A few weeks back, the fine folks at Microsoft used a healthcare analogy to describe a possible solution to the Internet’s bot infestation. Scott Charney suggested that every PC should carry a health certificate, and that the certificate would be its ticket to Internet access. No health certificate, no access. Kind of like a penalty box for consumer Internet users. It’s an interesting idea, and clearly we need some kind of solution to the reality that Aunt Bessie has no idea her machine has been pwned and is blasting spam and launching DDoS attacks.
Unfortunately it won’t work unless it is mandated by some kind of regulation, and the reason is economic. Comcast will proactively send a message to customers whose devices exhibit bad behavior on its network, telling them the device is likely compromised. They call it their Bot Alert program. The message points to a nice web page where the consumer can get answers, and the consumer is then expected to address the issue. If they can’t (or don’t), Comcast keeps notifying the customer until they do. Here’s the rub: if the consumer knew what they were doing in the first place, they wouldn’t have gotten pwned.
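To make the “exhibiting bad behavior” part concrete, here is an added example (not Comcast’s code, and not a description of how Bot Alert actually works) of the kind of heuristic an ISP could run over outbound flow summaries to flag the two behaviors mentioned above: a host blasting spam and a host participating in a DDoS. The flow record format, the thresholds, and the sample flows are all assumptions constructed for the illustration.

```python
"""
Toy bot-alert heuristics over outbound flow summaries.
Added illustration only; the record layout, thresholds and sample data
are assumptions, not any ISP's real detection logic.
"""
from collections import defaultdict

# Constructed flow summaries: (src_ip, dst_ip, dst_port, packets, tcp_flags).
# Not captured from any real network.
SAMPLE_FLOWS = [
    # 10.0.0.5: an ordinary home user (web browsing, one mail server)
    ("10.0.0.5", "93.184.216.34", 443, 40, "SA"),
    ("10.0.0.5", "93.184.216.34", 80, 12, "SA"),
    ("10.0.0.5", "198.51.100.7", 25, 8, "SA"),
    # 10.0.0.9: SMTP to 40 distinct hosts in one window, i.e. a spam bot
    *[("10.0.0.9", f"203.0.113.{i}", 25, 3, "SA") for i in range(1, 41)],
    # 10.0.0.12: thousands of SYN-only packets at one target, i.e. a DDoS node
    ("10.0.0.12", "192.0.2.80", 80, 5000, "S"),
    ("10.0.0.12", "93.184.216.34", 443, 20, "SA"),
]

# Thresholds are assumed values for the example; a real deployment would
# tune them against baseline traffic for the access network.
SPAM_DISTINCT_MX = 30     # distinct SMTP destinations per window
SYN_FLOOD_PACKETS = 2000  # SYN-only packets to a single destination


def classify_hosts(flows):
    """Return {src_ip: reason} for every host that looks bot-like."""
    smtp_dsts = defaultdict(set)                     # src -> set of SMTP peers
    syn_only = defaultdict(lambda: defaultdict(int))  # src -> dst -> SYN count
    for src, dst, dport, pkts, flags in flows:
        if dport == 25:
            smtp_dsts[src].add(dst)
        if flags == "S":  # SYN without an ACK ever seen: half-open flood
            syn_only[src][dst] += pkts

    verdicts = {}
    for src, dsts in smtp_dsts.items():
        if len(dsts) >= SPAM_DISTINCT_MX:
            verdicts[src] = f"spam: SMTP to {len(dsts)} distinct hosts"
    for src, per_dst in syn_only.items():
        for dst, pkts in per_dst.items():
            if pkts >= SYN_FLOOD_PACKETS:
                verdicts[src] = f"ddos: {pkts} SYN-only packets to {dst}"
    return verdicts


def bot_alert_messages(flows):
    """One notice per flagged subscriber, pointing at their account page
    rather than a clickable link in the notice itself."""
    return [
        f"{ip}: your device is likely compromised ({why}); "
        "sign in to your account page for next steps"
        for ip, why in sorted(classify_hosts(flows).items())
    ]


if __name__ == "__main__":
    for line in bot_alert_messages(SAMPLE_FLOWS):
        print(line)
```

Run as-is it flags 10.0.0.9 and 10.0.0.12 and leaves 10.0.0.5 alone. The hard part in practice is not this logic but what happens next: the notice lands on a customer who, as the next paragraph says, is the least equipped to act on it.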
You can’t blame Comcast (or any other ISP) for drawing a line in the sand. They charge maybe $40 a month for Internet service, so the minute a customer picks up the phone and calls for help, the ISP loses money on that customer for the month. There is no financial incentive to fix the compromised device. Sure, a bot does bad things. But bad enough to spend staff time fixing every one of them? The constant notifications will definitely push customers to call and force Comcast to help them address the issue. I guess that worked OK in their pilot test, but we’ll see how well it scales as they roll it out nationwide.
And Comcast seems to be out in front on this issue. I’m not familiar with any similar initiatives from the other major ISPs. So let’s tip our hat to Comcast for at least trying to do something. But is it the right approach?
Do we just accept the fact that a percentage of consumer devices will be pwned and will exhibit bad behavior? Is it a cost of doing business for the ISPs? Is there some other kind of technical, procedural, or cultural answer?
I wish I knew. What do you folks think? Can this health certificate thing work? Am I just stuck in a cycle of cynicism that prevents me from seeing any solution to this problem? Or do we just make sure our families aren’t the path of least resistance and forget the rest?
10 Replies to “FireStarter: Consumer Internet Penalty Box”
@Jay, better late than never. That’s a funny analogy but all too true. The world is still MSFT centric (even with all of us Apple fanboys roaming the halls now), and that’s where the bulk of the problems remain, so it makes sense for them to focus on that platform.
To be fair, I think that if the consumers would have up to date patches, more secure configuration and maybe even get rid of IE6 and use an O/S more recent than Windows 98, things would be marginally better.
But they won’t and due to the way a lot of inter-network traffic is charged back between ISPs and network peering points, they don’t have a choice but to deal with it.
It’s an untenable situation. But it’s the one we’ve got. Let’s just hope the ISPs can light fiber fast enough to keep up because I need my 20 Mbps up/down at all times.
Late to the party again…
I think this sounds monumentally dumb and MS-specific. All good points here. However, fer the love of all that is good, how about we focus more on creating systems that stay healthy rather than skull-thumping end-users for, well, being end-users?
It’s like we’re telling them to drive their car across a pothole-laden road and our fix is to put a sensor in the road that tells the idiot drivers when their suspension is screwed up.
NSS and AVtest data suggest that AV systems have a prevention rate of 30-75% of the current wildlists. So even with up-to-date AV, this lets infected systems on the net. Is software whitelisting next?
Also, what happens when less-enlightened governments get their hands on this? Green Dam at the network port? Will the Turks ban your system if it’s configured to work in Kurdish?
What’s the next three plays by each side, and where will that leave us?
Could be the ‘infected’ customers are the ones who are already calling support and Comcast simply wants to annoy them enough that they go somewhere else.
If the support call isn’t about the internet connection, they can just push the customer to someone they can pay to fix the issue… and maybe get a referral fee from that service technician.
Heads you win. Tails I lose, eh?
Clearly the malware notification would typically fall into a category of something we shouldn’t click on. But as @nick said, that’s how they got pwned in the first place.
@jack makes a bunch of good points about who defines what is “healthy,” and that has to be the ISP. But who is going to be the first to say that is no good, and not take the $40 each month? Right, probably no one because it’s not just $40. Lose the Internet service and the ISP will lose the phone and cable, and maybe the cell phone too. That’s not just $40, it’s now $140. Won’t happen.
So the answer is unfortunately to keep beating our heads against the wall. I do applaud Scott Charney and everyone else that gets us maybe thinking about how to change things. But ultimately I think this kind of fraud is just like shrinkage in the retail business. You factor in the cost and you deal with it.
Unless I’m missing something (which is entirely possible)…
There are a number of technical reasons why the health-certificate won’t work (too long to address the Comcast approach):
– There are many and widely varied operating systems in use today on devices that connect to the Internet. Microsoft only has a small taste of the hassle of making an app run on several versions of their own OS, how could health-certificate software run on every OS? You can’t block someone from connecting to the ‘net just because they’re using an innovative OS that doesn’t have an “approved” health-check app yet.
– Running anti-virus software and an inbound packet-filtering firewall doesn’t actually grant you much protection in today’s world of drive-by downloads. Requiring them would merely line the pockets of big AV vendors and slow down users’ computers, without making them much “healthier”. One could argue that they would be sicker, with their “immune system” often attacking its own host (FPs) and causing general sluggishness.
– Being up-to-date on patches is probably the best suggestion, but still it’s questionable. Which vendors would be included in the checking? Certainly not all apps would be subjected to this, it would set the bar for entry into the software market impossibly high. Even if you are up-to-date on patches, you can still be quite vulnerable. Anyone running Adobe, Apple, Microsoft, or Oracle software could tell you that. What about rankings for the “side-effects” of software from vendors? Some vendors consistently write software that’s not very healthy for you, where’s the equivalent of the FDA?
Summary: I see it boiling down to two things: Putting the Anti-Virus industry on irrational life-support (just pull the plug already), and stifling innovation & personal choice.
The only “health Certificate” I can imagine would be verification of the presence of an active firewall package and AV software, similar to what many VPN packages do. And even that won’t be much protection. After all, our home states require us to have a driver’s license to drive but that’s no guarantee of being a good driver.
Putting the onus on the ISP will only raise connection rates and may not produce meaningful remedies.
I work at an ISP and would be overjoyed to be able to do this for our customers. This is the next level of the game.
As for whether this is the cost of doing business? Maybe, but in the ISP world it’s a cost we increasingly can’t afford.
Comcast may mean well, but seriously…
To the users we need to reach, what is the difference between a popup from a malware distributor which says “you have a virus, click here to clean it up” and one from Comcast saying the exact same thing? This will only further the rogue AV problem by supporting the idea that it is OK to click on popups.
As far as the “health certificate”, who defines health? One company (or a small group) can’t do it fairly (at least not long term), multiples can’t be trusted (look at the certs your browser trusts for you).
They made an interesting point about this on the pauldotcom show. Aren’t the emails that the user receives from his ISP telling him he has some malware and he can click this link to find out more about how to fix it spookily similar to the messages we tell users NOT to click on? It’s pretty easy to spoof emails that would look valid, and maybe phish some credentials.
Of course you might argue that it would still work because clicking on things is probably what got the user infected in the first place.
I like the idea that ISPs can help to reduce the problem, but I think the method is flawed. I don’t really have any better suggestions at the moment though.