The Need for Global Collective Defense on the Internet

Posted by Scott Charney
Corporate Vice President, Trustworthy Computing
For more than two decades, people have struggled to understand the cyber threat, evaluate the risks to individuals, organizations (including nation-states), and society at large, and craft appropriate responses. Although many organizations have invested significantly in information assurance, most computer security experts believe that a well-resourced and persistent adversary will more often than not be successful in attacking systems, especially if raising defenses is the only response to an attack. For this reason, increasing attention is being paid to deterring such attacks in the first instance, especially by governments that have the power to investigate criminal activity and use a wide range of tools to respond to other public safety and national security concerns.
Notwithstanding this emerging discussion, it appears to many people that neither governments nor industry are well-positioned to respond to this highly complex threat and that, from a policy and tactical perspective, there is considerable paralysis. In my Rethinking Cyber Threats and Strategies paper I discuss a framework for categorizing and assessing cyber threats, the problem with attribution, and possible ways for society to prevent and respond to cyber threats.
In my speech today at the International Security Solutions Europe (ISSE) Conference in Berlin, Germany, I proposed one possible approach to addressing botnets and other malware impacting consumer machines.  This approach involves implementing a global collective defense of Internet health much like what we see in place today in the world of public health. I outline my vision in a new position paper Microsoft is publishing today titled “Collective Defense: Applying Public Health Models to the Internet.”
In the paper I discuss how commonly available cyber defenses such as firewalls, antivirus and automatic updates for security patches can reduce risk, but they’re not enough. Despite our best efforts, many consumer computers are host to malware or are part of a botnet. “Bots,” networks of compromised computers controlled by hackers, can provide criminals with a relatively easy means to commit identity theft and also lead to much more devastating consequences if used for an attack on critical government infrastructure or financial systems.
Just as when an individual who is not vaccinated puts others’ health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society.  In the physical world, international, national, and local health organizations identify, track and control the spread of disease which can include, where necessary, quarantining people to avoid the infection of others.  Simply put, we need to improve and maintain the health of consumer devices connected to the Internet in order to avoid greater societal risk.  To realize this vision, there are steps that can be taken by governments, the IT industry, Internet access providers, users and others to evaluate the health of consumer devices before granting them unfettered access to the Internet or other critical resources.
Cyber security policy and corresponding legislation is being actively discussed in many nations around the world and there is a huge opportunity to promote this Internet health model.  As part of this discussion, it is important to focus on building a socially acceptable model. While the security benefits may be clear, it is important to achieve those benefits in a way that does not erode privacy or otherwise raise concern. 
With both security and privacy in mind, the following statements reflect proposed principles for progress outlined in my paper and are intended to help guide stakeholders’ efforts, promote action, address challenges, and influence future initiatives. 
•         The risk that botnets present to Internet users and critical infrastructures must be addressed.
•         Collective defense can and should be used to help improve the security of consumer   devices and protect against such cyber threats.
•         A public health model can empower consumers and improve Internet security.
•         Voluntary behavior and market forces are the preferred means to drive action but if those means fail, then governments should ensure these concepts are advanced. 
•         Privacy concerns must be carefully considered in any effort to promote Internet security by focusing on device health.  In that regard, examining health is not the same as examining content; communicating health is not the same as communicating identity; and consumers can be protected in privacy-centric ways that do not adversely impact freedom of expression and freedom of association.
Within the current legal and political landscape, and with the current state-of-the-art in technology, there are collective defense actions we can take now and we should commit to continued cooperation, collaboration and investment to fully leverage current tools and technology.  With examples like France’s Signal Spam or Japan’s Cyber Clean Center as models, industry and governments need to build upon the successes to more systematically help improve and maintain the health of Internet connected systems and to disrupt cybercrime and other threats to individuals and society. 
For its part, Microsoft looks forward to continuing to provide and promote research and development that will make system scanning and cleanup more cost effective, along with looking to solve current technical barriers. We will also advocate for legislation and policies worldwide that help advance the model, but does so in a way that advances principles supporting user control and privacy.

Comments (109)

  1. Debbie Mahler says:

    Oh no you didn't just go there! Thanks for the blog fodder for my website! Microsoft touting removing unsecure PCs from the Internet and networks?? By that logic we need to remove every machine running Windows!  Great job Microsoft!

  2. Good and bad says:

    You should not be interfering win our freedom and privacy microsoft. Make politicians in countries but don't you EVER break my web browsing and internet because I am trying to find a cure to an advanced trogan. Pathetic that you would Even suggest controlling your customers but of course since bill gates left you only managed to pop out a crap os and then fix the bugs and put out another one. NO bad microsoft.

  3. ribose says:

    If Microsoft isn't competent enough to make software that is safe, how are they going to be able to make an Internet quarantine that works?

  4. Bad micro says:

    There are many false positives for malware or your computer parts especially in older comps. This idea is plainly absurd because of privacy and the unethical taking away of our freedom. Microsoft I demand that you throw away this plan and then quit your jobs. This idea shouldn't have gotten farther then the trash can where it belongs. First of all semantec has problems with windows firewall and other parts of the system. Some people cannot afford go buy one or really need one for rare Internet uses. If this is put in place all free anti-malware services will most likely dissapear because of some stupid regulations. How about you go and actually make laws in Spain where bot nets are allowed to operate? Pathetic microsoft but of course your next OS will only be leased to buyers because like most companies you are controlling and corrupt.

  5. Lisandro Pardo says:

    "Lead by example". You can't just ask a "digital quarantine" of all infected devices when almost 100 per cent of all systems that are part of a botnet are using Windows as their main operating system. You want isolation? Fine, integrate it in the next version of Windows and: 1) Try to convince the consumers that this is necessary, and 2) Deal with the fact that you'll have to lock-down your own product to keep the Web "safe". Do it yourself Microsoft, do it if you dare, just don't go around asking for a "global solution". There's one tiny little thing called "net neutrality", and no, you can't mess with it.

  6. alan says:

    Good idea! Get all Microsoft machines off the internet once and for all.

    How did you manage to type all that without getting the blue screen of death at least three times?

  7. darren stewart says:

    Dear Scott,

    May I answer your comment, and give you some feedback? Thanks in advance. I've been working within IT since about 1990. Much of this work has been spread over differing technology, but the bulk has been Microsoft in basis. I enjoy working with MS products in a general sense, and overall, I'm not, or at least I try not to be critical. But a core and very serious problem with the internet and the point you make has actually come from you. And your posting runs along the line of its someone else's fault.

    Microsoft, even with service packs still has XP setting new users as users who have admin rights. And while I confess its simplistic to make the statement that admin rights causes the bulk of malware, the harsh truth is that its been the primary driver.

    Microsoft has been erratic and very slow to get to grips with this issue. Today, Microsoft is still writing apps that require admin rights to run. Not install, but run. The more generic wider world still and historically has done this. Games within the windows world require admin rights to actually play, not just install.

    How can we have any sanity if our kids on computers end up with privileges like admin rights because of fundamentals being so wrong. Yes, its an example. But guess what, how about office? Guess how your older office systems operated and if a component needed changing – the end user had to have rights.

    Now, MS has learned some lessons. But not hard enough. You worked hard on Vista (the worst OS since Millenium) and on 7 (An OS i regret to say I personally hate and detest for so many reasons I won't go into here) to try and turn this round. But today, and I state this blunty, what is happening is that people are turning off UAC and making themselves admin once more because of the fundamental disaster that exists within the windows structure.

    It is no good taking a 3rd degree line on poor fools who suffer from the fundamental failings. Disconnect them from the net. Well great. Next day, they wipe the machine like good children, and a week later they turn off UAC and give themselves Admin rights because the landscape is that broken.

    Now, with the move to a 64 bit OS, Microsoft could and should have made harder lines on this. Users should simply not be able to run as admin. And by hard lining this, you would have forced ISVs and others to work to a hard limit on this subject, and you could have set UAC so that it or other technology remain in place. I know that UAC has now magically morphed inside MS from being the original security tool, now to a Dev tool for helping everyone note when they cross the admin line, but its there, and its one tool.

    Please note when I say no admin rights, I'm not saying no 'elevation'. I am saying that they should not be able to sign in and simply run as admin ala XP. And that the system thus behaves in line with elevation akin to 7 perhaps, but not unlike many Linux distributions, or other systems today that deny direct admin access – cutting down on the invariable code getting access at that level.

    I am also aware that this would cause a higher level of breakage. But you know what, I would have preferred a more solid MS future OS, and not just continuing disaster, even if this mean limited take up initially. But MS had the opportunity to force this at the 64 bit break point and for the sake of brevity, screwed up royally. I think its good that UAC and a general move now nudges people towards doing things the right way. But you and others at MS need to understand the disaster that exists. And how even today, its hard to find MS directly and plainly saying don't run as admin.

    Now you have still today, large numbers of XP users – and you will have. When as a starting point will you as a company put an add on to the new user screen of that OS strongly advising not to set users as admin accounts. And further, when will MS start telling the world that at a point in future, things are actually going to be tightened and running as an admin is going to end, so devs and ISVs start to change NOW.

