Microsoft wants to put infected PCs in rubber room

A top Microsoft executive is floating the idea of creating mandatory quarantines for computers with malware infections that pose a risk to internet users. The informal proposal, made Tuesday by Microsoft Vice President of Trustworthy Computing Scott Charney, was short on specifics, such as who would be responsible for …

COMMENTS

This topic is closed for new posts.
  1. heyrick Silver badge
    FAIL

    Dumbass...

    He might have a point if the owners of quarantined computers were ones upon which the virus was written that infected itself... but they're often just as innocent as other potential victims. His analogy sucks, and with thinking like that, I don't want to hear about "the cloud" from him.

    FAIL.

    1. Number6

      But...

      At least they'd discover the problem and could seek help to fix it and be educated in how to avoid it in the future. The problem with most infected PCs is because the owners are unaware and probably not techie enough to think to check.

      I have no problem with the rubber room concept provided there's a helpful man in a white coat who can assist you to get out. Now, who pays for it is another argument entirely...

      1. heyrick Silver badge

        The rubber room concept...

        ...makes sense, provided you understand what is going on. Explain that to somebody that thinks IE is "the Internet".

        Thanks to Microsoft's EU-mandated update, I have a bunch of grannies asking my advice regarding the choice of browser. My advice? Ignore it, carry on as you were.

        You might be screaming at me for letting them carry on with IE, however of those I installed Firefox for, the usual response is "No, this doesn't work like it used to, put the old one back".

        Now, you'll explain a mandatory quarantine HOW?

  2. Steve Evans
    Gates Horns

    Maybe...

    Maybe if M$ didn't distribute system knobbling software like WGA, maybe those machines would have stayed on auto update and be patched against a lot of the exploits that are currently doing the rounds... But no, you didn't want people using your software illegally, and now there are countries full of machines which haven't had an update since XP SP2.

    Thanks so much.

    Personally I think ISPs should do a bit of monitoring... A machine suddenly making 100 SMTP connections to multiple servers over the course of an hour should make alarm bells start ringing.

    Surely not too hard to spot, when you've finished checking for P2P connections of course.

    1. The Original Steve

      Huh?

      WGA has no impact on automatic security updates.

      For the whole lifecycle of the product Microsoft provides free security updates. Pirated or legal copy of the OS.

      You can take off your tin foil hat now.

    2. Sean Timarco Baggaley
      FAIL

      Huh?

      So people *steal* a commercial OS, and then whine when said OS' vendor—a company that has never made any secret about wanting to be *paid* for its work—tells you to piss off and *buy* a copy when you demand they give you updates they've developed at their own expense for *free*? Seriously? Do you have any idea how f*cked-up that sounds?

      Why the hell do you expect *any* business to act like a charity, just because you have a misplaced sense of entitlement? Is your business and / or personal data really so worthless that you can't afford £60 to buy a *legal* copy of Windows?

      If you really don't think Windows is worth the price, sod off and buy Linux. There's no shortage of people wanking on here about how awesome it is.

    3. heyrick Silver badge

      100 SMTP connections per hour...

      My ISP blocks all outgoing SMTP servers. I have to use the orange one. It is quick, reliable, and doesn't care who I claim to be (I usually set up accounts and then just say "use orange SMTP").

      I would imagine it would only start to interfere if I posted to many CCs and/or fired off a mass of mails from the same IP.

  3. Pete 2 Silver badge

    a faulty paradigm

    > You don't have the right to infect your neighbour

    Except in cases where one person deliberately infects another (with, say AIDS) we tend to forgive people who pass on coughs and sneezes. We also tend not to know where we get other diseases from - probably just as well, otherwise the "no win no fee" parasites would have a field day. The point about this is that we're quite good at healing ourselves, so any ill effects are soon cured.

    What this guy seems to forget is that operating systems (one variety at least) are hopeless at defending themselves against attack. In evolutionary terms, they'd have died off before the dinosaurs. Probably the very first time their hosts ate a slightly unripe berry. Maybe MS should spend the money we've paid them in developing a product that has the resilience to deal with attacks and if not cure themselves, then at least mitigate an attack's effect to the level of a sneeze, rather than bubonic plague.

