Comcast's "Evil Bot" Scanning Project (Lauren Weinstein)

[David Farber <dave () farber net>]

Begin forwarded message:

From: Andrew C Burnette <acb () acb net>
Date: October 10, 2009 10:29:45 PM EDT
To: dave () farber net, Jason_Livingood () cable comcast com
Subject: Re: [IP] Re: Comcast's "Evil Bot" Scanning Project (Lauren  
Weinstein)

Dave,

For IP if you wish.

I think comcast deserves major "thumbs up" for taking *any* action. For
years in the industry, email (corporate/enterprise/gov't/etc) have often
had to block all residential ISP email in some form or fashion due to
the utter lack of enforcement or action towards "unfortunate users" who
have infected machines.

I think it's hard to argue that public disclosure of their efforts (not
methods) is a big leap forward compared to the missteps of the p2p/etc
traffic management of recent times. Much better.

As an example, I recently advised an ISP on their impending "agreement"
to block piratebay. Using my recommendation, they put up a simple text
web page explaining what and why, and despite it not being a popular
action, almost no one called customer care to complain, as the ISP
openly and actively informed users "what and why" which is miles ahead,
and avoided numerous retaliatory actions users could have taken. Much
like calling the power company (or any service you purchase), if you get
a real answer rather than a false or ignorant "what?" response, you as a
customer feel like they are being upfront, and despite identical
outcomes, will respect the honesty in the end, as will other users.

There are a couple things that any provider can do to mitigate some of  
these

1- setup another server/service with proper authentication & SSL/TLS and
message submission capabilities. Well covered and supported in many
popular commercial and open source MTA software packages. Makes it easy
for the rest of us to whitelist that particular aspect of the service.

2- change the name of the outbound server from "mail.domain" to
"mailhost.domain" (or anything other than mail.domain ; we did this in
1993 at AT&T/Bell labs; still works today) as a vast majority of malware
and bots simply attempt to relay through "mail." and let the DNS search
domain take care of the rest. This also cuts a huge $$ cost in customer
care, and the abuse@ desk. This tends to be a significant cost center in
the grand scheme of end user ISP operations, often more expensive than
providing basic transport services themselves.

3- Network metadata profiling. Doesn't violate *any* privacy principles
of the end user, and yields loads of good information which can be used
to notify infested users. Also a good upsell tool for care packages
which many many users do need, and are happy to pay for.

Same rules help corporate/enterprise users using the wifi at hotels and
conferences. If your IT dept doesn't support message submission protocol
and TLS/SSL and related "best practices" it is a good idea to ask, and
provide suggestions. Also, eliminates much of the VPN need and support
for something that users typically dislike. It's built into most apps
and MTA's/browsers; use it.

Whatever the opinion might be overall, I give comcast major respect and
thanks for taking on a scurge of an issue. Non trivial, but even if they
manage to clean 1/2 their unfortunate users, the rest of us on the net
appreciate the efforts. I say good luck, and stand your ground.