    I'm still meeting Microsoft  Windows developers who are saying because they are not being pressured 'Its too hard, we will just make it that they need to be admin to run. These devs need to be fire, change or go and find a new career. Further, anyone at MS who is making apps that require Admin rights to run, – seriously, how can you preach to the world when you are still doing this, needs a whole sale attitude adjustment. You are the company that makes the OS, and its unfathomable that this happens in the general sense.

    Now, historically, and internally, I am sure this is terrific in terms of the problems it creates, but I can tell you outside the MS walls, its castly worse, and vastly harder. And MS as a company has to take a serious hard look at itself.

    The malware and virus issues on the whole platform, at least in part stem from this wholesale disaster, and the recent changes MS have made on Vista and with 7 do not go far enough, and fundamentally still have the core problem. I agree that this is caused by much 3rd party software, but again, MS did not do enough to stop apps being built that way, to educate against it, and to start to lock that misbehaviour down.

    I am sorry for ranting. Anyway, I produced two vids on youtube, which I confess are not professional in their nature, but can guide users on XP to avoid the admin rights problem, at least in part. But its not my job, its something MS should have done, and should be doing.

    Kind Regards


  8. Why not?

    When Police can shut down your car because it is not safe for traffice anymore, why not do it for computers too? People should take some responsibility and maintain their computers. Like they do for their cars.

  9. Rasheed Afaar says:

    So how would they get around the problem of virus scanners that misidentify files as viruses, trojans, or malware when they aren't? Hell, some Windows files get identified as being infected. I think M$ is just still mad that they produce the most targeted, unsecure software on the planet.

  10. Anonymous says:


    Not that this will matter to you fat cats @ MS, but if you do go ahead with this i'm afraid i'll have to stop using Windows.

    Want to know why? Simply because I have never used an anti-virus and I have no plans on starting now just because some company has decided i need one to go on the internet.

    That's right. I've NEVER used an Anti-Virus other then a web based scanner every now and then. And in the past 10 years, I have yet to get a virus or any kind of malware. Why? Simply because I practise safe surfing. Something that people really need to be educated on in my opinion. 99.99% of viruses i've removed from friends/families PC's have all come from user error. the remaining .01% was from an infected network which most likely became infected, once again, due to user error.

  11. George says:

    If all the pc machines that are infected with any virus or spyware are to be blocked from using the internet.  Then can anybody tell me and the other peolpe who use the internet were the visuses come from. They come from the internet itself and then if the ISP's start cleaning up their act about getting rid of these virus's before they get onto the system then we would not have this sort of problem. The authorities are always going on about keeping your machine clean from unwanted virus's and spyware. They should bloke them at the source. The ISP's are to blame for not keeping their house clean in the first place. then we would not have this problem.

  12. Ogden says:

    I wonder if the author believes his own tripe, or is cynically pushing these ideas out there on behalf of his superiors. It is no secret that certain groups are now desperately grasping for any control they can impose over the internet, and any "threat" they can invent to justify it. Of course it must be a "global" threat, so we can impose a "global solution." Gee, where have I heard that before?

    Your repeated use of terminology such as "global" and "collective" gives you away, sir. And the vaccine analogy as well. Very tasteless, especially considering the staggering loss of credibility suffered by vaccine manufacturers and public health officials in the last couple of years.

    I remember that talking point from the old H1N1 hysteria last year. "Un-vaccinated people make everyone else unsafe." Sounds reasonable, until you actually think about it and realize how ridiculous it is. If the vaccines protect you, you have nothing to fear from the un-vaccinated. If anything, the vaccinated are making the un-vaccinated less safe, because in many cases they become carriers.

    Sounds like you've been listening to Mr. Gates a little too much. Have you attended any CFR meetings recently? Do you share his opinions on population reduction?

    PS. the irony of a Microsoft representative complaining about the threat of infected PCs is not lost on me either. The leading cause of infection? Microsoft products.

    You engineer the problem then you propose the solution. Sooooooo typical.

  13. Phil says:

    Nice idea in theory.. however say your AV is out of date as you've not been online for a month. How do you then get your latest AV definition files if you're blocked from the net?

    Plus if you are infected where do you get the removal tool, erm the net.

    This is why some viruses actually block your web connection to prevent you getting the fix.

    There is a pot and kettle situation with Microsoft not really setting the example of secure tested internet solutions.

  14. Karl says:

    I agree it is a major problem.

    However, the need to protect the vulnerable is paramount. The vulnerable in this case would be those unable to buy new hardware or services and those in repressive places who rely on anonymity.

    I disagree strongly with two points.

    "Collective defense can and should be used to help improve the security of consumer devices and protect against such cyber threats."

    It is the "Should" part that worries me. What if I do not want to? What if I do not want anyone else to see my data (and it is all data whether you use it for a process or a presentation). Consider my machine on a business trip to China. i want to email home. Do I allow the Chinese government to scan my drives? Would you? How about the Iranian government for that all important sales trip?

    "Voluntary behavior and market forces are the preferred means to drive action but if those means fail, then governments should ensure these concepts are advanced. "

    So the government knows best? Which government. It is bad enough having to find ways to get around suppressive governments ISPs anyway. Now RIM has agreed to move its servers to the UAE so any message can be snooped upon, do you feel any safer? Do you trust every single poor country to implement and what happens if one does not?

    So to go online, I need to have a health check. To be effective it needs every device to be compliant, including phones, WebTVs, online gaming consoles and PCs.

    Apart from the fact that my WinPhones do not have the horsepower to run yet another process, what would stop anyone from issuing a false certificate? Would that give a false sense of security?

    Assuming then that everyone has to connect to a trusted device to let that check first, what is the potential for a poisoned trusted device?

    How would Microsoft ensure all older machines comply and what would it do about none-Microsoft OSes such as Apple or Solaris?

    I do not want my sensitive data scanned by a third party, so do I get an opt-out and if so what would stop just a single Bot from getting through?

    As Bot attacks increase the health check would need to change, otherwise machines and their certificates would be out of date.

    How would Microsoft protect the anonymous?

    While everyone would agree that identifying know offenders would be a good thing, how does that protect the vulnerable who use anonymous browsing?

    The health scenario does not quite work as while one country can have an excellent public heath service not all countries are equal. Are you proposing to block off any country that does not meet up with your ideals?

    I am currently sat in a VPN, behind corporate firewalls, using company proscribed McAfee host intrusion. Do I consider that safe – No. Secure work is done on other OSes in air gapped environments.

    Could Bots could be prevented by ISP co-ordination and if so how do you prevent a false positive Digg effect compared to a DDos or even worse a slow loris attack?

    Where does responsibility lie? If you certify a machine, do you accept responsibility. If a car manufacturer fits faulty brakes and it causes a death, they are responsible. Would Microsoft accept ANY responsibility? If not you are imposing control without your duty.

    My main concern is after decades in the industry, Microsoft has failed on security. Not once or twice, but consistently. While I use the products every day, you need to earn that trust and it will be me that decided when that has been gained not you.

    Just as an aside – how come every single satellite engineer on the planet for commercial satellites uses BSD and not any other OS? Is it really that secure and if so, why not do whatever it is they do?

    If you and Microsoft really believe that this is the correct model, then why not create a walled garden. Inside you can control who connects and even make it safe and secure to enjoy. Communities could join and the wall expand to include them. Would I join the gated community – probably. Would I agree that all MUST be certified to connect to the net – NO! Stay away from my companies intellectual property and data.

  15. Linuxrich says:

    As a Linux user, could you explain to me why I need to be running A/V and a firewall to be 'allowed' onto the internet?  My O/S of choice works just fine with IP Tables built into the kernel and a tried and proven 'user access control' setup.  (Unixlike permissions.)

  16. Kystien says:

    you gotta be kidding me right? 1st of all you cant ban a infected person from seeing a doctor, and to be honest the internet is a PC's doctor. without the net we can download the antivirus updates or search online for walk throughs to remove the viruses or trojans from a persons computer. And to be honest my friend have you ever worked at a help desk before? I do, if a infection is bad enough we will segregate the system and reimage it. but if its a small lil thing then really it isnt that bad. What is really required is school courses starting in elementary to teach students how to trouble shoot computers. We start them young and then in 20+ years we wont have the stupidity of common users that we have now. and yes 90% of computer users in this world are so bloody stupid that they cant even tell the difference or know the proper terms for computer parts such as the monitor and the tower. So before you go saying that we need to shut a pc off to the net, maybe think about educating those morons out there who know nothing about computers and ban those people from touching a computer in the first place.

  17. Brian says:

    Absolutely unbelievable that the company *directly responsible* for making life easy for criminal types is now trying to have infected machines removed from the net.

    It's obvious through the long and sorry history of Windows-based malware that Microsoft is totally incapable of properly dealing with this problem by hardening the OS and implementing some sort of halfway serious security – well really, *any* sort might be useful: see comment above about the default user rights being those of admin for an example of Microsoft's very poor understanding of basic security – and despite managing to have "computer virus" enter common language as a mask for "Windows virus", the user is *still* being promoted as the root problem.

