Internet Quarantines

Last month, Scott Charney of Microsoft proposed that infected computers be quarantined from the Internet. Using a public health model for Internet security, the idea is that infected computers spreading worms and viruses are a risk to the greater community and thus need to be isolated. Internet service providers would administer the quarantine, and would also clean up and update users' computers so they could rejoin the greater Internet.

This isn't a new idea. Already there are products that test computers trying to join private networks, and only allow them access if their security patches are up-to-date and their antivirus software certifies them as clean. Computers denied access are sometimes shunned to a limited-capability sub-network where all they can do is download and install the updates they need to regain access. This sort of system has been used with great success at universities and end-user-device-friendly corporate networks. They're happy to let you log in with any device you want--this is the consumerization trend in action--as long as your security is up to snuff.

Charney's idea is to do that on a larger scale. To implement it we have to deal with two problems. There's the technical problem--making the quarantine work in the face of malware designed to evade it, and the social problem--ensuring that people don't have their computers unduly quarantined. Understanding the problems requires us to understand quarantines in general.

Quarantines have been used to contain disease for millennia. In general several things need to be true for them to work. One, the thing being quarantined needs to be easily recognized. It's easier to quarantine a disease if it has obvious physical characteristics: fever, boils, etc. If there aren't any obvious physical effects, or if those effects don't show up while the disease is contagious, a quarantine is much less effective.

Similarly, it's easier to quarantine an infected computer if that infection is detectable. As Charney points out, his plan is only effective against worms and viruses that our security products recognize, not against those that are new and still undetectable.

Two, the separation has to be effective. The leper colonies on Molokai and Spinalonga both worked because it was hard for the quarantined to leave. Quarantined medieval cities worked less well because it was too easy to leave, or--when the diseases spread via rats or mosquitoes--because the quarantine was targeted at the wrong thing.

Computer quarantines have been generally effective because the users whose computers are being quarantined aren't sophisticated enough to break out of the quarantine, and find it easier to update their software and rejoin the network legitimately.

Three, only a small section of the population must need to be quarantined. The solution works only if it's a minority of the population that's affected, either with physical diseases or computer diseases. If most people are infected, overall infection rates aren't going to be slowed much by quarantining. Similarly, a quarantine that tries to isolate most of the Internet simply won't work.

Fourth, the benefits must outweigh the costs. Medical quarantines are expensive to maintain, especially if people are being quarantined against their will. Determining who to quarantine is either expensive (if it's done correctly) or arbitrary, authoritative and abuse-prone (if it's done badly). It could even be both. The value to society must be worth it.

It's the last point that Charney and others emphasize. If Internet worms were only damaging to the infected, we wouldn't need a societally imposed quarantine like this. But they're damaging to everyone else on the Internet, spreading and infecting others. At the same time, we can implement systems that quarantine cheaply. The value to society far outweighs the cost.

That makes sense, but once you move quarantines from isolated private networks to the general Internet, the nature of the threat changes. Imagine an intelligent and malicious infectious disease: That's what malware is. The current crop of malware ignores quarantines; they're few and far enough between not to affect their effectiveness.

If we tried to implement Internet-wide--or even countrywide--quarantining, worm-writers would start building in ways to break the quarantine. So instead of nontechnical users not bothering to break quarantines because they don't know how, we'd have technically sophisticated virus-writers trying to break quarantines. Implementing the quarantine at the ISP level would help, and if the ISP monitored computer behavior, not just specific virus signatures, it would be somewhat effective even in the face of evasion tactics. But evasion would be possible, and we'd be stuck in another computer security arms race. This isn't a reason to dismiss the proposal outright, but it is something we need to think about when weighing its potential effectiveness.

Additionally, there's the problem of who gets to decide which computers to quarantine. It's easy on a corporate or university network: the owners of the network get to decide. But the Internet doesn't have that sort of hierarchical control, and denying people access without due process is fraught with danger. What are the appeal mechanisms? The audit mechanisms? Charney proposes that ISPs administer the quarantines, but there would have to be some central authority that decided what degree of infection would be sufficient to impose the quarantine. Although this is being presented as a wholly technical solution, it's these social and political ramifications that are the most difficult to determine and the easiest to abuse.

Once we implement a mechanism for quarantining infected computers, we create the possibility of quarantining them in all sorts of other circumstances. Should we quarantine computers that don't have their patches up to date, even if they're uninfected? Might there be a legitimate reason for someone to avoid patching his computer? Should the government be able to quarantine someone for something he said in a chat room, or a series of search queries he made? I'm sure we don't think it should, but what if that chat and those queries revolved around terrorism? Where's the line?

Microsoft would certainly like to quarantine any computers it feels are not running legal copies of its operating system or applications software.The music and movie industry will want to quarantine anyone it decides is downloading or sharing pirated media files--they're already pushing similar proposals.

A security measure designed to keep malicious worms from spreading over the Internet can quickly become an enforcement tool for corporate business models. Charney addresses the need to limit this kind of function creep, but I don't think it will be easy to prevent; it's an enforcement mechanism just begging to be used.

Once you start thinking about implementation of quarantine, all sorts of other social issues emerge. What do we do about people who need the Internet? Maybe VoIP is their only phone service. Maybe they have an Internet-enabled medical device. Maybe their business requires the Internet to run. The effects of quarantining these people would be considerable, even potentially life-threatening. Again, where's the line?

What do we do if people feel they are quarantined unjustly? Or if they are using nonstandard software unfamiliar to the ISP? Is there an appeals process? Who administers it? Surely not a for-profit company.

Public health is the right way to look at this problem. This conversation--between the rights of the individual and the rights of society--is a valid one to have, and this solution is a good possibility to consider.

There are some applicable parallels. We require drivers to be licensed and cars to be inspected not because we worry about the danger of unlicensed drivers and uninspected cars to themselves, but because we worry about their danger to other drivers and pedestrians. The small number of parents who don't vaccinate their kids have already caused minor outbreaks of whooping cough and measles among the greater population. We all suffer when someone on the Internet allows his computer to get infected. How we balance that with individuals' rights to maintain their own computers as they see fit is a discussion we need to start having.

This essay previously appeared on Forbes.com.

EDITED TO ADD (11/15): From an anonymous reader:

In your article you mention that for quarantines to work, you must be able to detect infected individuals. It must also be detectable quickly, before the individual has the opportunity to infect many others. Quarantining an individual after they’ve infected most of the people they regularly interact with is of little value. You must quarantine individuals when they have infected, on average, less than one other person.

Just as worm-writers would respond to the technical mechanisms to implement a quarantine by investing in ways to get around them, they would also likely invest in outpacing the quarantine. If a worm is designed to spread fast, even the best quarantine mechanisms may be unable to keep up.

Another concern with quarantining mechanisms is the damage that attackers could do if they were able to compromise the mechanism itself. This is of especially great concern if the mechanism were to include code within end-user’s TCBs to scan computers­ essentially a built-in root kit. Without a scanner in the end-user’s TCB, it’s hard to see how you could reliably detect infections.

Posted on November 15, 2010 at 4:55 AM • 74 Comments

Comments

shadowfirebirdNovember 15, 2010 5:18 AM

"We require drivers to be licensed and cars to be inspected not because we worry about the danger of unlicensed drivers and uninspected cars to themselves, but because we worry about their danger to other drivers and pedestrians."

