Monday, November 15, 2010

The Plan To Quarantine Infected Computers

From Bruce Schneier's column at Forbes Magazine ...

Last month Scott Charney of Microsoft proposed that infected computers be quarantined from the Internet. Using a public health model for Internet security, the idea is that infected computers spreading worms and viruses are a risk to the greater community and thus need to be isolated. Internet service providers would administer the quarantine, and would also clean up and update users' computers so they could rejoin the greater Internet.

This isn't a new idea. Already there are products that test computers trying to join private networks, and only allow them access if their security patches are up-to-date and their antivirus software certifies them as clean. Computers denied access are sometimes shunned to a limited-capability sub-network where all they can do is download and install the updates they need to regain access. This sort of system has been used with great success at universities and end-user-device-friendly corporate networks. They're happy to let you log in with any device you want--this is the consumerization trend in action--as long as your security is up to snuff.
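As an added illustration of the admission-control products described above (example code written for this post, not anything from Charney's proposal or from Schneier), the toy policy below takes a device's self-reported posture, decides whether it joins the full network or a remediation subnet, and restricts that subnet to update servers only. The patch baseline, signature-age limit and host names are constructed for illustration.

```python
"""Added example (not from the column): a toy network-admission decision of the
kind the paragraph describes. A device reports its posture; the policy decides
whether it joins the full network or a remediation subnet that can only reach
update servers. All thresholds and host names are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass
class Posture:
    host: str
    patch_level: int       # constructed: a monotonically increasing patch baseline number
    av_definitions: date   # date of the antivirus signature set installed on the device
    av_clean: bool         # antivirus scan reported no known infection


# Constructed policy values: minimum patch baseline, maximum signature age,
# and the only hosts a quarantined device may reach (update mirrors).
REQUIRED_PATCH_LEVEL = 42
MAX_DEFINITION_AGE = timedelta(days=7)
REMEDIATION_ALLOWLIST = {"updates.example.org", "av-definitions.example.org"}


def evaluate(p: Posture, today: date) -> Tuple[str, List[str]]:
    """Return ('allow' | 'remediate', reasons).

    Every failed check is listed, not just the first one, so the user can be
    told exactly what to fix; that is what makes self-service remediation work.
    """
    reasons: List[str] = []
    if not p.av_clean:
        reasons.append("antivirus reports a known infection")
    if p.patch_level < REQUIRED_PATCH_LEVEL:
        reasons.append(
            f"patch level {p.patch_level} is below the required {REQUIRED_PATCH_LEVEL}"
        )
    if today - p.av_definitions > MAX_DEFINITION_AGE:
        reasons.append(
            f"antivirus definitions are older than {MAX_DEFINITION_AGE.days} days"
        )
    return ("allow" if not reasons else "remediate"), reasons


def egress_permitted(decision: str, dest_host: str) -> bool:
    """Enforcement on the remediation subnet: only the update mirrors are reachable."""
    if decision == "allow":
        return True
    return dest_host in REMEDIATION_ALLOWLIST


if __name__ == "__main__":
    today = date(2010, 11, 15)
    for dev in (
        Posture("laptop-a", 42, date(2010, 11, 10), True),
        Posture("laptop-b", 40, date(2010, 10, 1), True),
        Posture("laptop-c", 42, date(2010, 11, 14), False),
    ):
        decision, why = evaluate(dev, today)
        print(dev.host, decision, why)
        print("  can reach updates.example.org:", egress_permitted(decision, "updates.example.org"))
        print("  can reach www.example.com:", egress_permitted(decision, "www.example.com"))
```

The design point is the separation between the decision (`evaluate`) and the enforcement (`egress_permitted`): the decision can be logged, explained and appealed, while the enforcement stays a simple allowlist that the quarantined device cannot talk its way around.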

Charney's idea is to do that on a larger scale. To implement it we have to deal with two problems. There's the technical problem--making the quarantine work in the face of malware designed to evade it, and the social problem--ensuring that people don't have their computers unduly quarantined. Understanding the problems requires us to understand quarantines in general.

Quarantines have been used to contain disease for millennia. In general several things need to be true for them to work. One, the thing being quarantined needs to be easily recognized. It's easier to quarantine a disease if it has obvious physical characteristics: fever, boils, etc. If there aren't any obvious physical effects, or if those effects don't show up while the disease is contagious, a quarantine is much less effective.

Similarly, it's easier to quarantine an infected computer if that infection is detectable. As Charney points out, his plan is only effective against worms and viruses that our security products recognize, not against those that are new and still undetectable.

Two, the separation has to be effective. The leper colonies on Molokai and Spinalonga both worked because it was hard for the quarantined to leave. Quarantined medieval cities worked less well because it was too easy to leave, or--when the diseases spread via rats or mosquitoes--because the quarantine was targeted at the wrong thing.

Computer quarantines have been generally effective because the users whose computers are being quarantined aren't sophisticated enough to break out of the quarantine, and find it easier to update their software and rejoin the network legitimately.

Three, only a small section of the population must need to be quarantined. The solution works only if it's a minority of the population that's affected, either with physical diseases or computer diseases. If most people are infected, overall infection rates aren't going to be slowed much by quarantining. Similarly, a quarantine that tries to isolate most of the Internet simply won't work.

Fourth, the benefits must outweigh the costs. Medical quarantines are expensive to maintain, especially if people are being quarantined against their will. Determining who to quarantine is either expensive (if it's done correctly) or arbitrary, authoritative and abuse-prone (if it's done badly). It could even be both. The value to society must be worth it.

It's the last point that Charney and others emphasize. If Internet worms were only damaging to the infected, we wouldn't need a societally imposed quarantine like this. But they're damaging to everyone else on the Internet, spreading and infecting others. At the same time, we can implement systems that quarantine cheaply. The value to society far outweighs the cost.

That makes sense, but once you move quarantines from isolated private networks to the general Internet, the nature of the threat changes. Imagine an intelligent and malicious infectious disease: That's what malware is. The current crop of malware ignores quarantines; they're few and far enough between not to affect their effectiveness.

If we tried to implement Internet-wide--or even countrywide--quarantining, worm-writers would start building in ways to break the quarantine. So instead of nontechnical users not bothering to break quarantines because they don't know how, we'd have technically sophisticated virus-writers trying to break quarantines. Implementing the quarantine at the ISP level would help, and if the ISP monitored computer behavior, not just specific virus signatures, it would be somewhat effective even in the face of evasion tactics. But evasion would be possible, and we'd be stuck in another computer security arms race. This isn't a reason to dismiss the proposal outright, but it is something we need to think about when weighing its potential effectiveness.
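To make the signature-versus-behaviour distinction concrete, here is an added example (written for this post, not code from the column or from any ISP) of the kind of behavioural check an ISP could run on flow summaries: it flags a host that fans out to many distinct destinations on one port within a short window, the footprint of a scanning worm, without knowing any signature. The flow records, addresses and thresholds are constructed.

```python
"""Added example (not from the column): a behaviour-based detector of the kind
the paragraph contrasts with signature matching. It looks for a source fanning
out to many distinct destinations on one port in a short window, which a
scanning worm does regardless of what its payload looks like. Flow records,
addresses and thresholds are constructed."""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, Tuple

Flow = Tuple[int, str, str, int]  # (timestamp_seconds, src, dst, dst_port)

# Constructed flow summaries. 10.0.0.5 sweeps six neighbours on one port in
# six seconds; 10.0.0.9 is ordinary browsing to a couple of servers.
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "10.0.0.20", 445),
    (1, "10.0.0.5", "10.0.0.21", 445),
    (2, "10.0.0.5", "10.0.0.22", 445),
    (3, "10.0.0.5", "10.0.0.23", 445),
    (4, "10.0.0.5", "10.0.0.24", 445),
    (5, "10.0.0.5", "10.0.0.25", 445),
    (0, "10.0.0.9", "93.184.216.34", 443),
    (2, "10.0.0.9", "93.184.216.34", 443),
    (6, "10.0.0.9", "198.51.100.7", 443),
    (100, "10.0.0.5", "10.0.0.30", 445),   # far outside the window; not part of the burst
]


def find_fanout(flows: Iterable[Flow], window_seconds: int = 10,
                max_distinct_dsts: int = 5) -> Dict[str, Tuple[int, int]]:
    """Return {src: (port, distinct_destinations)} for every source that
    contacted more than max_distinct_dsts distinct destinations on a single
    port within any window_seconds-long window."""
    ordered = sorted(flows)
    windows: Dict[Tuple[str, int], Deque[Tuple[int, str]]] = defaultdict(deque)
    alerts: Dict[str, Tuple[int, int]] = {}
    for ts, src, dst, port in ordered:
        window = windows[(src, port)]
        window.append((ts, dst))
        # Drop records that have aged out of the sliding window.
        while window and ts - window[0][0] > window_seconds:
            window.popleft()
        distinct = len({d for _, d in window})
        if distinct > max_distinct_dsts:
            previous = alerts.get(src)
            if previous is None or distinct > previous[1]:
                alerts[src] = (port, distinct)
    return alerts


if __name__ == "__main__":
    for src, (port, count) in find_fanout(SAMPLE_FLOWS).items():
        print(f"{src}: {count} distinct destinations on port {port} within 10s")
```

The same code also shows the limit the paragraph is getting at: the check depends on a threshold, so a worm that spreads slowly enough to stay under it is not flagged, and tightening the threshold starts catching legitimate hosts such as mail or backup servers. That trade-off, not the signature database, is where the arms race moves once evasion becomes worthwhile.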

Additionally, there's the problem of who gets to decide which computers to quarantine. It's easy on a corporate or university network: the owners of the network get to decide. But the Internet doesn't have that sort of hierarchical control, and denying people access without due process is fraught with danger. What are the appeal mechanisms? The audit mechanisms? Charney proposes that ISPs administer the quarantines, but there would have to be some central authority that decided what degree of infection would be sufficient to impose the quarantine. Although this is being presented as a wholly technical solution, it's these social and political ramifications that are the most difficult to determine and the easiest to abuse.

Once we implement a mechanism for quarantining infected computers, we create the possibility of quarantining them in all sorts of other circumstances. Should we quarantine computers that don't have their patches up to date, even if they're uninfected? Might there be a legitimate reason for someone to avoid patching his computer? Should the government be able to quarantine someone for something he said in a chat room, or a series of search queries he made? I'm sure we don't think it should, but what if that chat and those queries revolved around terrorism? Where's the line?

Microsoft would certainly like to quarantine any computers it feels are not running legal copies of its operating system or applications software. The music and movie industry will want to quarantine anyone it decides is downloading or sharing pirated media files--they're already pushing similar proposals.

A security measure designed to keep malicious worms from spreading over the Internet can quickly become an enforcement tool for corporate business models. Charney addresses the need to limit this kind of function creep, but I don't think it will be easy to prevent; it's an enforcement mechanism just begging to be used.

Once you start thinking about implementation of quarantine, all sorts of other social issues emerge. What do we do about people who need the Internet? Maybe VoIP is their only phone service. Maybe they have an Internet-enabled medical device. Maybe their business requires the Internet to run. The effects of quarantining these people would be considerable, even potentially life-threatening. Again, where's the line?

What do we do if people feel they are quarantined unjustly? Or if they are using nonstandard software unfamiliar to the ISP? Is there an appeals process? Who administers it? Surely not a for-profit company.

Public health is the right way to look at this problem. This conversation--between the rights of the individual and the rights of society--is a valid one to have, and this solution is a good possibility to consider.

There are some applicable parallels. We require drivers to be licensed and cars to be inspected not because we worry about the danger of unlicensed drivers and uninspected cars to themselves, but because we worry about their danger to other drivers and pedestrians. The small number of parents who don't vaccinate their kids have already caused minor outbreaks of whooping cough and measles among the greater population. We all suffer when someone on the Internet allows his computer to get infected. How we balance that with individuals' rights to maintain their own computers as they see fit is a discussion we need to start having.

10 comments:

Reilly Davis said...

This seems like a good idea in theory, but it seems to me like it will be very hard to implement.

First, a plan like this would probably get a lot of resistance from internet users. So far, the general public doesn't really have a reason to be concerned about infected computers on the internet. Most people, like me before taking this class, are very ignorant of the threat of viruses and worms spreading over the internet. To the public, this will just be a hassle.

Second, it seems like it's unrealistic that threats can be quickly and accurately identified without false positives. For example, I had a problem with UIS last year where they identified my computer as having a virus so they shut off my internet. I went to them and they checked and couldn't find anything. It took three days to get my internet back on. I feel like there would be a lot of resistance to a plan like this that is a great inconvenience to regular users.

Until users understand this risk I don't think they will be willing to put up with this additional hassle because it's an additional burden for little foreseeable benefit. I think it will take a catastrophic event, like a huge botnet that takes down the power grid or something, before people take this idea seriously.

Gabrielle Miller said...

I agree with Reilly that most people don't really comprehend the threat posed by these worms. If someone hasn't been directly affected, I don't think they would be willing to have their computer undergo a quarantine.

The major issue brought about by this, I think, is an invasion of privacy, much like what we talked about towards the beginning of the semester. Who determines which private machines to quarantine? And like Schneier said, who is to say that major corporations won't start to quarantine computers if they happen to be running a counterfeit program (etc.)?

Also, if these cyber criminals are capable of writing these intricate and sophisticated viruses, why wouldn't they be able to do the same thing after the quarantine?

I think that the quarantine is a good plan in theory, but I don't think the average American will consent to it and I think it brings about very complex privacy issues.

Olivia George said...

The first thing I thought when I read this echoes Gabrielle's comment...why do they think the quarantine would somehow be bulletproof to newly-invented viruses?

We discussed in class today that "where there's a will there's a way, and where there's money there's always a will." I don't see what would stop someone in the underground cyber market from working to develop a way to get around the quarantine and then selling this to botnet controllers, etc.

I also agree that it would be difficult or impossible to correctly identify threats.

HOWEVER, if the quarantine engineers could somehow find a way to keep up with updates that would react to these new viruses before they got out of hand, I could actually see this idea working well. I feel that there might not be as much resistance from internet users as one might think. As long as when the internet is denied, the user is led to a patch/update (which hopefully doesn't take a ridiculous amount of time to load), I think that this might be accepted. I think that at worst the quarantine would be considered an annoying but necessary precaution. If the quarantine was promoted using the shock-value of the true danger of viruses, I think the public would be willing to adopt it despite the minor "hassle."

(Still, a quarantine that can both adapt to new threats and recognize them, while correctly identifying infected computers seems unlikely to begin with.)

Max Andonov said...

The article raises some very valuable points that in some way or another have been mentioned in class.

Personally, I think that while an idea like that could theoretically make a lot of sense; in practice, I doubt it would be effectively implemented. As the article mentions, quarantines would not be able to detect the most up-to-date versions of malware and even if put in place, it seems that quarantines would be just as effective as regular security software - just in this case it won't necessarily protect the individual consumer but rather the internet community as a whole by shutting the computer off. And it will prevent the spread of a virus that was created a month ago as opposed to the ones that were created today or just yesterday. In order for the benefit of the quarantine to outweigh the setbacks, imo, there should be a constant update of the quarantine which seems humanly impossible.

Another point the article touches on is the fact that an eventual quarantine poses concerns to the privacy of the individual internet users. It appears that to the majority of the internet users such (inadequate) security measures are not reasonable for the level of individual liberty given up. In order for the development of such a program to even advance, we must ask ourselves which one do we value more - privacy or security? While forms of quarantine do exist in the private world there is the choice of opting in and agreeing to the terms. In public it's fair game.

Kevin Milmoe said...

This proposal, if enacted, would start an avalanche to break net neutrality. This quarantine would build the structure, both physically and politically, for other third parties to inject themselves into the line of communication between you and the sites you visit.
It might be possible if there could be a separation of networks on the ISP level where you could opt into a network with quarantine protocols for a few more dollars a month. More regulation online would provide safer surfing environments but would subject the users to increased monitoring and less privacy. The potentially more dangerous, public internet would let those who wanted to keep their privacy have things their way without forcing a monumental change on the online community.
However, the laws that would inundate the quarantinable network are hardly worth the separation as it would be filled with bugs when it first gets released and would need a significant trial period to bring it to a level where it would be convenient enough to be worth the extra charge.

Tevans said...

I agree with what everyone else has said regarding the feasibility of and potential public outrage at this idea. However, I really stand by the concept of an internet quarantine. Granted, it has to be done well and, as others mentioned, its protocols have to stay up to date with hackers trying to break through it, but the general principle stands: it will protect our online selves.

So what if it's annoying? So what if it sounds Big Brotherish? The average American has NO idea how electronically violated they are each and every day, and so they have to be protected. It's to everyone's benefit that all computers be clean of malware, etc. We're so internet crazed today that the incentive to participate in this program is built right into it: if your internet is shut off, you're going to do whatever it takes to fix the problem so you can get back online. It's that simple.

So long as this program can technically go off without a hitch, I think the public approval argument is irrelevant.

Benjamin Kussman said...

I'm very skeptical of this idea. It seems that the benefits will not outweigh the costs. At the risk of generalizing from my personal example, I have had numerous infections of malware on my computer and have generally been able to remove them (through System Restore or MalwareBytes or through the registry).

Like Reilly said, there would be too many false positives for this system to work. It may be beneficial to some users who are paranoid of getting viruses and malware, but the general computer user would not benefit from this.

Instead, I would propose more education about malware and how to remove it. The average internet user doesn't understand how to edit the registry to remove malware from it, how to perform a system restore, and probably not even about the benefits of MalwareBytes. This would be a better solution.

Patricia Kehoe said...

When I began reading, my initial thoughts were about the impacts of a quarantine on people whose livelihoods depend on internet access. The article raises this concern toward the end, but it still seems like it would not be the highest priority of the legislation or innovation that would enable large-scale quarantines.
The biggest problem I can see is corporate responsibility. In order to make a quarantine effective, there has to be a relationship between ISPs and security providers to continually re-establish the newest lower bound for protection so that computers that do not meet those requirements will be quarantined. I'm picturing an exclusive relationship where Symantec sets its anti-virus definitions and users who would prefer another brand are "inadvertently" kicked off for not matching the virus updates that the ISP and Symantec set. I suppose that is just cynicism about the aspirations of corporations, but it is an aspect that could theoretically restrict users' freedom on the internet.
At least for now, it sounds like the internet driver's license idea, where the general public is still too averse to learning how to protect themselves on the internet through identifying themselves. However, like the driver's license, it could be enough of a bother to users that they are forced to be smarter on the internet and learn how to avoid malware, phishing, and other internet dangers.

Anonymous said...

I agree with Reilly's comment. When I was reading this article, all I could think of is hordes of people being shepherded into a big stone building against their will. It seems like a pretty medieval formula to me. There are two general paths that an implementation of these quarantines could take:

First, there could be general rebellion to the idea. With this initial unacceptance, any mishap or misstep of the program would be put in the spotlight and a list would formulate quickly with all the reasons why the program should be discontinued. It probably wouldn't and so there would be feelings of discontent by the regular users and free rein for the expert "bad guys" to try their hands on penetrating and evading the new system.

Second, if the program were to be established slowly, for example, if there were looser rules against which computers count as infected, etc., and if people were notified well in advance of the changes that were to come, there would hopefully be less resistance and more cooperation.

However, it sounds like whoever wrote the article has a fairly good idea of the possible risks and benefits such a program could bring about, and seems fairly wary about the whole thing. It would take someone with a lot of initiative and stubborn demeanor to pull off generating such a quarantined Internet. I personally feel pretty doubtful about the suggestion, as well. While I praise the notion of increased security against malware, I feel like this kind of a quarantine cannot be cast in the same light as a medical quarantine. In a medical case, people are put aside only when it is to the benefit of the greater public--and this benefit is usually the evasion of death through a certain disease. In this modern age with the amount of technology available (for example, I don't have internet access on my computer at the moment and so I am typing this whole blogpost on my blackberry) and back-up options, infected computers are becoming less of a problem and more like a slight inconvenience. I believe these quarantines should continue to exist in the Private IPS rather than on the general Internet, because more often, it is very specific companies or individuals who would suffer a great risk from an infected computer.
