Goldsmith: Govt. should set PC security standards

Posted by Maxim Weinstein Thu, 02 Jul 2009 16:53:12 GMT

In a New York Times op-ed piece today, Harvard Law School Professor and Berkman Center Faculty Co-Director Jack Goldsmith called on the federal government to regulate consumer-level PC security:

Our digital security problems start with ordinary computer users who do not take security seriously. Their computers can be infiltrated and used as vehicles for attacks on military or corporate systems. They are also often the first place that adversaries go to steal credentials or identify targets as a prelude to larger attacks.

President Obama has recognized the need to educate the public about computer security. The government should jump-start this education by mandating minimum computer security standards and by requiring Internet service providers to deny or delay Internet access to computers that fall below these standards, or that are sending spam or suspicious multiple computer probes into the network.

Obviously we at StopBadware agree strongly with the first paragraph. Rather than taking a position on the second, I pose these questions that would have to be answered about Prof. Goldsmith’s policy recommendations:

  • Would computer security standards be based on technology (e.g., computers must have real-time anti-virus scanning), principles open to interpretation (e.g., computers must be kept updated with security fixes), or something else? In any case, who decides on these standards and how do we ensure that they are kept current and do not benefit the software industry more than they benefit national security?
  • If ISPs are expected to play gatekeeper, how do we build transparency and a fair, responsive appeals process into the system? What happens when an ISP blocks my connection because they think I’m sending spam, when in fact I’m operating a high-volume, opt-in mailing list?
  • If the government "jump-starts this education," who will actually provide the education? After all, blocking a user from the Internet because his computer is infected does not educate the user, it just creates a motivation for the user to become educated. Is the responsibility of helping the user to clean up and protect his PC the ISP’s? The government’s? StopBadware’s? Or is the user just expected to be on his/her own?

These are not trivial questions, but there is precedent for answering all three successfully. Our Badware Guidelines have been a helpful tool in identifying applications that dip below a certain level of community expectations. Our independent review process keeps a check on our data partners’ autonomous detection of badware websites. And our BadwareBusters.org community and StopBadware security tips have proven a useful educational resource for website owners with compromised sites.

Despite these successes, there are many differences between Prof. Goldsmith’s proposal and StopBadware’s independent, voluntary system. And setting minimum security standards for computers is a different animal than setting behavioral standards for applications. It remains to be seen whether the questions above can be adequately answered within a system like the one described by Prof. Goldsmith.

 


New partner, new site reports

Posted by Maxim Weinstein Tue, 30 Jun 2009 15:23:27 GMT

We’re very pleased to announce that, as of today, Sunbelt Software has joined Google as a data partner, providing updated data about badware websites to our Clearinghouse. (See the press release.) Sunbelt’s research director, Eric Howes, has helped us out for a long time as part of our working group, and it’s great to have the company on board in a more formal way. The new data allow us to extend and deepen our analysis of, and insight into, the badware website landscape.

Adding a new data partner required us to rethink our database design and our Clearinghouse report page layout, so we’ve been hard at work redesigning everything. The new report (example) incorporates more information—both current and historical—than our old report page, and it displays Sunbelt’s and Google’s data side by side with our independent review history.

Do you have suggestions for future improvements to our report page or feedback on the changes? Let us know over at BadwareBusters.org!


China's Green Dam is badware and so much more

Posted by Maxim Weinstein Sat, 13 Jun 2009 11:55:04 GMT

StopBadware assisted the Open Net Initiative in evaluating China’s Green Dam filtering software, which the Chinese government recently mandated be installed on every new PC in the country.

The software violates our guidelines due to a lack of disclosure about some significant unexpected behavior. While the software advertises itself as protecting children from harmful content such as pornography and violence, it also filters political speech without notice. Also not mentioned is the fact that, if such political speech appears in an application window, whether Internet Explorer or Notepad, the window completely shuts down without advance notice and without saving the user’s work.

Based on our and ONI’s research, and also other research posted online, the software has additional flaws, as well, ranging from poorly implemented features to security vulnerabilities. The biggest flaw of all, though, appears to be China’s policy of mandating such a product. As ONI’s report, released yesterday, concludes:

The mandate requiring the installation of a specific product serves no useful purpose apart from extending the reach of government authorities. Given the resulting poor quality of the product, the large negative security and stability effects on the Chinese computing infrastructure and the intense backlash against the product mandate, the mandate may result in less government control.

Those interested should read the full report, which explains both the software’s behavior and the national reaction to the software, in detail.


Microsoft Morro to proxy Internet traffic? Not likely.

Posted by Maxim Weinstein Fri, 12 Jun 2009 16:26:56 GMT

A blog post at PC World by Frank Ohlhorst implies that Microsoft’s forthcoming free anti-malware product, Morro, will proxy users’ Internet traffic:

Morro will work by routing all of a user's Internet traffic to a Microsoft datacenter, where the Morro application will process the traffic and identify and block malware in real time, by examining all of the rerouted traffic.

This seems very unlikely. First, the technical challenge of handling, and analyzing in real time, the Internet traffic of hundreds of millions of Internet users would be outrageous. Second, this would have tremendous privacy implications, and Microsoft has recently been pretty good at staying out in front of such issues.

An intern here at the Berkman Center e-mailed the article’s author to question his characterization of Microsoft’s new service. Ohlhorst answered that the Windows-based client would route traffic to Microsoft’s servers for analysis and back to the client, similar to "how Panda’s hosted security works."

I suspect Ohlhorst is referring to Panda’s Cloud Antivirus. If so, the comparison is probably closer to the truth than his explanation of it. Panda’s service has a client that monitors the PC for new processes and, when one is found, sends a cryptographic hash of the executable up to "the cloud" to learn whether the process is malware. This is, at least in theory, more efficient and effective than each client downloading definitions each day. Several AV products from other vendors use some variation on this theme, sending hashes, URLs, or sometimes even entire suspicious executables to a central server for analysis and/or checking against an updated block list. My educated guess, from what I’ve heard about Morro and seen elsewhere, is that Morro will do something similar, but will not route all of a user’s Internet traffic to Microsoft.
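The hash-lookup model described above, as an added sketch that is not from the original post or any vendor's code: the client sends only a SHA-256 digest for each new executable and uploads the file itself only when the service has no verdict. The class, the in-memory "cloud" dictionary, the toy analysis marker and the sample byte strings are all constructed for illustration.

```python
import hashlib

TOY_MARKER = b"TOY-MALICIOUS-MARKER"  # constructed; stands in for real analysis


def analyze_sample(image: bytes) -> str:
    """Toy server-side analysis, run only on files the service has never seen."""
    return "malware" if TOY_MARKER in image else "clean"


class CloudLookupClient:
    """Hypothetical client: digest first, full upload only for unknown files."""

    def __init__(self, cloud: dict):
        self.cloud = cloud    # stand-in for the vendor's central verdict store
        self.cache = {}       # local verdict cache, keyed by digest
        self.bytes_sent = 0   # payload bytes that left the machine

    def check(self, image: bytes) -> str:
        digest = hashlib.sha256(image).hexdigest()
        if digest in self.cache:           # seen before: nothing is sent
            return self.cache[digest]
        self.bytes_sent += len(digest)     # 64 hex characters per lookup
        verdict = self.cloud.get(digest, "unknown")
        if verdict == "unknown":           # escalate: submit the whole file
            self.bytes_sent += len(image)
            verdict = analyze_sample(image)
            self.cloud[digest] = verdict   # later clients get a hash-only answer
        self.cache[digest] = verdict
        return verdict


def build_demo():
    """Return a client plus three constructed executable images."""
    good = b"MZ" + b"\x00" * 4096
    bad = b"MZ" + b"constructed-known-bad" * 100
    novel = b"MZ" + TOY_MARKER + b"never-seen-before" * 200
    cloud = {
        hashlib.sha256(good).hexdigest(): "clean",
        hashlib.sha256(bad).hexdigest(): "malware",
    }
    return CloudLookupClient(cloud), good, bad, novel


if __name__ == "__main__":
    client, good, bad, novel = build_demo()
    for name, image in (("good", good), ("bad", bad), ("novel", novel)):
        print(name, client.check(image), "bytes sent so far:", client.bytes_sent)
```

Known files cost 64 bytes each regardless of their size, and only the never-before-seen file is transmitted in full, which is the gap between this design and routing all of a user's traffic through a datacenter.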


President Obama addresses nation on cyber security

Posted by Maxim Weinstein Fri, 29 May 2009 15:49:14 GMT

Within the past hour, President Obama addressed the nation from the White House to emphasize the importance of cyber security, to announce the release of the administration’s report of its 60-day cyberspace policy review, and to announce the creation of a new White House position, the Coordinator of National Cyber Security.

This represents an enormous step forward in national awareness of the role cyber security in general and malware in particular play in our economy and our physical security. Having the "leader of the free world" describe the threat of botnets and spyware on national television will expand press and citizen interest in this issue.

As important as the threats, though, are the freedoms that the President discussed. He emphasized the importance of preserving both personal privacy and net neutrality while securing our infrastructure. He also pointed out that this will require a collaborative effort amongst individuals, schools, corporations, and governments from the local level through the national level, not just in the U.S., but internationally, as well.

The attention is an important start, but of course execution is the key. Melissa Hathaway, Cybersecurity Chief at the National Security Council, posted some information about the policy review she led, as well as links to the report (PDF) and to the papers that informed the report. Based on a preview of the report that Melissa Hathaway delivered at the Kennedy School last night, I expect the administration is moving in the right direction. I look forward to reading the report, and I encourage others to do so, as well. Meanwhile, it’s up to all of us to work together to build a safer Internet. StopBadware looks forward to playing a role in bringing together the people, the organizations, and the data that make this possible.