Linux drivers aren't licensed, and that works out okay AFAIK. (And I suppose you could argue that if drivers were prosecuted for negligently failing to maintain their vehicles, inspections might not be necessary?)

I think you've nailed the concerns nicely, but maybe it's simply that the quarantine model isn't a useful one in this context. Sometimes a model seems to fit but actually doesn't -- prohibition / alcohol springs to mind.

Simon BridgeNovember 15, 2010 5:18 AM

Media companies have been wanting to get NZ isps to enforce quarantines against accused copyright infringers.
http://lawgeeknz.posterous.com/...

... internet users managed to get part of the law repealed by pressuring ISPs (who were expected to enforce it). But it keeps coming back in many guises.

Unfortunately the economic incentives to implement good quarantines are nonexistent.

RichardNovember 15, 2010 5:48 AM

This is a great discussion Bruce. Social engineering comes with costs and brings other issues (that need to be socially engineered).

Your list of liabilities of quarantining remind me of the slippery slope Amazon (and all of us) found themselves in when it was revealed that they were carrying a book on pedophilia. Get rid of Polanski films? Woody Allen's Manhattan? Where does it end?

No doubt we're on the way to quarantining in the background with operating systems that update themselves and applications that send companies information about our computers.

On the face of it, quarantining sounds like a reasonable way to save the whole from the part but the social liabilities are many.

StephenNovember 15, 2010 5:50 AM

@shadowfirebird:

"I suppose you could argue that if drivers were prosecuted for negligently failing to maintain their vehicles, inspections might not be necessary?"

Except that people who don't maintain their vehicles are less likely to have the means to pay the resulting fines. They may be less likely to be concerned about jail time resulting from violations - just like habitual drunk drivers don't care if they don't have a license. The value of the license isn't the perceived authority to drive, it's access to the vehicle that the license permits. Chronic drunks can't buy or rent cars legitimately for lack of a license, so they end up riding scooters (which require no license). This works out nicely because they're no much more likely to kill themselves than someone else.

If you made vehicle inspections an enforcement issue - rather than a regulatory issue - you're transferring highly technical work onto police and insisting that they perform it flawlessly under all sorts of sub-optimal circumstances. Do you want your local police attaching an emissions detector to a '73 Vega at the side of the road at 4:30 in the morning or investigating a string of local assaults?

CaeNovember 15, 2010 6:04 AM

To draw a parallel - this is like imposing a military curfew to the internet.

Also, I've used tools/programs that is detected as a virus by the anti-virus tools but the program is totally legit, then what ?

What about other OS besides Mac and Win, will they be considered "not-normal" (just ask WOW gamers) and be quanrantine?

Roland DobbinsNovember 15, 2010 6:17 AM

Qwest have been quarantining abusive/compromised hosts, based solely upon observed external behaviors, since 2006. And Comcast just announced they're doing the same thing.

In both these systems, users can get themselves out of the penalty-box by asserting that they've remediated their boxes. In Qwest's case, repeated quarantines leads to proactive help-desk communications with the user (which translates into opex).

Posture assessment doesn't work, because once you're pwn3d, the malware can like to the assessment system. When I was at Cisco, I pointed out that this alone was the fatal flaw which would render 'NAC' unusuable, not to mention all the opex associated with the version-checking nonsense, and events proved me right.

But quarantining based upon observed behavior can and does work at scale, provided that the architectural and operational models are worked out in advance. The practical span of control of such a system is a single network under a single administrative aegis; as long as more networks do this, one ends up with 'inkblots' of quarantine-enabled networks gradually permeating the Internet as a whole.

Yes, countermeasures in order to ensure that the bots don't let themselves out of the quarantine must certainly be developed and actualized, but that's just part of the ongoing arms race between the miscreants and the rest of us. Nothing new, in that regard.

StephenNovember 15, 2010 6:24 AM

@Simon Bridge

"Unfortunately the economic incentives to implement good quarantines are nonexistent."

There are some fairly straightforward means to construct incentives:
1. Establish a minimum acceptable infection rate ("base rate") for nodes on a well-maintained network.
2. Rate networks according to their actual rate of active infected nodes (with assessments performed over a random 24 hour period once each quarter).
3. Normalize the results to multiples of the base rate and throw out any multiples below 2.0.
4. Stratify the remaining (high) rate multiples into percentiles.
5. Assess per-node fees / fines on the owners of networks according to the percentile rank of their network over the course of the preceding year.

Step 2 is clearly the problematic one, but the audit function could be built into existing enterprise security / network management software suites or devices. Every time the security solution performs a routine scan, there's a chance that it will be used to grade the network. You'd have to make allowances for zero-day worms and the like with calendar-date blackouts, but that's pretty easy, IMO.

The revenue generated could be used to sponsor security research and to support enforcement / auditing. Could even be implemented as a private or non-profit venture - a kind of "Better Internet Bureau" - rather than as an initiative of government. That body could also independently certify security solutions that met auditing or other criteria for use in operating environments of varying scale and complexity.

Peter N. M. HansteenNovember 15, 2010 6:32 AM

One fairly useful indicator of malware or other takeover is that a machine is sending spam or is exhibiting other distinct (unesirable) behavior on the network level.

If we limit ourselves to the spam case, greytrapping (trapping machines that try to deliver mail to known-bogus addresses) can be very effective, at least for easing the load on the content filtering. In fact several greytrapping generated blacklists are available for general use, ie http://www.openbsd.org/spamd/traplist.gz or http://www.bsdly.net/~peter/bsdly.net.traplist).

Key to keeping the number of false positives low is aggressive auto-expiry of entries - the spamd greytrapping default is 24 hours, others such as nixspam go as low as 12 hours of no undesirable activity seen for expiry.

lamerNovember 15, 2010 6:46 AM

Qwest's quarantine program is nothing but a marketing program for McAfee - they demand that you install it, even when network is undeniably clean. Which works great for them when they practically have a local monopoly and the customer has no understanding of why they are disconnected or recourse. Qwest also provides no evidence whatsoever that malware has been on the network.

Nice idea, but non-profit enforcement must be a MUST on this rfc. The ISPs and security vendors would just monetize this baloney.

claudioNovember 15, 2010 7:06 AM

I agree with most of the post, however I feel that "If we tried to implement Internet-wide--or even countrywide--quarantining, worm-writers would start building in ways to break the quarantine" is the kind of generic assertions that are too generic to be true, like "security through obscurity is useless".
It is true that they would try, but this doesn't mean that they would be able to. If this would be true, then every countermeasure would be useless, because then the bad guys would "try to evade it" and automatically succeed.
A quarantine would mean that the ISP would put the pc on a separate network with limitefd access to e.g. a *whitelist* of antivirus sites. Being able to do this is a basic feature of every ISP. Think at something like: "if the ISPs would start to autenticate DSL users, then users would try to evade authentication": ISPs *do* have the upper hand on this, and also on putting users on specific subnets; worms would need to turn to a different ISP in order to be able to access the Internet. The key is that the control is small, simple and based on default deny. If there were holes in this it's not because worms are intelligent, but because some political/contractual issue would turn this simple mechanism in something different.

