Fwd: [ NNSq Re: Comcast's "Evil Bot" Scanning Project (Lauren Weinstein)

[Dave Farber <dave () farber net>]

Begin forwarded message:

> From: George Ou <george.c.ou () gmail com>
> Date: October 12, 2009 8:18:13 EDT
> To: 'Vint Cerf' <vint () google com>, 'George Ou' <george_ou () lanarchitect net 
> >
> Cc: "'Livingood, Jason'" <Jason_Livingood () cable comcast com>,  
> 'Richard Bennett' <richard () bennett com>, nnsquad () nnsquad org, 'Brett  
> Glass' <brett () lariat net>, 'Dave Farber' <dave () farber net>,  
> 'Christopher Yoo' <csyoo () law upenn edu>, 'Rich Woundy' <Richard_Woundy () cable comcast com 
> >, 'John Day' <jeanjour () comcast net>, "'David P. Reed'" <dpreed () reed com 
> >
> Subject: RE: [ NNSquad ] Re: Comcast's "Evil Bot" Scanning Project  
> (Lauren Weinstein)

> “I would have expected most email-borne virus checking to be done at 
>  the post-message assembly level, not packet by packet. DPI has limi 
> ted reassembly scope. If someone is sending malware by email, I woul 
> d expect the ISP that provides the email service (not necessarily th 
> e same as the ISP providing access service) would be where the detec 
> tion occurs - the same may be said for incoming email.”
>
>
>
> Consumers don’t really care if it’s done pre-assembly or post  
> assembly or which model of the OSI layer it happens at.  It’s all th 
> e same thing to them and my point is that they don’t view content an 
> alysis as a form of privacy invasion especially when it’s merely a m 
> achine that merely looks for infections or spam.  Now if the mail pr 
> ovider were to store the email for future data mining like Gmail, th 
> at would be far more invasive than a DPI system that merely stores t 
> he content long enough to determine whether there is dangerous conte 
> nt or not.  Also, IDS systems generally scan for malicious payloads  
> pre-assembly.
>
>
>
> “Depending on what information is obtained and/or kept using DPI, th 
> ere is plainly a potential for considerable invasion - it's not so m 
> uch the method as the question of what is retained that concerns mos 
> t folks.”
>
>
>
> This is very ironic coming from someone at Google.  Again, I have no  
> problems with Google’s business model so long as people are informed 
>  that their personal data will be stored and mined.  But it seems ra 
> ther hypocritical of you to criticize DPI which generally doesn’t st 
> ore any data or even behavioral advertising systems that generally s 
> tore less data than Gmail.
>
>
>
>
>
> “As to cutting someone off if an infected machine is detected, this  
> only makes sense if there is an easy way to clear the problem reliab 
> ly and quickly. I am not too impressed by the current crop of virus/ 
> worm/trojan cleansing software.”
>
>
>
> No, cutting off the machine immediately is very effective at  
> stopping the spread of the infection which should be a much higher  
> priority (to society as a whole) than restoring access to the  
> infected user.  The way it works today is that users usually know  
> something is wrong with their computer but they choose to live with  
> it.  A network-based detection and quarantine system forces them to  
> fix their computer and it also reduces the likelihood that they  
> would be infected in the first place.
>
>
>
> “It would be great to find much better tools for resisting, detectin 
> g and eliminating malware once detected.”
>
>
>
> No tool is going to protect a user who willingly launches malware on  
> an open platform like the personal computer where the user is the  
> administrator.  My family members have never been infected with  
> anything simply because they have no admin rights.
>
>
>
>
>
> From: Vint Cerf [mailto:vint () google com]
> Sent: Monday, October 12, 2009 12:09 AM
> To: George Ou
> Cc: 'Livingood, Jason'; 'Richard Bennett'; nnsquad () nnsquad org;  
> 'Brett Glass'; 'Dave Farber'; 'Christopher Yoo'; 'Rich Woundy';  
> 'John Day'; 'David P. Reed'
> Subject: Re: [ NNSquad ] Re: Comcast's "Evil Bot" Scanning Project  
> (Lauren Weinstein)
>
>
>
> George,
>
>
>
> I would have expected most email-borne virus checking to be done at  
> the post-message assembly level, not packet by packet. DPI has  
> limited reassembly scope. If someone is sending malware by email, I  
> would expect the ISP that provides the email service (not  
