Vulnerabilities / Threats
2/15/2011
12:39 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

RSA: Microsoft Revises Computer Quarantine Proposal

Scott Charney now believes users should present claims about the health of their computers without the involvement of ISPs.

At the RSA conference in San Francisco, Calif., on Tuesday Scott Charney, Microsoft's corporate vice president for trustworthy computing, revised his controversial call to apply the public health model to cybersecurity.

Charney had previously proposed that computers should be required to present cryptographically signed claims to ISPs about their health -- as measured by the absence of infectious malware -- before being granted network access.

But rather than push for an authoritarian approach in which infected machines could be quarantined and kept offline, Charney has come to believe that a community-based paradigm, in which users present machine health claims directly to Web services, without the involvement of ISPs, presents a more workable path.

"What's really changed is that as we started thinking more about the identity model, where you pass claims about your identity, we realized a better model is to pass claims about machine health, where the user controls the claims," he said in an interview last week.

Charney acknowledged that his message -- presented under the theme "Collective Defense" -- is not really a new one. He and his company remain interested in leveraging identity as a means of enhancing network security -- primarily through its Windows CardSpace identity system -- without doing away with the possibility of anonymity.

Identity, says Charney, is even more important as we shift toward a cloud computing model because so much information can be accessed through the network. But Charney now sees value in putting users rather than ISPs in control of the security-related claims process.

"It's not about gating people's access to the Internet," he said. "It's really about taking preventive measures to ensure they have a healthy experience on the Internet."

When Charney first proposed applying the public health model to cybersecurity last year, Electronic Frontier Foundation legal director Cindy Cohn urged caution in using the public health model for computer security until the implications are more fully understood. Her concern was that users could find themselves denied network access without adequate safeguards.

Part of what has prompted Charney to revise his suggestion is the extent to which the Internet has become indispensable. "Increasingly around the world, access to the Internet is being viewed as a fundamental right," he said. "That's an important change in perception."

Charney acknowledges that we have other fundamental rights, like freedom of speech, and says that while these rights are not absolute, they're of such importance that you want to be sure that security needs don't impact those rights in an unreasonable or unnecessary way.

"This model of passing health claims is actually what companies do today with network access protection," he said," where you pass a machine claim that your antivirus and your patches are up to date. And if not, your CIO and your company help remediate your machine. We realized with a claims-based model, that could scale to the public as well."

"The beauty of this model is the user remains in control," said Charney in his keynote address.

Charney argued that finally the social, political, economic, and IT spheres are aligning to make collaborative cybersecurity more workable. He suggested that rather advancing one cybersecurity policy, we need four: one for cybercrime, one for economic espionage, one for military espionage, and one for cyber warfare.

The first three, he said, are problems with precedents. We can harmonize laws to better address cybercrime, use diplomacy to press for international behavioral standards to limit economic espionage, and accept that we're not going to get rid of military espionage, which has persisted for centuries. Cyber warfare he sees as uncharted territory since it's not clear how nations should respond to the theft or destruction of data.

Justifying his advocacy of a public health model for computer security, Charney suggested considering other shared environments like public schools, where children are required to be vaccinated. "We need to make sure that people understand this is a shared and integrated domain," he said.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-6651
Published: 2014-07-31
Multiple directory traversal vulnerabilities in the Vitamin plugin before 1.1.0 for WordPress allow remote attackers to access arbitrary files via a .. (dot dot) in the path parameter to (1) add_headers.php or (2) minify.php.

CVE-2014-2970
Published: 2014-07-31
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality ...

CVE-2014-3488
Published: 2014-07-31
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVE-2014-3554
Published: 2014-07-31
Buffer overflow in the ndp_msg_opt_dnssl_domain function in libndp allows remote routers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS Search List (DNSSL) in an IPv6 router advertisement.

CVE-2014-5171
Published: 2014-07-31
SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.

Best of the Web
Dark Reading Radio