Interesting People mailing list archives

Re: Not so fast, broadband providers tell big users


From: David Farber <dave () farber net>
Date: Thu, 15 Mar 2007 17:01:25 -0400



Begin forwarded message:

From: Joe St Sauver <joe () oregon uoregon edu>
Date: March 15, 2007 1:14:22 PM EDT
To: dave () farber net
Subject: RE: [IP] Re: Not so fast, broadband providers tell big users
Reply-To: joe () oregon uoregon edu

Hi Dave,

For [IP], if you wish...

Rich Kulawiec <rsk () gsp org> mentioned:

#And that is one place where providers could not only free up some
#bandwidth, but could spare the rest of us the ongoing flood of abuse.
#Just blocking outbound port 25 connections would provide substantial
#relief -- locally (and elsewhere), >90% of inbound spam is coming
#from zombie'd systems on broadband providers.
#
#(Yes, I know it's a band-aid, and yes, I know it breaks the end-to-end
#connectivity principle here, but we're getting pummeled and it's the
#best fix we have...because nobody seems ready, willing, and able to secure
#the huge number of zombie'd systems out there and keep them that way.)

I'd encourage folks to see

   "Infected PCs Acting as Spam Zombies: We Need to Cure the Disease,
   Not Just Suppress the Symptoms,"

a talk I did for the 2nd Joint London Action Plan-CNSA Workshop held
in Brussels, December 2006... If you're interested, you can get a copy
online at:

http://www.uoregon.edu/~joe/lapcnsa2/london-action-plan.ppt (or .pdf)

As noted in that talk, just blocking outbound port 25 traffic fails on
so many levels... for example, just to mention one problem with that
approach, it leaves tens of millions of infested machines live and still
able to be used for myriad other nefarious purposes including (but not
limited to):

-- participating in distributed denial of service attacks, flooding
   attack targets with unwanted traffic

-- scanning additional systems for exploitable vulnerabilities,

-- sniffing network traffic for passwords or other sensitive content,

-- hosting illegal web content (such as malware, child porn, warez or
   phishing sites), or hosting tunnels to such sites hosted elsewhere

-- conducting pay-per-click fraud against online advertisers, etc.

What's really needed is a coordinated international *governmental*
response to the cyber epidemic we collectively face.

But hey, where's even something as simple as a consumer-oriented
TV security awareness campaign? Many consumers don't even know that
their PCs may have been suborned, and that they may unintentionally
be helping miscreants to do all sorts of bad things. If infested PCs
were a problem, surely we'd be seeing a *huge* public awareness
campaign talking about that problem -- wouldn't we?

And what do each of our governments propose to do to help consumers
clean up their zombied systems?

In the US, we've got FEMA for physical disasters, and the CDC and
state health departments for outbreaks of infectious diseases, but

   --> Who's responsible for helping to identify, contain and combat
   consumer *cyber infections*? <--

If Katrina strikes, the government hands out MREs, bottled water, and
blankets, and assists with the relocation of the displaced.

If an infectious disease breaks out, the government insures
that medication gets distributed and preventive vaccinations get
administered.

But if a cyber disaster occurs, what does the government hand out?
Nothing.

We have no automated tools, no "one-click CD" with which citizens
with stricken systems can begin basic self-remediation. We have
nothing to give citizens with infected systems for cyber first aid.
We have nothing to give them to get them started down the road to
being clean and secure once more.

Why is that?

Having thought about this problem, I believe infested consumer PCs
are not viewed as "a government problem." Infested consumer PCs may
be a *personal* problem, or perhaps a problem for the consumer's ISP,
but they're not viewed as "the government's problem."

It's a shame that that's the perception, because all those infected PCs
*ARE* in fact something which should be viewed as a governmental
problem, if only because all those infected PCs represent a potent
vector for potentially attacking critical online infrastructure
(including online governmental resources, online financial resources,
and online e-commerce activities).

Given the tens of millions of infested consumer PCs out there, we really
need a plan and a program of government action to start getting them
fixed.

Regards,

Joe St Sauver, Ph.D. (joe () uoregon edu)
http://www.uoregon.edu/~joe/
Disclaimer: all opinions strictly my own

