.

vasic

Aaaah, the old ‘security by obscurity’ myth, alive and quite well…

There is malware for software platforms significantly smaller than Mac. Someone even wrote malware for linux running on an iPod (a few dozen devices, at most). Several dozen viruses, worms and trojans for Linux (much smaller market share than Mac OS X).

There is only ONE main reason why there aren’t ANY pieces of malware for Mac OS X: it is much more difficult to write and distribute malware on Mac than on Windows. That’s it. Nothing else. Today’s malware is written for one sole purpose: illegal business (building and renting botnets for malicious activity). Targeting Mac makes little sense if you can easily penetrate Windows with very little effort.

d'nomder

Everyone here had better know that defeats/cracks/etc. for MS’s wonderful PC Health Cert will be widely available before the product itself ever hits the market.

Not to mention there WILL be a botched update from MS that locks everyone’s PC off the Internet.

The cat & mouse game will continue, just in a different arena.  There’s too much money involved for anyone to seriously expect organized crime to just give up.

xmattingly

Now for all of you who think I hate Mac?s, I don?t.? They are great computers, and this isn?t a anti-Mac post, it?s simply a THINK PEOPLE!!! post.

Apple?s are what, less than 5% of the Computer market right now?? So according to you posters, you think that makeing it 90%+ of the market will just fix everything.? HA, Ha, ha?
The same thing that happened to the Windows box?s will happen to Mac?s, they will become a target.

I don’t think you thought through your “think” post.

First, that tired cliche that “Macs are too small to bother writing viruses for” is older than dirt. That’s what they said when Mac OS X debuted and the virus comparison started. Then that’s what they said five years ago. And to this day, in spite of Apple’s very long reach with their iOS devices and growing computer market share, some people are STILL clinging to that excuse.

And second: Most of Apple’s customer base are middle class and above: ie. well-to-do people with lots of credit. And you believe that malware programmers have overlooked this?

BurmaYank

Apple?s are what, less than 5% of the Computer market right now??

As of last April, Gartner noted for US sales, “Apple Earns 8% PC Market Share on 34% YoY Growth

As of last June, when “Macs climbed 32.4 percent year-over-year... (this) gave Apple 3.4 percent market share of all computer sales worldwide...”

And, if Mac users actually always do keep using their Macs much longer than any other PC’s users do, then the Mac percentage of total PCs actually being used should always be higher than the the Market Share numbers would indicate.

Intruder

Here you go.

Trojan. Not virus. The press screws that up all the time.

And there are Trojans for the Mac.

//just sayin’

Bosco (Brad Hutchings)

And the user has to give that Trojan explicit permission to install and send SMS messages. Apparently you’ve never seen the install permissions screen on an Android phone. It’s scary. With bright orange text. It’s a hell of lot more information than my Mac gives me about software I install. And yet, you claim Macs are “safer”.

Like I said, making crap up.

vasic

Mr. Hutchings:

Is there a reason why you simply cannot be civil in your discussion? You don?t see anyone else here consistently wrapping their opinion in such impolite and disrespectful tone. You don?t know anyone here; you have no idea how old we all are, what we do for a living, how much experience, knowledge and wisdom we possess (not that any of that matters). Normally, children are taught to respect others. At least, to respect elders. You show no respect for anyone. Why?

Bosco (Brad Hutchings)

vasic: Just don’t spout mindless crap and nobody will refute you. It’s that simple. I certainly respect all here enough to believe that they are capable of filtering mindless crap from their obvious biases, even if they sometimes fall short.

On so-called Android Viruses, see the update at the bottom of this Fast Company story. If you’ve ever used an Android phone and the Marketplace, you would know at least at an intuitive level that Android combats malware problems with information. You are warned what phone resources the app uses. There are comments and ratings that warn of particular problems to watch out for. If you’ve dug into the technical aspects of Android, you’d also know that it would be very difficult for a virus to install itself. Much like the old joke about viruses on Mac OS, they require the user to install them.

