Notes on Trustworthy Computing

How much is security worth to you? What about freedom? Currently, the Internet is akin to the Western United States in the 1800s. It is mostly a lawless land, unorganized, untaxed, and full of roaming bad guys. The commercial sector is exploiting it more and more. And in turn, is being harassed by the bad guys (crackers). Some foolish individuals, and organizations, wish to expel all of the bad guys from the Internet, and fund it with a tax on all Internet connections. Not only is this an ineffective waste of everyone’s money, it will make things worse.

Microsoft’s Scott Charney wishes to frame the issue of computer viruses in the same manner as their biological counterparts. He boasts, “I actually think that the health care model, particularly related to the World Health Organization and the Center for Disease Control …might be an interesting way to think about the problem.” While the idea itself is not new, the implications tend to draw heated debate. And, after the H1N1 and Avian Flu scares that did not materialize during the last decade, following too closely in the footsteps of the WHO and CDC would be foolish. However, having a procedure for containing and cleaning up virus outbreak is beneficial.

Charney continues, “Why don’t we think about access providers who are doing inspection and quarantine, and cleaning machines prior to access to the Internet?” With the bandwidth shaping technologies out today, a third party real time traffic scanner for malicious activity is possible. However, the first hurdle to this is the issue of privacy. With the real time scanner, the carrier could look at data that was once forbidden. Looking at packet destination won’t work as botnets become more sophisticated and operate in a more peer to peer fashion. Thus, content analysis will become necessary. This will drive both the botnets and legitimate users to encrypt all network traffic. Which is the second issue, real time scanners will become ineffective in the arms race against the bad guys.

Creating a WHO of computer viruses will cost money. Charney suggests a compulsory internet tax for all connected individuals. He even goes as far as suggesting that “…it’s a public safety issue…” Since when has the Internet been vital for public safety? If we, as a global community, are so dependent on the Internet for day to day life, maybe the roll of the Internet needs to be rethought. Twenty years ago, most people had never heard of the Internet. Today, most use the Internet just for logging into Facebook and playing Farmville or some other worthless time sink. Contrary to what Hollywood would have you believe, infrastructure–such as nuclear power plants–does not have vital components exposed to the Internet (e.g. the plot in Live Free or Die Hard could not happen). Why should one, who is responsible and maintains good security practices, pay to clean up the computer of some idiot who still believes that a Nigerian prince is going to give him (or her) a large sum of money. Recent viruses have not been self propagating, and the idea that the actions of one idiot will cause everyone else to get infected is invalid. The last major auto infecting worm was Blaster, and that was back in 2003 (Sasser does not count as a patch was available before it went public).

If a WHO of computer viruses is necessary, maybe it should be funded the same way that the quit smoking organizations are, charging the software vendors. Microsoft, in particular should pay. It is their insecure OS (Windows XP), and their ignorant user base that has caused the problem. They need to educate their users as to why UAC is good, and should not be disabled or ignored. Mr Charney, that is your organization, do not push your burden onto us.

-John Havlik

[end of transmission, stay tuned]