    The user is not the problem – the OS is the problem.

    So now we arrive at the next step, where users are punished by disconnection – effectively for failing to handle the problems inherent in the OS.

    If the long-standing and malign influence of Microsoft on computing wasn't so damned prevalent (and please; don't wave the tired old "that's because it's popular" canard around) this would simply be a bad joke in very poor taste.

    Unfortunately it's not a joke.

    This disgraceful, predatory company is being serious and to me, if any further examples were needed, this is just another compelling reason why its poor excuse of an OS should be dropped like a hot brick.  It is positively and demonstrably DANGEROUS when online and has been for years.

    The OS itself should be barred from connecting.

  18. Anonymous says:

    Here is my thoughts on this one…..

    @Debbie Mahler

        Unfortunately this is true. Microsoft would end up banning itself from the internet. Macs are gaining in the market due to the security problems with the operating system (OS) itself.

    @Good and bad

        I would have to agree with you on the failure of Microsoft since bill gates left the company in June 2006 and Windows Vista was released in November 2006. You don’t have to do Pearson, Spearman, or Kendall test for correlation to see a relationship for
    this one. Windows vista was almost if not worse then windows ME. I still remember installing it once and having to open my C: drive to make my sound work on the computer…. It seems like a great lot of work went into that OS, but defiantly to no avail.  July


        They won’t basically and more people will use Macs or format there windows machines over to a version of Linux once the get the bugs worked out with the wireless drivers. (Which do work by the way it just takes a bit of effort above the average user

    @Bad micro

        Some of lower quality virus checkers, even flag utilities that are used to repair computers are a virus, I am sure that there software would be just as happy to flag anyone that uses a higher than average bandwidth as a virus infected computer.

    @Lisandro Pardo

        Even if they shutdown all the windows PCs with bot nets, they will just end up moving somewhere else to do the same thing, the problem is OS as much as it the ignorance of the end users that aren’t smart enough to use or protect a computer properly.


        The problem with this solution is that all the people that are too ignorant to use a computer will suddenly flood over to Linux or Mac. I don’t want all those fools messing up all the hard work put into Linux so far, and if Mac gets all the users then
    they will end up with the same mess that Microsoft already has.

    @darren stewart

       Microsoft has done a lot of good towards helping the average user be able to use a computer over time. MSDOS was great, windows XP was great, but I fear this company is going to fail and disappear like a bunch of dwarfs in a tantrum spiral a the rate
    is it going (…/DF2010:Tantrum)

    @Gerhard Goeschl

        This may sound good to begin with to you, but as always people will take it another step. It is matter of where do we as citizens of the US draw a line. If they take away the cigarettes then for you all know that may next tell anyone that is not in the
    shape that the PTBs (Powers That Be) want that they can ban you from eating steaks or fatty foods. "I am sorry we can’t serve you a pizza sir you are on the national fat people list." How does that sound for a call to a pizza place? or burger king?

    Banning people from  the internet over a virus could be too easily abused. Microsoft could decide all Linux users are a threat to the internet, or people who look at porn are a threat and ban them all. How is that for personal freedom?

    Also Gerhard Goeschl please stop using internet explorer to post your reply if you did. If you were using Firefox you could have right clicked on ‘traffice’ and correctly spelled it correctly as ‘traffic’.

    <h1>All in all</h1>

    I see this as a way for Microsoft to ban Linux users, and violate net neutrality overall. Just another way to hand off the blame for their own failures and the failures of the massive amounts of 100% windows users.

    Just for your information i am knowledgeable in C64 basic, LOGO, QBASIC, VB6.0, VB.NET, C++, C#, HTML, PHP, and Java [no not the coffee] and I repair computers for my own amusement. I do know a few things about computers☺

  19. Toby says:

    I'm going to take quite a long "walk" to get to enforced AV software: Civil liberties are not lost all at once. It's little by little. The US, our Constitution–the highest law in our nation–has a section called the "Fourth Amendment." It states: "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

    Terrorists bombed New York on 9/11/01. Now people are practically strip searched when they fly. How does this not violate the Fourth? It's because we're protected "…against unreasonable searches and seizures…" The key word is "unreasonable". The courts have ruled that the public now finds airport security reasonable. Moving search & seizure issues in our legal system from unreasonable to reasonable is too easy. Moving them back to being considered unreasonable never happens. Our Fourth Amendment rights are eroding.

    Now, back to the antivirus question. It has nothing to do with the Fourth. However, once we legally enforce people to use it, we can never go back. It's not a far step in the imagination to next enforce parents to vaccinate their children. I'm not a conspiracy theorist. I don't believe in the black helicopters or that the government invented AIDS in order to reduce the populations of drug users, minorities, and homosexuals. Still, if we start moving down this path we have to ask some questions:

    Who decides what AV software meets the legal requirements? Who is to say that governments won't hide spyware (in EVERY sense of the word, "spy") into that software? Will there be one monopoly whose AV software is the only allowed software, or will there be competition? Who regulates that, and how?

    Legislating OS security has the same problems. Who decides what the definition of a secure OS is? How do we know that governments won't forcibly inject their own "security" code into the OS?

    Is it the end-user's responsibility to protect their OS? Yes. You can't hold different products to different standards. Here's what I mean: If you point your moral finger at Microsoft for having the responsibility to secure Windows, then you hold Microsoft accountable for that. What about Linux? It's developed and secured by thousands of people worldwide. None of them are accountable to anyone. Who do you hold accountable for Linux security? Companies like Red Hat and Cononical (who makes Ubuntu) simply take various open source projects like the Linux kernel, GNOME, Open Office, and Firefox, and they bundle those products together. So you can't hold them accountable either. So if you can't put the responsibility for Linux security on anyone, then you can't hold Microsoft to a separate standard.

  20. Arsha says:


  21. sgislain says:

    Malware is a big problem. But I dont know why ISPs just redirect you to page every so often to inform you that malware is coming from your line.  I'm sure its in their interest, as many over bandwidth users is actually caused by PC viruses.


  22. friedemann says:

    I think this is an attempt by  MS to pull off those computers that do not have a verified MS O.S.(increase in sales).    What better way than under the guise of internet security?   I run AV all the time(however not a MS brand).  No different than you.  Not all of you drive 2009 Chevrolet.  We have a choice of many different cars to choose from and majority are safe on the road to the same extent as the 2009 Chevy is.

         > We don't need a new model.(just because they make it)<

       As I said before, I have an AV program that seems to catch any stuff out there(but it is not recognized as being on my system)  I won't use a MS product for they are the problem.   I have had my computer checked over by "6-7" other AV systems(after all I want to know if it is performing) and none of the others found any bugs.    Then I have used Antispyware programs 4 different types and let them take a gander.  And an anti-malware program also takes a look.  I also use a registry cleaner.

        Microsoft does not see many of these programs as existing on my machine(and yet they were written in the early days of Win98 era)

          I am not about to let MS inspect my machine because "frankly my dear, MS is not the internet".  I never use IE, having gone to Netscape first until it died and then to FireFox.   My mail(which usually contains the viruses) is on an on-line E-mail service which has its own AV checker.    

        Do I get spyware?  Yes.  But not from "porn sites"   More from gambling and gamining sites and stores that sell consumer goods-that I might have visited for an item.

           So Herr  Gates, look at what is being allowed on the web and whether you can do anything about it…………against freedom.

          I have also used my buddies "XPHome" product.      There are so many pop ups I must OK in order to do anything.  Then it won't recognize my AV as being legit to run to autoscan the pc because it is not a MS product.        You call that security?

       It is only secure in the "world of Microsoft".    

     The internet world is much bigger than  the world of Microsoft

    When I say Microsoft's OS is holey , I mean full of holes(not the religious idea)

    And you guys are incapable of fixing it?  So blame the masses(that made you a billionaire)

    Definitely Smart.

  23. Ubuntu says:

    Just install Ubuntu Linux on your PC and forgot about Microsoft Windows.

  24. Brent says:

    Well congratulations. Yuu had to know this would be a magnet for every MS-hating moron and troll on the web. And they haven't let you down.

  25. Russ says:

    I assume this ties in with the signed driver model. I read this and see:


    And added bonus, we can get governments to subsidize it!

  26. JoeMan says:

    I agree with everyone, this is ironic. Why don't they just create better quality software, then there would be no virus problems, because the majority of infected computers are MS operated. Also regarding how in the article it said that unvaccinated people pose a risk to vaccinated people that is just plain BS. Then what would be the point of getting vaccinated if your going to end up infected anyways?        

  27. Linuxrich says:

    @ brent.

    Is it any wonder there are MS haters out there when a scheme like this gets proposed.  Instead of producing decent products, MS these days resorts to abusing flawed software patents to blackmail smaller companies and competitors and then come out with this plan to force every non MS approved computer off the internet.  I hope they go the way of SCO and soon!

  28. LCode says:

    I see a big security problem in this scheme.  

    What if the virus was a root kit that sent out the signal that the computer is clean?

    No AV would detect it and they could continue messing up the web.  All you would need is a trojan like that and all of the old worms would continue to work like they do.

