This, too, is not an entirely new service. Several large ISPs have provided similar features over the past two decades. However, Comcast is one of the largest providers to offer this sort of service, and as an industry leader, its decisions will have wide-ranging impact.
As part of its End-to-End Trust initiative, Microsoft (for whom I am a full-time employee) is recommending that consumers, businesses, and ISPs be even more proactive. The company would like to see infected and exploited PCs disconnected from the Internet until they get a clean bill of health. Security-wise, this is a step in the right direction: Why wait for exploited consumers to read and react to a warning before their PCs are cleaned?
Heck, many consumers -- already wary of fake antivirus scareware -- might think malware warnings are bogus and ignore them. Even if they don't ignore them, how long might it take some home consumers to log on and read their email or start a browsing session?
Let's say, for argument's sake, it's only a couple of hours. In those few hours, bots and malware can send out millions of malicious emails and connections. In those few hours, many people are losing their identities and their money. If warning consumers is a good idea, why not help them further and disconnect their systems until they are clean, or allow only a single connection to a cleaning service?
As good an idea as I think this is, it probably won't happen. All it would take is one wrongly disconnected computer and the lawsuits would start flying. How do we know that traffic attributed to a consumer's PC actually came from it, rather than being spoofed? How accurate are ISPs at telling malicious traffic from legitimate traffic? And what are the risk ramifications of disconnecting someone's computer if it runs lifesaving services -- for example, a PC that collects real-time health diagnostic information? Microsoft's proposed cure, in a few cases, might be worse than the disease.
Although we'd all love to disconnect exploited PCs, doing so accurately has proven difficult in practice. Would it be enough for the ISP to spell out in the EULA that it may disconnect a customer, and what it counts as potentially malicious traffic? I'm not a lawyer. I don't know.
My "Fixing the Internet" whitepaper [PDF] has always argued that it would be safer to let the computers contacted by a potentially exploited PC decide how to handle its traffic. The model is a centralized, DNS-like service that warns everyone else when a PC is detected or reported as malicious. The receivers of that warning then decide for themselves how to treat the flagged computer.
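To make the "warn, but let the receiver decide" split concrete, here is a toy reputation lookup modeled on the DNSBL convention (reversed IPv4 octets under a list zone) with the decision policy kept on the receiving side. This is an added example written for this page, not the whitepaper's design or any real service: the zone name `rep.example.invalid`, the sample reports, and the thresholds (two independent reporters to block, reports older than seven days ignored) are all constructed assumptions. The point it shows that the paragraph does not is how a receiver can soften the false-positive problem from the previous section: a single, possibly spoofed report only throttles, and stale reports are ignored so a PC that has since been cleaned is not punished forever.

```python
"""Toy DNSBL-style reputation service with receiver-side policy.

Illustrative only. The zone, reports and thresholds below are constructed
for this example and do not describe any real list or the whitepaper's design.
"""
import ipaddress

ZONE = "rep.example.invalid"  # hypothetical reputation zone (assumed)

# Constructed reports: (reporter, ip, unix_time, reason). In practice these
# would arrive from many independent ISPs, honeypots and abuse desks.
SAMPLE_REPORTS = [
    ("isp-a", "203.0.113.7", 1_700_000_000, "spam-burst"),
    ("isp-b", "203.0.113.7", 1_700_000_300, "spam-burst"),
    ("honeypot-1", "198.51.100.9", 1_699_000_000, "ssh-bruteforce"),
    ("isp-a", "192.0.2.44", 1_700_000_100, "c2-beacon"),
]

# Constructed "now" so the example is deterministic offline.
NOW = 1_700_000_600


def dnsbl_name(ip: str, zone: str = ZONE) -> str:
    """DNSBL convention: reverse the IPv4 octets and append the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def build_zone(reports):
    """Aggregate raw reports into one record per IP, keyed like a DNSBL."""
    zone = {}
    for reporter, ip, ts, reason in reports:
        rec = zone.setdefault(
            dnsbl_name(ip), {"reporters": set(), "last_seen": 0, "reasons": set()}
        )
        rec["reporters"].add(reporter)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["reasons"].add(reason)
    return zone


def lookup(zone, ip):
    """What the central service answers: the record, or None if unlisted."""
    return zone.get(dnsbl_name(ip))


def decide(record, now=NOW, min_reporters=2, max_age=7 * 86400):
    """Receiver-side policy. The service only warns; the receiver chooses.

    Returns "allow", "throttle" or "block". Thresholds are assumptions.
    """
    if record is None:
        return "allow"
    if now - record["last_seen"] > max_age:
        # Stale listing: the machine may well have been cleaned since.
        return "allow"
    if len(record["reporters"]) >= min_reporters:
        # Independent corroboration makes a spoofed report unlikely.
        return "block"
    # One report could be spoofed or a false positive: degrade, don't cut off.
    return "throttle"


def classify(ip, zone=None, now=NOW):
    """Convenience wrapper: look up an IP and apply the local policy."""
    zone = build_zone(SAMPLE_REPORTS) if zone is None else zone
    return decide(lookup(zone, ip), now)


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "192.0.2.44", "203.0.113.8"):
        print(ip, "->", classify(ip))
```

Two receivers consulting the same warning feed can legitimately reach different verdicts by tuning `min_reporters` and `max_age` to their own risk tolerance, which is exactly the property the whitepaper's model relies on: the central service never has to be right enough to justify cutting someone off.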