funsec mailing list archives

Re: dumb. Comcast pop-ups


From: Rich Kulawiec <rsk () gsp org>
Date: Fri, 16 Oct 2009 08:05:20 -0400

On Mon, Oct 12, 2009 at 09:33:27AM -0400, Larry Seltzer wrote:
Given what we've observed during this decade about botnet operators, I
think they are *easily* smart enough to hold huge numbers of systems in
reserve.

First you complain about false positives, now you switch the subject to
false negatives? Yes, the method Comcast is probably using probably only
identifies the conspicuous ones. Just because it doesn't find them all
is no reason not to find these ones.

Oh, I agree: definitely go after the low-hanging fruit.  But that could
have, should have, been done 6+ years ago, when the problem was multiple
orders of magnitude smaller, and when botnet operator expertise was not
nearly as well-developed as it is now.

They (botnet operators) are more than ready for this.  And they will
exploit both false positives and false negatives to their advantage.

For example, if I were them, I'd be writing malware this morning that
checks rDNS for patterns matching known end-user subdomains on Comcast's
network and which then throws pop-ups which lead to malware installs.
In other words, I'd try to beat them to the punch and infect *more*
of their users before they even roll this out.

Of course there isn't.  But do you really think that people clever
enough to rewrite bank statements on the fly will have any technical
difficulty at all deploying the code to block those pop-ups?

Right, and when that happens and when it becomes a serious impediment
then they'll have to deal with it. There's an awful lot of malware out
there right now that doesn't do it.

So Comcast should go ahead and deploy a laughably inept "notification
method" that will be defeated at the whim of botnet operators?   They
should spend money and engineering time on it, promote it, (try to)
educate their customers about it, and let the whole thing fold like a
house of cards the next time some bored malware author decides to
amuse themselves?

This is classic security theater.  All it needs is a post-mortem that
uses the phrase "No one could have foreseen..." to make it complete.

What do you actually expect Comcast to do by themselves, while still
serving a broad market of clueless average users? They're in a tough
spot and broad condescension like this doesn't contribute anything to
the debate.

I expect them to run their network properly or shut it down.  If they're
in a tough spot, it is only because their own actions have placed them
there.  Their failure to pay attention, their failure to act in a timely
manner, their failure to heed warnings from experts, their failure to
budget appropriately, their failure to engineer their network properly,
their failure to grasp the situation, have all led to this point.

Had they not made all these serious mistakes repeatedly over a period
of many years, then they might have some better options to choose from.

s/Comcast/Verizon/
s/Comcast/Charter/
s/Comcast/Tiscali/
s/Comcast/Blueyonder/
s/Comcast/just about every end-user ISP on the planet/

I'm not sympathetic: I spent my time and my money trying to warn
them *at the same time* that their incompetence was allowing their
network operation to abuse the hell out of mine. (I'm not alone in doing
so, either.)  They *could* have solved this problem with the equivalent
(in their budgetary terms) of chump change. They chose not to.

And they've still chosen not to: this is a PR exercise on their part,
deserving contempt and mockery.  It's not a serious attempt at security.

---Rsk
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.