Brian DuffyNovember 15, 2010 7:13 AM

This sort of scheme is a dangerous slippery slope. Once you allow someone to be quarantined for undesirable activity, whomever controls the definition of undesirable controls who can use the network.

I'm not pro-malware, but I don't want my company quarantined and put out of business because an employee found a way to surf shemale porn or play poker at work. Or because a competitor lobbied the quarantine bureaucracy and convinced them that we were guilty of undesirable behavior.

Historically, extremist groups like the Puritans in the US adopted this model for their societies -- they called it lofty things like "a city on the hill". The modern legacies of this sort of nannyism are things like being unable to get a tattoo in the state of Massachusetts, because someone in the state house knew that only scurvy sailors up to no good had tattoos. At the end of the day they created a repressive environments that took decades to fix.

ThomasNovember 15, 2010 7:31 AM

"Microsoft would certainly like to quarantine any computers it feels are not running legal copies of its operating system or applications software."

I guess they mean me.

Operating System aside, who gets to decide which virus scanner, office suite or browser is up to scratch?

This quarantine filter could easily be subverted into a tool for ensuring you get all your software from companies big enough to be able to afford certification.

Such a 'security' measure would ensure a startup (like Firefox a few years back) could never attain any significant market share. Ironically the pressure Firefox has placed on Internet Explorer to evolve and improve has done more to improve security for the average user than anything else I can think of.

Ideas like this, sponsored by companies like Microsoft, are more than a little unsettling to us Penguins. Maybe we're just paranoid....

JillNovember 15, 2010 8:23 AM

Quarantines are good, but effective vaccines are better by far.

The existence and widespread use of AV software means there is very little to gain from network-level quarantining.

Clive RobinsonNovember 15, 2010 8:31 AM

I can see a big issue as to why ISP's would not wish to have anything to do with over and above cost and resources.

There is the thorny issue of who guards the gate to the citadel has to be responsable in BOTH directions.

That is they would effectivly be liable for having alowed your machine to become infected...

Now if you consider mobile phones running say some stripped down version of Windows then who is responsable for upgrading it phones "sold under contract" are technicaly not the phone users property (otherwise they could unlock them) so it will turn around and byte various OS developers in the backside MS beying the main one.

PC.TechNovember 15, 2010 8:50 AM

What about "false positives"?
Suppose the appointed "traffic cop" (whoever the 'Big Brothers' anoint) decides you are guilty?
U R screwed. Period.

Meanwhile, the online criminal element is free to do whatever they want...
What's wrong with this picture?

.

DNovember 15, 2010 8:57 AM

@shadowfirebird:

But Linux drivers *are* licensed. Since they are copyrighted works, they're either licensed or you're not allowed to have them.

OK, perhaps technically, YOU are licensed by the software maker to use their software, but that's not how we tend to discuss it in the industry.

PeterNovember 15, 2010 8:59 AM

I've often thought that putting a default limit on the number of e-mails an ISP subscriber could send per day would be a useful tool. The vast majority of users don't send more than, say, 25/day. Anyone who actually needs more would have to call their ISP and have the limit increased, or removed. But for most people, hitting the limit would suggest that their machine was being used as a spam forwarder, and they would be encouraged to take action.

The main effect would be to make many machines much less valuable to botnet operators.

JohnNovember 15, 2010 9:16 AM

The quarantine method I think is relatively simple here.

If the machine shows worm activity, i.e. attempts to infect things by way your IDS recognizes, block everything outgoing from it except 80 and 443. QED. You can now use the WWW, but nothing else. No e-mail, no IM, no Skype, no games.

Continue to monitor of course. Whenever it makes an attempt, set the unblock time to now + 24 hours. So first offense, 24 hour block. Second offense 8 hours later, the block stays active for 32 hours total--24 hours from the second offense. A thousand offenses in 10 minutes... 24 hours and 10 minutes blocked.

Immediately on a NEW block and then every 24 hours, set something on your network to change their routing. When they get on the WWW it redirects them to a captive portal, which tells them why they have been blocked. They hit OK and the 24 hour timer is set; they'll see the message again then, or the next time they're blocked after being unblocked, whichever comes first.

The message says "Use one of these products to remove the infection: X Y Z." It also says "We think your OS is this, so go to Microsoft Update/Apple Update/Ubuntu Update/etc and run updates." QED.

This is not a disaster for most users. It still allows gmail/hotmail webmail access. It allows you to web browse blissfully while infected. You can do your e-banking at your own risk.

Best effort, you know?

RichNovember 15, 2010 9:34 AM

A client was on the receiving end of an isp quarantine for spewing spam. Attempts to bring up the web brought a notification page of the problem with contact info. Finding the offending office machine and cleaning it took longer than getting the ISP to clear the block.

John CampbellNovember 15, 2010 9:46 AM

Evolving after the Code Red worm hit IBM's internal network the "Boundary Service Offering" was created in order to provide isolation for "computer labs" within the IntraNet. It seemed strange to me how a "mandatory device" was a mandatory addition.

It was-- and is, still-- my belief that these devices provided a "quarantine" ability, in effect providing a kill switch for a specific lab, allowing cleansing operations to be performed before allowing the labspace to have connectivity to the intranet restored.

The problem, however, is that I can see quarantine "layers" in an OS or switch or router or whatnot becoming a plaything (like the "kill code" for OnStar equipped cars) for folks who are not part of the authorized food-chain.

It is a WONDERFUL means of implementing a denial of service attack, right? And it can be played against servers, too, so you can silence dissent almost instantly.

This "kill switch" is just adding a new vulnerability to the internet.

Mind you, ISPs may be the ones who need to pay attention to abusive systems and they must be far more amenable to licensing and inspection, not that they want to do that, but how can anything like this be done on a global scale?

Should anything like this be attempted on a global scale?

Vaccination leading to immunization has its risks on an individual level but the benefit to the larger community-- family, friends, co-workers, people in the food-court at the mall, etc-- where compliance reaches 99% provided benefits... to those who choose NOT to vaccinate, but that's not quite a compatible model since those running Windows are the ones w/o any vaccination.

cdmillerNovember 15, 2010 10:06 AM

This appears to be a blatant attempt at Internet censorship and control. People *will* be quarantined unjustly under this type of regime for many reasons beyond malware infection. It could easily go so far as "unknown" software or network behaviour gets quarantined by default.

Running an encrypted channel? Prove it's not malware to the grand inquisitor.

Microsoft is pushing for this, but Microsoft's poor product engineering is the cause of much malware taking root in the first place.

"We require drivers to be licensed and cars to be inspected"

Do Internet users need a license, or should it be the proprietary software vendors who hide their bug ridden source code from public audit?

"parents who don't vaccinate their kids have already caused minor outbreaks of whooping cough and measles among the greater population"

How were there outbreaks among the greater population, if the greater population was vaccinated?

Who decides what a valid vaccine is? Have there been reports of folks in Europe or the U.S. who refused the recent rushed to market swine flu vaccine causing outbreaks among the greater population?

There have been reports recently and in the past of malware scanners and software update mechanisms themselves being infected.

"We all suffer when someone on the Internet allows his computer to get infected"

I simply don't suffer that much when this occurs. Perhaps another message in my SPAM folder, or another log entry of a portscan. If however this type of system comes to pass I could suffer greatly by running software the "general population" deems unusual or inappropriate.

