Interesting People mailing list archives
Comcast's "Evil Bot" Scanning Project (Lauren Weinstein)
From: David Farber <dave () farber net>
Date: Sun, 11 Oct 2009 08:09:53 -0400
Begin forwarded message:

From: Andrew C Burnette <acb () acb net>
Date: October 10, 2009 10:29:45 PM EDT
To: dave () farber net, Jason_Livingood () cable comcast com
Subject: Re: [IP] Re: Comcast's "Evil Bot" Scanning Project (Lauren Weinstein)

Dave,

For IP if you wish.

I think Comcast deserves major "thumbs up" for taking *any* action. For years in the industry, email (corporate/enterprise/gov't/etc.) has often had to block all residential ISP email in some form or fashion due to the utter lack of enforcement or action towards "unfortunate users" who have infected machines. I think it's hard to argue that public disclosure of their efforts (not methods) is a big leap forward compared to the missteps of the p2p/etc. traffic management of recent times. Much better.

As an example, I recently advised an ISP on their impending "agreement" to block piratebay. Using my recommendation, they put up a simple text web page explaining what and why, and despite it not being a popular action, almost no one called customer care to complain, as the ISP openly and actively informed users "what and why", which is miles ahead, and avoided numerous retaliatory actions users could have taken. Much like calling the power company (or any service you purchase), if you get a real answer rather than a false or ignorant "what?" response, you as a customer feel like they are being upfront, and despite identical outcomes, will respect the honesty in the end, as will other users.

There are a couple of things that any provider can do to mitigate some of these:

1- Set up another server/service with proper authentication & SSL/TLS and message submission capabilities. Well covered and supported in many popular commercial and open source MTA software packages. Makes it easy for the rest of us to whitelist that particular aspect of the service.

2- Change the name of the outbound server from "mail.domain" to "mailhost.domain" (or anything other than mail.domain; we did this in 1993 at AT&T/Bell Labs; still works today), as a vast majority of malware and bots simply attempt to relay through "mail." and let the DNS search domain take care of the rest. This also cuts a huge $$ cost in customer care and the abuse@ desk. This tends to be a significant cost center in the grand scheme of end-user ISP operations, often more expensive than providing basic transport services themselves.

3- Network metadata profiling. Doesn't violate *any* privacy principles of the end user, and yields loads of good information which can be used to notify infested users. Also a good upsell tool for care packages which many, many users do need, and are happy to pay for.

Same rules help corporate/enterprise users using the wifi at hotels and conferences. If your IT dept doesn't support message submission protocol and TLS/SSL and related "best practices", it is a good idea to ask, and provide suggestions. Also, it eliminates much of the VPN need and support for something that users typically dislike. It's built into most apps and MTAs/browsers; use it.

Whatever the opinion might be overall, I give Comcast major respect and thanks for taking on a scourge of an issue. Non-trivial, but even if they manage to clean 1/2 their unfortunate users, the rest of us on the net appreciate the efforts. I say good luck, and stand your ground.

Best regards,
Andy Burnette

Dave Farber wrote:
Begin forwarded message:

From: "Livingood, Jason" <Jason_Livingood () cable comcast com>
Date: October 10, 2009 18:39:10 EDT
To: Dave Farber <dave () farber net>, ip <ip () v2 listbox com>, dpreed () reed com
Subject: Re: [IP] Re: Comcast's "Evil Bot" Scanning Project (Lauren Weinstein)

I have a great deal of respect for David's achievements, his views and the fact that he and others may have concerns like these. However, I'd submit that they may not fully take into account the large (and growing) threat that malware poses on the Internet (bot networks in particular). Bot networks are *massive* criminal enterprises used not just for spamming, but also for identity theft, financial theft, DDoS attacks, and many other not-so-friendly things. I can tell you ISPs and many other organizations are getting more and more intelligent about how these networks function, and our customers expect us to do what we can to protect them.

But after they have been infected with a bot, why would you *not* want someone with this information to advise the user? It would be like I was your neighbor and knew that not only had your home been burglarized, but the burglar still lived there in your basement unbeknownst to you, and was renting out one of the rooms to whatever random criminal wanted to use your home for a little while.

This is an extraordinarily serious threat, it is one that the average user knows very little about, and it is a growing threat.

As for the method of the notification, this is an area we have said we want to learn more about in the trial, and we do not claim it is perfect (no method is, nor anything else for that matter). See the following Internet Draft for some discussion of options -- and I hasten to add that it is only on -03 revision and we still would like lots of feedback, comment and ideas: http://tools.ietf.org/html/draft-oreirdan-mody-bot-remediation-03.

I also would like to note that the draft on the general system is at http://tools.ietf.org/html/draft-livingood-web-notification-00 and you are correct that we do not disclose precisely all methods by which we learn about bot networks. As John Levine pointed out, this would quite easily permit bot net controllers to subvert a system that is years in development.

Please see my other comments inline below.

Regards
Jason

From: "David P. Reed" <dpreed () reed com>
Date: October 9, 2009 9:53:40 PM EDT
To: nnsquad () nnsquad org
Subject: [ NNSquad ] Re: Comcast's "Evil Bot" Scanning Project (Lauren Weinstein)

> I don't see where Comcast is being transparent about *how* they do this, or giving customers a chance to opt-in or -out.

I fear that making good security optional is one of the reasons that got us here in the first place on the Internet. But once infected by a bot, it is not just the end user that suffers. They are then the launching pad for other malicious activity and can affect (and infect) many, many others.

> If I send a lot of email, why does that make me a "bot"? Maybe I just send a lot of email.

It is not about volume (this data point refers to mail relayed through our outbound SMTP servers).

> If the contents of my communications are being "scanned", why is that legal? Why does Comcast care?
>
> I might choose (if it were explained to me what was happening and what the risks are to my privacy or being accused of a crime or hauled off as a "suspected child pornographer" because I sent pictures of my naked child) to have this service, or not.
>
> But to be honest, in most markets, Comcast is the only real choice, and imposing their "features" on me might not be what I want, even if they "market" it as a *good thing*. If there were serious competition (multiple providers, and no special "franchise" deals with local governments that block new competitors), perhaps customers would have a choice. However, most do not have other choice for high-speed Internet, except Hobson's: "take that or nothing at all".
>
> I'm really not impressed by these moves by Comcast. Livingood already sent out an email saying that they redirect DNS service to a service that sends certain names to hosts that do not have those names registered, but which will respond with advertising-only websites. This is not the way the Internet is designed to work.

It'd be nice though if the Internet had better security, then these kinds of systems would not be needed, since malware, spam, and bot nets would not exist. ;-)

> Comcast supposedly cleaned up its act. Now it's backsliding - forcing secret and invasive services on customers. On day one, they will "love it" (especially in the Comcast-authored press release).
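Burnette's third recommendation, network metadata profiling, as an added example that is not code from this thread or from any ISP: a small Python profiler over constructed NetFlow-style records that flags a customer host spraying port-25 connections at many distinct external mail exchangers while never touching the ISP's submission service, looking only at addresses and ports, never message content. The relay and submission addresses are assumed (RFC 5737 documentation ranges) and the threshold is illustrative.

```python
from collections import defaultdict

# Assumed ISP mail infrastructure (hypothetical addresses, RFC 5737 ranges).
ISP_RELAY = "203.0.113.25"       # "mail.<isp>" legacy port-25 relay
ISP_SUBMISSION = "203.0.113.26"  # port-587 submission host (AUTH + TLS)

# Constructed NetFlow-style records: (src, dst, dst_port, flow_count).
FLOWS = [
    ("198.51.100.10", ISP_SUBMISSION, 587, 3),   # ordinary user via submission
    ("198.51.100.11", ISP_RELAY, 25, 40),        # old client, still via ISP relay
    ("198.51.100.13", "192.0.2.77", 25, 12),     # hobbyist running own MX: one peer
]
# A spam bot sprays port 25 at many distinct external mail exchangers.
FLOWS += [("198.51.100.12", f"192.0.2.{i}", 25, 1) for i in range(1, 61)]


def profile_hosts(flows, relay=ISP_RELAY, submission=ISP_SUBMISSION):
    """Aggregate outbound SMTP metadata per customer host (no payloads)."""
    hosts = defaultdict(
        lambda: {"direct_mx_dests": set(), "relay": 0, "submission": 0})
    for src, dst, port, n in flows:
        p = hosts[src]
        if port == 587 and dst == submission:
            p["submission"] += n          # authenticated submission: expected
        elif port == 25 and dst == relay:
            p["relay"] += n               # legacy relay: tolerated
        elif port == 25:
            p["direct_mx_dests"].add(dst)  # direct-to-MX: count distinct peers
    return hosts


def classify(flows, spray_threshold=20):
    """Return {host: verdict} from metadata alone; threshold is illustrative."""
    verdicts = {}
    for host, p in profile_hosts(flows).items():
        spread = len(p["direct_mx_dests"])
        if spread >= spray_threshold and p["submission"] == 0:
            verdicts[host] = "likely-bot"  # candidate for customer notification
        elif spread > 0:
            verdicts[host] = "review"      # could be a legitimate self-hosted MTA
        else:
            verdicts[host] = "ok"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(classify(FLOWS).items()):
        print(host, verdict)
```

The "review" bucket is deliberate: a single customer running their own mail server looks like a low-spread direct-to-MX sender, which is exactly the case a notification program should not treat as an infection.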
-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com