funsec mailing list archives
WHERE do they get help! (was Re: dumb. Comcast pop-ups)
From: RandallM <randallm () fidmail com>
Date: Sat, 10 Oct 2009 18:03:10 -0500
Wrote today:

Message: 4
Date: Sat, 10 Oct 2009 12:42:04 -0400
From: Rich Kulawiec <rsk () gsp org>
Subject: Re: [funsec] dumb. Comcast pop-ups
To: funsec () linuxbox org
Message-ID: <20091010164204.GA25408 () gsp org>
Content-Type: text/plain; charset=us-ascii

On Sat, Oct 10, 2009 at 12:05:24PM -0400, Jon Kibler wrote:
A *much* smarter move on Comcast's part would be to simply null route any suspected infected computer until it is cleaned up.
Absolutely. Infected systems should be walled off *in toto* (not in part, as some on NANOG have recently suggested, not grasping the true nature of the problem) until they're fixed.
Yes, that would put a greater load on Comcast's support staff, but maybe they could do it smarter -- like limit access to only the Comcast and legit AV vendor's web sites. Not a 100% cure, but I would think it would create less problems than pop-ups that get ignored and spawn rogue pop-ups that create even more malware infection.
I'm with this as far as it goes. (And I certainly agree that sending pop-ups is off-the-scale idiotic.) But...the first improvement I'd make to this would be to gain agreement from those AV vendors to host mirrors of their sites inside my own walled garden so that no external traffic at all is permitted. Surely an entity with the enormous financial resources of Comcast could make this happen, and surely it would be in the interest of AV vendors to collaborate.

The second would be to dispense with this approach entirely: too many people, in fact, I'd say *most* people, labor under the delusion that it's possible to boot a known-infected system off known-infected media and get the desired outcome. But Comcast won't even attempt this, because the accompanying support costs would cut into their massive profits.

Let us also not forget that Comcast is *finally* taking this first, bumbling, feeble step most of a decade after the problem was very well-known among the clueful portions of the community. Any competent organization would have acted within days, at most, even if that action was being scripted on-the-fly. (Compare/contrast with the speed and efficiency of the response to 11/2-3/1988.)

---Rsk
Now, this brings me right back to a subject I brought up a few months ago: getting online help to CLEAN! No infected computer is going to allow the user to get to help, and most of these people know nothing about this. You have to provide a means for help if they are going to block them. Or at the least provide URL obfuscation to stand-alone apps or sites. I tried to get something like this going. The first place these users are going to be told is to go somewhere online and "scan", and that computer with its infected DNS is going to laugh at them. The only way that will happen is for them to pull off tools from non-blocked sites. I did test with Facebook distributing from a server and hiding it with TinyURL. My test computer was more than happy to pull it down. I could say have Comcast scan them, but soon malware would just evolve against them too, because it is a stationary known site also. But a fast-flux type URL for download, like the bad guys use, could distribute stand-alone programs. And they can't name them McAfee, Symantec, F-Secure, etc.exe!!!

OK. I am rambling 'cause this just so aggravates me. Why can't the big boys team up and offer this? As my friend who saw this need also stated, "a steganographic" nature to hide the means to reach the users.

--
been great, thanks
a.k.a System

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.