ISP Restrictions Based on Hardware/Software? 387
An anonymous reader writes "IT Architect magazine is reporting that ISPs are working towards a greater restriction of a customer's right to run what may be 'insecure' software. From the article: 'A greater threat is that ISPs may try to restrict the customer's side by denying access to machines based on their hardware or software configuration. [...] former head of cybersecurity, White House terrorism advisor Richard Clarke even said it should be made mandatory to quarantine malware.' Something that may also come as a surprise to some is that Microsoft is completely against this censorship of internet access. 'According to Chief Privacy Officer Peter Cullen, Microsoft is against ISPs doing anything that would restrict customers' choice of software. And he says this isn't just about the impracticability of demanding that data centers patch everything on the second Tuesday of the month. Laptop and home users also have the right to run an insecure PC.'"
Microsoft's involvement (Score:5, Interesting)
Wow (Score:2, Interesting)
Hah (Score:2, Interesting)
There Will Be Alternatives... (Score:3, Interesting)
MS jokes galore (Score:1, Interesting)
"ISP" == Inherent Stupidity of People (Score:2, Interesting)
ISPs, Telcos, are symptoms of antiquated centralist thinking.
Comment removed (Score:3, Interesting)
Re:Microsoft's involvement (Score:5, Interesting)
Of course, they could also monitor traffice in and out of an IP and watch to see if there's spy/malware type things going on, which a cloak wouldn't mask. In which case, they should notify the end-users, not restrict them without doing so.
We'll see how this plays out. The trend is toward more speed, more speed, and I don't see that changing anytime soon. If a malware infected PC's user doesn't know he/she has it, and internet service becomes slower because the cable company reduces the speed, the user will just think the service sucks and switch to DSL or whatever else.
Re:Of course Microsoft is against it... (Score:5, Interesting)
That'll actually not work for most ISPs. If you call my ISP (Cox Cable) for a new installation these days, the installer will show up with a home router/firewall along with the modem. You have to ask to get a direct computer-modem hookup, or do the installation yourself. Windows-only access agents don't play well with that setup. Cox went with it, BTW, because it's cheaper and easier for them to manage the firewall and router than it is to keep dealing with malware/virus-related support calls from clueless Windows users.
Re:This is the real world. (Score:5, Interesting)
Hope it never happens (Score:2, Interesting)
Re:Hah (Score:3, Interesting)
Fair to who? IT technicians and open source advocates? They must represent at least
Not a bad idea... (Score:3, Interesting)
Thoughts?
Re:Bend us over and Shape our Bandwidth... (Score:3, Interesting)
And I cannot say I entirely disagree. Vote with your wallet. Where a large enough market exists (i.e. people who want no restrictions placed on their access), there will be an ISP to fill that need.
Problem is, most places have 1, possibly 2 isps for broadband. Not really a choice, is it? I say, either open up your lines or accept some restrictions in what you can do to what is, effectively, a captive audience.
That said, I've been shocked at how hands off Comcast has been with me.
Re:This is the real world. (Score:2, Interesting)
Welcome to the new reality - where the telcos decide what you can and cannot do on your machine.
Re:This is the real world. (Score:3, Interesting)
Re:Of course Microsoft is against it... (Score:5, Interesting)
One of my friends had to dig up a spare PC running Windows just for this purpose.
Re:This is the real world. (Score:2, Interesting)
Re:Of course Microsoft is against it... (Score:3, Interesting)
Moving was stressful enough in the first place and the fact that the "tech" they sent was less than competent did not improve my mood. I had to restrain myself from pointing out that I'd probably been doing that sort of thing for quite a while longer than he had when he started giving me the "that won't work" spiel.
Re:isp's blocking p2p traffic (Score:2, Interesting)
everyone, calm down (Score:2, Interesting)
I did a 6-month internship with a national ISP called CopperNet. They're based in my hometown, and serve all over the country except in my area. I don't know why. As part of my internship, I "shadowed" the CopperNet Customer Service Manager, and spent most of my hours there listening in on calls with Tech Support agents. Also, I got to sit in on a very critical department head meeting, which was called by the president to coordinate a response to the Worm of the Month, one of the earlier Sober variants. This one in particular rated 5 out of 5 on Symantec's virus outbreak report... very fast-spreading, borks up the computer good, and is all over the place ITW (in the wild).
