
ISP Restrictions Based on Hardware/Software?

An anonymous reader writes "IT Architect magazine is reporting that ISPs are working towards a greater restriction of a customer's right to run what may be 'insecure' software. From the article: 'A greater threat is that ISPs may try to restrict the customer's side by denying access to machines based on their hardware or software configuration. [...] former head of cybersecurity, White House terrorism advisor Richard Clarke even said it should be made mandatory to quarantine malware.' Something that may also come as a surprise to some is that Microsoft is completely against this censorship of internet access. 'According to Chief Privacy Officer Peter Cullen, Microsoft is against ISPs doing anything that would restrict customers' choice of software. And he says this isn't just about the impracticability of demanding that data centers patch everything on the second Tuesday of the month. Laptop and home users also have the right to run an insecure PC.'"
  • Err.... (Score:3, Insightful)

    by Anonymous Coward on Tuesday December 27, 2005 @08:45PM (#14349033)
    What if the user is behind a SOHO router? It will be hard to figure out what the client's OS/version is. Try using www.grc.com and their ShieldsUp.

    Anyways, this being the US, such practice will be considered discriminatory especially if poorer families cannot afford the latest M$ tax.
  • by Anonymous Coward on Tuesday December 27, 2005 @08:48PM (#14349050)
    ....or they are afraid that most Windows machines will eventually be shut off from the internet and OSX/Linux will run free
  • by Todd Knarr ( 15451 ) on Tuesday December 27, 2005 @08:48PM (#14349053) Homepage

    Of course Microsoft would object to this proposal. Any objective analysis (which the ISPs are certain to do) would put Windows high on the list of vulnerable systems. No matter how much Microsoft tries, it's always hard to configure a Windows system to be both secure and capable of easily running the software most users want to run without glitches. Putting a hardware firewall in front of it's just as bad from Microsoft's point of view: you're still telling users they have to spend more money and do more work to use Windows on the Internet. By contrast, many of the competing systems (Mac OSX, *nix) are at low risk and would pass most security checks easily out of the box. No way does Microsoft want ISPs making it easier to put a Mac or a Linux box on the Internet than a Windows box.

  • by ChowRiit ( 939581 ) on Tuesday December 27, 2005 @08:48PM (#14349054)
    Personally I don't care why Microsoft is against it - I'm sure they have their own agenda, but the enemy of my enemy is still my friend. If Microsoft are against it, it almost certainly won't happen - they have enough clout.

    Anyway, such a law would be pandemonian, it would require international standards etc etc - it would never work...
  • Problems with this (Score:4, Insightful)

    by Ruff_ilb ( 769396 ) on Tuesday December 27, 2005 @08:48PM (#14349055) Homepage
    1. It's impractical -
    I can see how the White House might deal with this sort of restriction, but an ISP dealing with thousands of customers that don't WANT to cooperate - not to mention, there would be an absurd number of software and hardware iterations, hacks, etc, all of which they'd have to deal with.

    2. It's unfair -
    I should be able to run the software I want on the hardware I want, as long as I'm not producing malware. A restriction on rights for security is inconsistent with democratic ideals, especially with the qualifier that the security doesn't necessarily protect rights.
  • by xoip ( 920266 ) on Tuesday December 27, 2005 @08:49PM (#14349061) Homepage
    It is becoming increasingly obvious that the large ISPs are out to put a stranglehold on the "Services" they deliver. There will be problems with VOIP caused by port restrictions, others will stop offering basic services like nntp access. They have taken the view that the network is theirs and that they will dictate what is run over them with consumers being an endless cash cow that can be milked for access to "Premium" applications.
  • by ltbarcly ( 398259 ) on Tuesday December 27, 2005 @08:50PM (#14349066)
    that Microsoft would want to prevent people from being punished for using an insecure OS...

    It's because they're for choice right? I mean, every time I turn around I hear about a new Red-Hat exploit which has allowed a worm to spread into millions of computers around the world, causing massive amounts of bogus traffic and driving up costs for ISPs.
  • Re:Hah (Score:3, Insightful)

    by Ruff_ilb ( 769396 ) on Tuesday December 27, 2005 @08:50PM (#14349068) Homepage
    Answer: Does it really make any difference?

    How much power does MS wield? How much power does the OS community wield?
  • Terms of Service (Score:5, Insightful)

    by saikatguha266 ( 688325 ) on Tuesday December 27, 2005 @08:51PM (#14349074) Homepage
    > Laptop and home users also have the right to run an insecure PC

    Absolutely. But do they have the right to abuse the ISP's network by sending spam/DDoS attacks etc?

    Run what you may on your PC, but if you are using the network infrastructure owned and maintained by your ISP, you have to adhere to their Terms of Service, and they should have the right to enforce those terms of service.

    If you don't like your ISP's TOS, find a different one. But don't confuse your right to run an insecure PC with your right to abuse your ISP's network -- you do not have the latter.
  • by rewt66 ( 738525 ) on Tuesday December 27, 2005 @08:51PM (#14349078)
    Laptop and home users also have the right to run an insecure PC.

    Yes, but do they have the right to run an insecure PC connected to the Internet? When their insecure PC, if it gets 0wned, is going to have adverse consequences for others on the Internet?

    An analogy: I have the right to drive a car that fails safety inspection - on my own land. I do not have the right to drive it on the public roads, where it can endanger others. (Of course, this analogy breaks down, because the government mandates the safety inspection, and the government owns the roads, and in the Internet case, it's not the government that mandates the safe PC, but rather the ISP... and the ISP owns the "road" that I'm putting the unsafe PC on, or at least the road I use to access it... hmm, maybe the analogy isn't that bad.)

  • by grub ( 11606 ) <slashdot@grub.net> on Tuesday December 27, 2005 @08:52PM (#14349080) Homepage Journal

    Depending on your definitions, banning malware could mean banning Windows!

    Or if the RIAA/MPAA have their way: P2P traffic. Be careful what you wish for.
  • by N3Roaster ( 888781 ) <nealw.acm@org> on Tuesday December 27, 2005 @08:52PM (#14349082) Homepage Journal
    While true, I really doubt ISPs are going to start blocking Windows users from accessing the Internet. Not only because they'd be blocking somewhere between most and all of their customers (Why yes, we'll sell you Internet access, we just won't let you use it.), but I've also encountered a lot of ISPs that would get really freaked out (for no good reason) if they heard you planned on connecting with anything but a Windows PC.
  • Well... (Score:1, Insightful)

    by Anonymous Coward on Tuesday December 27, 2005 @08:54PM (#14349099)
    I have nothing against blocking those who *are* infected--they're lagging the rest of the net with their crap and they need to shape up.

    The real problem is banning those who "might be" infected because they don't run an approved version of Symantec or Norton Antivirus. What software I run is none of their business.
  • Rights? Huh? (Score:3, Insightful)

    by dada21 ( 163177 ) * <adam.dada@gmail.com> on Tuesday December 27, 2005 @08:57PM (#14349114) Homepage Journal
    There is no right to do anything with anyone else's property or for them to provide a service they don't want to.

    On the other hand, an openly competitive market generally won't see companies trying to reduce services or increase fees -- competition is what gives consumers what they want at the price they're willing to pay.

    If we allow our government to regulate the Internet, you better believe the market will be disturbed by enough regulations that we WILL see restrictions such as these -- regulations always serve the interests of the now mandated monopolies instead of the end consumers.

    If a few big ISPs decide they want to restrict services for certain users -- let them! The little ISPs will gain enough business to give them a nice profit. Seems like a win-win to me.
  • by TheSpoom ( 715771 ) * <slashdot@@@uberm00...net> on Tuesday December 27, 2005 @08:58PM (#14349121) Homepage Journal
    Actually, when I was reading the summary, I was thinking something along the lines of this: ISPs are legislatively mandated to have a set of software that protects customers and that customers have to run to connect. ISPs then make said software available -- only for Windows. This, of course, indirectly bans any other operating systems from connecting, even when they (almost certainly) are better protected.
  • by Black Parrot ( 19622 ) * on Tuesday December 27, 2005 @09:05PM (#14349165)
    > At the risk of pointing out the obvious, but - does it surprise anyone that the maker of the #1 target for malware writers is actively campaigning against ISPs downthrottling infected users' PCs?

    Of course, our idiotic "security" bureaucracy would probably put Windows on the short list of approved systems, since it's a Legitimate Product (tm) from a Legitimate Business (tm).
  • by crazyphilman ( 609923 ) on Tuesday December 27, 2005 @09:05PM (#14349166) Journal
    Side #1: Microsoft is terrified of this because it will set a precedent whereby an ISP will be able to cut people off based on the ISP's view of their software configuration. So, ISPs will be able to threaten to kick Microsoft in the balls unless they get favorable treatment (RE: cheaper prices), and home users will be able to demand that tainted machines get knocked off the web until they're fixed (which will mostly affect MICROSOFT). Microsoft, God bless 'em, is naturally against the whole thing.

    Side #2: The TRUE result of this will be that lazy ISPs (read: most ISPs) will just lock out anything that doesn't match some piece of shit filter they put in place. So, a fully patched Microsoft or Apple box will probably be able to connect, but my Slackware box will NOT. And when I call tech support, the retard who takes my call will say "SlackWHAT? You can't run that on our network, for, uh... SECURITY reasons. Why don'cha run Winders like everyone else?" And I will be forced to resort to cruel, mocking language, upsetting his supervisor and getting me absolutely NOWHERE.

    So, naturally, I'm against this bullshit too. ;)

  • Even if... (Score:5, Insightful)

    by jd ( 1658 ) <[moc.oohay] [ta] [kapimi]> on Tuesday December 27, 2005 @09:09PM (#14349193) Homepage Journal
    ...you are generous and don't define Windows as malware, you can reasonably define it as insecure, so it would certainly be bannable under the proposal. Especially early versions of Windows. And that's important, as a very large number of Windows users haven't upgraded and won't upgrade. (Windows 98 is still a very common OS and Windows 95 is still far from dead.)


    The other concern Microsoft may well have is that if you can only run "approved" OS' on the Internet, it will kill their beta programs and may well make it harder to roll out service packs. After all, it changes the version ID, so won't be an "approved" OS any more. If nobody patches their system, for fear of being disconnected from the Internet, it will be Microsoft that suffers.


    What about Linux users? Well, there's always the IP Personality patch. This disguises your OS, so that common methods of fingerprinting your computer will return the OS identity that you choose. You can always make a Linux box look like Windows XP or whatever.


    That's probably another concern of Microsoft. Linux distributions can be easily modified to fool such restrictions and existing Linux users will likely install the necessary patches. This could make Linux more attractive to the Walmarts of the world (fewer customer complaints) and also to corporations (no risk of unexpected downtime, due to ISPs not keeping up).


    I'm all for these restrictions, because they don't apply to Open Source software - masquerading as other software is already quite standard. Only closed-source vendors and closed-minded customers have anything to be scared of, and I've no problem with them being scared silly by Homeland Security.

  • blah blah blah (Score:5, Insightful)

    by Transcendent ( 204992 ) on Tuesday December 27, 2005 @09:10PM (#14349196)
    ...blah blah blah, of course Microsoft is against it blah blah blah...

    But this IS a horrible practice? Restricting people's internet access based on their computer? Does anyone see what is wrong with this or are you all going to complain about MS?
  • by obeythefist ( 719316 ) on Tuesday December 27, 2005 @09:10PM (#14349198) Journal
    That's a bit kneejerk isn't it?

    R'ing TFA, and a vague FA it was, the whole system would work by running a client agent that spies on the user and reports to the ISP, allowing the ISP to determine how to manage traffic (based presumably on draconian laws that further US govt ends).

    Now, Microsoft will, realistically, be opposed to this simply because they don't control it. Absolutely they have every right to tell the govt they're not interested in them bundling software onto every Windows distribution. Only MS is allowed to bundle. But at the same time, MS has been reasonably anti-DRM and reasonably pro-freedom lately (it seems they are on the end of more patent litigation than they're causing lately, for example). A lot of this is simply going to be MS trying to prevent others from controlling the market in the same way they try to. Either way, take it as given that corps are evil, at least don't complain when they do something good.

    Likewise, I am amused to think of what the Linux kernel owners would say about a mandatory bundling of a linux client agent to spy on the end user for the government.

    Personally, I can't see it being popular anywhere outside the USA. And you try to tell an ISP they need to increase their operating costs so they can enforce government policy for the government by running servers to monitor mandatory government spyware installed on client PCs.
  • by srk ( 49331 ) on Tuesday December 27, 2005 @09:19PM (#14349247) Homepage
    This idea can be a potential danger to Linux users. Yes, Linux is much less susceptible to malware than Windows. However, Windows will be always defended by Microsoft but there is no body to protect Linux users. Any minor public doubt in Linux safety for ISPs has a chance to result in a major action to ban access from Linux boxes.
  • Re:Even if... (Score:4, Insightful)

    by Stripe7 ( 571267 ) on Tuesday December 27, 2005 @09:22PM (#14349262)
    They will probably pass a law to make it illegal for you to mask your linux OS as windows.
  • Re:Wow (Score:2, Insightful)

    by syzler ( 748241 ) <david.syzdek@net> on Tuesday December 27, 2005 @09:23PM (#14349265)
    It is not a matter of the ISP trying to protect the individual, but a matter of the ISP trying to protect the ability to provide service to others. I work at an ISP in Alaska. We are having to take preventive measures to ensure that our entire network is not black listed by larger ISPs such as AOL.

    We may be inconveniencing a small minority of our users, but we are trying to maintain access for the majority of users. If we allowed our network to be in a perpetual blacklist, we would eventually not have any subscribers since they would transfer to providers that take measures to allow most of the subscribers to use services that the subscriber pays for.
  • by AndroidCat ( 229562 ) on Tuesday December 27, 2005 @09:25PM (#14349272) Homepage
    Vendors call them by different names, but all use an agent on the client to verify its configuration. If the agent reports software (or in more advanced versions, hardware) that isn't on a white list, access is denied.

    Access control agents have two big practical problems on a private network, both of which are more serious on the wider Internet: Not all clients can run the agents, and new programs not yet certified malware-free won't be on the white list. Worse, ISPs might base their lists on commercial considerations. So while custom enterprise applications are locked out, Sony's rootkit gets through.

    Okay, it's not quite spyware, but it does raise a few questions, doesn't it? The above misses a few like: (a) What if you develop software? (Software which isn't on anyone's list?) (b) And what's this about hardware? Are haxors leaving trojan hardware on people's doorsteps now? (Hmm...) (c) Lastly, I'm not going to open my security to let their untrusted agent software phone home to tell my ISP that everything is okay. Sorry. If need be, I'll haul out an old box to run their agent to tell them that everything is fine--but it'll be isolated as much as possible from everything else on my LAN.
  • by bcrowell ( 177657 ) on Tuesday December 27, 2005 @09:25PM (#14349273) Homepage
    How will open software get on the "trusted" list,
    And, as pointed out in the article, how will custom proprietary apps get on?

    The whole thing sounds like a ridiculous idea when you start thinking about the repercussions. ISPs have no way of knowing what percentage of their customers are running software that's not on a particular whitelist --- until the day they implement the policy, at which point all hell breaks loose and some of their best customers run to the competition.

    It also isn't obvious how they can really detect all the software on a computer. Are they really going to look at every file foo.bar on my hard disk to see if it would really run if you did a `perl foo.bar'? And remember, malware authors are specialists at hiding their software.

    It would make a lot more sense to analyze traffic. If a certain user starts sending 10 million e-mails a day all of a sudden, just shut off his access and wait for him to get on the phone and talk to you. Another, possibly complementary option would be just to impose upstream and downstream traffic limits (maximum peak and maximum monthly?), although a lot of ISPs don't want to advertise that they have limits or reveal what they are.

    The article sounds very suspect to me. Lots of vague statements like "the required technologies are now becoming available." Oh yeah? What are they called? Who's selling them? Which ISP's have tested them?
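
Added example (not part of the thread or of any poster's code): the traffic-based approach raised in the comments above, flagging a subscriber by what the connection does rather than by what software it reports. It buckets outbound SMTP flows per subscriber per hour and flags only a sudden spike in direct-to-MX connections; the flow format, thresholds, relay address and subscriber names are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

SMTP_PORT = 25
ISP_RELAYS = {"192.0.2.25"}   # assumption: the ISP's own authenticated relay
WINDOW = 3600                 # seconds per bucket
ABS_FLOOR = 200               # ignore anything under 200 direct connections/hour
SPIKE_FACTOR = 10             # "all of a sudden": 10x the subscriber's own median
MIN_DISTINCT = 50             # bulk senders fan out to many mail servers


def parse_flow(line):
    """Parse 'epoch subscriber dst_ip dst_port'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return int(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def bucket_smtp(lines):
    """Group direct-to-MX SMTP destinations as {subscriber: {hour_index: [dst, ...]}}."""
    buckets = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, sub, dst, port = rec
        # Mail handed to the ISP relay is not counted; only direct delivery is.
        if port == SMTP_PORT and dst not in ISP_RELAYS:
            buckets[sub][ts // WINDOW].append(dst)
    return buckets


def flag_subscribers(lines):
    """Return {subscriber: stats} for spikes in the most recent hour of the log."""
    buckets = bucket_smtp(lines)
    hours = [h for per_sub in buckets.values() for h in per_sub]
    if not hours:
        return {}
    first, current = min(hours), max(hours)
    flagged = {}
    for sub, per_hour in buckets.items():
        dsts = per_hour.get(current, [])
        # Quiet hours count as zero so a dormant host has a low baseline.
        history = [len(per_hour.get(h, [])) for h in range(first, current)]
        baseline = median(history) if history else 0
        if (len(dsts) >= ABS_FLOOR
                and len(dsts) > SPIKE_FACTOR * baseline
                and len(set(dsts)) >= MIN_DISTINCT):
            flagged[sub] = {"count": len(dsts), "baseline": baseline,
                            "distinct": len(set(dsts))}
    return flagged


def constructed_sample():
    """Four hours of constructed flow lines for four made-up subscribers."""
    t0 = 1135728000  # constructed start time, aligned to an hour boundary
    lines = ["not a flow record", f"{t0} cust-a 198.51.100.9 443"]
    for hour in range(4):
        start = t0 + hour * WINDOW
        # cust-a: ordinary user, all mail goes through the ISP relay.
        lines += [f"{start + i} cust-a 192.0.2.25 25" for i in range(5)]
        # cust-b: runs a legitimate mail server, steadily busy every hour.
        lines += [f"{start + i} cust-b 198.51.100.{i % 60} 25" for i in range(300)]
        if hour < 3:
            # cust-c: nearly silent until the last hour...
            lines += [f"{start + i} cust-c 203.0.113.1 25" for i in range(2)]
    last = t0 + 3 * WINDOW
    # ...then a burst to many servers, the pattern of an infected machine.
    lines += [f"{last + i % WINDOW} cust-c 203.0.113.{i % 250} 25" for i in range(5000)]
    # cust-d: first-ever direct SMTP use at small volume (e.g. testing own software).
    lines += [f"{last + i} cust-d 198.51.100.200 25" for i in range(20)]
    return lines


if __name__ == "__main__":
    for sub, stats in flag_subscribers(constructed_sample()).items():
        print(sub, stats)
```

The steady mail-server customer and the low-volume developer are left alone even though neither would appear on a software whitelist; only the spike relative to the subscriber's own history is flagged.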

  • by HairyCanary ( 688865 ) on Tuesday December 27, 2005 @09:29PM (#14349290)
    Taken the view that the network is theirs?

    It is.

    Like it or not, an ISP does own the part of the network you traverse to get to "the rest" of the Internet. So it should be no surprise that they wish to control it, and consider it their right to do so.

    And I cannot say I entirely disagree. Vote with your wallet. Where a large enough market exists (i.e. people who want no restrictions placed on their access), there will be an ISP to fill that need.

    And besides, I doubt that all ISP's are heading in this direction. I work for an ISP (part of a CLEC) and I know for a fact that we are not considering anything along these lines, and I'd be sincerely surprised if we ever did. Our marketing people, while occasionally dumb, are not nearly stupid enough to try and make it fly.

  • by Anonymous Coward on Tuesday December 27, 2005 @09:31PM (#14349300)
    This is what happens when the internet gets too big. Too many people try to control it for "the greater good". This is not a good thing. Let users be stupid. Let them have to hire someone to fix their mistakes and let them make the choice whether to use microsoftCrapware or Linux. Government regulation is always a bad thing.
  • by TeraCo ( 410407 ) on Tuesday December 27, 2005 @09:32PM (#14349309) Homepage
    And, as pointed out in the article, how will custom proprietary apps get on? Easily - They rock up to the bureau of certification, pay the X thousand dollar testing fee and wait for the results.
  • by Anonymous Coward on Tuesday December 27, 2005 @09:33PM (#14349320)
    "Laptop and home users also have the right to run an insecure PC."

    Which raises a great philosophical question, one which has raged since the beginnings of civilization: Where do you draw the line between personal freedom and rights versus the rights and good of the whole of the people?

    For example- I'm a car nut and I would LOVE it if I could drive whatever I feel like welding together!! But in my state, and most of the US, cars have to be inspected and insured. It's a filter for what we as a society allow to be on the network of roads and highways. (makes for safer but boring driving...)
  • by AWhiteFlame ( 928642 ) on Tuesday December 27, 2005 @09:38PM (#14349343) Homepage
    They're going to be against this not only because Windows computers will be at the top of the list, but because the anti-malware software industry is so large now, and Microsoft is planning to get its fair share of the industry (Microsoft Anti-Spyware Beta?). That is to say, if they're not already getting the benefit from Norton and their other partners. They want their systems to be infected but they want their friendly Windows utilities to come to the rescue and download the latest 'patches'.
  • by JPriest ( 547211 ) on Tuesday December 27, 2005 @09:42PM (#14349363) Homepage
    I think you are wrong. You forget that most ISPs don't care about MSFT's bottom line, but they do care about their profits being eroded from bandwidth hogging spyware and abuse complaints due to infected Windows machines. I think the idea that ISPs are in on some kind of anti-Linux conspiracy is basically just retarded.
  • Re:Sign me up. (Score:2, Insightful)

    by grub ( 11606 ) <slashdot@grub.net> on Tuesday December 27, 2005 @09:52PM (#14349408) Homepage Journal

    Wow, thanks for the heads up. Good thing I'm on the "commie" side of that Great Northern Wall they're planning! :)
  • Re:Hah (Score:3, Insightful)

    by grcumb ( 781340 ) on Tuesday December 27, 2005 @09:54PM (#14349413) Homepage Journal

    "The real question is, is the open source community against it?"

    Actually, I think the real question is 'How could everyone miss the point so completely?'

    Look, I think that government does have a place in enforcing standards, especially with regards to safety and security, but those have to be standards of behaviour. The difference between saying 'nobody is allowed to run software that does X' and 'nobody is allowed to run software X' is critical.

    Taken to its logical extreme, it's the difference between saying:

    'Hoarding money is a crime, so we'll punish anyone who does it'

    and saying:

    'Jews hoard money, so we'll punish all Jews.'

    Another example: I don't give a hoot who made the truck that pollutes my lungs with reeking black clouds of exhaust, nor do I care who the owner is. I just want it to stop. The best way to do this is to set standards for behaviour and punish or reward them as society sees fit.

    Gee, when we put it that way, it almost sounds like what laws are for, huh? 8^)

    In that sense, I have no objection to making malware quarantine compulsory, provided that malware is defined by its actions and not its name.

  • by Zackbass ( 457384 ) on Tuesday December 27, 2005 @10:35PM (#14349567)
    I think the thing that makes this concerning to many of us is that those of us who would be severely hurt by charging extra for things standard today like NNTP or VOIP do not seem to be enough of a force to be of any consequence.

    Suppose a provider like Time Warner decided that they want to increase profits a bit so they make the privilege of using specific ports a five dollar premium fee. Essentially they've created profit where it didn't exist before. Some people will simply have to pay (it's a good deal otherwise, only game in town, and so on) the 'power user' tax.

    What fraction of people care? One in fifty? What fraction will just deal with the extra expense? How will this alternative provider get their data to me, on the network we agreed is owned by the original provider?

    It's hard for me at least to see a purely free market solution arise that doesn't hurt the power user when the service can be sliced up any way the provider wants inconsequentially. That's why I'm worried. The situation may currently favor us who 'abuse' the system by using ports that the average Joe doesn't for things like FTP, NNTP, and remote administration and I'm not saying that it isn't fair for the ISPs to take what they can, but it certainly would hurt us.
  • by obeythefist ( 719316 ) on Tuesday December 27, 2005 @10:53PM (#14349640) Journal
    Of course, if you RTFA, the article stipulates that ISPs would be required by law to only allow boxes with mandatory government spyware running connect to the internet.

    The government is unlikely to be interested in producing a spyware module compatible with your favourite flavour linux distro, although industry uproar might make a Mac version available. Many linux and BSD clients under this system would be completely blocked from using the net.

    Writing spyware for MS is quite easy however and therefore, Windows systems would be the first back on the net when the new wall comes down. Not a bad deal for Microsoft, eh?

    So why are they objecting? Because it's a blatantly stupid idea. Not, as you suggest, because they might lose market share from it, when in fact they stand to gain a monopoly on american internet from it.
  • by mpapet ( 761907 ) on Tuesday December 27, 2005 @11:12PM (#14349712) Homepage
    You are right, but it turns out the whole Internet thing is very useful and a source of wealth and power.

    Naturally, that means it will be regulated by government and made into whatever they please. You could inform your Congressperson of your simple fact and it simply will be drowned out by so many other interests that want to profit from the Internet.

    The most likely candidates that would sell the internet as securable are the media conglomerates, military and law enforcement agencies.

    Media conglomerates want it to be a giant sh*t pipe delivering their DRM'd content into your home.

    Military want to "secure" it to use special applications as weapons. Spies love it for the same reason.

    Law Enforcement wants to catch bad guys on the Internet too. It's like they work with hammers all day and so everything starts looking like a nail.
  • Re:Wow (Score:1, Insightful)

    by Anonymous Coward on Tuesday December 27, 2005 @11:22PM (#14349748)
    You CAN NOT rely on the client for a secure network. I assume blacklist meaning from spam. If spam is spewing out of your ISP from your clients, you can attack that problem thousands of times easier from your network end than trying to secure every Tom, Dick, and Harry that use your network. Being a small provider does not mean it is any harder to accomplish or require a lot of money. Heck, I block any outbound connections from my local network to any smtp server with the exception of my ISP's and to use their server requires auth for sending. It cost me nothing to do this and I am much smaller than you are ;) Only two rules in my firewall config.
    Might be an inconvenience for some of your customers to block smtp but I would think much less of one than trying to certify every single PC from every user on your ISP.
    You can fix it once in the network or play cat and mouse with each individual client.

    To clarify once more... You CAN NOT rely on the client for a secure network.
  • by triffid_98 ( 899609 ) on Tuesday December 27, 2005 @11:28PM (#14349774)
    Say I need to reinstall windows. Since my install CD contains Windows 2000 SP1, for however long I'm re-installing/patching my OS, I have an insecure PC. If my ISP blocks my access on that premise, I am f*cked. Never mind that this entire situation is retarded, since I ought to be able to download the patches and install them offline, but the reality is that windowsupdate.com doesn't work like that. Even over broadband I'll probably spend the next 40 minutes downloading security patches, WTG Bill.
  • Re: Err.... (Score:3, Insightful)

    by Black Parrot ( 19622 ) * on Tuesday December 27, 2005 @11:37PM (#14349808)
    > Check the FA. The fools want people to run client-side software to verify that all your software and hardware are on the approved list. ("Gee, does your client run on PC/104 ARM9 hardware?")

    I wonder how many minutes it would take for someone to write an emulator to send back the "A-OK" signal.

    I can't imagine the system working even if people didn't try to jack with it. It would require regular automatic updates as new products came out, and a simple bug could result in shutting down most their customers in one swoop.

    More likely it would serve as a conduit for a new class of worms.
  • by man_ls ( 248470 ) on Tuesday December 27, 2005 @11:54PM (#14349886)
    Quarantined connections are a very, very good thing. Corporate networks already do this -- there is, if I recall, a Cisco client which enforces router rules based on the security software installed on the PC. Windows RRAS can enforce a quarantine network based on whether or not the connecting machines are patched up-to-date. Captive portal software allows only authenticated users to connect to the greater network -- same with VPN tunnels.

    All of these things work in a very good, and non-censoring way: they require the user connecting to the network, to take certain "safe computing" steps. Requiring virus/spyware protection is overkill (I for one have never run spyware or virus protection, and have only had one spyware infection that required a reformat and two viruses -- in 11 years of being connected to networks unprotected. All of those infections were 3+ years ago.) but requiring that computer users, say, don't broadcast worm packets and don't have unpatched security holes, is a very good thing.

    It's one thing for the ISP to shut off people for downloading certain types of content, it's another if the user is abusing the network resources. Similar to, a phone company won't cut your line for calling people they might not agree with the opinions of -- but if you, say, wardial your entire neighborhood on a daily basis, they have some recourse against you.

    Overall, the ISP restricting access to its network to people who aren't infected and are secure, is only a good thing -- on every possible front. And, from the stand point that Windows updates generally are denied to people using pirate copies, it will reduce software piracy rates as well. There's no excuse for people to still be broadcasting the Sasser worm, other than the fact that it isn't worth their time to fix it. This will make it worth their time, to no longer be a deliberate nuisance to everyone else.
  • by rmallico ( 831443 ) on Wednesday December 28, 2005 @12:01AM (#14349921) Homepage
    it is NOT hard to configure a Windows system to be both secure AND capable of easily running software people need... it's stupid people who purchase e-machines at their corner wal-mart and give it to junior who starts downloading crap from who knows where... The bugs focus on the weak points of the network... it's NOT Microsoft itself, it's the people running the software who are the dolts... hell, you can use ms antispyware, freeware av software and spend 17.99 for the airlinksucks 4 port router/firewall and take the huge target off your head... (that, and not be cruising for warez on some of the more iffy websites out there) i hate hearing how windows can't do this, windows can't do that... it can, it does... if it could not do it how the hell do fortune 1000 companies get anything done anymore? rant now set to stun...
  • by Anonymous Coward on Wednesday December 28, 2005 @01:33AM (#14350234)
    Microsoft has as much of a legitimate reason to be against this as they have not-quite-so-saintly-white reasons. As an American, I don't feel it's anyone else's place to tell me how to live my life, what computer system to run, how to run it, etc. Stay out of my bedroom, stay out of my house, and get the hell off my computer! As a Mac user (and a burgeoning Linux user), I've had to live with discrimination over the years (I go back to 1986, so I know all about the OS wars and tons of other bullshit.) Anyhow, if anything, this might kill Internet usage in the U.S., leaving us even further behind educationally and technologically in the world. This is not exactly what I'd call a smart idea. And, if you think that end users are idiots about this sort of thing, you've obviously never worked in a school or a school district. The moment this kind of crap goes through and gets implemented, I absolutely promise you you'll hear continual stories school after school, county after county, getting knocked off the Internet.
  • by tepples ( 727027 ) <tepples@gmai l . com> on Wednesday December 28, 2005 @02:07AM (#14350326) Homepage Journal

    Now when we reach the point where there's only a handful of ISP's (esp. if they're regional), we will have a problem.

    This may in fact be the case. Now that the FCC has defined DSL as an "information service", this may give the ILEC the right to boot other DSL ISPs off the ILEC's copper. Then you end up with a duopoly, and in that case, "go[ing] elsewhere and find[ing] some other provider" would involve expensive real estate transactions.

  • Re:Even if... (Score:2, Insightful)

    by stalebread ( 920322 ) on Wednesday December 28, 2005 @02:40AM (#14350407)
    I'm all for these restrictions, because they don't apply to Open Source software - masquerading as other software is already quite standard. Only closed-source vendors and closed-minded customers have anything to be scared of, and I've no problem with them being scared silly by Homeland Security.

    That is ridiculous. Stop being blinded by your hatred of everything Microsoft/closed source and open your eyes. If ISPs get involved in regulating what's on peoples' computers, it's opening up a bag of worms. Besides, who decides what's secure? From what I've seen, nothing is truly secure. Who's to say that in the future, a major corporation with its highly paid lawyers, won't convince some regulatory board that open source software is a security risk? And don't tell me that Linux will just pose as something else. Technology changes, and who knows if it will always be able to do that. For once, Microsoft is on the right side.
  • by Agent Green ( 231202 ) * on Wednesday December 28, 2005 @04:22AM (#14350638)
    That's all well and good...but you're forgetting something critically important.

    On a corporate network, they most likely own every single device on the LAN, and have an IT staff that maintains what the "standard" images are. In fact, one place I worked would block the port within 30 seconds of a link-up condition if the device connecting to it wasn't running an approved image.

    ISPs don't own the users' devices at the edge...and they should _not_ be just given some kind of backdoor to "check on things." Once that exploit gets into the wild, the info could be used to make a much, much more efficient and easy to hide botnet.

    Nobody seems to remember that the road to hell is paved with good intentions, such as this.
  • by dodobh ( 65811 ) on Wednesday December 28, 2005 @05:45AM (#14350844) Homepage
    The problem is that the Internet is _not_ a quarantined corporate network, with a single global policy. If I want to develop a new protocol with a bunch of people all over the world, restricting what I can do is a bad thing.

    The rules change on the open Internet.
  • by Fred_A ( 10934 ) <fred&fredshome,org> on Wednesday December 28, 2005 @06:36AM (#14350954) Homepage
    SUCH USE DESCRIBED BELOW WOULD BE SUBJECT TO TERMINATION OF SERVICE CONTRACT
    Unlimited NationalAccess/BroadbandAccess services cannot be used (1) for uploading, downloading or streaming of movies, music or games,


    So "emerge xbill" is right out

    (2) with server devices or with host computer applications, including, but not limited to, Web camera posts or broadcasts,
    automatic data feeds,


    No RSS for you !

    automated machine-to-machine connections,

    And your box will never have its clock at the right time either, no ntp !

    But you can do some internet browsing. Whatever that is.
  • Re:Even if... (Score:2, Insightful)

    by CagedBear ( 902435 ) on Wednesday December 28, 2005 @09:45AM (#14351390)
    I'm all for these restrictions, because they don't apply to Open Source software

    So you are ok with your ISP requiring that you allow their installation tech to pop a CD ROM into your machine and install an agent to monitor your system? Each time you add a PC or reinstall the OS, you'll call them up and have them come out and do it again? How about when you find out their policy is to support RedHat, but not your favorite FreeBSD distro?

    On a side note, I don't really understand Microsoft's angle on this. It seems to me they would benefit. Heck they could even bundle the agents with Windows and advertise "internet ready".
  • AUP Violations (Score:3, Insightful)

    by nuintari ( 47926 ) on Wednesday December 28, 2005 @10:37AM (#14351634) Homepage
    Laptop and home users also have the right to run an insecure PC.

    Sure, you do have the right to run an insecure PC, run an adware ridden piece of crap to your heart's content, most people seem to think those fifty billion popups and 14 minute boot times are normal. Doesn't mean you should do it....

    It's when I start getting spamcop complaints, and reports of intrusion attempts on other people's PCs that we start to have a problem. Then I have to cut you off from the internet (I work for an ISP), acceptable use policy says nothing in it about infesting the internet just because you aren't smart enough to keep your pc a little more secure.

    If you owned a house next to mine, and you let it fall into disrepair, and become a huge fire hazard, sure, I guess that is your right to do so. If it actually catches fire, and spreads to my house, then we have a problem, because now, your neglect has caused damage to someone else's property. Same on the internet, if you become a threat to your neighbors, I will simply isolate you until you are no longer a problem.

  • by twitter ( 104583 ) on Wednesday December 28, 2005 @10:43AM (#14351666) Homepage Journal
    Overall, the ISP restricting access to its network to people who aren't infected and are secure, is only a good thing -- on every possible front.

    That depends entirely on how you can tell. If the method is your silly Cisco router which checks for this or that piece of Windoze shit, it sucks. If the method is detecting obvious spam and worm broadcasting signatures, great. Detecting spambots is getting trickier all the time because the spammers are smart enough to not want to damage the user's performance enough for the user to want to fix the computer. ISPs have been turning off blatantly broken computers for a while and it is a very good thing.

    Windows updates generally are denied to people using pirate copies, it will reduce software piracy rates as well.

    How do you equate the two without advocating some really stupid and lazy method of punishing people for not having whatever Bill Gates wants you to have right now? A check which provides that kind of solution will outlaw all the software that's actually secure.

  • by skiman1979 ( 725635 ) on Wednesday December 28, 2005 @12:29PM (#14352304)
    I for one have never run spyware or virus protection, and have only had one spyware infection that required a reformat and two viruses -- in 11 years of being connected to networks unprotected. All of those infections were 3+ years ago.
    I've seen people make this claim before. If you do not run spyware/virus protection, how do you know that you're not infected? I mean you would notice if your computer started opening popup ads every 5 minutes for a spyware infection, but a lot of malware works in the background. Wouldn't you need to scan your system to detect these sorts of things? Would you know for sure that you don't have a rootkit on your system if you didn't use some type of software that detects this?
  • by Alsee ( 515537 ) on Wednesday December 28, 2005 @01:21PM (#14352661) Homepage
    Before the situation can occur, "legacy" software must be re-written or otherwise processed to allow it to run inside the "Trusted" platform.

    No. You are absolutely right that that would be a huge barrier to deploying such a system. No one would ever buy a computer that cannot run their existing software.

    One of the most critical aspects of their Trusted Computing deployment is to ensure that there is NEVER any reason NOT to have a Trusted computer. No reason NOT to take a Trusted computer.

    A Trusted computer can do everything and anything a normal computer can do. A Trusted computer can run any and all existing software.

    A Trusted Computing *is* a normal computer with all of the capabilities of a normal computer. It just has something extra. A new Trusted mode, or as I call it "handcuff mode". Outside handcuff mode it is a normal computer. Once you turn Handcuff mode on the computer can report to other people what hardware and software you have, and it can unlock "DRM files" on the condition that you are running the EXACT and UNMODIFIED software approved to read that file. And of course the DRM software can create locked files that can only be read in handcuff mode by that exact unmodified software.

    So old software always runs fine, both in normal mode and in handcuff mode. Old files can always be read no problem, both in normal mode and in handcuff mode. However certain NEW software will refuse to run except in handcuff mode, and certain NEW files can only be read by approved software and only in handcuff mode, and people over the internet can set up new software that refuses to talk to you unless you send a Trust report stating that you are running the software they want you to run.

    So normal websites can be viewed on a Trusted computer using any web browser, but NEW websites can be set up that will spit out error messages unless you have a new PC in Trust mode and you run an approved new Trusted browser.

    The entire point of Trusted computing is to make people with normal old computers suffer. None of the new stuff works on normal old computers. They increasingly get error messages telling them they need to upgrade to a new Trusted "enhanced" computer. For anyone with a Trusted computer, everything both old and new "just works". The new stuff may only work in DRM-hell handcuff mode on new computers, but that's still "more" and "better" than it not working at all on old computers.

    On top of that, your system cannot phone home to ANYONE without software to tell the hardware what to do.

    Does the Windows Product Activation process ring a bell?

    I expect online activation will be increasingly required for the installation of software, but in fact the entire system can work just off of a single operating system activation. Other software could then undergo a secure Trusted installation with Windows itself handling the encrypted software. It would be impossible to install or decrypt the software without the key loaded into Windows and locked by the Trust chip, and if you make any attempt to modify the Windows software the Trust chip denies you the key. So there'd be no way to decrypt and install the encrypted application without the assistance of the unmodified DRM-enforcing operating system.

    On top of that, your system cannot phone home to ANYONE without software to tell the hardware what to do.

    Yes. That is why they formed the Trusted Computing Group, which currently contains something like two hundred companies - virtually every significant company in the computer industry. And why they have designed in certain "privacy features" and they are advertising it as a privacy enhancing system. (Hah!) Hyping the fact that there are protections built in to keep your ID number secure unless you "opt-in" to reveal it. They even formed a bogus "grassroots" consumer protection group lobbying for new standards for consumer privacy protections and standards... and they just so happen to be "demanding" the exact protections that
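
The key release and software reporting described in the comment above, as an added example that is not part of the original post or any vendor's code. It is a toy model: the `ToyTrustChip` class, the component names, SHA-256 as the measurement hash and an HMAC standing in for the chip's signature are all assumptions.

```python
import hashlib
import hmac
import os

def extend(pcr: bytes, component: bytes) -> bytes:
    # PCR extend: new = H(old || H(component)). Order-sensitive and one-way,
    # so software loaded later cannot erase what was measured before it.
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure(components) -> bytes:
    pcr = bytes(32)  # register resets to zero only at power-on
    for c in components:
        pcr = extend(pcr, c)
    return pcr

class ToyTrustChip:
    """Constructed stand-in for the trust chip; not the TCG command set."""

    def __init__(self):
        self._root = os.urandom(32)  # secret that never leaves the chip
        self.pcr = bytes(32)

    def boot(self, components):
        self.pcr = measure(components)

    def _pad(self, pcr: bytes) -> bytes:
        return hmac.new(self._root, b"seal" + pcr, hashlib.sha256).digest()

    def seal(self, key: bytes, required_pcr: bytes) -> dict:
        # Bind a key of up to 32 bytes to one exact software stack (toy XOR pad).
        blob = bytes(a ^ b for a, b in zip(key, self._pad(required_pcr)))
        return {"pcr": required_pcr, "blob": blob}

    def unseal(self, sealed: dict):
        # Release the key only if the running stack matches the sealed one.
        if not hmac.compare_digest(sealed["pcr"], self.pcr):
            return None
        return bytes(a ^ b for a, b in zip(sealed["blob"], self._pad(self.pcr)))

    def quote(self, nonce: bytes):
        # Attestation report: the PCR plus a MAC over (nonce, PCR). A real chip
        # signs with an asymmetric key; HMAC keeps this toy stdlib-only.
        return self.pcr, hmac.new(self._root, nonce + self.pcr, hashlib.sha256).digest()

# Constructed sample stacks: an approved one and one with a patched player.
APPROVED = [b"bootloader-v1", b"os-kernel-v1", b"media-player-v1"]
MODIFIED = [b"bootloader-v1", b"os-kernel-v1", b"media-player-v1-patched"]
```

Booting `MODIFIED` changes the final register value, so `unseal` returns `None` for a key sealed to `APPROVED`, and rewriting the blob's `pcr` field to the current value yields only garbage because the pad is derived from the register.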
  • by Gildersleeve ( 932517 ) on Wednesday December 28, 2005 @01:55PM (#14352872)
    ...According to Chief Privacy Officer Peter Cullen, Microsoft is against ISPs doing anything that would restrict customers' choice of software.
    What, something like writing web pages to stop a particular browser from viewing them? *cough*Opera*cough*