  29. PK says:

    I propose a better solution:

    1. MS produce a Un*x based Windows with a 'Windows' interface – much like Apple have done with Mac OS X.

    2. Include something like Rosetta that will provide the required crossover for the legacy apps. Let's face it, Wine is already out there and doing just that.

    3. Sell it for a reasonable price – a buy in if you will – so that the majority of Windows users migrate to the more secure system. Perhaps $75?

    4. As someone already pointed out, remove the user's default admin setup – ensure that a password is required for all privilege elevation.

    Instantly, you lose all of the current malware on the planet as it is unable to manifest itself on Un*x type machines. You get a more secure OS. Happier users and the Internet is a better place for all.

    Won't make the AV vendors happy, but hey – you gotta break some eggs after all…


  30. Anonymous says:

    @PK: problem with that is that as soon as MS do that, the people who create viruses will start targeting UNIX based system (which include Linux, Mac OS X, And this new "Windows" you propose), Which means more PC's infected which means they'll have failed. Again.

  31. PK says:

    @Anonymous – Why have these virus creators not currently succeeded with the large number of Linux and Un*x based servers already on the internet?

    Yes – they will become more focused. I still think that the barrier of getting through the security that is inherent in Un*x would prevail more often than not. Removing the vectors for a virus or trojan to operate in is key to halting the problem. Whilst some might argue that the removal is at the user level, I honestly believe that this is achievable.

  32. LCode says:

    @PK – Viruses exist for both Linux and Apple (I also assume for more flavors of *nix operating systems).…/72642

    They just aren't talked about as much.

  33. Lloyd Cata says:

    Funny to have Microsoft propose such an approach to cyber-security since it is their operating system that is  the main problem for malfeasance on the internet. It's almost like proposing that 'everyone' must always use condoms because of AIDS, when we know that certain behavior is the prime means of infection….and in this case using Microsoft software is a high risk behavior.

    For the love of money, Microsoft proposes that the 'government' intervene to force internet users to use, essentially, a PC condom….and we know who, with a shrinking profit base, is going to be marketing condoms. They know they cannot convince the internet community that they already have such protection, so they want government to mandate the purchase of a product. It's not enough that they could incorporate such a product in their software because they cannot convince their own users that they are distributing a safe product.

    Lots of lobbying will go into this, and every time the government gets hit Microsoft will turn the screw. Government is slow and stupid…and scared(giving the president an internet "on/off" switch). Can you hear their pitch, "Mr. President, we want to make sure you never have to use that switch…"

    I have been a communications engineer longer than Microsoft has been around, so you know I no longer use their software for my personal use. Neither do I participate in risky behavior since my Linux security is as secure as "I" set it, but if you want a peek at what Microsoft is proposing, here's a look at their solution;

  34. ric says:

    Simple do not use MS use Linux. Problem solved

  35. sam says:

    Yes, I agree with Phil. So when you are infected, and you need to look up the manual removal of the virus/malware (editing registry, deleting files, etc), you can't because you aren't allowed online. That's the first thing I thought of reading this. People aren't going to go pay tons of money for anti viruses that run like crap on top of paying for internet every month.

    A lot of viruses come through email anyway, so how about people stop being so stupid when it comes to opening their email? They get infected, their problem. Other than that, they usually come through using programs like Java and DirectX (both have allowed things through on my computer) by opening one thing that you know should be safe. Maybe they should start working on better patches, hm?

  36. Keith says:

    There are indeed some viruses for Linux -BUT they've never succeeded in spreading due to the vastly more secure nature of the OS AND the more knowledgeable ( on average) user group. Any fool on the other hand can give themselves admin privs and install a ddodgy program – only defence against that is education. What you can't do on Linux is infect your system by clicking on a link or just browsing to a web-page or directory.

  37. Marton R says:

    First MS spreads the good word about computers. Then, as its star rises and it makes a fortune, a lot of other things become cheaper and cheaper. Now you would want to establish rules for who is allowed in and who is forbidden (I read my Huxley, thank you).

    What about you FINALLY put toteher a program that works rather than use all of us as guinea pigs? I am still running XP on an old machine (and I wish I had Win '95!!), because 4 experts I know say that it is still better than anything MS has produced thereafter. My wife has Vista, it has been a catastrophe from day one, I have spent weeks trying to get basic stuff going.

    By the way, folks: try to avoid arguing by analogy. That is always flawed— automobiles and vaccinations are different from computers.  You can't argue that because we have inspections, on cars, we should have inspections on computers. It does not make any sense because of the other differences.

  38. Daz says:

    So… if you take infected machines off the Internet, how do they download the security patches/updates required to rectify their vulnerabilities?

    Or will MS finally put out a version of Windows that won't need patching every week?

  39. Joe says:

    Dude, get your head out of your ass. This is equivalent to the government attempting to repair everything. It's impossible; there are ways around everything, and they are always discovered sooner or later. CSS, HDCP, and DRM in general are prime examples of this.

    Tell everyone, "The Internet is not a secure place." Done. Don't run Windows, don't open strange e-mails, and don't visit foreign websites. Surf safely. There's your health check. For the large percent of the population who can't understand that, they deserve what they get. Sell them a stripped-down version of Windows with a whitelist of allowed websites if you want to milk this issue. Don't screw over the Internet for those who know what they are doing.

  40. Alec says:

    Upgrading the infected Windows machines to Ubuntu will solve the malware problem and make the users far more productive.

  41. David North says:

    How very typical of Microsoft's Big Brother approach. Or, to put it more bluntly: what a bloody nerve! Seems to me Microsoft produced the half-baked software that allowed hackers free rein to spin viruses into their systems. Now the victims should be banned!?

  42. BRAWL says:


    So how would I access my PC's internet connection if I became infected with a virus to actually sort out an anti-virus program… Oh wait, according to you. I wouldn't be able to? Pointless.

    I'll be making sure "Auto-Update" is off permenantly now I've seen this, all it takes is one dodgy bit of code (and lets be honest Micro$oft, you do make some fantastic messups with Code +coughs VISTA+) and my internet is snapped off quicker than a branch under the weight of a fatman.

    Why not go make some software to prevent the DDOS attacks happening? you know, that might be better for the consumer… for once…

  43. Marton R. says:

    Pne more thought:

    How about this:

    All you softwaristas take a vow: "We will not add on, write , or "improve" anything until we have the basic machinery going"

    In other words: a 5-year mopratorium on anything called new, red-flag the word "innovative" and when you have something that really is a solution, call it a solution. Don't call quickfixes to an "oops-I-forgot-that-detail" problem a solution. It is not.

    Oh, I am dreaming…. sorry.

  44. Mick says:

    @ BRAWL: You don't. You simply chuck your PC into the boot/trunk of your car and take it to the nearest computer retailers where they will happily charge you an arm and a leg to let you take it home and use it again.

    However, nice one Microsoft.

    Given that you weren't that bothered about embracing the internet in the first place. Then you come along with your web unfriendly standards like Active X which, incidentally, gives hackers and malware writers a key to the door.

    Everything since XP has been a kludge. Although Win7 has gone a little way to restore faith in your ability to provide trouble free computing. I'd still like to reinstall my O/S without penalty on the machine that it was purchased with without going through the Spanish Inquisition.

  45. Anonymous says:

    @PK: The main reason you don't see many viruses for UNIX today is because there aren't enough users on the platform for it to be worth it for those writing them.

    More recently, there have been proof of concept Trojans & viruses created for Mac OS X proving OSX isn't as secure as Apple would have you believe. Of course, that's just one UNIX based OS that isn't quite as secure as other *nix based systems such as Linux.

    The real problem is, no software is truly secure. Humans aren't perfect. Software we write isn't ether. While *nix is a step towards a more secure platform, it's highly unlikely that no one will be able to write viruses for it. People are PAID to write viruses in the black market, and as long as that is allowed to continue, nothing will really change.

  46. R Lewis says:

    Elevates blaming the victim to new levels. Way to go MS, abdicating your responsibility to secure your own products. You're Sorry Development Liecycle is not nearly enough.

  47. leodp says:

    MS, are you going to sell security certificates for inherently unsecure machines, i mean, those running MS OSes?

    That may be a goldmine!

  48. DJOHNSON says:

    How appropriate a location for waging a first strike war effort against workers who have paid a weeks average salary for an Operating System worth $25.00.

    Windows should be banished from the  WEB and the Internet, except for the 'first class citizens' who are  self defined as the only deserving broadcasters of WEB info, the businesses and organizations which are judged and controlled by a separate set of laws from the common Internet user person(individuals).

    We have a staging on the WEB of a class war, waiting for the subversive German styled acts of ordering laws to reduce the citizens unruly perusal of available information, wherein the individuals become infected with 'virus' injuries, and used as fodder for the 'first class netizens' to bring a sweep of new laws protecting the routine of organized  economics, and, in the process, soundly eliminating the cause of individual equality of idea and political transfers by the vastly larger population of individuals(second class in the eyes of the organizations, governments, conspiracy rings).