Some of their customers had been infected with it, and CopperNet was in the process of a) getting off Earthlink's blacklist, because customers were complaining that their e-mail to Earthlink users was being bounced, b) diagnosing and helping infected customers get the worm squished, and c) managing a TEMPORARY block-list of users who they believed to be infected.
And at my college, all students are provided with wireless and high-speed Internet access for no extra cost beyond room and tutition, with some restrictions. One of those restrictions is that they will deny Internet access if you are known to be infected with a virus or are the source of malicious traffic. They also run some kind of remote security scanner on connected computers several times a day. I choose to block this inbound traffic with my firewall, but I understand that many people are oblivious about computers, and that this security scanner, while it can be considered an invasion of privacy, is doing the job of mantaining a baseline of security to be responsible stewards of the freedom the Internet gives us.
The bottom line is: Some users are stupid, and that will always be a constant, no matter what OS or ISP they use. If the user doesn't know how or refuses to ensure that his or her computer is being sufficiently secure in order to avoid hurting other users, then someone has to minimize the effects of the user's lack of security know-how, until such time that the user is secure enough to be a responsible citizen of the Internet, regardless of their operating system or service provider of choice.
Re: Err.... (Score:5, Interesting)
You CAN'T.
Not just working with software anyway. This is the Trusted Computing Group's Trusted Network Connect system. I'm been posting on Slashdot about it for over a year now. Thesystem is based on everyone having a Trust chip in their computer (which will come standard in all PCs as a hardware requirement for Windows Vista). The Trust chip spys on and locks down your computer - locks it down against you. Each chip has a unique master key locked inside the silicon... a key that the owner is forbidden to know. In fact the chip is boobytrapped to self destruct if you attempt to open the chip to get at your key. This key is cryptographically signed by the manufacturer, and the manufacturer's key is cryptographically signed by the Trusted Computing Group.
What happens is that the chip can lock files on your computer. If you attempt to make any "unauthorized" modification to your hardware or software, the chip denies you any ability to read or modify your files (you can always delete/destry files, but you can't alter them).
When you try to log on to your ISP, the ISP asks the chip for a "Remote Attestation". The chip then sends a spy report listing exactly what hardware you have and exactly what software you are running. This list gets cryptographically signed and authenticated by the chip. You are forbidden any control over this spy report. The ISP then checks whether they like the hardware and software on the list. If they don't, they refuse you any internet access. They then check the signature authenticating the list, if that fails, you are again denied internet access. Then they check the manufacturer's signature authenticating it as a genine Trust chip. Again, failure means no internet for you. They then check that there is a valid Trusted Computing Group signature on the manufactuer's key, proving that the manufacturer and all chips made by them are properly compliant to deny you control over the master key in the chip and to securely lock down your computer against you and to enforce DRM systems.
Without a genuine key and all of the proper signatures on that key, it is cryptographically impossible to fake the "A-OK signal".
The only way to "fake" the system is to buy a genuine compliant PC and to physically rip a genuine key out of the genuine chip - the boobytrapped self destructing chip.
Oh, and if you do buy one compliant PC and you actually HAVE a sophisticated laboratory and you manage to bypass/disable the boobytraps and selfdestruct mechanism rip one key... that is only good for liberating ONE machine. If you attempt to give that ONE key out to your friends to use in software to fake the system, it will immediately be spotted that that key is in multiple use and has been replicated. As I said, each chip has a unique key. If any key is seen in multiple use then it no longer a legitimate and properly secured key and it immediately goes on a revokation list. All machines attempting to use that key then drop dead.
So for each machine you want to "liberate", you must PURCHASE one GENUINE compliant computer and physically rip the chips one by one. And even then you need to be insanely careful never to leak the fact that your machine is liberated and capable of doing things that you are not permitted to be able to do, or again that key is revoked and drops dead and your REAL MONEY PURACHASE gets flushed down the toilet and you need to pay for another compliant PC to rip another key.