"How we balance that with individuals' rights to maintain their own computers as they see fit is a discussion we need to start having"

If we don't try this over reaching Internet control scheme we don't need to have the conversation at all. The earlier points in Bruce's essay show there is no balance to be had.

MuffinNovember 15, 2010 10:10 AM

Here's another problem. How do you, as an outside party (ISP etc.) even find out whether a user's computer is properly patched or not?

There is, after all, no API to query this. Microsoft could conceivably build one into their products, but would others? There's literally hundreds of Linux distributions, for instance, and I'm sure quite a few would disapprove of the idea. Would niche OSes like OpenBSD etc. do it?

How would this work with firewalls? With routers? With NAT?

What's more, if there is an API that tells you whether a machine is properly patched or not, what would keep the bad guys from using it to conveniently find out who can be infected easily?

What would prevent this API from being abused? What kind of information would be gleaned, by whom, where would it be saved, for how long, and with whom would it be shared?

Does the government get to access this API? If yes, under what circumstances? If no, what'll keep the three-letter-agency du jour from doing so, anyway?

What about foreign governments? Will e.g. Russian computers be monitored by the Russian government? Do we want to enable that sort of thing - in fact, is it legal for us to enable that sort of thing?

How do we get everyone to join in, anyway (since obviously, as long as a significant share of Internet users will not be subject to possible quarantining, it will not achieve anything to begin with)? What are the challenges posed by international law, different legal systems, different cultural values? Can we even overcome those?

The whole thing just isn't worth it, IMO.

JohnMNovember 15, 2010 10:12 AM

This is one of those "problems" that is not really on anyone's plate. Check systems before VPN? Yes. Sure. Quarantine from ISP?

AV continues to not do their job as they should. Heuristics should be far better, but they are not. Malware keeps to identifiable patterns not so difficult to catch with software... but this is not done.

It is really not hard to observe zombie or worm behavior - or spam, to get more specific - on a system.

One reason is white list rules need continual update so you do not just pay once for your software... you get married. Keep paying.


Just think about it. This is not advanced AI being talked about.


That is the kind of problem people should be working on... not this hitleresque nonsense.


Carlo GrazianiNovember 15, 2010 10:21 AM

@Clive:

ISP liability is the point. Under the externality-management theory of "place the liability in the lap of the entity that is capable of dealing with the problem", it is precisely the ISPs who are positiioned to monitor network activity for misbehavior (contacting botnet control servers, say, or participating in a spam or DDOS campaign), and to send affected machines to the penalty box.

If ISPs were legally held liable for not mitigating damage to other entities due to malware on their customers' PCs, they'd get tooled up to squash the problem in a big hurry.

The new enforcement would mean that customers, in turn, would get themselves educated about their responsibilities as owners of networked computers, at least to the same extent as they are educated about their responsibilities as owners of motor vehicles (admittedly a low bar, but an improvement over what they understand now). The pressure said customers would put on computer vendors for basic security would at least rise to the level they demand of their locksmiths as homeowners (again, a low bar but an improvement).

The problem is that as things stand now, _nobody_ is either liable for infection or responsible for abatement. I'm convinced there will be no progress on malware until some participant asses start getting lined up for a legal shoeing. When malware really starts costing people and corporations in a tangible way, the pervasive "Inshallah/manana" attitude about security will change, and maybe it won't be trivial to make cybercrime pay anymore.

phred14November 15, 2010 10:43 AM

@Jill
> The existence and widespread use of AV software means there is very
> little to gain from network-level quarantining.

But then some of us think that AV software is fundamentally broken at the conceptual level. To put it simply, it's reactive, and will always lag the latest'n'greatest threats. There's also the fact that AV software only came about because the underlying OS security usage (Beginning with NT, the model was good, but common usage negated all of that.) was also fundamentally broken.

Since we're also talking public health, it's worth remembering that we don't need 100% coverage. The way I've heard, with vaccines the real target is somewhere between 60% and 70% and the disease becomes sufficiently sparse to quit being a threat.

derfNovember 15, 2010 10:54 AM

Make Microsoft directly responsible and accountable for infected operating systems and the next version of Windows will be a lot more secure.

HJohnNovember 15, 2010 11:11 AM

Like most things, quarrantine has good and bad.

The bad could be used for profiteering. Get a little too bold on heuristics so people get locked out a bit too much, even though they have good security, with a solution: "For just $X.XX per month, you can ensure this never happens again with [insert ISP name]'s revolutionary Internet protection suite."

JohnNovember 15, 2010 11:13 AM

FWIW I think a UK ISP does this already. This is a few years back. Think unpatched, fresh, XP pre - SP1 install got plugged in where it shouldn't. Got a prompt email from their NOC. Because it was on a public IP, they blocked only that IP.

Now, I see how this could all suck very hard under some circumstances . .

But if you used IPv6 as even the tunnel across the local loop and backhaul, their ISP NOC could block by the MAC address in the packet header and not waste out your whole service.

And that's being crude, blocking entire addresses. You can do this by ports.

As for worries over disconnecting people in quarantine, i seriously wonder how many people have just a *single* means of contact with the outside world?

If you're running critical VOIP, that ought to be tunneled, so that traffic iseasily separable, maybe even multi-homed.

Can you even get DSL service without a functional landline? How many SME's installing fiber to the cabinet ethernet do not keep DSL as a backup?

If this was an Opt-In service, i can think a lot of SME's would be better off.

HJohnNovember 15, 2010 11:14 AM

@dmc: Can't wait till hackers get access to the quarantine mechanism.
__________

Goes in line with my post at 11:11am. A hacker could falsely quarrantine and then sell a bogus product. Basically ransomware.

JD BertronNovember 15, 2010 11:33 AM

Quarantines work only because the people under quarantine either die or get better.
This isn't true for computers.
Quarantines also work with people when infection rates are high and when incubation is relatively slow compared to the speed of making the decision to quarantine.
Not true for computers. Rates are usually low, and spread rates are much faster than the time it would take to make the quarantine decision.
This proposal is akin to suggesting that people affected by the flu should be quarantined.
It should be obvious that the sort of quarantine that could be implemented would target only mild trojans and worms while being completely ineffective toward containment of zero-day situations.

PeterNovember 15, 2010 11:38 AM

HJohn - Yes, that could (would) happen. But it would almost certainly be a much smaller problem than the current problem.

dragonfrogNovember 15, 2010 11:41 AM

"Might there be a legitimate reason for someone to avoid patching his computer?"

Absolutely - if the patch bundles undesirable behaviour along with bug fixes. This is doubtless a more common situation with proprietary software than with FOSS, but I can imagine it happening with FOSS as well from time to time.

iTunes is a classic example of this nefarious, user-hostile "patch" problem. When iTunes came out, it allowed you to handily manage your music, including copying music off an iPod e.g. after you rebuilt your computer.

Then out came an iTunes update, which listed a few bugfixes, maybe even security patches, in its summary. What it didn't mention was that it crippled the software - you now couldn't copy mp3s off an iPod, only onto it. Some time later, the interaction with iPods was further crippled (to do with syncing files & such). The iTunes music store stuff got gradually more and more annoying and intrusive into the user interface.

If you wanted to maintain a full-featured, fully functional iTunes, that basically meant foregoing all security updates to iTunes after a certain date.