    The virus acts defined in the articles, both here and following this in the BBC follow-up story, are explained as acts by conspirators, groups, and active programmed operations, then transformed by switching words into an accusative broadened identification of the injured victims as the offending parties. As victims, the individuals should seek to know the source, fight the source, and contain the source, of these attacks by crafted virus-like processes.

    We have been prevented from fighting the sources of these acts of damage, by Microsoft Corporation which racketeers a product so endangering and flimsy that it would be banned if it were not a racketeered monopoly styled system. With an original WEB of several competing and available finished Operating Systems we could have made good group judgments. That was prevented in heavy handed ways, over tens of years, resulting in a product sold for ten to twenty times it's true value. We call it Windows or NT, but it is an illusory puppet for virus and malware and spyware writers. We can't even see whether we are infected in most files, and the OS was designed to not clean itself, and to not define it's own internal health. Truly it was not even sold as a healthy program.

    Microsoft Corporation now offers one of the anti-malware scanning programs to users, but is only a mediocre performer in the actions of it's own self health and self cleansing in the use of that process.

    How much better will the megalopogous Microsoft be in selecting those millions of excluded injured Windows users who cannot  use the Microsoft 'cleaners' to save their systems now currently? A third to a half of malware cannot be found by Microsoft's own anti-malware programs. I got that lesson again this week, with a virus found only by F-Secure, and not by MS anti-malware.

    Where is the outward reaching logic of the Millionare and Billionare making machine monopoly in the advocation of a system to exclude politically selected groups from Internet access upon the attacks waged against them by the true sources of the malware and virus'?

    Why attack the individual in such a classic return to German Nationalism ordering of obvious class politics cruelty when the real solution is to jail and permanently exclude the criminals issuing the malware?

    This argument is deserving several pages of examples.

    Do you want me to provide the historical place of Microsoft in the scheme of bad behavior, bad salesmanship, and poor leadership in the PUBLIC Internet, or WEB?

    Can the rich and the monarchs be the rulers of the billions of individuals who seek a self-sustenance and minimal wealth in the use of the WEB or Internet?

    Why attack victims, and not the perpetrators of the damages?

    Write a better solution, and use better thinking in the matter.

    Do not stage such folly from Germany as well.

  49. Jack Donio says:

    A other good reason to switch to Linux

  50. Laughing all the way says:

    This is a terrible idea.  Instead, try educating computer users about how to surf the internet safely, set up OSs with the capability (easily found and implemented, please) to adjust user permissions so random executables are not permitted to run (something Linuxrich alluded to), and provide security fixes on a timely basis (along with information about why they are a good idea and how to install them).

    Microsoft should not be the gatekeeper, and when the bulk of the offending computers are running Microsoft OSs, pardon me for my skepticism about their idea for a "solution".

  51. Michael Foukarakis says:

    While it is necessary to take measures both when micro- and macro-managing computers (connected or not, infected or not, doesn't matter), we are far from having a competent means to achieve so. At best, we could come up with a privacy-invasive scheme which would only delay the inevitable, while at the same time aggravating users.

    One needs to focus more on micro-managing computer malware, and achieve certain success, before trying to macromanage more.

  52. Deb says:

    Although I agree with the desired result, I think it would be better if Microsoft would not go it alone on this one.  To work with the ISPs…..yes, I know, huge undertaking….but the best approach.  Possibly an intermediary who can coordinate with both Microsoft and ISPs, contact the customer, and do an orderly cleanup of the machine.  This approach may also enhance Microsoft's image a bit, make them seem a bit more human.

  53. futurama says:

    @Brian 6 Oct 2010 9:33 AM

    "Absolutely unbelievable that the company *directly responsible* for making life easy for criminal types is now trying to have infected machines removed from the net."

    Sure it's Microsoft's problem if people don't update their software. Also Adobe's etc. And don't forget open source providers too!

    I really think that Microsoft itself would burn their earlier software which are not secure and this is suggestion for that. That includes XP/IE6 and so on which are STILL in use because of lazy people who simply don't update anything. There are lots of fresh options nowdays for those which are more secure.

    Anyways, I actually do like this idea. Every bit of your internet connection is controllable by your ISP. If there are some major viruses spreading which uses uncommon ports or so and they can monitor it's activity, it's fairly easy to shutdown connection if it causes 'illegal traffic'.

    No matter what anyone says, it's doable and it should be done by every ISP. Like 90% of spam email are caused by these infected machines. It simply won't go down if something major doesn't happen in whole internet structure. This would be at least one step forward.

  54. glynn says:

    Instead of persecuting innocent computer users you need to be looking at 2 things, the first is the security and vulnerabilities of  your own operating systems that 'allow' botnets to be installed on a host pc in the first place, to me this is just an example of how Microsoft cannot fix their software issues so they will pass the buck and make users pay for their mistakes.

    Second, you need to look at what makes a botnet, right down to its coding and squash it from being able to be installed by the botmaster on their pc, make the next operating system have the ability to detect botnet activity on the botnet masters pc and have windows itself disallow use of that programme or coding. Obviously this would require some serious encoding to make sure it cannot be just 'switched off' but with some hard work it might be possible to stop it at the source, you could even issue an update to all previous operating systems making a claim that its just a simple 'security hole' update and force it onto existing internet connected computers – people wont like that but they will like your idea even less

    the point is, there are other solutions to be explored and you, as usual are trying the easiest without thinking about alternatives.

  55. Brian says:

    @Gerhard Goeschl

    "When Police can shut down your car because it is not safe for traffice anymore, why not do it for computers too? People should take some responsibility and maintain their computers. Like they do for their cars."

    But unlike cars, software doesn't require regular maintenance because of mechanical wear & tear so your analogy is a little weak.

    However, and along the same lines, I assume you'd be happy paying to have the wheels fixed back onto your car after they've dropped off – again – and would happily continue buying cars from the same manufacturer, despite the wheels dropping off every other model they've released and despite assurances with every new model appearing that this is the safest one *ever*.

    There comes a point where you have to seriously consider just how much of this you can reasonably be held responsible for fixing when really, none of it is your fault or responsibility: it's a design problem with the car itself which the manufacturer is demonstrably incapable of resolving.

    Me?  I simply don't drive a car from that manufacturer because I have better things to do with my time than waste it by applying sticky tape in an attempt at resolving the manufacturer's problem.

  56. Fire Scott Charney says:

    Scott Charney should be fired immediately from Microsoft.

    If this is what Microsoft considers R&D, then MSFT will go down another 20% next year.

    What Scott Charney wrote is laughable and Steve Ballmer should fire him by 5 p.m. today.

  57. MikeJJ says:

    It's much simpler than what he suggests.

    If a PC running windows connects to the Internet, block it.

    No need for Health checks, just a simple OS detection at ISP level.

  58. Brian says:


    "Sure it's Microsoft's problem if people don't update their software"

    If Microsoft had any real answer to the security problems designed into Windows and if the software update process worked reliably (instead of often creating more issues than it resolves) then this discussion wouldn't be taking place and there would be no malware/botnet problem.

    That there is still a *massive* Windows-related problem – after all this time – and that Microsoft is apparently serious about this health certificate/quarantine idea should only serve to indicate that it has totally lost control of its own software and is intent on blaming the user.

    I find this admission of defeat incredibly arrogant but hey; this is Microsoft we're talking about.

    Also, to quote that thoroughly over-used Microsoft buzzword – it is at least innovative to make it all the user's problem.

  59. alan says:

    MS is reinventing the wheel, that has been products on the market for years that already do it! Look at Bradford Networks ANS it has done this and more for years.

  60. paul says:

    Can I ask as to who will be issuing these 'health certificates'? And if MS isn't good enough to make an OS that can resist virus attacks, they have no right to demand that virus infected machines be taken of the internet.

  61. christopher cotie says:

    I have tried and tried to get hold of microsoft to find way for disabled and low income elderly to upgrade their old machines to windows 7 , but microsoft is totally unresponsive to the elderly and disabled low income segment of population.

  62. DJOHNSON says:

    update- a link to a screen capture from an attempt to use the MSDN forums to solve an audio and a digital camera problem, both from a new installed XPP build, and the camera being a new product from the far East.

    No audio, and the DVR camera cries out on XPP as an error after being played successfully on XPP Media Player,…why???

    and then this, how appropriate a daily example of the wide,wide, world of MS.


    "   – a clean link.

  63. Jack Harkness says:

    Wow. Simply WOW!!

    It takes HUGE sized genitalia to actually work for Microsoft and claim this.

    Stuxnet, Conflicker and all the usual cast of viruses arent a problem on my Macbook Pro nor

    on the older computers in the house that were once WinXP and that we have since changed

    to Linux.

    Most tech sensible people know the truth about viruses and Microsoft's role and incompetence.

    Its just appaling that the BBC is running these kinds of stories.

    I do agree that dangerous and potentially dangerous machines should be quarantined from the net.

    I just dont think your bosses are going to agree to it.

  64. Greg Lambert says:

    Just run Linux or Unix….Problem Solved!!