    1. Quxy
      FAIL

      Worse, M$ wants the rest of us to pay for it

      Unfortunately, this clown is proposing a universal Internet Tax to pay for the rubber rooms, rather than using Microsoft profits to fix Microsoft problems:

      http://www.itworld.com/software/98522/microsofts-charney-suggests-net-tax-clean-computers

      1. Rob Moir

        and...?

        Who would pay, then, if a bunch of Linux machines got taken out by a worm?

        1. Anonymous Coward
          Anonymous Coward

          @ Rob Moir

          That's a good point. Under the scheme of taxing people to quarantine them, everyone could be quarantined in the knowledge that they had paid for it. How could someone suggest that the company which actually wants this scheme implemented, rather than the public which doesn't give a shit, should pay for it? Imagine that some freeloader is using FreeBSD when they get to have their Internet connection cut off completely free of charge! Bloody thieving bastards!

  4. Bilgepipe
    Thumb Up

    A Better Idea

    Here's a better idea: rather than quarantine malware-infested computers, why not do the owners a favour and give them an operating system that isn't a steaming pile of fresh manure, such as...... well, anything other than Windows. That way, they get a better computing experience and the internet becomes a better place.

    1. Anonymous Coward
      Flame

      How many times...

      obscurity != security

      Go look up pwn to own.

      1. The BigYin

        He may have meant...

        ...a more open OS. You know, one where you could go and look at the code if you wanted.

        The people who rely on obscurity are the likes of MS and their shills.

      2. Bilgepipe
        FAIL

        Pwn to Own

        Pwn to Own is a bunch of self-congratulatory 1337 haxxors trying to get a free laptop and represents nothing to do with the real world. Try again.

  5. Geoff Mackenzie

    Put Microsoft in a rubber room

    and the problem of malware infected PCs will go away by itself.

    1. Big-nosed Pengie
      Linux

      You beat me to it.

      Just block all Windwoes PCs from the Internet. Problem solved.

  6. The Cube
    Thumb Up

    "You don't have the right to infect your neighbor"

    Really?

    What about all those diseased gits on the train being "heroes" and going to work "even though" they are sick, coughing their germs all over everyone else and infecting half the population then? Can we throw them off the train?

    More importantly can we throw infected Windows machines out of the nearest window?

    1. Anonymous Coward
      Anonymous Coward

      I'd rather

      throw the gits off the train...along with all the twats shouting into their mobiles. A moving train, that is.

      Meanwhile, if "You have a right to infect and give yourself illness. You don't have the right to infect your neighbor. Computers are the same way", what was the reason for banging up people for dope again?

    2. Cameron Colley

      'being "heroes" '?

      I think you mean "not losing their jobs". You may be lucky enough to work somewhere where "I feel like shit and am coughing my guts up" is a valid reason for being off work but not all of us do. Some of us work places where you are questioned about each and every day you take off and told things like "sometimes you feel bad in the morning but get better later on, so perhaps you could come in and see how you feel?".

      1. Anonymous Coward
        Anonymous Coward

        Take a stand...

        Every time you are off you should have a back to work interview, and as part of H&S best practice they should ask if work was the cause. Tell them it was, as there is a policy of discouraging people from taking time off ill. Get a few people to do it and it won't be long until the HR droids are knocking on your boss's door (If you work for a half way ethical company, if not get the hell out).

  7. jake Silver badge

    So, essentially ...

    Microsoft is proposing an intranet for computers running Microsoft software, thus leaving the rest of us alone? Sounds good to me!

  8. Anonymous Coward
    Anonymous Coward

    So, just quarantine all the PCs running Windows

    job's a good 'un.

  9. LenH
    Alert

    Security Patches

    Why not allow security patches to be installed even on pirated copies of Windows? That would take down a lot of surface area for malware.