Noble_SerfNovember 15, 2010 12:30 PM

MOVIE PLOT TIME!

It's 2015. The government passes the long awaited "Personal Computer Security Act" and establishes the "Computer Defense Agency" in the wake of the 9/11/14 Cyber Terror Attack.

Now that ISPs are centrally managed and computers are quarantined at will in defense of the nation, one man, CDA director Bruce Slider holds the keys to the grid and the net. But while the nation sleeps under the blanket of protection he provides, and rumors of his popularity have the pundits talking about a presidential bid, the horrible truth is about to be known.....

cue evil guy inserting world domination bug in US network.... glimpse of west point ring.... glimpse of CDA seal.....

cut to global chaos

screen goes dark to focus on our hero, a middle aged net cop 2 days from retirement and his wise-cracking rookie sidekick

skilaNovember 15, 2010 12:43 PM

@Muffin:

"Does the government get to access this API? If yes, under what circumstances? If no, what'll keep the three-letter-agency du jour from doing so, anyway?"

No the government will not get access to the API because all their computers will have been quarantined for continuing to run Internet Explorer 6 and other software-non-grata.

That's the irony - if the government allowed this to happen, everything would stop working!

swhx7November 15, 2010 12:55 PM

It's a little disappointing that neither you, Bruce, nor anyone but (partially) "muffin" above has identified the egregious defect in the whole concept.

Actually it's fine if the only inspection of the endpoint is monitoring its network traffic for hostile behavior. If your box is spewing spam or malware, a quarantine until it's fixed is a good thing.

That scenario, however, is mixed up, in the discussion, with an idea of inspecting the endpoint device to assess its software. This latter idea is a recipe for cyber-totalitarianism and tyranny.

To see this, simply ask how the ISP (or other outside party) would instpect the PC. If they send me the source code, and it passes my review for acceptable behavior, I might run it on a user account - but I could make it lie to the server. If it is closed-source, no one with a sane security policy would run it as root.

But to prevent false reports, it would be necessary to not only force outside software on the user, but to effectively remove root from the computer owner.

The idea that a "quarantine" or NAC scheme of this kind would help computer security is based on a total misconception of security. Security means, inter alia, that the owner is in control. If the owner gives root to someone else, even for a moment, security has been breached, and the system must be rebuilt to restore security.

Thus, taken to its logical conclusion - as would be necessary for it to work - the "inspect everyone's PC as a condition of network access" idea is a pretext for an Orwellian "trusted computing" regime, where no one would be able to control their own PC, and consequently no one could trust any communications it would provide.

Peter A.November 15, 2010 1:06 PM

Quarantine based on patch status is plain extortion. What if I chose to run an ol' good W98 I've bought ten years ago on that old 486 PC I've just assembled from parts dug out of some trash heap to run Eudora in order to access my email? What if I run some experimental or outlandish OS? An ISP would simply force you to buy the latest and greatest piece of crap from M$ (and probable get kickbacks from them). And ascertaining the patch status remotely simply means having a mandatory backdoor in your OS.

On the other hand, quarantine based on traffic analysis (a'la IDS) will just make the malware evolve to avoid detection and greatly harm the evolution of legitimate Internet services at the same time. Function creep will be inevitable as the malware evolves. For a start the quarantine trigger rules may involve considerable volume of spamming, contacting the well-known botnets' C&Cs etc. This will immediately cause malware writers to lower the number of emails sent per botnet node per unit of time (which they already do to some degree) up to the point of the same order of magnitude as legitimate users' outgoing email traffic, switch to covert C&C protocols (read some Clive Robinson's posts here for ideas) and so on. This will induce ISPs to implement stringer quarantine triggers only to have malware writers to invent even more clever ways etc. In the end, every traffic that does not match the rules for one of the blessed protocols will get you outed, which would make development and dissemination of new uses, protocols and applications impossible.

Julien CouvreurNovember 15, 2010 1:08 PM

Since ISPs own the network (thru mutual contracts) and let consumers in, each ISP is responsible for who it lets in.

It's like a co-hosted party.
If one of your guests gets drunk and attacks other people (ie. breaking the rules that the host set or the mutual rules between hosts), then you are responsible for kicking the guest out.

This is not akin to a "public health" problem, since this falls perfectly within the framework of private property and contracts.

To answer common questions: (1) If you are unjustly kicked out, your contract with your ISP can be used as a recourse. (2) If an ISP offers "unfair" contracts, then change ISP. (3) If all ISPs offer "unfair" contracts, then you or some other entrepreneur will start a business and make millions.

JoeNovember 15, 2010 1:18 PM

How about just charging for email?

If the users were charged for the spam their computers sent out, then they would have more incentive to keep their systems clean.

John FNovember 15, 2010 1:25 PM

@dragonfrog:

"Might there be a legitimate reason for someone to avoid patching his computer?"

With some of the more specialized systems out there, patching the OS (at all) can void the vendors support of their product. I've seen this firsthand is on devices supporting scientific instruments, I've also heard of medical instrumentation, SCADA type systems, etc where you get similar situations. (whether or not these devices should be network connected or not is a moot point, in this case - they are connected, and so they have to be accounted for.)

swhx7November 15, 2010 1:35 PM

Julien Couvreur: "(3) If all ISPs offer "unfair" contracts, then you or some other entrepreneur will start a business and make millions."

I don't know the other pros and cons of your country, but it is very fortunate in regard to internet, if such competition is a realistic possibiltity there.

Here in the USA, broadband internet in each area is a closely guarded monopoly or duopoly, because a few giant cablecos and telcos own the "last mile" infrastructure. It would cost many billions of dollars for someone new to lay new wires or fiber, if they could even get permission from the governments, which is doubtful.

These monopolies and duopolies have come about through government subsidies and grants of privileges. Yet although much of the funds to build the "last mile" infrastructure, and the land easements to make it possible, have been extracted by force from the citizens, the citizens do not own it. Instead, it has been given to private companies.

Because of this local-duopoly situation, real competition is a distant dream, prices are high and bandwidth is lagging behind the rest of the developed world. This is a classic picture of a market failure in need of regulation to protect the public.

In countries where there is good government in regard to internet, the "last mile" is a public resource and there is real competition among companies to provide service on it. Only in such a scenario do your remarks make sense.

Whiskers in MenloNovember 15, 2010 1:44 PM

Quarantined doe not imply that nothing gets in.
i.e. food, water and medicine get in to a human
or animal quarantine.

Anyone that designs a quarantine program must also
include remedial actions. A number of positive actions are possible.

While hateful it is common for ISPs to return valid pages when an invalid URL is requested. i.e. an
invalid domain name returns marketing or other junk.

This or proxy tools could be extended to establish a way to connect to a trusted site with trusted remedial tools. Further we need a return to delivery of physical install and recovery media so customers have tools.

Quarantine without a remedial plan is
yet another denial of service plan.

PietNovember 15, 2010 2:13 PM

Isn't it the case the worms spread to fast to be bothered by quarantine? How many vulnerable PC's can my PC infect in the say 5 minutes it takes to cut it off? Also: one infected PC can infect every PC in the world, which is clearly not the case with one infected person escaping the city.

RobNovember 15, 2010 2:14 PM

@cdmiller: Vaccines are not 100% effective, nor are they permanent.