And if the do roll this out, does anyone really dobt that is will be highly criminal to forge the signature and to lie to your ISP every time you log on? Not only is it a contract violation, but it will be computer crime. It is illegally hacking to obtain unauthorized access to a computer network. In fact the way the law is written the already draconian prison terms for that almost inherently carry two or three "special aggravating circumstances" to multiply
Re:Terms of Service (Score:3, Interesting)
And in fact we are running into ALL THREE of those issues are potentially involved here, if not already involved here. While Microsoft claims to oppose ISP's making this system mandatory, they have already produced their own version of the system under the name "Network Access Protection" and they have abused their monopoly position to effectively extort ALL PC manufaturers to include the anti-owner "security" hardware all new PCs for next year. Virtiually all new PCs are sold with thge latest release of Windows preinstalled, and Microsoft simply ANNOUNCED that anyone trying to manufacture and sell non-compliant hardware will simply NOT WORK properly on new machines with Windows Vista.
And in case you didn't notice, the story mentioned the fact that the government is involved in pushing for this. They have been promoting it for a couple of years now. The government has not taken forcible action yet, but it would be premature anyway. The hardware and software had to be produced first, and has yet to be rolled out. All new PCs will have the new hardware and software when Vista rolls out in about a year, and then figure another three or four years for the majority of PCs to be routinely replaced through obsolesence, and then the majority people will have the hardware and they can start the process of making it mandatory. The EU is keen on it too, as part of their new DRM enforcing "Information Society" plans. The UN is keen on taking over the role of "Internet Governance" and to set standards for this sort of thing.If this does become an internet stadard, it then becomes effectively impossible for any ISP *not* to impose it on their users. If they tried their own connections to the internet backbone would fail.
As for machines infected by viruses or worms or whatnot, this system cannot prevent that. To any extent that it *is* helpful against such infections, that is not the design of the system. It is almost a side-effect of the fact that it is designed to secure computers against their owners. It is perfectly possible to get the exact same protections and security for the owner of the computere with an identical design with identical capabilites... except where the owner *would* permitted to know the master key to his own computer. Then the ISP gets the exact same protections against machines getting infected and spewing spam/DDoS attacks or anything else, and anyone who uses their master key to spew spam or to engage in an attack is still just as subject to commerical termination or legal/criminal prosecution.
-
Re:Of course Microsoft is against it... (Score:3, Interesting)
Totally obvious why MS is against it - they're the freakin' cause of the problem in the first place!
While users have the "right" to run an insecure PC, they certainly don't have any "right" to communicate with an ISP if their systems introduce malware or spam into the ISP's network. That should be obvious to anybody with a brain.
Does anybody think any corporation would deliberately allow their users to run insecure machines (leaving out simple incompetence - such as running Windows in the first place - on the part of the sys admins, of course)? So why should ISPs be any different? Just because they're offering a consumer service doesn't mean they don't have the "right" to remove that service when it is abused.
I don't agree with the Feds mandating this policy or trying to enforce it in their usual hamhanded way - and I'd be suspicious of their motives in any event - but I see no problem with ISPs enforcing such a policy. If an ISP abuses the policy - and I certainly would expect some to do that - they can easily go out of business and be replaced by someone more accommodating.
And that actually is why such a policy probably won't be enforced - it's too risky for most smaller ISPs that are operating on tight margins as it is. In fact, about the only way I would see it being enforced is if the larger ISPs tried to use it to force out some of the smaller ISPs. That would eventually backfire as well, but it could happen.
Re:The Horses Mouth (Score:5, Interesting)
But, I've supported all kinds of crap as well, so I really do feel your pain. My worst call was Windows NT Alpha - it looked like Windows 3.1 and we couldn't find half the settings to do anything dialup (this was 2000). The guy screamed and screamed. I transferred him back into the Q on his demand. Got a call from the tech that got the guy "Yea, I just let him go - he was still screaming when I hit the Wrap-up button." I don't know why people expect the ISP to support anything they come up with.
My best support experience is a tie between blind users (they listen better than anyone else) and a 10 year old that was helping his mom fix the internet.
Re:Of course Microsoft is against it... (Score:4, Interesting)
No, you may leave now.
I've been around the military for 20 years now plus some time outside the military. I've moved over 20 times, and I don't play well with people like that at all.
