Comcast's "Evil Bot" Scanning Project (Lauren Weinstein)

[David Farber <dave () farber net>]

Begin forwarded message:

From: Michael Collins <mcollins () aleae com>
Date: October 10, 2009 5:10:03 PM EDT
To: dave () farber net
Cc: "ip" <ip () v2 listbox com>
Subject: Re: [IP] Comcast's "Evil Bot" Scanning Project (Lauren  
Weinstein)

This is more of an inevitability than anything else.  Several years  
ago, the Korean government decided that Spam was a national  
embarassment, and KISA, Korea Telecom and several other organizations  
joined together and started a program of highly aggressive spam  
filtering at the ISP level to take care of this.  They published on it  
in FIRST '08 - ref here (http://www.cert.org/csirts/national/best_practices/2008/NationalSpamThreatMgmtSystem.pdf 
).

That said, I think there's a messier problem that we're all whistling  
past the graveyard on here.  I'm willing to bet that roughly speaking,  
given any IDS, spam defense or defensive measure we want to think of,  
a sufficiently motivated attacker can develop a mechanism for evading  
it and -still- turn a profit - user behavior is just too eccentric for  
bolt-on solutions to knock a severe dent in endlessly innovative  
attackers.  of the four defense strategies I think we have (Policy,  
Architectural, Reactive, Enforcement), I think our reactive defenses  
are pretty much exhausted, and we're moving onto enforcement and  
policy mechanisms - which means that yes, ISPs are going to be  
stomping on people, and technically literate people are going to get  
stomped on more than anyone else, because we tend to wander around the  
stomping grounds.

So, here's the fun question - in other engineering fields, design  
conservatism is encouraged because real people with real lives are at  
stake.  In network security, so far, we've basically been saved by  
our  irrelevance.  However, if we have a blood on the floor incident,  
is innovation worth that?  Is constant spamming the price we pay for  
getting things like  Twitter?  Do we have to accept that some portion  
of the population will be phished[1] in order to get YouTube?
----

[1] I can hear the chorus of excited voices now saying "I'm too clever  
to be phished!", Newton lost money in the South Seas Bubble, and he's  
smarter than you.[2]
[2] I used the present tense intentionally.  Even dead, Newton is  
smarter than we are.  That's just how smart Newton is.[3]
[3] I've footnoted an email, God strike me down.

On Oct 10, 2009, at 4:27 PM, Dave Farber wrote:

> Begin forwarded message:
>
> > From: Doug Humphrey <doug () joss com>
> > Date: October 10, 2009 14:50:23 EDT
> > To: dave () farber net
> > Cc: ip <ip () v2 listbox com>
> > Subject: Re: [IP] Comcast's "Evil Bot" Scanning Project (Lauren  
> > Weinstein)
> >
> >
> > It might be optimal if they would lay out "policy" in two
> > statements, one technical and one for the "masses"
> >
> > Of course, there would be the danger that the two would
> > not match - the lawyers would point that out - one of the
> > reasons that lawyers point out for "plain language contracts"
> > not being a good idea (in their view)
> >
> > The "non-tech" statement is for them people who want to
> > know how this might effect them, but are not technical and
> > do not really have concerns on how it is implemented - they
> > would not understand those details anyway,  remember, the
> > average Comcast customer is not on this list - and then the
> > "tech" statement would be as much about how they would
> > go about it as what they were trying to accomplish, so that
> > tech savvy people could look to see if there are any side
> > effects that they are not going to like, etc.
> >
> > As a former founder/owner/runner of an ISP (Digex) I can
> > assure you that I understand both sides of this argument!
> >
> > doug
> >
> >
> >
> > On Oct 10, 2009, at 2:03 PM, Dave Farber wrote:
> >
> > > Begin forwarded message:
> > >
> > > > From: John Levine <johnl () iecc com>
> > > > Date: October 10, 2009 13:33:21 EDT
> > > > To: dave () farber net
> > > > Cc: "David P. Reed" <dpreed () reed com>, lauren () vortex com
> > > > Subject: Re: [IP] Re: Comcast's "Evil Bot" Scanning Project  
> > > > (Lauren Weinstein)
> > > >
> > > > > I don't see where Comcast is being transparent about *how* they do
> > > > > this, or giving customers a chance to opt-in or -out.
> > > >
> > > > Right.  Do you suppose there's a reason they'd rather not publish
> > > > instructions to tell bot writers how to circumvent their defenses?
> > > >
> > > > If you're wondering how their sandbox works, look at the I-D they
> > > > sent in last week.
> > > >
> > > > > If I send a lot of email, why does that make me a "bot"?  Maybe  
> > > > > I just
> > > > > send a lot of email.
> > > >
> > > > It doesn't.  As others have noted, it's not hard to tell bot  
> > > > behavior
> > > > from heavy user behavior.
> > > >
> > > > > But to be honest, in most markets, Comcast is the only real  
> > > > > choice,
> > > > > and imposing their "features" on me might not be what I want, ...
> > > >
> > > > Ah yes, "ISPs musn't deal with dangerous software installed on  
> > > > their
> > > > networks by criminals because it might, hypothetically,  
> > > > inconvenience
> > > > me."  Get real.  This is not a few script kiddies.  This is
> > > > sophisticated criminal malware that does things like rewriting  
> > > > online
> > > > bank transcations in real time to steal money from users' accounts,
> > > > and DDoS ecommerce sites in extortion schemes.  It would be
> > > > irresponsible for large ISPs like Comcast NOT to use whatever tools
> > > > they have to deal with it.
> > > >
> > > > R's,
> > > > John
> > > Archives
> Archives





-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com