    1. The Original Steve

      You can

      Microsoft doesn't stop Windows update from getting security patches because of WGA failure.

    2. A J Stiles
      Pirate

      Whiskey Tango Foxtrot?

      "Why not allow security patches to be installed even on pirated copies of Windows?" -- what have you been smoking?

      Pirate copies of Windows are pirate copies of Windows, and whoever is running them needs busting for copyright violation -- *not* encouraging to leech off others as though that was normal behaviour. If a malware infection is traced to a compromised PC and it turns out to be running an unauthorised copy of Windows, the owner should get the book thrown at them.

      Look, if you don't want to pay for software, that's fine -- just don't use software you are supposed to pay for. How freakin' hard is that already?

  10. Anonymous Coward
    Paris Hilton

    Ah... a shame?

    bout time too?

  11. Anonymous Coward
    Stop

    How to clean

    Most of these implementations would leave people with no way to fix their infected PC (other than to ship it off to be fixed.) So you can place all your data into the cloud, but then Microsoft gets to lock you out until you get a new PC? This is assuming they are behind a NAT, and so they will likely be forced to block all devices on that same NAT. Also that paid repair is going to cost more than replacing the PC.

  12. Anonymous Coward
    Thumb Down

    an aside

    "U-Prove is being used to help the German government roll out its electronic ID card system" - interesting, presumably the cuddly Kim Cameron we're-on-your-side-ID-mongers (http://www.identityblog.com/, http://msdn.microsoft.com/en-us/library/aa983293.aspx, http://www.theregister.co.uk/2006/03/28/infocard_identity/, etc ad nauseam) will be selling this to uk.gov?

  13. Mark 65

    Really?

    "A top Microsoft executive is floating the idea of creating mandatory quarantines for computers with malware infections that pose a risk to internet users."

    Can of worms meet opener.

    1. Anonymous Coward
      Anonymous Coward

      Oh yes!

      While you couldn't really blame Microsoft for vulnerabilities that are fixed ASAP, they'd sure warrant severe penalties for the ones they don't fix in any sort of a hurry!

      Then we have to look at vulnerabilities in Microsoft products that exist because they had the choice of making something that would sell more/quicker or something that was secure. Most of these owners of infected machines, are, precisely because Microsoft skimped on security for profit. Into which category also you could include tacitly releasing 'beta' products, i.e. Windows This, Windows That, Windows TheOther, for testing on the customer.

      Can of worms indeed!

      Ha ha ha!

  14. Frozen Ghost

    You don't have the right to infect your neighbour

    I thought most malware was spread through compromised webservers, dodgy downloads and stupid people. With most people behind a NAT nowadays I cannot believe that a malware infection on a normal PC could attack others and spread unless they were on a local network - which rather defeats the point of banning them from the internet.

  15. Stephen Bungay

    ISPs can't be trusted...

    I run a Linux shop, no Windows PCs anywhere. Imagine my surprise when I got an automated message informing me that I had to visit my ISP's security page, download and install their security suite, and clean my computers or they would cut me off. So much for the ISP being able to do the job.

    1. Anonymous Coward
      Thumb Down

      Do you know they were clean because

      You run Linux, or you checked? If it's the first then your system may well be riddled with the stuff, because Linux is not 100% proof against infection. If it's the second then you are unfairly having a go at MS.

      1. Anonymous Coward
        Anonymous Coward

        I think ...

        I think the "security suite" they made him download and run is probably a Windows thing. They won't let him use the service until their software reports back to them from the Windows machine they forced him to install it on. But I could be wrong.

  16. zedee
    Thumb Up

    Metronet

    Metronet (smaller UK ISP which got bought by the Plusnet borg) was doing this back in 2005.

    Infected by a bot, spewing spam traffic?

    Automated port blocking, with browse redirection to a helpful page.

    Tidy.

  17. Anonymous Coward
    Anonymous Coward

    MOT-esque Process?