After moving to Germany, my local ISP got upset at me when I told them I would be using a router and I didn't need them to help me setup my access. They wanted me to open the router up to them (remote access) and give them the password so they could do some technical stuff. After prodding a little they threw technobabble at me (MTU, DNS - you know sir, technical stuff) and I said, "Well, opening the router up to you may expose my internal network of over 5 servers, 2 workstations and Cisco equipment to the internet. If you want access, you'll need to proove what you're doing by telling me how to open up a Cisco router for you." They tried to tell me to open my browser and go to 192.168.... "Nope, I said Cisco, not Linksys..."
They shut up and I haven't heard from them since.
Of course, now my wife is demanding that I get rid of the "portable heaters that hum all night in the office". I'll tell her their gone and just relocate them to the basement
Re:Bend us over and Shape our Bandwidth... (Score:3, Interesting)
Re:The Horses Mouth (Score:3, Interesting)
Of course, I learned the very hard way about how Jaws liked TCP/IP. That took an hour and a half of counting tabs and enters to fix that situation. Not only did it fix the problem he was having, but when his computer started talking again, that dude was so cool about it "Ok, you and I are going to go have a stiff drink now. Thanks for the help!"
Re:... and I thought *I* was paranoid (Score:3, Interesting)
Some of the prototype Intel based Apple systems have already been found to include this Trust chip on the motherboard, and there is strong speculation that Apple is likely to use this system to force people to buy Apple-brand Intel-based hardware in order to be able to run the Apple Operating System.
Also with Apple moving to Intel chips.... well Intel has been moving the Trust chip into the CPU itself. I presume that they will have that ready within a year or so. So the mere fact that they are using Intel CPUs may itself automatically make it a Trusted system.
the remote hardware/software scanning item being listed as an actual planned function is the top item on the list, I believe. Also, something I've not heard rumors of, so if you've info handy.
Sure. This is called Remote Attestation.
I'll give a detailed explanation based on the Specifications I've read, and then below that I'll have links to less detailed, but authoratative refference links to confirm the functionality. And you can always just Google for Remote Attestation for a few hundred additional links.
The chip will come effectively welded to the motherboard. It comes with manufacturer signed "Platform Credential". This credential specifies what hardware is present, and according to the Trusted Computing Group specification, it will also detail how securely it is bound to that platform and what level of security it has against various forms of physical attack and any other physical protection mechanisms that are present.
This Platform Credential will presumably be requested and sent during at least some Remote Attestation events.
Now we get to the boot sequence. The general process is to build a "Secure Chain of Trust". This means that the BIOS software gets hashed - the hash is the "identity" of any peice of software. This BIOS hash is recorded in a memory or disk log, and the hash value is hash-mixed into a 160 bit Trust chip register. The BIOS runs and it hashes the bootloader software. The bootloader hash is added to the log of hashes, and is hash-mixed into the Trust chip 160 bit register. The bootloader runs and it hashes the operating system. The OS hash is added to the hash log file, and it too is hash-mixed into the Trust chip register. The point here is that no software can run and gain control of the system until AFTER it's identity has been added to the log file and mixed into the Trust chip's rolling hash register.
The operating system may then hash and log EVERY program you load, mixing that hash into the Trust chip register, or the operating system might run normal non-Trusted software normally and only adding Trust-using software to the log file and mixed into the Trust chip register.
Oh, and at any point the ID codes of your network adapter and hardrive and videocard and monitor and any other hardware might be added to the hash log as well.
Now here's the reason a log file is kept of each hash value... the Trust chip has limited memory and it only uses the rolling 160 bit hash register to secure the current cumulative state of the system. What happens during Remote Attestation is that the system sends the other person the FULL LIST of all of the software that got added to the hash log. That person can look at each value on that list to identify the EXACT software (and potentially hardware) on your system. The first item on the list is the BIOS identity, then the bootloader identity, then the operating system identity, then each and every program you've run. The LAST item in the list would generally be the currently running application, the one thatthe other person is talking to. That makes it really easy to check that they're talking to the software they want - that they INSIST - you to be running. However what you just sent them was an ordinary text logfile and it would be trivial for you to alter it or fabricate it completely. What happens is that the other person can walk th