October 7, 2010

Take infected PCs off the internet, but no health certificate

BBC News is reporting that Microsoft says that Sick PCs (Infected PCs) should be taken off the internet.

While I cannot find the link, I remember that some time ago, I argued that infected PCs should not be taken off the net, because this will reduce the incentives of operating system vendors, including Microsoft, to build more robust programs to stop infection in the first place.

But time passes, and I have mellowed. Today, I will say yes, take infected PCs off the internet. As to the incentives problem? I think that will take care of itself, i.e., the cost to users of using more infection-prone software has just rocketed, and the evolution process will weed the bad operating systems out. Since I still think Microsoft’s operating system is the most vulnerable in this world, I hope Microsoft doesn’t fall on its own sword.

As to requiring PC users to provide a “health certificate”, my answer is a total NO. The process is too prone to manipulation and cannot cover a heterogeneous computing system. Take, for example, “anti-virus” and “firewall”: these only apply to Windows, and it is less obvious that they apply equally to other operating systems. We do not want the rubbish system we have in the UK, where the banking code requires the customer to install anti-virus and a firewall. Both are rubbish for Macs and Linux. This unfairly discriminates against customers choosing to use Macs and Linux. [I have a Mac antivirus, but it is more to protect other PCs on the network than myself]. Also, having anti-virus and a firewall does not guarantee that precautions have been taken. Out-of-date antivirus software, or firewalls with more holes than Swiss cheese, will get you a health cert, but are nonetheless useless in the fight against infection. Finally, philosophically speaking, a “health certificate” is another way of saying “Guilty until proven innocent”.

I cannot help but criticise Microsoft for asking for “health certificates”. First, they are simply trying to shift blame to their customers. That is to be vehemently opposed. Second, they know that a “health certificate” scheme is easier (and potentially cheaper) to implement for Windows as opposed to the operating systems of their competitors, simply because they are likely to assume you use Windows. That to me is rewarding their lousy security practice in the past.

I think a scheme to allow ISPs to immediately throttle a suspected computer, and to quickly escalate to a complete withdrawal of service, can be implemented fairly.

If we can find a way that protects everyone on the net without reducing incentives for vendors to make their software secure, then I am all for it. However, any proposed scheme must not be in favour of a vendor.