I have a problem with this, given the technical competence of ISPs. I got warning of infection from my ISP. Checked my network for anomalous traffic. nada. Virus scanned. nada. Scanned the Windows boxes with a security scanner that was not yet available to the public. nada. Everything came up clean.

After finally managing to escalate it to someone with a clue, they were considering my spamassassin blacklist queries as a DoS.

RandallNovember 15, 2010 2:41 PM

Seems important that we can stop worms from spreading from infected computers by just *degrading* their service, not cutting it off. Maybe we shut off particular ports. Maybe we scan for "signatures" of the worm in network traffic, like antivirus software and the Great Firewall of China do.

If some worm really does need everything blocked to stop it, or as a temporary measure against a new kind of worm, some computers might need to be quarantined. But seems important that we have less drastic options available.

'Nother, possibly more important problem is, our philosophy about updates is all screwed up. Everyone but Google has it wrong: updates should happen frequently, automatically, and the user should have to disable them, not actively accept them. And the millions of pirated copies of Windows ought to be updated too, for legitimate users' sake.

PeterNovember 15, 2010 4:08 PM

Viruses fall into two categories: 1) Zero day/unknown and 2) known.

You cannot quarantining zero day/unknown viruses (don't know what to quarantine) therefore it would be useless for this category.

As for the known viruses category they only harm society to the extent that society is unprepared to deal with them. Thus the blame for the harm caused by known viruses has less to do with where they originated from then why the systems in question that they infected were not adequately protected in the first place.

On the whole the concept of quarantining systems at any level is a matter of censorship and therefore while it may be well intended will, nevertheless inevitably result abuse for political, financial or religious (or anti-religious) gain.

David ThornleyNovember 15, 2010 4:11 PM

@Randall: I believe Microsoft likes to ship Windows with automatic updates enabled. I hadn't done anything to my new W7 update settings when I noticed that it really wanted to reboot, despite what I was doing. That's about 90% of desktop computers right there, and the 90% most vulnerable to the current batch of exploits. Adding auto-update to Macs and Linux boxes wouldn't improve things noticeably.

Therefore, the problem is either that updates are insufficient, or that people turn off automatic updating. If you stop me from turning off automatic updating, I don't know that my computer is mine anymore, because another party has the ability and presumes the right to change my operating system at will. There are, further, many computers running things that updates might break, and there are legal consequences. Medical equipment is certified in a particular configuration, for example, and must be re-certified if anything changes.

RobNovember 15, 2010 4:35 PM

@Peter:

From the point of view of the quarantining, known or unknown for the virus is almost completely moot.

Something is sending out a million e-mails a second. Something is forging packets. You look at the symptoms, not the cause.

_ArthurNovember 15, 2010 4:47 PM

Whatever credentials a machine may present to show it is "clean", can be faked without any difficulty.
So the next generation of viruses and botnet will circumvent the quarantine attempt without any difficulty.

But Microsoft will get to push it's "Trusted Comouting" once more.

David ThomasNovember 15, 2010 5:14 PM

Requiring patches to be up-to-date drives us toward a monoculture, in which new viruses will do better not worse.

Brandioch ConnerNovember 15, 2010 5:25 PM

I think Bruce put it best.

"Similarly, a quarantine that tries to isolate most of the Internet simply won't work."

With millions of zombies out there, attempting to keep THEM isolated is useless.

Quarantines can work on corporate networks because the controlled machines usually outnumber the risky machines.

HavaCuppaJoeNovember 15, 2010 6:03 PM

@Stephen:

Quoting:
>" 1. Establish a minimum acceptable infection rate ("base rate") for nodes on a >well-maintained network.
>2. Rate networks according to their actual rate of active infected nodes (with >assessments performed over a random 24 hour period once each quarter).
>3. Normalize the results to multiples of the base rate and throw out any multiples >below 2.0.
>4. Stratify the remaining (high) rate multiples into percentiles.
>5. Assess per-node fees / fines on the owners of networks according to the >percentile rank of their network over the course of the preceding year.
>
>Step 2 is clearly the problematic one..."

Hmm. I think you forgot a few, and, IMHO, yours weren't even close to the hardest to achieve. If you'll allow me:

6. Buy at least 60 US Senators and 218 US House members.
6b) Must outbid AT&T, Verizon, and Comcast in combined "contributions"
7. Repeat step 6 for all other relevant jurisdictions until critical mass is achieved
8. Create and pass relevant legislation making said ISPs liable (for ANYTHING)
9. Repeat step 8 for all other relevant jurisdictions until critical mass is achieved
10. Buy the largest law firm in the world
10b) Must fund at least 15 years of appeals
10c) Must outspend combined litigation teams of AT&T, Verizon, and Comcast
11. Repeat step 10 for all other relevant jurisdictions until critical mass is achieved

HavaCuppaJoe


A N O'TherNovember 15, 2010 6:46 PM

Or, alternatively, we could just quarantine any computer running software produced by Mr Charney's employer. In practical terms, this would be the simplest and most effective measure.

Peter MaxwellNovember 15, 2010 7:07 PM

This is definitely something that requires discussion: firstly to determine whether the benefits outweigh the downsides, but also to regulate the private companies providing our internet access from implementing unsatisfactory systems unilaterally. This will need to be regulated one way or another.

There are a number of technical problems:

i) attempting to quarantine infected hosts from compromising other hosts is at best only partially effective as the means of detection are also the means of infection - closing the barn door after the horse has bolted;

ii) quarantining hosts from doing "noisy" activities like sending spam or port scanning should work, but one has to wonder what the utility of this is;

iii) for large ISPs, to implement this correctly could be a substantial resource and administrative burden that perhaps could be more advantageously used elsewhere.


Potentially, the most desirable solution would be to have a system where users are automatically opted in then upon undesirable network activity the hosts are cut off. At any point - before or after cut off - the connection owner has the option to opt out. That would catch most of the ignorant users and not give the rest of us undue hassle.

In a more pragmatic view, those hosts that a quarantine is likely to protect are exactly those hosts that are likely to instigate undesirable behaviour in the first place - the unpatched and poorly secured hosts.

Those of us that that have bothered to pay basic attention to rudimentary security procedures will either be willing to "take the hit" or be unaffected anyway.

Why further reduce everyone's right to privacy in a futile attempt to protect those that will not take simple measures to protect themselves.


richrumbleNovember 15, 2010 9:34 PM

The internet is too big for any quarantines, even at the ISP levels. I run an open wifi, Bruce runs an open wifi, we'd get quarantined for sure, and we wouldn't be the ones with the infection. We run scanners from outside IP's, how do we get them white-listed like we do with our SMTP servers when AOL/MSN think we've sent too much "spam" from our company (it is opt-in only). How do I use my home DSL/Cable lines for pentesting if I'm likely to get some sort of isolation from the activity (nessus). Nothing about quarantine makes sense for the internet, and it barely makes sense from smaller internal networks, it's more overhead putting NAC or whatever into place than it is to "config t > int fa0/1 shut". Posture assessment is a joke, to put this simply, we need new and better systems. We need an internet renaissance.
Perhaps IPv6 could be the beginning of that period. The principal of least privilege is dead, we need more of what DJB did (http://www.schneier.com/blog/archives/2007/11/thoughts_on_the.html) and less patches/service packs/hotfixes/mitigation/workarounds/. We need programmers to create programs to do what, and only what they are supposed to do. We need kernels and operating systems that are slower to emerge but better/secure for having waited.
No ISP level anything will quell the tide of a poorly written or less maintained OS. We need "thicker water", not more cement and crack filler.
-rich

SteveNovember 15, 2010 10:05 PM

A vulnerability of the quarantine model would be malware that quietly spreads and bides its time. At the appropriate predetermined moment, the malcode awakens, gets correctly detected by the quarantine system, and causes the client's access to be cut. The quarantine system itself then becomes part of the exploit -- one giant CDoS (centralized denial of service) attack.

tuZNovember 15, 2010 10:35 PM

My guess is that Scott Charney has not lived in, or ventured beyond the hotel presentation rooms in a 3rd world country. If he had, he would understand in emerging markets the vast majority of software is stolen, he would understand the vast majority of operating systems are infected with malicious software, and understand that his proposal would disconnect entire countries from the internet.