  65. DaveK says:

    You disgust me.  Your real motives are transparent and beneath contempt.  You propose a scheme that, as if by coincidence, implies that nobody should be allowed to access the internet without regularly paying money to Microsoft.  This has nothing to do with protecting internet users or increasing internet security and everything to do with rent-seeking.

    Oh, and you also believe that government should help enforce your private taxation scheme?  Your greed and sense of entitlement is sickening.  I'll do everything I can by way of political action to help ensure your vicious corrupt and wicked scheme never gets beyond square one.

  66. visionofarun says:

    Hilarious article.

    Simple solution to the problem: Ditch MS Windows and run Linux. Free as in Freedom.

  67. Iain Stevenson says:

    The analogy with a human quarantine process is flawed. If a sick person is quarantined they are given medical assistance to help cure them, not abandoned to thier fate. Its time for some joined up thinking microsoft. You are supposed to employ some really clever people. Its a shame you don't let them out once in while.

  68. Bruce says:

    If we could get all PC's to run in a secure UNIX style configuration with a a bit of user education at the same time, that  would surely eliminate most problems… after reformatting and re-installing any  infected systems of course.

  69. OneCitizenSpeaking says:

    Perhaps users should demand Microsoft revise its EULA (End User Licensing Agreement) to accept responsibility for Microsoft code which compromises systems and causes provable damages. You can't have it both ways: no responsibility for Microsoft and putting the government deeper into our personal lives.

  70. Chris says:

    YES! I agree! But we should go further – we should cut off from the Internet, any computer on which you installed the operating system which is potentially vulnerable to computer viruses.

  71. Chris says:

    YES! I agree! But we should go further – we should cut off from the Internet, any computer on which you installed the operating system which is potentially vulnerable to computer viruses.

  72. Mark says:

    How long will it take before I am allowed onto the web? I have 2TB of drives and I only want to look up where to buy something. Will the scan and certificate take more than a few seconds?

    Where can I get hold of a Linux virus?

  73. BobbySkillz says:

    >> Just as when an individual who is not vaccinated puts others’ health at risk,

    This makes no sense at all. If others are vaccinated, they won't be at risk. Unvaccinated people only put other unvaccinated people at risk.

  74. Brian says:

    @ Anonymous 7 Oct 2010 3:32 AM

    "The main reason you don't see many viruses for UNIX today is because there aren't enough users on the platform for it to be worth it for those writing them."

    Newsflash – UNIX *is* the Internet, and Microsoft's activity on it is an annoying background noise – much like a petulant child.

    UNIX users can only hope that the child receives some much-needed discipline very soon and finally grows up.  Then it can come play with the big boys.

  75. Matthew Wilcoxson says:

    think this is an interesting idea that should definitely be looked into further.

    As a previous comment has said this is very similar to car maintenance (called the MOT here in Britain), if the car fails these tests it is forbidden from driving on the road until fixed.

    My first thoughts are some kind of tests (probably remotely) administered on the computers, and internet connections temporarily disabled if a problem is found. The ISP's are likely to be best positioned and could charge extra, or have it including in the monthly charges.

    It may cost us a little more, but is likely to benefit everyone from better security to faster internet speeds (because of less spam etc)

    Thanks for putting the paper forward. (I wish more of your comments were a response to your blog rather than a flaming of Microsoft.)

  76. David says:

    Think the real problem is poorly written software by Microsoft, each new version with a promise of a fix which never comes. The last bug in memory was from a high school kid in Minnesota who was not that smart,but did high $ damage.

    The extent of the items that are hidden in the Microsoft driven computers will eventually become known.

  77. ShugoBR says:

    the idea is good…. you isolate the problem, then the user will take some action to clear the virus and etc…

    the problem is, you are surfing on the web…. tem "PAN" your internet is gone…. and you cant update your antivirus and download other softwares to clear your machine.

    linux, ios, and others dont have virus because there is few pcs with those OS, and is kind of hard to run a virus on a command based OS like linux that you must always use Terminal for some advanced programs.

    Windows is not bad, dumb users that use it are the bad thing… everyone here know how to use a pc, how to keep your antivirus and other programs updated… but many users dont know that… they just think that the computer is just slow because of many programs that they installed, here on Brazil this is the reallity*?*

    try to make "any" user to use linux and try to install the video drive or some advanced program, or try to active the firewall, on windows anyone can do this just reading the message on the window.

    this is why many people use windows, more then 90% os the computers run windows today… because more then, at least, 80% are dumb users who dont know how to use a computer, just know how to turn on/off the computer and chat and see porn on the web….

    you cant ask a maid to know how to format and configure a linux.

    Fernando Étore Gallão

    Network Administrator, Multsystems Informatica & Networks. Brazil – São Paulo.


  78. DHH says:

    So you are telling me Mr. Charney, that the software empire Microsoft cannot think of a real solution to Malware threats and is now advocating Government mandated MALWARE as the ultimate solution?  That is about the lowest I have seen Microsoft slump too, it makes me want to remove all Microsoft technologies from my resume and go back to GNU C++ development on Unix while I become an expert at Java development.  This is nothing more than promoting some Government Malware system designed for the sole purpose of Governmental CONTROL of the Internet; it blatantly violates our Freedom of Privacy, Speech, and Press, and affects everyone that utilizes the Internet for personal as well as commercial uses.  This line of thinking is easily more threatening than the threat that it was designed to circumvent.  The industry cannot sit idly by while such nonsense is being promoted.  It is my opinion that this proposal is far from trustworthy, and should make everyone question the very motives of the Trustworthy Computing initiative at Microsoft, or perhaps the corporation as a whole.  You sir either need to step up and devise real solutions to the problem of Cybersecurity or step down so someone that  can has the opportunity to do so.

  79. Gers says:

    How about free, effective and reguarly updated (for free) anti-virus software, as standard for every new computer?  

  80. justaname says:

    the economic disaster this would cause can only benefit the very few rich corporations, the smaller companies who rely on new business each day would have very little, and the people, how would 'millions' of computers with viruses be fixed, the cost alone would enable the rich corporations to cater to the few… well done microsoft, you make software full of holes, then cry fowl when they are exploited… Microsoft is the virus

  81. mr-bisquit says:

    This is a joke. Someone is angry because they have a little dick.

  82. lee says:

    Don't touch my linux with your "Windoze" godammit

  83. Igor says:

    Scotty you are so fired from job:)  you tool  😀

  84. Nasrullah.Naim says:


  85. LeslieRockDupervil says:

    dear Mic,

    this proposal is very interesting but there are somme issues I can't deal with

    , first let's start with the case i have a single PC and this PC has been Internet access denied , How could I get INFO to resolve it While I'm traveling ?

    Second U trying to compare the PC health world to our real world, I think It's good for some point, but U should Know that malicious code are written by smart guys and those smart guys their next target will be the certificate health, it can take longer than expect but they will find a way to by pass this.

  86. premdesai says:

    SIR, MY PC is strucked with virus,i will tell you the whole thing so i hope you can help me in this matter,some sioril toolbar is getting automatically downloaded on my PC,i didnt download it,,and wen i deleted & scanned my Pc,there was so much virus like (Browser hijacker),Adware HB helper,Malware trace,& adware trackig cookie,so i want to know how can i get rid of these virus,Please hel pme out.Because you people are the Master of PC's.I hope i will get the Reply soon.

  87. we-willie says:

    I, for one, have had all I can stand from Microsoft. They want to ban us, because their OS is not secure. Ever since windows95, Microsoft's operating systems have been prone to virus's and malware. Microsoft does nothing about it, and most of these crappy anti-virus programs don't stop a virus from getting in, and then they have a hard time removing it. Well, I have heard it over and over that Linux is better, and that I won't need an antivirus program. So, if it is the last thing I ever do, I am going to format my machine and start using Linux. Ballmer is an idiot, and this banning is insane.If they really do this, 75% of the windows PC's in the world will be quarantined. Microsoft needs to get off their butt and make a real operating system and stop penalizing the user for their own short comings!

  88. Linuxrich says:

    @ we-willie

    Bear in mind when migrating from Windows to Linux that you are used to doing things the Windows (Wrong!) way.  Therefore, make sure you plan your migration properly and have support (Either from your local Linux Users' Group or a good internet forum.) in place.  Chances are if you don't go into using Linux with your eyes open you'll become disillusioned and turn back to MS lock-in.  There is plenty of help available for the new Linux user and modern distributions are really very good!

  89. phillipsjk says:

    Prem, this is not really a virus help forum. Briefly:

    You can't delete something you didn't download. Viruses and malware are just software like anything else. Some malware is marketed as an antivirus: your machine is fine until you install it, then it refuses to uninstall without extortion money (called 'scareware').

    Many people have flippantly suggested moving to GNU/Linux. Some other people have suggested that Linux and MacOS mainly avoid viruses through obscurity. While that may be true to a certain extent, there are important differences. Most important is that there is no culture of running as the administrative user most of the time. This implies that random software does not require administrative access most of the time. If a piece of software requires administrative access, it is considered a bug (unless it is a system utility that can *only* reasonably function with administrative access). There have been a few stupid exploits demonstrated, but I'm sure they will be patched quickly if GNU/Linux ever becomes popular with the average user (source code is free to modify; it takes only 0.1% to know enough to improve things).

