Vulnerabilities / Threats
2/15/2011
12:39 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

RSA: Microsoft Revises Computer Quarantine Proposal

Scott Charney now believes users should present claims about the health of their computers without the involvement of ISPs.

At the RSA conference in San Francisco, Calif., on Tuesday Scott Charney, Microsoft's corporate vice president for trustworthy computing, revised his controversial call to apply the public health model to cybersecurity.

Charney had previously proposed that computers should be required to present cryptographically signed claims to ISPs about their health -- as measured by the absence of infectious malware -- before being granted network access.

But rather than push for an authoritarian approach in which infected machines could be quarantined and kept offline, Charney has come to believe that a community-based paradigm, in which users present machine health claims directly to Web services, without the involvement of ISPs, presents a more workable path.

"What's really changed is that as we started thinking more about the identity model, where you pass claims about your identity, we realized a better model is to pass claims about machine health, where the user controls the claims," he said in an interview last week.

Charney acknowledged that his message -- presented under the theme "Collective Defense" -- is not really a new one. He and his company remain interested in leveraging identity as a means of enhancing network security -- primarily through its Windows CardSpace identity system -- without doing away with the possibility of anonymity.

Identity, says Charney, is even more important as we shift toward a cloud computing model because so much information can be accessed through the network. But Charney now sees value in putting users rather than ISPs in control of the security-related claims process.

"It's not about gating people's access to the Internet," he said. "It's really about taking preventive measures to ensure they have a healthy experience on the Internet."

When Charney first proposed applying the public health model to cybersecurity last year, Electronic Frontier Foundation legal director Cindy Cohn urged caution in using the public health model for computer security until the implications are more fully understood. Her concern was that users could find themselves denied network access without adequate safeguards.

Part of what has prompted Charney to revise his suggestion is the extent to which the Internet has become indispensable. "Increasingly around the world, access to the Internet is being viewed as a fundamental right," he said. "That's an important change in perception."

Charney acknowledges that we have other fundamental rights, like freedom of speech, and says that while these rights are not absolute, they're of such importance that you want to be sure that security needs don't impact those rights in an unreasonable or unnecessary way.

"This model of passing health claims is actually what companies do today with network access protection," he said," where you pass a machine claim that your antivirus and your patches are up to date. And if not, your CIO and your company help remediate your machine. We realized with a claims-based model, that could scale to the public as well."

"The beauty of this model is the user remains in control," said Charney in his keynote address.

Charney argued that finally the social, political, economic, and IT spheres are aligning to make collaborative cybersecurity more workable. He suggested that rather advancing one cybersecurity policy, we need four: one for cybercrime, one for economic espionage, one for military espionage, and one for cyber warfare.

The first three, he said, are problems with precedents. We can harmonize laws to better address cybercrime, use diplomacy to press for international behavioral standards to limit economic espionage, and accept that we're not going to get rid of military espionage, which has persisted for centuries. Cyber warfare he sees as uncharted territory since it's not clear how nations should respond to the theft or destruction of data.

Justifying his advocacy of a public health model for computer security, Charney suggested considering other shared environments like public schools, where children are required to be vaccinated. "We need to make sure that people understand this is a shared and integrated domain," he said.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.