On another respect angle… I respect all of you enough to just want to help you save some money. There are a lot of very, very nice products by companies other than Apple (including Adobe, Microsoft, Dell, Google, ASUS, HTC, Motorola, etc.) that 5 years ago, you would have considered truly *magical*. Just because Steve Jobs didn’t give them his blessing doesn’t mean they are crappy. But recognizing that starts with abandoning mindless crap like “only Apple products are free from malware”.

vasic

Just don?t spout mindless crap

There you go again. I have no issue with you (or anyone else) refuting arguments, even though you clearly show massive bias. That’s the essence of debate; you say what you think, I say what I think, you argue your case, I argue mine.

My issue (as well as, most likely, everyone else’s here, who engage in civilised debate) is the arrogance and lack of respect. Regardless of the substance of my (or anyone else’s) argument. Regardless of any perceived biases. Regardless of ANYTHING.

So, once again (third time):

Is there a reason why you simply cannot be civil in your discussion? You don?t see anyone else here consistently wrapping their opinion in such impolite and disrespectful tone. You don?t know anyone here; you have no idea how old we all are, what we do for a living, how much experience, knowledge and wisdom we possess (not that any of that matters). Normally, children are taught to respect others. At least, to respect elders. You show no respect for anyone. Why?

Bosco (Brad Hutchings)

@vasic, Even Intruder pointed out to you that the “virus” you cited on Android was a “trojan”, of which there are many you can download straight to your Mac from trusted sites such as MacUpdate.com. Hell, you can even use software I’ve written as spyware without so much as a warning to the target. I’d prefer you didn’t—but if you do, it’s equally workable on Mac or Windows.

So yes, what you wrote was completely mindless. And it was crap. I simply abbreviated that as “mindless crap”. Strive to do better next time.

But since you’re hung up on respect, how about if you just admit you were spewing mindless crap and I’ll get off your lawn. Deal?

VaughnSC

Of course, I just may get jumped on by both parties (ain’t that always the case?), but it seems this squabble has jumped threads.

Analogy: I come from a creative background. When speculating about solutions and strategies, especially when dealing with unknowns (like ‘what does ‘competitor’ have up its sleeve for next year?) we’d ‘brainstorm,’ which means to get together and basic spout every hare-brained idea and write them down.

Surprisingly enough, leaving ‘common sense’ out of the equation leads to notions that can later develop into unprecendented solutions.

The interchange of ideas and viewpoints, good and bad, is precious; even those I call ‘brain-farts’ (‘smells like shite, but has no substance’). Let’s not hamper it with knee-jerk reactions.

Brad, you could certainly eliminate the ‘ad hominem’ component and refute the idea, not vilify the speaker.

vasic, you could cool down and not rise to the bait, even if it is a repeat offense. In fairness, I have seen you take your own pot-shots even when Brad is not participating.

Can we get back on topic?

Partsmutt

MACs aren?t any safer than Windows machines, they?re just a smaller target.

I think smaller target is a misused and inaccurate reason.  Linux is a smaller target too and is disproportionately attacked compared to Macs.  Without getting too far off topic I’ll just say that the Mac is a less appealing target because Apple isn’t seen as “The Man” and Microsoft is.  (Though really, Apple moving into the mainstream consumer electronics market is changing that status daily).  As someone who makes a living hacking (legally) I can tell you with 100% certainty that a properly patched up to date Mac OSX system is not more secure than a properly patched up to date Windows system.  However Security and Safety are 2 different things, and I do believe the Mac system is MUCH safer.  Viruses, malware etc are only one attack vector.  Attacks through websites, installation of rootkits and other methods are possible as well.  User intelligence goes a long way to keeping secure.

Bryan Chaffin

So yes, what you wrote was completely mindless. And it was crap. I simply abbreviated that as ?mindless crap?. Strive to do better next time.

But since you?re hung up on respect, how about if you just admit you were spewing mindless crap and I?ll get off your lawn. Deal?

Brad, it was a minor mistake, far from mindless crap. As Intruder also noted, people mix and match trojans, malware, and viruses all the time. A simple correction, as Intruder politely made, would have sufficed.

We have great people here, including you (and you know how much I respect you), but I want everyone keeping things civil.

vasic

Trojans/worms/viruses = malware. I can’t believe we’re actually arguing over how precisely to call the malware!! It has been widely accepted, even in the IT industry, that when you say ‘virus’, it also implies other kind of malware. Anti-virus software doesn’t only work against viruses, you know; it catches trojans, worms and many other types of malware.