Best regards,
Andy Burnette

Dave Farber wrote:
> Begin forwarded message:
>
> > *From:* "Livingood, Jason" <Jason_Livingood () cable comcast com
> > <mailto:Jason_Livingood () cable comcast com>>
> > *Date:* October 10, 2009 18:39:10 EDT
> > *To:* Dave Farber <dave () farber net <mailto:dave () farber net>>, ip
> > <ip () v2 listbox com <mailto:ip () v2 listbox com>>,
> > <mailto:dpreed () reed com>dpreed () reed com <mailto:dpreed () reed com>
> > *Subject:* *Re: [IP] Re:    Comcast's "Evil Bot" Scanning Project
> > (Lauren Weinstein)*
> >
> > I have a great deal of respect for David's achievements, his views  
> > and the
> > fact that he and others may have concerns like these.  However, I'd  
> > submit
> > that they may not fully take into account the large (and growing)  
> > threat
> > that malware poses on the Internet (bot networks in particular).  Bot
> > networks are **massive** criminal enterprises used not just for  
> > spamming,
> > but also for identity theft, financial theft, DDoS attacks, and  
> > many other
> > not-so-friendly things.  I can tell you ISPs and many other  
> > organizations
> > are getting more and more intelligent about how these networks
> > function, and
> > our customers expect us to do what we can to protect them.
> >
> > But after they have been infected with a bot, why would you **not**  
> > want
> > someone with this information to advise the user?  It would be like  
> > I was
> > your neighbor and knew that not only had your home been burglarized,
> > but the
> > burglar still lived there in your basement unbeknownst to you, and  
> > was
> > renting out one of the rooms to whatever random criminal wanted to  
> > use
> > your
> > home for a little while.
> >
> > This is an extraordinarily serious threat, it is one that the  
> > average user
> > knows very little about, and it is a growing threat.
> >
> > As for the method of the notification this is an area we have said  
> > we want
> > to learn more about in the trial, and we do not claim is perfect (no
> > method
> > is, nor anything else for that matter).  See the following Internet  
> > Draft
> > for some discussion of options -- and I hasten to add that it is only
> > on -03
> > revision and we still would like lots of feedback, comment and ideas:
> > http://tools.ietf.org/html/draft-oreirdan-mody-bot-remediation-03.
> >
> > I also would like to note that the draft on the general system is at
> > http://tools.ietf.org/html/draft-livingood-web-notification-00 and  
> > you are
> > correct that we do not disclose precisely all methods by which we  
> > learn
> > about bot networks.  As John Levine pointed out, this would quite  
> > easily
> > permit bot net controllers to subvert a system that is years in
> > development.
> >
> > Please see my other comments inline below.
> >
> > Regards
> > Jason
> >
> > > From: "David P. Reed" <dpreed () reed com <mailto:dpreed () reed com>>
> > > Date: October 9, 2009 9:53:40 PM EDT
> > > To: <mailto:nnsquad () nnsquad org>nnsquad () nnsquad org
> > > <mailto:nnsquad () nnsquad org>
> > > Subject: [ NNSquad ] Re: Comcast's "Evil Bot" Scanning Project  
> > > (Lauren
> > > Weinstein)
> > >
> > > I don't see where Comcast is being transparent about *how* they do
> > > this, or giving customers a chance to opt-in or -out.
> >
> > I fear that making good security optional is one of the reasons that
> > got us
> > here in the first place on the Internet.  But once infected by a bot,
> > it is
> > not just the end user that suffers.  They are then the launching  
> > pad for
> > other malicious activity and can affect (and infect) many, many  
> > others.
> >
> > > If I send a lot of email, why does that make me a "bot"?  Maybe I  
> > > just
> > > send a lot of email.
> >
> > It is not about volume (this data point refers to mail relayed  
> > through our
> > outbound SMTP servers).
> >
> > > If the contents of my communications are being "scanned", why is  
> > > that
> > > legal?  Why does Comcast care?
> > >
> > > I might choose (if it were explained to me what was happening and  
> > > what
> > > the risks are to my privacy or being accused of a crime or hauled  
> > > off
> > > as a "suspected child pornographer" because I sent pictures of my
> > > naked child) to have this service, or not.
> > >
> > > But to be honest, in most markets, Comcast is the only real choice,
> > > and imposing their "features" on me might not be what I want, even  
> > > if
> > > they "market" it as a *good thing*.  If there were serious  
> > > competition
> > > (multiple providers, and no special "franchise" deals with local
> > > governments that block new competitors, perhaps customers would  
> > > have a
> > > choice. However, most do not have other choice for highspeed  
> > > Internet,
> > > except Hobson's: "take that or nothing at all").
> > >
> > > I'm really not impressed by these moves by Comcast. Livingood  
> > > already
> > > sent out an email saying that they redirect DNS service to a service
> > > that sends certain names to hosts that do not have those names
> > > registered, but which will respond with advertising-only websites.
> > >
> > > This is not the way the Internet is designed to work.
> >
> > It'd be nice though if the Internet had better security, then these
> > kinds of
> > systems would not be needed, since malware, spam, and bot nets  
> > would not
> > exist.  ;-)
> >
> > > Comcast supposedly cleaned up its act.  Now it's backsliding -  
> > > forcing
> > > secret and invasive services on customers.   On day one, they will
> > > "love it" (especially in the Comcast-authored press release).
> Archives <https://www.listbox.com/member/archive/247/=now>
> <https://www.listbox.com/member/archive/rss/247/> 	[Powered by  
> Listbox]
> <http://www.listbox.com>




-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com