funsec mailing list archives

WHERE do they get help! (was Re: dumb. Comcast pop-ups)


From: RandallM <randallm () fidmail com>
Date: Sat, 10 Oct 2009 18:03:10 -0500

Wrote today:

Message: 4
Date: Sat, 10 Oct 2009 12:42:04 -0400
From: Rich Kulawiec <rsk () gsp org>
Subject: Re: [funsec] dumb. Comcast pop-ups
To: funsec () linuxbox org
Message-ID: <20091010164204.GA25408 () gsp org>
Content-Type: text/plain; charset=us-ascii

On Sat, Oct 10, 2009 at 12:05:24PM -0400, Jon Kibler wrote:
> A *much* smarter move on Comcast's part would be to simply null route any
> suspected infected computer until it is cleaned up.

Absolutely.  Infected systems should be walled off *in toto* (not in part,
as some on NANOG have recently suggested, not grasping the true nature
of the problem) until they're fixed.

> Yes, that would put a greater load on Comcast's support staff, but maybe
> they could do it smarter -- like limit access to only the Comcast and legit
> AV vendors' web sites. Not a 100% cure, but I would think it would create
> fewer problems than pop-ups that get ignored and spawn rogue pop-ups that
> create even more malware infection.

I'm with this as far as it goes.   (And I certainly agree that sending
pop-ups is off-the-scale idiotic.)

But...the first improvement I'd make to this would be to gain agreement
from those AV vendors to host mirrors of their sites inside my own walled
garden so that no external traffic at all is permitted.  Surely an entity
with the enormous financial resources of Comcast could make this happen,
and surely it would be in the interest of AV vendors to collaborate.

The second would be to dispense with this approach entirely: too many
people, in fact, I'd say *most* people, labor under the delusion that it's
possible to boot a known-infected system off known-infected media and get
the desired outcome.  But Comcast won't even attempt this, because the
accompanying support costs would cut into their massive profits.

Let us also not forget that Comcast is *finally* taking this first,
bumbling, feeble step most of a decade after the problem was very
well-known among the clueful portions of the community.  Any competent
organization would have acted within days, at most, even if that action
was being scripted on-the-fly.  (Compare/contrast with the speed and
efficiency of the response to 11/2-3/1988.)

---Rsk




Now, this brings me right back to a subject I brought up a few months
ago: getting online help to CLEAN! No infected computer is going to
allow the user to get to help, and most of these people know nothing
about this.

You have to provide a means for help if they are going to block them.
Or at the least provide URL obfuscation to stand-alone apps or sites.
I tried to get something like this going. The first thing these users
are going to be told is to go somewhere online and "scan", and that
computer with its infected DNS is going to laugh at them.

The only way that will happen is for them to pull tools from sites that
are not blocked. I did test with Facebook distributing from a server and
hiding it with TinyURL. My test computer was more than happy to pull
it down.

I could say have Comcast scan them, but soon malware would just evolve
against them too, because it is a stationary, known site as well. But a
fast-flux type URL for download, like the bad guys use, could distribute
stand-alone programs. And they can't name them McAfee, Symantec,
F-Secure, etc.exe!!!

OK. I am rambling because this just so aggravates me. Why can't the big
boys team up and offer this? As my friend who saw this need also
stated, a "steganographic" nature to hide the means to reach the users.

-- 
been great, thanks
a.k.a System
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
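An added example, not code from the original post or from any of the vendors it names, showing the concrete shape of the "infected DNS" problem the post describes: a victim machine that quietly refuses to let its user reach AV or ISP help sites. The two checks below are the ones a support desk or an ISP-side cleanup tool would run first, a hosts-file scan for overridden help-site names and a comparison of the system resolver's answers against a trusted resolver's. The vendor names come from the post; the specific hostnames, the Comcast help host, the hosts-file contents and both sets of resolver answers are constructed sample data, so the script runs offline and performs no live lookups.

```python
"""
Added example (not from the original post or any vendor): an offline check
for two common ways malware keeps a victim from reaching help sites:
  1. hosts-file entries that pin help-site names to loopback or a bogus IP
  2. a system resolver whose answers are missing, bogus, or differ from a
     known-good resolver
All inputs are constructed sample data embedded below. Vendor names come
from the post; the hostnames and the ISP help host are assumptions.
"""
import ipaddress

HELP_DOMAINS = {
    "www.mcafee.com",
    "www.symantec.com",
    "www.f-secure.com",
    "security.comcast.net",  # assumed ISP help host, not a real endpoint
}

# Addresses a public vendor site can never legitimately resolve to.
# Listed explicitly rather than via ipaddress.is_private, because that
# property also covers the documentation ranges used as stand-in public
# addresses in the sample data below.
BOGUS_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10",
)]


def is_bogus(ip):
    """True if ip is loopback, unspecified, link-local or RFC 1918."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGUS_NETS)


def parse_hosts(text):
    """Return {hostname: ip} for every mapping in hosts-file text.
    Comments and blank lines are skipped; one line may list several names."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not a mapping
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def hijacked_hosts_entries(hosts_text, watch=HELP_DOMAINS):
    """Help-site names the hosts file overrides, with the address used.
    Any local override of a public vendor name is suspicious: a clean
    machine has no reason to carry one."""
    return {n: ip for n, ip in parse_hosts(hosts_text).items() if n in watch}


def check_dns_answers(system_answers, trusted_answers, watch=HELP_DOMAINS):
    """Compare system-resolver answers with a trusted resolver's answers.
    Both arguments are {name: set of IP strings}. Returns {name: reason}
    for every watched name whose system answer is missing, bogus, or shares
    no address with the trusted answer. The last case is a lead, not proof:
    CDNs hand out region-specific answers, so confirm before acting."""
    findings = {}
    for name in sorted(watch):
        got = system_answers.get(name, set())
        good = trusted_answers.get(name, set())
        if not got:
            findings[name] = "no answer"
        elif any(is_bogus(ip) for ip in got):
            findings[name] = "bogus address"
        elif good and got.isdisjoint(good):
            findings[name] = "differs from trusted resolver"
    return findings


# --- constructed sample data, as a DNS-changer trojan might leave it ----
SAMPLE_HOSTS = """\
127.0.0.1   localhost
0.0.0.0     www.mcafee.com
0.0.0.0     www.symantec.com  symantec.com
127.0.0.1   www.f-secure.com
192.0.2.10  update.example.test   # unrelated entry, left alone
"""

# 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges standing in for
# public addresses; 10.0.0.1 is the kind of answer a rogue resolver uses
# to sink a lookup.
SYSTEM_ANSWERS = {
    "www.mcafee.com": {"192.0.2.10"},     # steered to a different host
    "www.symantec.com": set(),            # NXDOMAIN
    "www.f-secure.com": {"203.0.113.5"},  # untouched
    "security.comcast.net": {"10.0.0.1"},
}
TRUSTED_ANSWERS = {
    "www.mcafee.com": {"203.0.113.20"},
    "www.symantec.com": {"203.0.113.30"},
    "www.f-secure.com": {"203.0.113.5"},
    "security.comcast.net": {"203.0.113.40"},
}

if __name__ == "__main__":
    for name, ip in hijacked_hosts_entries(SAMPLE_HOSTS).items():
        print(f"hosts file pins {name} -> {ip}")
    for name, why in check_dns_answers(SYSTEM_ANSWERS, TRUSTED_ANSWERS).items():
        print(f"resolver: {name}: {why}")
```

On a real machine the hosts text would come from /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts and the two answer maps from the stub resolver and a resolver the ISP controls. A hosts-file override of a vendor name is a finding on its own; a mere difference between resolvers is only a lead, since CDNs legitimately return different addresses to different resolvers.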