Blame the Victim: Microsoft Proposes Blocking Infected Computers from the Big Wide World

This seems to be my week to be irritated.

From the BBC:

Virus-infected computers that pose a risk to other PCs should be blocked from the net, a senior researcher at software giant Microsoft suggests.

The proposal is based on lessons from public health, said Scott Charney of the firm’s Trustworthy Computing team.

It is designed to tackle botnets – networks of infected computers under the control of cybercriminals.

Graham Cluley of Sophos, among others, doesn’t seem to think much of Microsoft’s proposal.

“Microsoft doesn’t have a faultless record when it comes to security,” he said.

“It has improved over the years, but every month they have to release a package of updates.

“There may be some who would say that Microsoft shouldn’t be on the internet until they get their own house in order.”

After two decades of development, Microsoft still cannot create a workable security model, so now it proposes to make the users pay (er, pay more?).

I recently had a long discussion with my LUG about running anti-virus on my Linux computers–which I do.

A highly configurable firewall is inherent in Unix and Linux, and the old hat Unix guys (and some of the new hat Linux/Unix guys) argued that a good firewall was all that was necessary, unless I run a mail server for Windows email clients. They pointed out that Linux anti-virus clients use virus signature files that look for Windows viruses because, frankly, there are no *nix viruses in the wild (though *nix viruses have existed); they also pointed out that viruses are no longer the major issue–botnets and remote control are.

There are two reasons why *nix malware is so rare as to be almost non-existent:

  • *nix has a small footprint in the market and is therefore not a big target.
  • The *nix security model is inherently more effective, so *nix is not an inviting target. Unix was designed as a multiuser system from the beginning, so security was part of the design from the git-go.

Most *nix computing, except for certain aspects of system administration, is done as a user, with limited rights, though not nearly so limited as the notorious Windows “Guest” user. For example, as user, I can run any program that I have “read” access to (“read” access is commonly the default).

I can look at the directories containing system files, but I cannot delete or modify them in any way; I cannot copy a new file into one of those directories. Linux sticks out its tongue and tells me to go away (“You do not have access to [directory name]”). I must log in with root user (administrator) rights to do that sort of stuff.

Assuming that my root password is something more complicated than password or 1234, if a baddie gets loose in my computer during normal operations, it might trash my personal files and settings in my home directory (the ones that are backed up over there and also over at that other place), but it’s not going to give control of the computer to someone else or integrate it into a botnet or do any of that other stuff.
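The access rules described in the last few paragraphs, as an added example that is not part of the original post: a small Python model of the traditional Unix owner/group/other mode-bit check, run over constructed entries. The `Entry` class, the helper names, the uid/gid numbers and the sample paths are assumptions for illustration; ACLs, the sticky bit, capabilities and mandatory access control are not modeled.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    path: str
    mode: int  # file type plus permission bits, as in st_mode
    uid: int   # owning user
    gid: int   # owning group

NEED = {"r": 4, "w": 2, "x": 1}

def allowed(entry, uid, gids, want):
    """Traditional mode-bit check; `want` is any combination of 'r', 'w', 'x'."""
    if uid == 0:
        # root passes read/write checks; executing a regular file
        # still requires at least one execute bit to be set.
        is_file = stat.S_ISREG(entry.mode)
        return not ("x" in want and is_file and not entry.mode & 0o111)
    # Exactly one class applies: owner, else group, else other.
    if uid == entry.uid:
        shift = 6
    elif entry.gid in gids:
        shift = 3
    else:
        shift = 0
    granted = (entry.mode >> shift) & 0o7
    needed = sum(NEED[c] for c in set(want))
    return (granted & needed) == needed

def can_change_contents(directory, uid, gids):
    """Creating or deleting a name needs write and search on the directory."""
    return allowed(directory, uid, gids, "wx")

# Constructed sample entries (uids, gids and paths are illustrative).
ETC = Entry("/etc", stat.S_IFDIR | 0o755, 0, 0)
HOME = Entry("/home/alice", stat.S_IFDIR | 0o700, 1000, 1000)
SHADOW = Entry("/etc/shadow", stat.S_IFREG | 0o640, 0, 42)
ODD = Entry("/home/alice/odd", stat.S_IFREG | 0o077, 1000, 1000)

ALICE = (1000, {1000})  # ordinary user: uid and group set

if __name__ == "__main__":
    for e in (ETC, HOME, SHADOW, ODD):
        perms = "".join(c for c in "rwx" if allowed(e, *ALICE, c))
        print(f"{e.path:18} alice may: {perms or 'nothing'}")
```

The `ODD` entry shows that only the first matching class is consulted: the owner is refused even though every other user is allowed.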

(So why do I run an anti-virus? For the same reason I have a fire extinguisher. Just in case.)

Windows, on the other hand, is descended from DOS, by way of Windows NT. DOS had no security model. Anyone could do anything. Anti-virus vendors came into being because DOS and later Windows were so porous. Security was an afterthought.

Microsoft’s efforts to improve security have been like a homeowner’s putting more locks on a screen door.

It’s still a screen door.

They are proposing that users pay if the locks fail.

It’s still a screen door.

In other news, go Phillies.
