Robert McLaws: Windows Edition

Blogging about Windows since before Vista became a bad word

How Far Should Microsoft Go To Improve Security?

Joe Wilcox suggests today that hackers are actually Microsoft competitors, and they should be obliterated like Microsoft obliterated Netscape oh-so-many years ago.

Interesting way of looking at it.

In his article, he suggests that Microsoft should work with ISPs to identify malware-infested computers and block them from the Internet. His argument in a sense compares the situation to the way we deal with criminals in real life. We don't (usually) allow them to roam free and keep committing crimes; we separate them from the rest of society. So why shouldn't we do the same thing for malware-infested computers wreaking havoc on the net?

There are a couple ways this could happen:

  1. After several unsuccessful attempts to clean a computer, Windows Defender could automatically shut off Windows Firewall and force the user to take the computer in for repair.
  2. Same as #1, only Defender sends a message to the ISP to shut off the Internet connection to the subscriber.
  3. Force developers writing apps to have their programs go through some kind of certification process, at the end of which the program would be issued a keycode that allowed it to access the Internet. Then, the ISP could filter out keyed and non-keyed communication by having the app key add authorization data to each IP packet.

The problem with #1 is that Windows Firewall is programmable, and it would be easy for the malware to intercept/override this call. #2 is a bit extreme, and #3 might be too difficult to implement.

So, would people actually put up with these kinds of measures? It seems to me like the only thing this does is punish the victims, since most users don't know their computer has been zombie-fied.

Now, it does seem to make sense that the ISP could block certain TYPES of traffic based on the infection state. For example, most botnets are used to send out hordes of spam. In that scenario, Defender could send reports to the ISP, and if the problem can't be cleaned, then the ISP could block SMTP traffic for that subscriber.

So, dear readers, should Microsoft start punishing the few to protect the many?
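The ISP-side control sketched above (block outbound SMTP for a subscriber whose infection can't be cleaned) is easy to prototype as a threshold policy over the ISP's own flow records, which has the advantage of not depending on any report from the infected machine. The following is an added example written for this page, not code from the post or from Microsoft: it counts each subscriber's direct-to-Internet port-25 connections per day from constructed sample flow records, ignores mail sent through the ISP's own relay (assumed here to live at a documentation-range address and to enforce its own limits), and grades the result as "ok", "warn" (notify the customer) or "block_smtp" (filter port 25). Subscriber ids, thresholds, the relay address and the flow format are all assumptions made for the example.

```python
"""Added example (not from the blog post): ISP-side outbound SMTP policy.

Flow records are constructed sample data in a simplified text format:
    ISO-time subscriber dst_ip dst_port bytes
Thresholds and the relay address below are hypothetical.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical ISP mail relay (documentation range, constructed for this example).
# Traffic to the authenticated relay is not counted: it enforces its own limits.
ISP_RELAY = "203.0.113.25"
SMTP_PORT = 25

# Hypothetical default thresholds: direct port-25 connections per subscriber per day.
DEFAULT_LIMITS = {"warn": 100, "block": 500}


def parse_flow(line):
    """Parse one flow record into (timestamp, subscriber, dst_ip, dst_port, bytes)."""
    ts, sub, dst_ip, dst_port, nbytes = line.split()
    return datetime.fromisoformat(ts), sub, dst_ip, int(dst_port), int(nbytes)


def count_direct_smtp(lines):
    """Count direct-to-Internet port-25 connections per (subscriber, day).

    Every subscriber seen gets an entry (possibly 0) so that a subscriber who
    only uses the relay still shows up as 'ok' in the policy result.
    """
    counts = defaultdict(int)
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, sub, dst_ip, dst_port, _ = parse_flow(line)
        key = (sub, ts.date().isoformat())
        counts.setdefault(key, 0)
        if dst_port == SMTP_PORT and dst_ip != ISP_RELAY:
            counts[key] += 1
    return dict(counts)


def classify(count, limits):
    """Grade one subscriber-day: block first, then warn, else ok."""
    if count >= limits["block"]:
        return "block_smtp"
    if count >= limits["warn"]:
        return "warn"
    return "ok"


def evaluate(lines, limits=None, overrides=None):
    """Return {(subscriber, day): action}.

    `overrides` lets a power user raise their own thresholds, e.g.
    {"sub-3003": {"warn": 1000, "block": 5000}} for someone running a mail server.
    """
    limits = limits or DEFAULT_LIMITS
    overrides = overrides or {}
    return {
        key: classify(count, overrides.get(key[0], limits))
        for key, count in count_direct_smtp(lines).items()
    }


def make_sample():
    """Build constructed sample flows for one day (not captured traffic)."""
    day = "2006-12-20"
    rows = ["# constructed sample: time subscriber dst_ip dst_port bytes"]
    # sub-1001: a few direct SMTP connections plus some web traffic -> ok
    for i in range(3):
        rows.append(f"{day}T08:00:{i:02d} sub-1001 198.51.100.10 25 900")
    rows.append(f"{day}T08:01:00 sub-1001 198.51.100.20 443 5000")
    # sub-2002: 150 direct connections to many hosts -> warn
    for i in range(150):
        rows.append(f"{day}T09:{i // 60:02d}:{i % 60:02d} sub-2002 198.51.100.{i % 50 + 1} 25 700")
    # sub-3003: 600 direct connections -> block_smtp
    for i in range(600):
        rows.append(f"{day}T10:{i // 60:02d}:{i % 60:02d} sub-3003 198.51.100.{i % 50 + 1} 25 700")
    # sub-4004: 200 messages, all through the ISP relay -> not counted, ok
    for i in range(200):
        rows.append(f"{day}T11:{i // 60:02d}:{i % 60:02d} sub-4004 {ISP_RELAY} 25 800")
    return rows


if __name__ == "__main__":
    for (sub, day), action in sorted(evaluate(make_sample()).items()):
        print(f"{day} {sub}: {action}")
```

Running the module prints one line per subscriber-day. The design choice worth noting is that the only input is the ISP's own flow data: a compromised host cannot talk its way out of the policy, and the warning tier gives the customer a chance to clean up before port 25 is filtered.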



  • Poodle said:

    Uhh, no. That would be crazy.

    December 19, 2006 5:38 PM
  • List244 said:

    I actually disagree with you in part here, Robert. I think this could work pretty well. There is only one major problem I could think of... The number of things which would then attack windows in order to disable people's internet connections. If you could get around this, it is a good idea.

    I wouldn't call it punishment, if you are infected, chances are you are better off without internet. This limits the number of things the malware can do. I would actually prefer my internet be disabled if a problem is found. Plus, this would allow security developers to write bootable virus programs which can then fix these problems which Windows could not. These programs could work in combination with your Windows CD or possibly Windows Update Server to reinstall files which could not be cleaned.

    Of course, these hopes are far-fetched, and I doubt any such thing will be done.

    December 19, 2006 5:47 PM
  • Tomer Chachamu said:

    #3 is "difficult to implement"? Robert, you're going crazy. Whatever happened to our freedoms?

    December 19, 2006 5:52 PM
  • azz0r said:

    All three suck. The whole concept sucks.

    The ideal solution is to track the hackers and punish them. Not the victim.

    December 19, 2006 7:03 PM
  • "For example, most botnets are used to send out hoards of spam. In that scenario, Defender could send reports to the ISP, and if the problem can't be cleaned, then the ISP could block SMTP traffic for that subscriber."

    I don't think this is the job of Windows Defender or Microsoft for that matter. I know my ISP will cripple outbound SMTP when certain thresholds for outbound SMTP are passed. So I don't think we need any of the three suggestions above on top of that.

    The ISP should check for excessive amounts of malware data and should be watching closer for botnet activity.

    December 20, 2006 1:19 AM
  • Mihai said:

    <<should Microsoft start punishing the few to protect the many?>>

    I think this will punish more than few, because there are many computers out there that are highjacked.

    Second, this also implies that somehow MS can (reliably) identify malware, which is unrealistic.

    Third, this also implies ISP and/or ISV cooperation. And we know this will not happen. Ok, maybe it will, but if it is not 100%, it is kind of useless. For instance ISPs can already do something about spam, quite easily, but they do. They can (for instance) add a setting to each account configuring the maximum number of emails one can send per day. Not decided by the ISP, but by the user. And if I say sending 100 emails/day is enough for me, then the ISP should send me a warning email if I send 300. And another one if I send 1000.

    No restriction, don't stop my email, just letting me know there is something wrong.

    I think that the normal user would react to a notice from the ISP saying "Yesterday you have sent 12,313,413 emails. If this sounds suspicious to you, you might be infected with some form of malware. Please call our tech support at 1-800-ENDSPAM and we will try to help you clean it up."

    December 20, 2006 2:08 PM
  • List244 said:

    Mihai, I disagree. I don't think there is really anything that an ISP can do. This assumes that the method you are sending mail is the method in which the ISP is monitoring. Also, even if they could truly identify mail, this wouldn't really stop spam. Spammers can mail via other means and from outside regulated areas. So really, there is not too much that can be done.

    December 20, 2006 8:28 PM
  • Mihai said:

    I don't buy the ANYTHING part in "think there is really anything that an ISP can do"

    ISPs alone cannot completely stop spam, but they can help reduce it. And if only everybody does his share, we might end up with 10 spam emails per day, instead of 10000.

    Most spam is sent by SMTP, from "owned" computers.

    So ISPs should not allow mail relay, and filter port 25 to anything but their designated SMTP server, with authentication.

    The SMTP server should send me a warning if I am sending more than 100 emails per day (or whatever I set in my config). Spam-bots don't send emails using the Yahoo or GMail web UI.

    If one ghost PC sends 100 emails instead of 10,000,000, if the user is warned as soon as some suspicious activity happens, it will help.

    Flexibility: for power users, allow whitelisting some other SMTP servers (I can log in to my profile at the ISP and change it). But have filtering on by default.

    Adopt standards that don't allow the spoofing of the origin (they are out, but nobody cares).

    Will this stop spam? No! But it will drastically reduce it.

    I know, it will not happen, because all these changes cost money. This is the one and only reason. Not because they cannot, but because they don't want to; it cuts the profit.

    December 21, 2006 12:39 PM
  • That would be the end of the internet as we know it. The death of the last place of freedom we have.

    It really scares me that some people encourage this idea. Where's this world going to?

    Don't want an infested PC?

    a) learn how to use one

    b) don't use windows

    Don't punish the victims for being computer-illiterate. Punish the malware developers. Take it at the roots.

    December 23, 2006 10:29 AM