Vulnerabilities / Threats
2/15/2011
12:39 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

RSA: Microsoft Revises Computer Quarantine Proposal

Scott Charney now believes users should present claims about the health of their computers without the involvement of ISPs.

At the RSA conference in San Francisco, Calif., on Tuesday Scott Charney, Microsoft's corporate vice president for trustworthy computing, revised his controversial call to apply the public health model to cybersecurity.

Charney had previously proposed that computers should be required to present cryptographically signed claims to ISPs about their health -- as measured by the absence of infectious malware -- before being granted network access.

But rather than push for an authoritarian approach in which infected machines could be quarantined and kept offline, Charney has come to believe that a community-based paradigm, in which users present machine health claims directly to Web services, without the involvement of ISPs, presents a more workable path.

"What's really changed is that as we started thinking more about the identity model, where you pass claims about your identity, we realized a better model is to pass claims about machine health, where the user controls the claims," he said in an interview last week.

Charney acknowledged that his message -- presented under the theme "Collective Defense" -- is not really a new one. He and his company remain interested in leveraging identity as a means of enhancing network security -- primarily through its Windows CardSpace identity system -- without doing away with the possibility of anonymity.

Identity, says Charney, is even more important as we shift toward a cloud computing model because so much information can be accessed through the network. But Charney now sees value in putting users rather than ISPs in control of the security-related claims process.

"It's not about gating people's access to the Internet," he said. "It's really about taking preventive measures to ensure they have a healthy experience on the Internet."

When Charney first proposed applying the public health model to cybersecurity last year, Electronic Frontier Foundation legal director Cindy Cohn urged caution in using the public health model for computer security until the implications are more fully understood. Her concern was that users could find themselves denied network access without adequate safeguards.

Part of what has prompted Charney to revise his suggestion is the extent to which the Internet has become indispensable. "Increasingly around the world, access to the Internet is being viewed as a fundamental right," he said. "That's an important change in perception."

Charney acknowledges that we have other fundamental rights, like freedom of speech, and says that while these rights are not absolute, they're of such importance that you want to be sure that security needs don't impact those rights in an unreasonable or unnecessary way.

"This model of passing health claims is actually what companies do today with network access protection," he said," where you pass a machine claim that your antivirus and your patches are up to date. And if not, your CIO and your company help remediate your machine. We realized with a claims-based model, that could scale to the public as well."

"The beauty of this model is the user remains in control," said Charney in his keynote address.

Charney argued that finally the social, political, economic, and IT spheres are aligning to make collaborative cybersecurity more workable. He suggested that rather advancing one cybersecurity policy, we need four: one for cybercrime, one for economic espionage, one for military espionage, and one for cyber warfare.

The first three, he said, are problems with precedents. We can harmonize laws to better address cybercrime, use diplomacy to press for international behavioral standards to limit economic espionage, and accept that we're not going to get rid of military espionage, which has persisted for centuries. Cyber warfare he sees as uncharted territory since it's not clear how nations should respond to the theft or destruction of data.

Justifying his advocacy of a public health model for computer security, Charney suggested considering other shared environments like public schools, where children are required to be vaccinated. "We need to make sure that people understand this is a shared and integrated domain," he said.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.