Once again, your language continues to be offensive, condescending and arrogant. I’m sure you’re absolutely convinced that you are correct, but again, that is NOT RELEVANT.

Will you ever answer my question, WHY are you arrogant, condescending and offensive? Nobody on this forum has done or said anything to you, or anyone else, to offend you in any way. So, for the FOURTH TIME, WHY???

Bryan Chaffin

Vasic, the difference is more than semantic.  Every platform has malware and trojans. Convince someone to download and open or install malware, and no platform can be secure as we understand computing today.

A virus, though, is malicious code that can self-propagate and spread itself to other computers.

It was viruses that gave Microsoft so many headaches in the late 1990s and early 2000s, and it’s viruses that Macs have been almost entirely immune to all this time.  But there are trojans targeting every platform that I know about, including Mac OS X and iOS (and Android and Windows and Linux, ad nauseum).

Thus the distinction matters.

Bosco (Brad Hutchings)

Vaughn nailed it. There are a few here, vasic is one, who have no problem repeatedly dishing personal venom with names attached in previous threads, and get their panties in a bunch when it comes back at them. See, there he goes again, this time pretending to be innocent while extending the ad-hominem! Hilarious.

vasic

Good bye everyone. Brad, you win.

Bryan Chaffin

You’re right, Brad, far more ad hominem attacks have been aimed at you over the years than have come from you. For that, I’m embarrassed.

I personally enjoy the way your posts challenge all of us to think differently about things (and I often disagree with you), and I’ve always understood that many people find such challenges threatening.

So I’ve usually let it go when things get a little overheated, because let’s be honest and acknowledge that a discourteous conversation in our forums and comments would pass for a glorious day of civil discourse at most sites!

But I let the envelope get pushed too far back by too many parties, and for that I apologize. The vitriol has risen to unacceptable levels from too many people, and it’s time I put a stop to that. We have smart adults here, and I want to keep it that way.

So I am officially (re)demanding that everyone be civil. Everyone.

VaughnSC

Well, I say Scott Charney is ‘spewing mindless crap’ smile

You know, the ‘man and his pet idea’ that this story was about.

Next, he’ll want to quarantine keyboards with pet hair, for fear of fleas.

Bryan Chaffin

Ha

Well, I say Scott Charney is ?spewing mindless crap?

Ha! That’s pretty funny, Vaughn. smile

I’ve certainly spewed plenty of ad hominem and vicious attacks in my columns, and I’m totally OK with people writing similar editorials about me.

I’m even OK with readers calling me an idiot, or worse, but when discussing issues within the comments, we need to be respectful and courteous to each other, even when vehemently disagreeing.

Bosco (Brad Hutchings)

Vaughn nails it again. I’m starting to realize that Apple isn’t exceptionally evil, they’ve just lowered themselves to the level of some of their competition of late. I mean, just when Microsoft starts to look acceptable with Windows 7, they let this guy out in public.

Bryan, you have nothing to be embarrassed about.

Intruder

Unfortunately, to succeed you sometimes have to get your hands dirty. I think sometimes Apple goes a bit overboard, but considering they’ve been labeled “beleaguered” far longer than they’ve been labeled successful, you can’t really blame them for overreacting occasionally. Evil? No. Becoming more ruthless and protective? Yep.

More on topic, what the esteemed Mr. Charney is proposing is doomed to failure from the start. First and foremost it puts all the onus on the computer user (keep up to date, etc.) and doesn’t address the main causes. Active pursuit of botnets and those who control them, active prosecution of phishers, spammers and malware producers and possibly a complete redoing of the core of Windows (which is the largest and most vulnerable target for a number of reasons), would be much more effective than a “health certificate” that would be hacked weeks before it is even rolled out.

The man is dreaming. Or delusional.

Chicago Car Accident Lawyer

This is not a solution to the problem as someone will come up with a way of doing a fake certificate. The problem is substantial and effects many people in this struggling economy who are not financially able to simply replace their infected laptops. Perhaps a free clinc for ill laptops? Stefanie H., Chicago Car Accident Lawyer

Log-in to comment