    What if, every six months or so, you just had to prove to your ISP that your OS and popular Internet-facing apps had the latest security patches applied? (that's _security_patches_, not feature updates)

    Then, if you're found to be running software with known security flaws, you are prompted to update the software before being allowed unfettered access to the Internet.

    Oh, and anyone who is stupid enough to install a fake "ISP validation tool" would be banned from the Internet forever.

    1. Anonymous Coward
      Anonymous Coward

      More Bad Analogies

      The MOT isn't a bad idea as such, but why prove it to your ISP? It should never be up to the ISP to police the internet. Governments are proving very slow to catch up with things online, but every country really should have a single agency that has oversight of the internet. No, not OFCON, we need something that has some teeth.

      1. Paul 4

        What about...

        people who know what they are doing? People who don't want to up-date with some patches? MS are well known for breaking things with iffy patches, that's why you have the choice too...

    2. heyrick Silver badge

      Sounds good...

      ...so long as the ISP can prove to me that the places I may visit and the files that may be cached on my system will be virus free.

      Given that my site was compromised a while back, and two friends have had theirs compromised more recently, not to mention the current F1=pwn, it might be interesting to know:

      1. What is the dispersal rate between email viri and nasty stuff lurking in web pages.

      2. Is lurking web page stuff able to autoinfect, or does it need user interaction?

      3. Is email stuff able to autoinfect, or does it need user interaction?

      My personal feeling is that the quarantine is a solution looking for an outdated problem, and that the more likely current risk is malicious content which resides on various servers and NOT a case of user machine to user machine cross infection, which is kinda '90s...

  18. Treacle
    FAIL

    By what means "detect", exactly?

    "mandatory quarantines for computers with malware infections"

    Sounds great (if impossible). But how to start? Since no one anti-malware software can detect everything, and new viruses appear regularly that evade even a collection of scanners, by what possible mechanism could we determine if a machine has the latest botnet beastie swimming around in its boot sector, infecting its neighbors?

    Besides, even if we were able to "rubber room" all currently infected PCs, by jove, we'd likely have half the Windows PCs off the Net tomorrow! If not more!

    Yes, please give us a way to effectively combat the insane tide of Windows-infective virus material out there -- we sysadmins are getting the piss taken out of us currently.

  19. This post has been deleted by its author

  20. This post has been deleted by its author

  21. Peter 39
    Alert

    presumption of innocence ?

    I'd start by including ALL Windows machines in the rubber room.

    Let out the ones that can pass a cleanliness check.

    @AC: the rubber room can let owners onto fix-up places. They don't have to be denied absolutely every access. This is well-understood technology. And the NAT issue is soluble too.

  22. amanfromMars 1 Silver badge

    Quip of the Week so Far.

    ""A top Microsoft executive is floating the idea of creating mandatory quarantines for computers with malware infections that pose a risk to internet users."

    Can of worms meet opener." ... Mark 65 Posted Tuesday 2nd March 2010 23:27 GMT

    That had me a'tittering, Mark 65. Thanks ..... a'Titter is Good for You.

  23. Flocke Kroes Silver badge

    Old half idea - still waiting for the other half

    Decades ago some ISPs tried contacting their customers with infected PCs and helping them deal with their problems. The result was often a happy customer not wasting the ISP's bandwidth with spam. The other possibility was an angry customer wasting a competitor's bandwidth with spam. I am not sure it would still work - malware is smarter and customers are more computer illiterate.

    ISPs compete hard on price. If they put up their prices a little and offer a discount for not running malware then there is a chance customers will make an effort to keep their machines clean.

    Incorporate Microsoft's BSD licensed source code today and get hit for patent infringement tomorrow. Even a PHB can see that one coming.

  24. Simon Neill

    Patches and diseases...

    "Why not allow security patches to be installed even on pirated copies of Windows? That would take down a lot of surface area for malware."

    They do. Even pirate copies can install critical updates, it's the less important bug fixes and usability they miss out on.

