Tuesday, February 15, 2011

Windows users: it's your problem now

Microsoft Vice President Scott Charney, a longtime advocate of a coordinated approach to cybersecurity, describes a vision of Internet health:
"We broke Windows. It's your problem now."

At least, that's how I interpret his comments. Charney wants to have users pass a kind of "health test" for their computer before they can use web services.

"Security is not a problem that can be addressed fully by individual consumers, or even individual companies or governments. That is what led to the development of my public health model proposal, which calls for collective defense against cyber threats," he said.

Charney uses a public health model to support his new idea. Basically, in order to access web services (say, your bank - or cloud services, maybe even social networking like Facebook) you first need to let the provider run their virus check on your computer. Intrusive? I think so. Would you let a web site run their code (virus scan) on your machine before you are allowed to use their web application? I think I smell more malware coming.

Let me take the "health" idea in a different direction: it's like safe sex. Previously, wise PC users used a sort of "computer condom" (anti-virus software, firewall, etc.). That worked pretty well, and was really aimed at preventing infection. Like a condom, see? Microsoft's Charney now wants to change that, so that you can go play with whomever you like, but you should make a "good health" claim first. Charney suggests you can opt out of a scan, but there will be consequences.

Yeah, right.

To me, this is just passing the problem on to the consumer. That makes me wonder - does Microsoft even intend to address the gaping security holes in Windows anymore? Maybe the Corporate Vice President for Trustworthy Computing should suggest a different approach: make Windows more secure, more "trustworthy".

But maybe that's just me.

Instead, I see Charney's statements as raising the TCO for running a Windows system. Corporate IT can probably absorb this without too great an additional cost, but home users may quickly find the constant barrage of "let me scan your PC before you can access our web site" to be annoying. That would make for an interesting sea change.

9 comments:

  1. What's worse is that Linux and BSD users will get shut out of the whole thing because they won't run the antivirus scanners...thanks to the built-in security disallowing executable files from automatically running. Oh, what cruel irony. Oh yeah, and what about all the smartphone users using Android to access their favorite websites? Although I guess if a solution does become available for Android, in time it'll be ported for all Linux systems. It'll still be annoying, though.
    --
    a Linux Mint user since 2009 May 1

  2. Maybe this would work better if we just disallowed Windows users access to the web. A quick check to see what the host OS is. If it's Windows, denied!

    No antivirus needed!

  3. @linuxcritic: Unfortunately, at this point that's counterproductive because at least 85% of end-user computers run Microsoft Windows. It'll be like trying to quarantine people in a particular city with cholera...when 85% of the people have cholera. There's no point. What I will say though is that on my blog I have a notice that displays for Microsoft Internet Explorer 6 users encouraging them to switch browsers and telling them that much of the web will not render properly due to Microsoft Internet Explorer's blatant disregard for web standards. (It isn't much better now even with version 9.)
    --
    a Linux Mint user since 2009 May 1

  4. Excellent post linuxcritic!

  5. Then again, supposedly about 60% or so of all web servers run Linux, so to run those types of apps, they would have to be written for Linux to make the effort worthwhile.

  6. Even more importantly, how does Charney expect to apply this to mobile devices? iPads and smartphones are increasingly being used to access the Internet. I'm a Linux guy, but most of my surfing the web and checking personal email is done from my phone. So, how does Charney expect me to run a third-party scan on my phone before I can access my bank account online?

  7. @some guy: That's also what I said earlier. :)

  8. Yes PV, good for you. :-D

  9. Huh. Scan for malware, including memory resident ones which may not be stored on disk? How long will it take to perform this "health check"? My favorite of course is that the idiot wants everyone to essentially enable arbitrary remote program execution on their machine - so the moron is demanding we flush security down the toilet and pretend that his scheme is somehow secure. Great going - yet more proof that Microsoft don't even understand the most basic ideas in computer security.