    In my opinion, Microsoft made a strategic error with Windows NT 6.x: They tried to do the impossible by implementing the "protected path" at Hollywood's request. This requires DRM built right into the hardware using secret interfaces. The conspiracy nut in me doesn't think it is an accident that secret interfaces make GNU/Linux (or BSD) migration more difficult.

    What Microsoft should have done with Vista was make a clean break from the culture of granting administrative access to normal users. If Vista required TPM support for business-class vista, they could have required virtualization support instead. All software requiring administrative access; including legacy games with crappy DRM should have been virtualized in a sandbox. If game developer want out of the sandbox, they should demonstrate they play nice in a limited-user environment: including installation. If somebody really wants a dedicated game machine (with DRM), they can buy an Xbox.

    The problem with the 'correct' solution outlined above is that it would upset all of those software authors who think they have a right to root your machine for "anti-piracy" purposes. That is not a big problem, IMO. Apple demonstrated it could be done with the Mac OS 9 -> X transition. Apple has also changed processor architectures twice: Apple computers now use Intel chips, just like Windows PCs. Instead, we have the poorly-documented UAC hack were even the Administrator user is considered a limited user…most of the time. Games are still allowed to root the Machine for DRM purposes; making the whole system fragile. HD video is now re-encrypted after decompression, generating extra heat, power consumption and cost.

    But, yeah, keep using MS Windows if you want. Plan 9 is just an experimental OS you wouldn't be interested in.

  90. we-willie says:

    I did it! I got Ubuntu installed and it is just AWESOME! Even did a dual boot for me, but I haven't had any need to boot the Windows. All of my office stuff works with openoffice and everything is working perfectly.

    Thank You Microsoft, for pointing me to Ubuntu Linux!!

    The thing I want to know is, HOW is Micro$oft going to determine what a virus or malware infected computer is?

    Are they now the definitive source on virus's and malware? Not that it maters anymore. My computer has never run this good or this fast with windows. It is like I bought a brand new computer.

  91. T-Jay says:

    This is awesome news. An internet without Windows PC's. Malware & virus writers will double their output, just to keep windows machine off the net. My tech business, which is mostly cleaning infected windows pc's, will double in workload. This is a typical ploy by Microsoft, to place blame for their crappy OS problems, on someone else. AND, let me ask this…. Windows users everywhere have anti virus suites running, but yet they still get infected….hmmmm, seems to me that the antivirus programs are just about as useless as the windows operating system is, at protecting from malware and virus. And how long will it take for some 9 year old to come up with a health certificate hack? Face it, this is a desperate attempt, by microsoft, to save their own ass. By doing this, it would appear that they really care… This problem has been around since before Windows95, yet microsofts answer to the problem is to give you yet another version of windows, such as Vista and 7, both of which still do not address the real problems with windows. They need to stop trying to reinvent the wheel, and get down to figuring out how to secure the wheel to the cart.

    @we-willie, YOU have made the smartest move of your computer life! Stick with it, the Ubuntu forums are some of the best when you need help, unlike the knowledge base at microsoft.

    More windows users should at least test drive the Ubuntu Live CD. But most are afraid to try anything new, and will get quarantined.

    I left windows when XP was released. The kindergarten look of XP was more than I could stand. Looks like something made by Hasbro/Playskool for ages 5 and under. I have never regretted it. Some will complain that there are no games for Linux…. screw games, I have a PS3 that will out perform any PC playing games. I don't need PC games.

    One thing to remember is, Gates didn't get rich because Windows is the best operating system. He got rich because of the marketing of windows and the licensing agreements with the big pc manufactures. People are fooled into believing that windows is the best, because when they walk into a computer store or an electronics department, they see windows on the computers. All marketing. Until you try Linux or BSD, you just don't know what a great system they are. I use Linux everyday as my main operating system, and I play around with PC-BSD. In 2007 I bought my first Mac, and OS X is totally awesome. Apples only problem is expensive hardware. The OS is cheap enough at 129.00, and the last one, OS X 10.6 was only 29.00. Plus it doesn't come in 7 different crippled versions like windows.

    I run into web sites all the time that have malware and virus for windows. Linux doesn't run them and normally just drops the file in my downloads folder, and I delete it and go on with what I am doing. Unlike windows which executes everything… I often wonder why these websites are allowed to keep operating…. don't see anyone quarantining them or removing them from the internet….

    I really don't think microsoft will ever deploy this quarantine, but it just goes to show you their mentality level. "We can't fix it, so lets just make everyone else suffer for it".

    If they really do this, and you continue to use microsoft products, well you are just a fool.

    If you bought new tires for your car and found out they were recaps, would you go back to the same store and buy some more? Hell no you wouldn't, but you keep buying the virus magnet…. windows.

    You pay for access to the internet, but you will be quarantined by a company that offers no internet access…. ironic or what?

    Good luck windows users…. I really don't feel sorry for you.

  92. George says:

    no company has good record on computer security, it is just that apple applies its updates without the user knowing it, giving the impression that their operating system is more secure

  93. T-Jay says:


    You are wrong George. Apple updates are not applied without the user knowing. The user is informed, and usually enters the administrators password to apply security update.

  94. Ubuntu says:

    If every PC was switched to the latest version of Ubuntu overnight, with everyone running as user, tomorrow there would be no malware whatsoever. Microsoft know this perfectly well. Writing successful malware for Linux is much more difficult – the file permissions system and architecture of Linux are concrete compared with the marshmallow security of Windows.

  95. Write good software, not bad laws says:

    MS has a fundamentally insecure architecture on all of its OSes. Instead of trying to put innocent users to bureaucratic hell, you better fix your own software. Or the world will just switch to Mac.

  96. Anonymous says:

    Tell me something MS… Why is it that every single application installed for all users requires admin to install?

    While when I use MacOS, most applications can be installed by simply dragging an icon from a disk image to the Applications folder, no need to enter a password at all. In fact, I don't remember the last time I had to enter my password on MacOS.

    Funny how one of the few apps I've installed that required admin privileges to install was your own Microsoft Office for Mac.

    I've even seen a few Linux apps that can be installed without an admin password too.

    So why does Windows need admin for every last thing?

    You guys seriously need to start again from scratch with Windows. NT was a start (looking at Win 9x here) but it really is NOT good enough. Start again. Base it on *nix.

  97. Trevor says:

    Bot attacks are not going to go away. Everyone cannot or will not change to Linux I do not care that the Internet connections all run on Unix or that Macs never get viruses in real life. The majority of people use Windows and are happy enough not to change.

    For the foreseeable future, bot DDoS attacks will occur, so Scott's comments are welcome in that he has at least opened up the discussion.

    Equally so, having the government force compliance to allow connection will never happen. It is not wanted and the benefits are outweighed by the effort and efficiency. Antivirus is only good for a limited amount of time before it is out of date and the next zero day exploit occurs.  You either have to lock down everyone on the planet's PC or not allow others to join your protected zone.

    ISPs could drop connections if they seem a threat until proof is supplied or even limit speed and full access to just their help forums. That way people would have an opportunity to fix systems and prove they are clean.

    It is all about whom do you trust? A big scary government that you have no control over or an ISP who you can always change.

  98. R.J. Brown says:

    So Microsoft and State say I must have their permission to go online, but it is my fault if any damage occurs through lack of knowledge or negligence. They have no responsibility but all the control.

    I assume I will also have to pay again for this *service*, but I no comeback if my business is harmed as a result of an attack.

    I have just seen my IT boy and he says he can put Debion on my new laptop. He is always saying how easy it is to use, so we have a small gamble about it not being up to the job. If it is good enough to carry on without major business problems I will convert the whole of my business just to protect it from Microsoft control. The second option is to convert to Apple and a new machine is now on order just in case I lose the bet.

    I do not want any more outside help in running my comapny. I do not need yet another consultant telling me that I need to pay or that they must audit me for my own good.

  99. Vosana Fenris says:

    I have used Linux distributions under virtual machines but not as the main OS as of yet anyway. but one thing I did want to say is shutting down the internet isn't what they are trying to do. UAC is good in its own right but the problem with viruses and malware still relies on the users. if the END USER can be educated as to what is going on and why they shoold patch their machines and keep software up to date, then less of the rouge malware would have a chance to take root. a firewall is fineand so is antivirus software. but that only keeps things from coming in. a firewall keeps connections from coming in (that you would have no control over) antivirus does the same thing. but it doesn't protect against something that you allow into your system. tha majority of users that have computers aren't that literate when it comes to how to remove viruses and I seriously doubt would go through the trouble of removing registry keys in relation to them if it is needed. for someone that is a programmer, building an Os or re building I should say shouldn't be that hard. even though it would take a while to develop and test to get all of the bugs out. doing something right the first time, keeps future problems from Arising. very few users are going to create a standard account

    if only one person is using the computer. now if a computer has multiple users that is a different story. but the thing that UAC has done is gotten rid of the need to have to log in as an admin to install a program or modify a setting which alone can be a pain when you have something you want to install. while you think Xp is the perfect operating system think about how many patches and service packs it took to get it like that. where as 7 is more secure just right out of the box than Xp ever was.