    As for forgiving people for sneezing on us, yes we do. However people do tend to get rather annoyed when someone phones them 6 months later to tell you to get a HIV test. Perhaps the people being quarantined ARE victims, but the quarantine would then make them take their computer to someone to get fixed surely, thus they stop being a victim.

  25. The BigYin

    Hmm...

    ...I have no issue with infected PCs being blocked by the ISP (after their own scanning, or someone alerting them) and the owner being made to cover all costs incurred (including clean-up - they can take it to a certified engineer if needs be). People need to wise-up to their on-line responsibilities.

    But for MS to propose such measures is a bit beyond the pale. If their OS was not SO EASY to infect and subvert, we would not have these issues. *nixes (and I include OS X) are not immune, but they are a shit-load harder to subvert with the tricks that work on Windows. They are also a heterogeneous and compatible environment, so it would be extremely hard for one piece of malware to infect more than a subset of machines.

    Often it is not the OS that is actually infected, but some application (e.g. MS Office) that is bent to the will of the hacker. If you are lucky, MS will update this on a random Tuesday. But what if it was a non-MS app? You've got little help unless you actively seek out the patch/new version.

    The update mechanism on any modern Linux distro (I don't know about OS X, sorry) is vastly superior to the one on Windows; it takes care not only of the OS and ancillary systems, but also all applications that have been installed via the certified repositories (or whatever your particular brand of Linux happens to call them). No need to go looking, your system will check for updates once a day (or whatever you set it to).

    One side effect is that you may get a batch of updates every day. This is a "Good Thing"(tm) as you get the fix as soon as it is ready and don't have to wait for that special Tuesday. Reboots are rare due to how *nix deals with files and it is all over in a few mouse clicks (or a few terminal commands if you prefer). (And yes, you can modify how all this works for the corporate environment).

    If the world moved to Linux (or OS X, BSD, Haiku...) tomorrow, viruses, rootkits, trojans etc would not vanish, but they would become much, much harder to forge given the reasons above. The only losers would be Symantec et al.

    So, by all means, block infected machines, but ask yourself why such measures should be necessary. If the internet is the "information super highway", then Windows PCs are unfit for the road and fail their MOT (or TUV or...)

  26. Richard Porter
    Thumb Down

    @a better idea

    No, quarantining all MS computers wouldn't be a good idea because the miscreants will then go after other OSs. How do you keep flies out of the kitchen? - put a bucket of shit in the living room. M$ is the bucket of shit. We have to be thankful for Tesco because it keeps the riff-raff out of Sainsbury's (and Sainsbury's keeps hoi polloi out of Waitrose). In other words we need lots of people to use Windows, get themselves infected, give away all their banking details etc so the rest of us can have a bit of peace.

    1. A J Stiles
      Linux

      Not true

      "quarantining all MS computers wouldn't be a good idea because the miscreants will then go after other OSs" -- but you're forgetting that other OSs tend to have such concepts baked in as privilege separation, non-executable files and running on different architectures beside 80x86, making them inherently *much* harder to attack than Windows.

    2. jake Silver badge

      No flies here ...

      "How do you keep flies out of the kitchen?"

      If you don't give them anything to eat and/or lay their eggs on, they will leave you alone. In other words, cleanliness is next to flylessness ... My kitchens are at a horse ranch, and the kitchens/living quarters (and most of the AI/foaling barn/mare motel) are the ONLY places that we don't have fly issues during the summer, without chemical help. I'll leave it as an exercise to the reader how to apply this to modern operating systems.

      As a side note, if you have a fly or flies annoying you indoors, close all the curtains & open a window/door to the outside. The flies will always move from dark to light ... At night, turn out the house lights, open a door, and turn on a car/bike headlight outside. The flies will leave of their own accord. Don't laugh ... try it.

  27. Richard Porter
    FAIL

    @a faulty paradigm

    No, it's not like catching a cold. It's more like leaving your front door wide open and then complaining if you get burgled.