Charney’s solution is myopic at best.

JoeNovember 15, 2010 10:44 PM

At an ISP that I worked at back in 2001, we placed all home users, by default, in a quarantine network that blocked outbound SMTP not to our mail server. We also blocked inbound access to the default proxy ports and SMTP. This was opt-out for those users who claimed to have the expertise to maintain their own equipment properly and was conditional on their obeying their ToS (ie not causing harm to others on the Internet). We also blocked all outbound traffic that had a non-valid source address (reverse path forward) and blocked all inbound traffic source from invalid IP addresses. This didn't create a huge overhead and was a trade-off between expense and standing in the community. I was shocked by the amount of obviously bogus traffic which arrived from our upstream providers with no filtering on their part. This isn't about censorship but rather dropping invalid traffic and blocking, by default, services that are easily abused and the average user doesn't need.

Davi OttenheimerNovember 15, 2010 10:54 PM

"It must also be detectable quickly, before the individual has the opportunity to infect many others. Quarantining an individual after they’ve infected most of the people they regularly interact with is of little value"

This presumes a predictable level and rate of infection, which is not the case.

Systems are often infected differently and at different rates, just like people. This has been a nagging problem for ages -- how to spread antibodies (patches) quickly. A 60% deploy on first-pass would be lucky for most software.

Some comments suggest a single PC can infect the world, but they forget simple things like timezone-based behavior (systems powered off, removed from the network, compatibility, etc.) make this improbable if not impossible.

"Quickly" thus depends. The spread rate is not as fast as we can dream.

LMNovember 16, 2010 8:22 AM

Microsoft contributes to this number of unpatched machines by preventing machines using illegal copies to be patched. While i agree that someone using illegal copy can't complain, the rest of the world will have to handle with botnets as this machines are exploited.
If they want to quarantine machines, then they must provide any kind of assurance and quality control, they must take blame (and pay fines) any time it's proven a given vuln is their fault, unpatched vulnerabilities should be handled as "negligent" behavior by the manufacturer and if patch is not produced in given time frame and hefty fines applied...

Microsoft, do you still want to go this way?

MinchinWebNovember 16, 2010 11:29 AM

Another problem that I've run into with such a university network is that they can be really slow to update their definition files.

My story:
I could log on to the university's secure network just fine. Then one day, I find out my antivirus software (AVG, I think) has a new version, so I update it. (Good security practice, right?) Well, the next day, I can't log on! After spending two hours on the phone with tech support to finally get someone who really understands the system works, they tell me that my new version of antivirus software wasn't on the approved list, and they didn't know when it would be - the university IT people couldn't add it; the definition file can from their software vendor! Four months later, I graduated and never did manage to log on to the network with my new antivirus software...

Richard Steven HackNovember 16, 2010 4:49 PM

There are two issues I have with quarantines.

First, who pays for the cost? It's not going to be cheap for ISPs to monitor everyone on their network, despite the assertion frequently heard from the anti-piracy people that ISPs already monitor your monthly quota and the like. That just shows they don't comprehend the technology. It's not an answer.

Second, the point of quarantining someone is to TREAT THEM. You don't allow them to "just die" - that's "triage". So if you have the technology to identify who must be quarantined then, unlike disease where the ill person cannot treat themselves, the quarantining authority needs to PROVIDE the technology to the person to allow them to resolve the problem. The person involved can be charged for that if they want to resume access to the Net, but they must be given the chance.

Otherwise you're just creating "mini Guantanamos" where people are held hostage with no charges ever filed.

Jay Libove, CISSP, CIPP, CISMNovember 17, 2010 10:01 AM

I'm a bit late to this party, but here goes anyway...
-----

Hi Bruce,

For a rare change, I think you’ve missed a couple of already-settled points, and proposed a balance different than where I think we actually live today, in the discussion of Internet Quarantines.


Specifically, you remind us of the spectre of corporate feature creep (aka abuse) of quarantine technology. This is an important spectre, because we’ve seen it happen, and we know that, unchecked, it will happen again. But it has been checked in some cases already - the Comcast anti-P2P TCP RST experience showed us this, as does the current net neutrality discussion in both the US and Europe (and, despite the recent setback against the FCC’s apparent regulatory power on this point, and Europe’s recent statement that it favors sensible self-regulation, I believe that companies are and will remain sufficiently cautious because they know that stepping over the line now will result in legislation and regulation). Another example we’ve already seen and gotten past is Microsoft’s desire to block what appear to be pirated copies of their software. They did this with Windows Activation and limitations on non-security patches for non-activated systems. And then they backed off quite a bit, turning non-activation and even pirated copies from “won’t work” to “nag”, as a result of user pushback.
So, well-intentioned commercial actors are unlikely to go too far, and ill-intentioned actors (rogue states, totalitarian states) already go “too far” and don’t care one whit about our deliberations here. This suggests that we should, conservatively, go forward with technical quarantines, even keeping in mind the spectre.

A second detailed consideration which can help with, though not solve, the above spectre, is for ISPs to impose a conservative quarantine (only that which definitely identified and known-very-bad), and then allow users to elect further layers such as “warn me if I appear to be vulnerable”, “let me know if (my children) are using P2P from my network”, etc. This could include, as part of the ISP enabling quarantine capability for each individual user, a chance for the user to identify things like “I rely on VoIP”, “my alarm system (foolishly) can’t signal unless it has an Internet connection”, etc, potentially reducing the impact of or even opting out from quarantine for those few who make the effort – with the caveat that truly egregious symptoms would still result in IPS-like responses.

The second spectre is of government abuse. This is covered above – governments will impose technology solutions (Clipper chip debacle in the US, Piracy disconnects in France, the Great Firewall of China, Iran, Turkey, you name it), or they won’t. Thinking that we should delay the creation of a technology which absolutely will help secure the Internet because some governments would abuse it is unlikely to reduce government abuse, and maintains the ugly status quo much longer.


Regarding the balance issue, so many computers today are infected and causing harm to the Internet at large by lack of old patches and presence of old malware that a quarantine, even only against known bad things, would still be very helpful. As new attacks become known attacks, the much smaller number of computers now infected only by new attacks will become recognizable to the quarantine agents. A highly infectious new attack will of course infect a large number of computers in a short period of time, but that would still lead to a much smaller number of infected computers at any one moment in time than we live with and suffer from every day in the current situation. This leads to the suggestion that deploying a very conservative quarantine mechanism (only quarantine that which currently suffers a known definitely-bad thing) would still pay large dividends.

