Interesting People mailing list archives

Re: Comcast's "Evil Bot" Scanning Project (Lauren Weinstein)


From: David Farber <dave () farber net>
Date: Mon, 12 Oct 2009 03:21:46 -0400



Begin forwarded message:

From: Vint Cerf <vint () google com>
Date: October 12, 2009 3:09:09 AM EDT
To: "George Ou" <george_ou () lanarchitect net>
Cc: "'Livingood, Jason'" <Jason_Livingood () cable comcast com>, "'Richard Bennett'" <richard () bennett com>, <nnsquad () nnsquad org>, "'Brett Glass'" <brett () lariat net>, "'Dave Farber'" <dave () farber net>, "'Christopher Yoo'" <csyoo () law upenn edu>, "'Rich Woundy'" <Richard_Woundy () cable comcast com>, "'John Day'" <jeanjour () comcast net>, "'David P. Reed'" <dpreed () reed com>
Subject: Re: [ NNSquad ] Re: Comcast's "Evil Bot" Scanning Project (Lauren Weinstein)

George,

I would have expected most email-borne virus checking to be done at the post-message assembly level, not packet by packet. DPI has limited reassembly scope. If someone is sending malware by email, I would expect the ISP that provides the email service (not necessarily the same as the ISP providing access service) would be where the detection occurs - the same may be said for incoming email.

As to cutting someone off if an infected machine is detected, this only makes sense if there is an easy way to clear the problem reliably and quickly. I am not too impressed by the current crop of virus/worm/trojan cleansing software. This reminds me of the credit card companies' early attempt to detect fraudulent use of stolen credit cards - three failures to enter the PIN caused the cards to be eaten by the machine. This pissed so many consumers off (who simply could not remember their PINs) that they stopped the practice.

It would be great to find much better tools for resisting, detecting and eliminating malware once detected.

Depending on what information is obtained and/or kept using DPI, there is plainly a potential for considerable invasion - it's not so much the method as the question of what is retained that concerns most folks.

v

On Oct 11, 2009, at 11:03 PM, George Ou wrote:

S/MIME email or SSL signed web page is a pretty good technical mechanism (with exception of current null character certificate vulnerability in many X.509 clients e.g., CryptoAPI) for notifying customers. The challenge there is that many consumers treat non-signed and signed email or websites the same. Even if they know they’re supposed to look for the lock symbol, not everyone is going to know if a digitally signed ComcastNotification.com (which anyone can buy for $10/year right now) or Comcast.somedomain.com is from the right source or not.

I still think the best mechanism is a quarantine with Internet access cut off with everything redirecting to a notification site. Then the user doesn’t need to guess because they know they’ve been cut off and they have to do something about it. Emails and web popups can be ignored and/or blocked and the consumer can just keep spewing malicious payloads all over the Internet. Many consumers (I know quite a few personally) know they’re infected with something, but they’re willing to live with it because fixing an old computer is going to cost two hours of expensive labor at a minimum for a fresh OS install and that doesn’t include data backup and recovery. A lot of consumers simply live with it until they can get a new computer and replace the old and severely degraded computer with malware and crapware loaded to the brim. Then when they get the new computer, they do the exact same things they shouldn’t have done and they get infected all over again within a few weeks.

So realistically, the only thing that can/should currently be done is to cut infected users off until they actually fix the problem. If every ISP did that, it would actually make consumers a less valuable target to botnet herders because an infected machine doesn’t stay infected for long unless it is a very low profile (non DoS) type bot needed for small targeted attacks against high profile targets. So by making all users clean their computers, users become less valuable and less likely to be infected.

Notification mechanism proposal
One possible way to make a reliable notification mechanism is to standardize it into current anti-virus software and anti-spyware applications. Better yet, just make it a standard part of the web browser because not everyone wants to run anti-virus (since we know it can easily be bypassed and sometimes exploited). Then a digitally signed notification could be inserted into a non-visible part of a web page and the browser would pop up an out-of-band notification (think Vista UAC) that would be very obvious that it isn’t your typical web popup.

The threat of false positives and false negatives is being overplayed. It won’t be any different than false positives and false negatives in anti-spam solutions. It’s always going to require careful configuration and ongoing tuning to minimize the inconveniences. We could also have escalated levels of response based on the certainty of infection. If it’s just some anomalous traffic that might look like a piece of malware, we can send the notification. If it’s a blatantly obvious signature match, we quarantine the subscriber.


DPI is NOT an invasion of privacy
As to the debate as to whether this is “DPI” or not, of course it’s DPI and there is nothing wrong with DPI. That’s how the Internet works for the majority of email services and many networks that run Intrusion Detection Systems (IDS). Do users think their privacy is violated if a piece of software on a remote computer (owned by the provider) parses every word and sentence in their email? With the exception of a few fanatics, I doubt most people would feel this way. Is IDS a form of DPI? Of course it is, but it is not a violation of privacy. DPI is not much different than going through a metal detector and air blast machine that sniffs out bomb making chemicals at an airport. DPI is far less invasive than the X-Ray machines your luggage goes through at the airport where a human operator looks inside your bag.


George

From: Livingood, Jason [mailto:Jason_Livingood () cable comcast com]
Sent: Sunday, October 11, 2009 5:25 PM
To: Richard Bennett; Vint Cerf
Cc: nnsquad () nnsquad org; Brett Glass; George Ou; Dave Farber; Christopher Yoo; Rich Woundy; John Day; David P. Reed
Subject: Re: [ NNSquad ] Re: Comcast's "Evil Bot" Scanning Project (Lauren Weinstein)

Richard said:
> Vint made a perfectly sensible comment on the system, highlighting the weakness in the notification chain

Vint said:
> i like the option of notification by digitally-signed email or something verifiable. I am less sure I like the popup idea.

[JL] The notification methodology is clearly an area we hope to learn a great deal about during this technical trial. I am also happy to take any specific suggestions on workable alternatives, which I can add to Section 6 (“Notification to Internet Users”) of this draft: http://tools.ietf.org/html/draft-oreirdan-mody-bot-remediation-03 .

Regards
Jason