  28. Anonymous Coward
    Pint

    @Metronet (RIP)

    I see someone else beat me to it wrt to the small but perfectly formed (and afaik internally Windows-free and Redback-free and Cisco-free) UK ISP Metronet, who had automated mechanisms to spot infested punters and isolate them.

    Paresh, Alex, James, and the other half dozen or so of you (there weren't many staff but they punched way above their weight), where are you now, your country needs you (and your Support Wiki) more than it ever did.

    Sniff.

  29. Anonymous Coward
    Thumb Up

    alternative method

    Simply use a decent malware scanner, firewall and don't generally be a thick twat (hint: if a web pop up tells you that you have a virus and need to install their scanner to remove it, don't), then let everyone else that doesn't, have their PC just die.

  30. Anonymous Coward
    Anonymous Coward

    So....

    ....what they are talking about is essentially implementing NAC across the interwebs? Not only is there the issue of the cost of such a system, but there is the even bigger issue of getting every nation in the world to put in place the necessary legislation. Good luck with that. WTF is the point of having the law in place only in the US?

    The analogy is crap anyway. Smoking? Yes there is evidence that you can become ill as a result of breathing second hand smoke. Having an infected PC is not like smoking in public. Having an infected PC is like having a cold, so in effect he is saying that the EPA should pass a law quarantining every single human being with any form of infectious illness. What a fucktard.

    When it comes to building an analogy he should get a clue from the word virus. It's been in use for decades in IT because it works as an analogy. A biological virus is a pretty good analogue of self propagating malware. If he stuck to the tried and tested analogy rather than inventing his own he'd realise that most of the rest of his diatribe is nonsense.

  31. Rich 27

    I love this concept!!

    I think he's right.

    The OS should be a first defense against most if not all of the crap that's floating around on the net. It can at least detect if malware prevention systems are in place / active and up to date. If they're not, kill port 80 :) that alone would nicely annoy almost everyone. While at the same time giving us techs a nice little side earner fixing stuff like that.

    But the serious point of preventing the spreading of malware around the net to others I reckon is spot on. We need more ideas like this!!!

  32. Remy Redert

    re: @a better idea

    Except for the part where if we can make it sufficiently hard on the malware devs, the effort required will outweigh the potential profits. At that point we can go back to malware the way it used to be. The occasional serious pest released by a bunch of mischievous coders, that can cause a variety of annoyances up to and including bricking the OS.

  33. Shane Kent

    MS has given up...

    MS wants to give up filling pot holes, and hoping to make "their" life easier by closing streets. You ever get the feeling you are driving a LAN car on the WAN highway?

  34. Anonymous Coward
    Coat

    "driving a LAN car on the WAN highway"

    Microsoft are WAN cars.

  35. Anonymous Coward
    Flame

    Stating the OBVIOUS

    MS might try creating a SECURE operating system and applications, but that is hard and MS is incompetent at security . . . so now they want to compensate for their ineptitude by quarantine from the dark ages.

  36. heyrick Silver badge

    I've been thinking about this...

    I think the concept of "cloud" has to transcend operating systems entirely. Network applications should run in a sandbox (think Java-like). This will be useful as the client will only need basic access rights as cloud will host much of the data.

    Then, data needs to be downgraded to data. Just... data. Not "document with scripting" or any of those other woeful security fails, just data. Interpreted by the cloud application, which is sandboxed. If it is well-designed, download/use times could be mitigated by making it modular with the user downloading sort-of on demand the bits they need to get a job done. Think of the RISC OS module scheme applied to a word processor. Why download all the code for laying out tables if the majority of documents you create won't contain them?

    This will require (and forgive me for using the expression) a paradigm shift in the way applications are written.

    So the question is not so much "how secure is your computer in the cloud" but rather how secure is the cloud going to make itself? Along with this abstraction from current principles (and hulking applications like any number of office suites) will be an abstraction from actual operating systems, so in the end the base hardware does not really matter, be it a Win7 PC, a Mac, an ARM tablet, or a clever hack to an aging Amiga...

    There's no "ding!" lightbulb icon.