This actually leads me to wonder about a third point in your article: You note that quarantines are only effective when not-more-than-a-minority of the overall population needs to be quarantined. That’s surely true with medical quarantines of humans, where remediation of the illness ranges from long/expensive to impossible. But for computers where most infections are readily curable with free tools, I suggest that even when a substantial portion of the population needs to be briefly quarantined to a remediate-only (+ critical services) corral it is still a very effective technique. And this places one more challenge: The human/ medical quarantine model isn’t really the same, and we must be careful of allowing it to guide us without challenging each possible non-parallel between the two realities.


Thanks, as always!

mooNovember 17, 2010 10:24 AM

I'm not so sure "net neutrality" is alive and well. Tens of thousands of Canadian players of World of Warcraft discovered yesterday that after installing the latest mandatory patch to the game, their ping times had risen by 400ms or more. Most but not all of these customers get their internet service from Bell Canada or some smaller ISP that buys service wholesale from Bell Canada. On Blizzard's end, World of Warcraft servers are run from the AT&T network. Many players did traceroutes and posted them, and what they all showed was that the extra lag gets added on the first hop out of Bell's network and into AT&T's. It turns out that Blizzard changed something about their traffic pattern (nobody has said in public exactly what) which is now causing AT&T's traffic shaping algorithms to mis-classify this traffic as P2P traffic instead of "Gaming" traffic. So it now goes in the lowest priority queues instead of the highest, and gets crowded out by actual P2P traffic.

I know that traffic management is a reasonable thing to do, but the various "traffic pattern" machinations of both Blizzard and AT&T have now combined to change players' typical latency from 50-100ms into 500ms or more (some players get 2000 to 3000ms and frequent disconnects). Unless it is fixed soon, Blizzard is actually going to lose some customers over this. Which is ludicrous, because they pay AT&T huge amounts of money for all the bandwidth and network services used to run WoW. So its in the interests of both AT&T and Blizzard to make sure these players get a good experience.

Note that the "ideal" short term solution to this problem is for AT&T to simply mark all of the traffic to and from Blizzard's ranges of IP addresses, as being high priority "Gaming" traffic. Which would certainly go against net neutrality, even if they were to do it for benign traffic management reasons rather than economic extortion reasons.

And I'm not sure that discriminating against certain "traffic patterns" is any less neutral than discriminating against certain sources or destinations of the traffic. If a big ISP has their own video-conferencing thing, and they can recognize the "traffic pattern" of a competing video conferencing application and degrade its QoS, then you can get non-neutral results with economic consequences.

BrianNovember 17, 2010 10:53 AM

I wrote my Masters thesis on something quite similar. Basically a DDoS defense at the core that could be used to single out potentially infected machines. It could either block them or tag the machines for further deep packet inspection in order to prevent the machines from creating further attacks. It was more reactive then proactive, but could increase the accuracy of detection quite a bit.

Email me if you want a copy of that.

Doug CoulterNovember 17, 2010 8:33 PM

I don't have much to say on the heavier aspects of the issue Bruce and others have brought up; that would take a book to cover adequately anyway, and the frailty of human nature would take most of that book, but I have a cool true anecdote.

I'm with a small-time effective-monopoly ISP out in the boonies. Most of their customers are more or less clueless (and so was the ISP, who allowed HELO etc on their email service and a lot of other things that made getting a list of their clients easy), and many are infected. This got to the point of stressing their service due to spam and so on, so they thought to offer a service you'd have to pay for to filter spam coming in.

I pointed out to them that about 90% of it was coming from their other customers, not outside, and they were missing a business opportunity.

First, do the filtering free -- it was for their own good, and cost effective. Second, since they were in the best place to detect infected customers by the sheer volume of their outgoing mails and so on, why not offer a service to those people that they would charge for, that would disinfect their machines and put in the relevant security updates and patches?

They'd know who to contact to sell it to, easy.

To my utter surprise, they did! It worked, too!
Not that their customer base is all infection free, but it knocked the problem way, way back from where it was, and they made money and created a couple of jobs doing it. Pretty cool.

The key, as Bruce likes to point out, is incentive -- they were losing money due to the costs of keeping up with the spam and DDOS coming from their own customers -- now they could not only put a stop to that (more or less) but get paid to do it.

They jumped right on it and are doing a fairly decent job now. How about that? Rare, but good things do happen now and then.

And this doesn't help evil outfits like the media mafiaa or MS -- they have no part or control over this, and the ISP couldn't care less if you're angering someone by file sharing or pirating windows. But they'll happily install Linux for you if you like, and will suggest it if you don't ask.
It's what they use in-house once they got a good sysadmin, so they can easily show it off.

Which I do for my neighbors when they ask me to support them. Very convincing argument -- I'll support you free, or for minor favors if it's Linux (you might pay me for hardware and I make a little on that, since I have a way to get very good deals myself), and for quite a sum if it's Windows. I get few arguments, and with these type people, do very little work supporting Linux -- the base distros pretty much do all they know how to do on computers anyway. I tell them to do the updates in Ubuntu and that seems to work pretty well, but I manually upgrade to the next major version for them as that's trouble prone sometimes. I generally put them on a long term support version, for obvious reasons.

They feed me and give me free drinks whilst I do that, could be worse, all are nice people to hang out with anyway, while we wait for the odd updates and downloads to do it.

For those who just can't live without Windows, I install virtual box on Linux, and don't let it on the internet -- shared folders to Linux only. If they can figure out how to turn that back on, it's on them to keep it working, or I charge for that.
That way, about all the MS updates are meaningless anyway, and that big time waster doesn't hit them at all. Those people all run XP of course.

It's a working system, admittedly in an almost ideal situation, but it's an example of how to do this right. An existence proof, if you will.

This is one of the few instances where small beats big coming and going. Can you imagine Verizon or AT&T, or Comcast doing this?

J. RochkindNovember 19, 2010 10:24 AM

The university where I work is already doing this, probably other universities are too.

How did I find out? My computer got quaranteed as a result of my use of IRC--they apparently had systems in place that automatically considered any IRC use evidence of an infection, since some worms apparently use IRC to communicate with each other. I never got notified, I had to contact tech support, about a problem with my internet connection. Took two days to convince them that I did not have a worm infection, I used IRC as part of my job (really). VERY annoying.

J. RochkindNovember 19, 2010 10:33 AM

Oh, and I'd add that I am a fairly technically competent person (my job is in software development), so I was able to interpret what they were saying to understand that my computer had been quarantied for network activity that made them think it was infected, and that the the port numbers they were telling me about were IRC ports. And then get to work convincing them that, no, I actually intentionally use IRC. A non-technical person would know nothing but that IT told them their computer was infected and couldn't be on the internet again until it was uninfected, and then go through painful attempts to uninfect their computer (with no internet access), all for nothing because the computer was never infected in the first place. Who knows how long it would take them to get back on the internet.

And this was at a medium-large organization where I was an employee. Can you imagine dealing with a giant ISP (with typical giant ISP customer service) on something like this? You'd never be back on the net. And presumably would shortly stop paying the ISP for a service you weren't getting. Which is fortunately a reason that giant ISP's will never implement such a thing.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..