ISP Restrictions Based on Hardware/Software?
An anonymous reader writes "IT Architect magazine is reporting that ISPs are working towards a greater restriction of a customer's right to run what may be 'insecure' software. From the article: 'A greater threat is that ISPs may try to restrict the customer's side by denying access to machines based on their hardware or software configuration. [...] former head of cybersecurity, White House terrorism advisor Richard Clarke even said it should be made mandatory to quarantine malware.' Something that may also come as a surprise to some is that Microsoft is completely against this censorship of internet access. 'According to Chief Privacy Officer Peter Cullen, Microsoft is against ISPs doing anything that would restrict customers' choice of software. And he says this isn't just about the impracticability of demanding that data centers patch everything on the second Tuesday of the month. Laptop and home users also have the right to run an insecure PC.'"
THE INTERNET IS NOT SECURE (Score:3, Informative)
THE INTERNET IS NOT SECURE
By connecting to it you must expect to be probed, attacked, sniffed, decrypted, spammed, hacked, and denied service. In order to avoid these things either you must not connect to it, or you must take measures that degrade its performance in order to eliminate some of these possibilities. But you will never make it secure, because it is not secure.
If you want a secure network, you will have to start over from scratch.
Re:Microsoft is completely against this censorship (Score:1, Informative)
Terms of Service-Rights. (Score:1, Informative)
"When everything's a right, nothing is a right." [stgeorgepress.com]
Re:Microsoft's involvement (Score:2, Informative)
What percentage of all Internet users are on Windows versus everything else?
Okay, so this is NOT a good business practice. Disenfranchising 90%+ of all Internet users is just plain stupid. Right up there with a multitiered Internet where big carriers can throttle your traffic if it comes from IP addys other than in their blocks or is aimed at ports they believe signify what is in their opinion unimportant traffic.
This is plainly a stupid idea on multiple levels.
Re:Err.... (Score:3, Informative)
No problem. (Score:3, Informative)
isp's blocking p2p traffic (Score:5, Informative)
PROPER USES:
"Unlimited NationalAccess/BroadbandAccess:
Subject to VZAccess Acceptable Use Policy, available on www.verizonwireless.com. NationalAccess and BroadbandAccess data sessions may be used with wireless devices for the following purposes: (i) Internet browsing; (ii) email; and (iii) intranet access (including access to corporate intranets, email and individual productivity applications like customer relationship management, sales force and field service automation).
SUCH USE DESCRIBED BELOW WOULD BE SUBJECT TO TERMINATION OF SERVICE CONTRACT
Unlimited NationalAccess/BroadbandAccess services cannot be used (1) for uploading, downloading or streaming of movies, music or games, (2) with server devices or with host computer applications, including, but not limited to, Web camera posts or broadcasts, automatic data feeds, Voice over IP (VoIP), automated machine-to-machine connections, or peer-to-peer (P2P) file sharing, or (3) as a substitute or backup for private lines or dedicated data connections."
Re:Even if... (Score:3, Informative)
That's probably another concern of Microsoft. Linux distributions can be easily modified to fool such restrictions and existing Linux users will likely install the necessary patches. (...) I'm all for these restrictions, because they don't apply to Open Source software - masquerading as other software is already quite standard.
You can not have read much about trusted computing, and in particular trusted network connect. Without the proper TCPA signatures, Linux won't be able to fake being a Windows box. The OS fingerprinting of today relies on implementation differences, and is a completely other ballpark than trying to forge a digital signature.
Re:Well... (Score:3, Informative)
You're vastly oversimplifying. Firstly, most home PC users can barely figure out how to begin to use Windows. If you throw something completely new at them (Linux or OSX) they will probably be even worse off than where they started.
Secondly, you're assuming that it's impossible to have a secure Windows PC, and that simply isn't true. My home PCs run Windows XP and are secured. My place of employment is about 95% Windows XP, and we haven't had any security incidents or security related downtime since we opened over two years ago. No PC platform will ever be 100% secure and exploit-proof, but you can make pretty much any current platform secure enough to not be a threat to the Internet. If a user is faced with learning how to secure Windows (possibly with a minimal additional hardware/software investment) versus scrapping the whole thing and learning a whole new OS, and how to secure it (possibly with a minimal additional software investment or a completely new PC purchase), they will probably stick with Windows.
And that's the big thing about Windows, it is relatively easy to secure it for connecting to the Internet. For example:
1. Download and install a decent antivirus/firewall package. You can buy one for $50 or less from most security vendors, or you can get a free package like Avast or AVG with ZoneAlarm or Windows Firewall.
2. Turn on automatic updates so that security patches are installed automatically when they become available. Or for the more paranoid (like me), set it to automatically notify you when they are available so that you can review them or test them before using them.
3. (optional but highly recommended) Spend $30-$50 for a DSL/cable router/firewall with NAT capability.
4. Don't open messages from strange or unknown sources, and don't open unexpected attachments from known sources.
If you have a Windows PC and follow those 4 simple steps you should very rarely, if ever, have security issues.
No way will this fly. Too many people have a LAN. (Score:4, Informative)
The ISP's first responsibility is IP egress filtering. The ISP must validate the outgoing source IP address of each packet. This at least prevents the most annoying types of denial of service attacks. Most competent ISPs do this now, although some of the cable guys are weak in this area.
The ISP's second responsibility is outgoing mail rate limiting. That's enough to slow down zombie-based spam. If the outgoing mail rate exceeds some reasonable threshold, the user should get a phone call, even if the phone call is automatically generated.
The ISP's third responsibility is incoming mail spam filtering. This should include virus filtering.
Incidentally, ISPs which block outgoing TCP ports should return an ICMP message (type Destination Unreachable, code Communication Administratively Prohibited). At least then you know what's going on, and who's doing the filtering.
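The three ISP-side controls this comment lists (source-address egress validation, outbound mail rate limiting, and an ICMP "administratively prohibited" reply for policy-blocked ports) modelled as a small flow-log checker. This is an added example, not code from the thread or from any ISP: the customer-to-prefix table, the SMTP threshold and window, the blocked-port set and the log record format are all constructed for illustration.

```python
"""Toy model of the ISP-side controls from the comment above (added example).

Processes records of the form 'ts customer src_ip dst_ip proto dport' and:
  1. drops packets whose source address is outside the customer's assigned block,
  2. rejects TCP flows to policy-blocked ports with the ICMP code the comment asks for,
  3. flags a customer whose outbound SMTP connection rate exceeds a threshold.
"""
import ipaddress
from collections import defaultdict, deque

# Constructed sample assignment table: which address block each customer was given.
CUSTOMER_PREFIXES = {
    "cust-a": ipaddress.ip_network("203.0.113.0/29"),
    "cust-b": ipaddress.ip_network("198.51.100.64/29"),
}

# ICMP Destination Unreachable is type 3; code 13 is "Communication
# Administratively Prohibited" (RFC 1812), the reply the comment recommends.
ICMP_DEST_UNREACHABLE = 3
ICMP_ADMIN_PROHIBITED = 13


def egress_check(customer, src_ip, proto, dst_port, blocked_tcp_ports=frozenset()):
    """First responsibility: validate the packet's source address against the
    customer's assigned prefix. Returns (verdict, detail)."""
    prefix = CUSTOMER_PREFIXES.get(customer)
    if prefix is None:
        return ("drop", "unknown customer")
    if ipaddress.ip_address(src_ip) not in prefix:
        return ("drop", f"spoofed source {src_ip} not in {prefix}")
    if proto == "tcp" and dst_port in blocked_tcp_ports:
        # Policy block: tell the sender who filtered it instead of silently dropping.
        return ("reject", f"icmp type={ICMP_DEST_UNREACHABLE} code={ICMP_ADMIN_PROHIBITED}")
    return ("forward", "")


class MailRateLimiter:
    """Second responsibility: count outbound SMTP connection attempts per customer
    in a sliding time window; record() returns True once the threshold is exceeded."""

    def __init__(self, threshold, window_seconds):
        self.threshold = threshold
        self.window = window_seconds
        self.events = defaultdict(deque)

    def record(self, customer, ts):
        q = self.events[customer]
        q.append(ts)
        while q and ts - q[0] > self.window:  # expire events older than the window
            q.popleft()
        return len(q) > self.threshold


def process_flows(lines, limiter, blocked_tcp_ports=frozenset()):
    """Run the egress check over every record and the rate limiter over the
    forwarded SMTP (tcp/25) records. Returns (verdicts, flagged_customers)."""
    verdicts = []
    flagged = set()
    for line in lines:
        ts, customer, src_ip, _dst_ip, proto, dport = line.split()
        ts, dport = int(ts), int(dport)
        verdict, detail = egress_check(customer, src_ip, proto, dport, blocked_tcp_ports)
        if verdict == "forward" and proto == "tcp" and dport == 25:
            if limiter.record(customer, ts):
                flagged.add(customer)  # candidate for the "phone call" the comment describes
        verdicts.append((customer, verdict, detail))
    return verdicts, flagged


# Constructed sample flow log: one clean flow, one spoofed source, one blocked
# port, a burst of six SMTP connections from cust-b, and a single one from cust-a.
SAMPLE_FLOWS = [
    "0 cust-a 203.0.113.2 192.0.2.10 tcp 80",
    "1 cust-a 192.0.2.99 192.0.2.10 udp 53",
    "2 cust-b 198.51.100.66 192.0.2.20 tcp 445",
] + [f"{t} cust-b 198.51.100.66 192.0.2.{30 + t} tcp 25" for t in range(3, 9)] + [
    "9 cust-a 203.0.113.2 192.0.2.40 tcp 25",
]


def run_sample():
    """Apply both controls to the sample log with a threshold of 5 SMTP
    connections per 60 seconds and tcp/445 as the (constructed) blocked port."""
    return process_flows(SAMPLE_FLOWS, MailRateLimiter(5, 60), blocked_tcp_ports={445})


if __name__ == "__main__":
    verdicts, flagged = run_sample()
    for customer, verdict, detail in verdicts:
        print(f"{customer:7} {verdict:8} {detail}")
    print("rate-limited:", sorted(flagged))
```

The threshold and window are deliberately parameters: what counts as a "reasonable" outbound mail rate differs between a residential line and a business account, and the comment leaves that judgement to the ISP. The sliding window only keeps timestamps inside the window, so a customer who sends a few messages an hour never accumulates enough events to trip it.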
Re:The Horse's Mouth (Score:3, Informative)
Every time he called, he had read about something and wanted to try setting it up between his router and his PDA... he was patient, took notes, followed instructions and was generally cool to talk to... on top of it all, he thanked us for our time and assistance. A rare individual.
Some links (from TFA author) (Score:2, Informative)
There were also some leaked memos that went into more detail. I don't know if they're still on the Web anywhere, but this story [theregister.co.uk] from The Register describes them.
There are no TPM/TNC-based authentication systems available yet, but plenty of companies sell software-only versions. (These can be spoofed, of course.) The most well-known is Cisco's Network Admission Control ("the self-defending network"). They're intended mostly for LANs, but some vendors are already suggesting that they be used by ISPs [itarchitect.com] (especially in Wi-Fi hotspots).
I'd be extremely interested in seeing the Pentium with an onboard TPM, as this is something Intel has denied. (They sell motherboards with third-party TPM chips, but claim not to be integrating it with the CPU itself.)
Re:Some links (from TFA author) (Score:3, Informative)
It's apparently inactive: Intel Prescott micrograph, bottom picture on the page. [chip-architect.com]
Richard Clarke's speech about mandatory TNC is here. I think the date (2001) might be wrong.
Yep, 2001. That's the right one. Trusted computing has been in the works for a few years now. The Pentium III CPUID was to be the first step in a step-by-step Trusted Computing deployment, until the backlash.
La Grande (Score:2, Informative)
Interesting. It could be that the chip-architect article is mistaken, but it was right about Yamhill, and also mentions an Intel patent that involves an on-chip crypto engine. (I think it means #6542981 [PDF] [freepatentsonline.com], not the one referenced.) Alternatively, Intel could be lying, or just have changed plans since 2003.
But the two aren't really incompatible. The circuitry that the monograph points to is allegedly part of La Grande, Intel's proprietary version of Trusted Computing, not a TCG-compliant TPM. That’s even worse in a way, as it would mean software that only runs on an Intel CPU (and an Intel chipset: La Grande will also require a TPM and AMT [itarchitect.com], a proprietary technology in Intel network cards).
On-CPU crypto might also have something to do with trusted components. The TCG's long-term plan is to have some form of hardware signing/encryption in everything, not just a single chip in every PC. Most of the focus so far is on graphics/sound cards (for DRM) and keyboards/mice (to stop hardware sniffers), though.
I was aware that the TCPA predates the official announcements about Palladium, etc., but I thought that meant technical work. It's disturbing that the White House and the BSA were involved so far back, and that they chose the immediate aftermath of 9/11 to talk about it publicly.