  100. phillipsjk says:

    Anonymous:  NT, when it was developed, was based on VMS and more advanced than Unix in many ways. It even supported multiple processor architecture, just like GNU/Linux or the various BSDs do.

    Everybody knows Windows ME was a flop: it extended the Win9x line as far as possible. At its core, it still used the DOS security model (supporting Archive, System, Read-only and Hidden file attributes). Windows 2000, based on the NT line was popular, but not marketed to the average user. It was stable and had a reasonable security model.

    Windows XP was a mistake in some ways, but not as bad as the mis-steps with Windows Vista and 7. Microsoft tried to combine the stability of Windows 2000 (NT 5.0) with the backward compatibility of Windows ME. The problem with this approach is that the security models are not compatible.

    Many program written 20-2 years before the release of Windows XP assumed a DOS security model: They would refuse to install or run without write-access to the System directory, for example. As a result, most users simply ran as an Administrative user full-time. This effectively short-circuits the more robust security model of the NT system. The instability of Windows XP is due to programs contaminating portions of the system they shouldn't be allowed to.

    I have already explained in my previous post why UAC was a mistake, and what Microsoft should have done instead. Essentially, UAC tries to 'patch' the differences between the DOS and NT security model by making 'System' files and services special. The 'Administrator'  no longer has full control of the machine: That role is left to Microsoft. As I have hinted in my previous post, I don't completely understand how the "split token" model is implemented, so I may have some details wrong here. The overall result is the same.

  101. Vosana Fenris says:

    Full administrator is fine if you are running a business, but as a home user, I don't see the need to have to log out of an account and log in as an admin just to install a program. if you look at the windows structure, in some ways DOS commands are still used. or at least the shell is. for example. ip config is done at the command line. netstat is done at the command line etc.people can use Mac all they want. but for what I myself use the computer for? windows is fine. plus the programs I use are windows based not Mac.

  102. T-Jay says:

    With Linux & Mac you do not have to log out and log in as administrator to perform administrative functions. You use SUDO or SU command at the command prompt ( terminal ) or the system prompts you for the root password, and you provide the administrators password, do what you need to do as the administrator and move on. Actually, logging in as Administrator ( or root ) in Mac is not possible unless you do some things to enable logging in as administrator. Same for Ubuntu. Some versions of windows do have a "run as administrator" option on the right click menu, and some versions are crippled and the option is not available. The thing is, when you hit a malware/virus site with windows, internet explorer automatically runs the installer, usually not prompting the user at all, and installs the malware or virus before you know it is happening. And most of the time that happens from a javascript popup. You can help protect windows by disabling javascript support in internet explorer, and only enable it when you really need to for the site that you are on. On a Mac, it does not happen. If you download any file with Mac, the first time you run it, you are warned that the file was downloaded from the internet, and asked if you are sure you want to run it. Logging in as Administrator ( Root User ) is being done away with in almost all major distributions of Linux, and is not recommended. During the initial install of the Linux OS, you set up an administrator password, and then set up your normal user account, that you log into. Then when ever an administrative function is needed, you are prompted for the root password only. You don't log out and login as root.

  103. Paolo B. says:

    Let's check:

    – most of computers banned from internet would be with Windows

    – if the rule is applied to servers, your services will be not available. If hosting is your job, all mail, sites and services of your customers would be cut from Internet. And if you di hosting you don't have few sites/services on each of your server.

    – Viruses and threats generically try to hide themselves. Do you remember viruses which were making spoofing on maill sender ? I mean, for a similar principle, how can you safely find one host as infect ? And if you ban a computer which instead is clean, then the owner should demonstrate his computer is clean ?

    – extend the rule to big companies network, where behind a public IP there is a network with thousands computers, and only one computer could be infect: as result an entire company is cut off from Internet  ….

    I could continue the list, but this is enough for Mr Charney to think a little..

  104. phillipsjk says:

    Paolo B.: Have you read the PDF?

    The PDF does not say that only virus-infected computers will

    be quarantined from the Internet: "potentially infected" computer are

    included as well.

    : Under this model, a consumer machine seeking to access the Internet

    : could be asked to present a “health certificate” to demonstrate its

    : state. Although the conditions to be checked may change over time,

    : current experience suggests that such health checks should ensure that

    : software patches are applied, a firewall is installed and configured

    : correctly, an antivirus program with current signatures is running,

    : and the machine is not currently infected with known malware.

    – page 8 "Collective Defense:

    Applying Public Health Models to the Internet"

    By Scott Charney

    Corporate Vice President

    Trustworthy Computing

    Microsoft Corp.…/Collective%20Defense%20-%20Applying%20Global%20Health%20Models%20to%20the%20Internet.pdf

    One of the footnotes (14) on that page says:

    :  To be effective, ‘health certificates’ would need to be both valid

    : and unaltered using a trusted stack of hardware and

    : software. For additional information on the trusted stack, see the

    : author’s prior work, Scott Charney. Establishing End to End

    : Trust, available at End to End Trust. Microsoft Corporation. October

    : 1, 2010

    : <…/&gt;.

  105. TripleBoot2010 says:

    I think it's ridiculous that MS is fobbing responsibility for their operating system security onto everyone

    else but themselves.  

    (Remember, the EULA says we are licensing a copy and that we don't own it.)

    Rather than trying to coerce ISP's into quarantining infected users, and probably seeking public policy

    to enforce this idea, perhaps you should make a more secure product.

    Here's an idea.  Rather than punishing end users (which include governments and major corporations)

    and ISPs, punish the manufacturer and vendor of the faulty product.

    A better comparison would be cars to computers, rather than computers to human immune systems.

    Imagine if 95% of the world's cars shipped with as many problems as Windows.  Locks that don't work

    or are easily by-passed, engines that seize up and fail randomly, steering systems that are easily

    hijacked by remote, integral parts that required frequent repairs, the list goes on.  When cars ship with

    manufacturer defects we punish the car manufacturer, not the driver (end user), and not the gas

    stations (ISP's).

    I'm willing to be that if you were held fiscally responsible for the vulnerabilities and flaws in your software, Windows would be much more secure.  If we won a class action suit that resulted in fining MS $0.50 for

    every hour of downtime due to malicious code or exploited vulnerabilities per PC Windows would be

    the most secure system on the planet within weeks.

  106. Alan G says:

    I don't work for a computer-related company, and I'm not a big fan of any, but I do have a strong vested interest in computers and the Internet being safe to work with. So I don't know which I find more depressing: the astounding level of ignorance in the majority of these comments, or the ridiculous paranoia. Whether it's people touting Unix-based systems as "inherently more secure"; others insisting "it's all Microsoft's fault" for not having predicted (notwithstanding that nobody else did either) the huge sea-change in malware authorship, purpose, sophistication and development resources over the last decade; or the profoundly naive who think it's all a big conspiracy to sell more software, it's clear that most responses entirely missed the point.

    The fact is there are only two small-computer OSes with extensive application-developer support outside of some strictly vertical (and very expensive) markets. It doesn't matter a fig whether you like or don't like OS X or Windows: if you're running commercial applications beyond simple surfing, email and office apps, you're going to be on one or both of those platforms.

    Unix systems have been hacked since time immemorial.One of the biggest computing/internet scandals of the last decade was a Unix-only worm, and the recent Network Solutions break-in was a Unix root-level attack on their servers. Most of the "drive-by" malware-insertion attacks originate from Unix servers that have been successfully attacked, because Unix is the most common server software on the 'net and is therefore a target worth investing resources into. DNS man-in-the-middle attacks are accomplished on Unix servers. Android is already under attack as it becomes more popular. Ditto iPhone/iPad. As we move to smarter smart phones, this will only get worse, and the problem may even shift from desktop machines to mobile devices over the next decade.

    The botnet issue is one that depends on numbers — huge numbers — and the basic fact is that Windows has those numbers, so it will inevitably be the primary attack point. This will be true of ANY operating system that gains a large enough user base: teams of bad guys with lots of money and computing resources will spend a lot of time and effort finding any possible entry point to compromise it. And they will find them. They're pretty easy to find in OS X and Linux at the current state of those systems, mostly because they are not under much pressure to harden their attack surfaces.

    We already use security certificates every day. Without them, nobody could conduct business on the Internet. The health certificate idea isn't a bad one at all. Hardening ISP defenses (very much including improving Unix security) isn't a bad idea at all. Proactively quarantining rogue systems is a GOOD idea. "Health education" is an excellent idea.  Instead of carping (and remaining part of the problem) all of us with smarter-than-the-average-bear computer savvy should be part of the solution.

  107. calvin w lane says:

    i would like to update windows seven on my computer but can't do it help

                                       thank you

  108. Mad about Botnets says:

    You should read this article about a Botnet and spammers that are ruining people.…/97504724-Kelly

    How come they don't get shut down?

  109. Anonymous says:

    Pingback from Menu

Skip to main content