> necessarily the same as the ISP providing access service) would be  
> where the detection occurs - the same may be said for incoming email.
>
>
>
> As to cutting someone off if an infected machine is detected, this  
> only makes sense if there is an easy way to clear the problem  
> reliably and quickly. I am not too impressed by the current crop of  
> virus/worm/trojan cleansing software. This reminds me of the credit  
> card companies early attempt to detect fraudulent use of stolen  
> credit cards - three failures to enter the PIN caused the cards to  
> be eaten by the machine. This pissed so many consumers off (who  
> simply could not remember their PINs) that they stopped the practice.
>
>
>
> It would be great to find much better tools for resisting, detecting  
> and eliminating malware once detected.
>
>
>
> Depending on what information is obtained and/or kept using DPI,  
> there is plainly a potential for considerable invasion - it's not so  
> much the method as the question of what is retained that concerns  
> most folks.
>
>
>
> v
>
>
>
> On Oct 11, 2009, at 11:03 PM, George Ou wrote:
>
>
>
>
> S/MIME email or SSL signed web page is a pretty good technical  
> mechanism (with exception of current null character certificate  
> vulnerability in many X.509 clients e.g., CryptoAPI) for notifying  
> customers.  The challenge there is that many consumers treat non- 
> signed and signed email or websites the same.  Even if they know the 
> y’re supposed to look for the lock symbol, not everyone is going to  
> know if a digitally signed ComcastNotification.com (which anyone can 
>  buy for $10/year right now) or Comcast.somedomain.com is from the r 
> ight source or not.
>
>
>
> I still think the best mechanism is a quarantine with Internet  
> access cut off with everything redirecting to a notification site.   
> Then the user doesn’t need to guess because they know they’ve  
> been cut off and they have to do something about it.  Emails and web 
>  popups can be ignored and/or blocked and the consumer can just keep 
>  spewing malicious payloads all over the Internet.  Many consumers ( 
> I know quite a few personally) know they’re infected with something, 
>  but they’re willing to live with it because fixing an old computer  
> is going to cost two hours of expensive labor at a minimum for a fre 
> sh OS install and that doesn’t include data backup and recovery.  A  
> lot of consumers simply live with it until they can get a new comput 
> er and replace the old and severely degraded computer with malware a 
> nd crapware loaded to the rim.  Then when they get the new computer, 
>  they do the exact same things they shouldn’t have done and they get 
>  infected all over again with a few weeks.
>
>
>
> So realistically, the only thing that can/should currently be done  
> is to cut infected users off until the actually fix the problem.  If  
> every ISP did that, it would actually make consumers a less valuable  
> target to botnet herders because an infected machine doesn’t stay in 
> fected for long unless it is a very low profile (non DoS) type bot n 
> eeded for small targeted attacks against high profile targets.  So b 
> y making all users clean their computers, users become less valuable 
>  and less likely to be infected.
>
>
>
> Notification mechanism proposal
>
> One possible way to make a reliable notification mechanism is to  
> standardize it into current anti-virus software and anti spyware  
> applications.  Better yet, just make it a standard part of the web  
> browser because not everyone wants to run anti-virus (since we know  
> it can easily be bypassed and sometimes exploited).  Then a  
> digitally signed notification could be inserted into a non-visible  
> part of a web page and the browser would pop up an out-of-band  
> notification (think Vista UAC) that would be very obvious that it is 
> n’t your typical web popup.
>
>
>
> The threat of false positives and false negatives is being  
> overplayed.  It won’t be any different than false positives and fals 
> e negatives in anti-spam solutions.  It’s always going to require ca 
> reful configuration and ongoing tuning to minimize the inconvenience 
> s.  We could also have escalated levels of response based on the cer 
> tainty of infection.  If it’s just some anomalous traffic that might 
>  look like a piece of malware, we can send the notification.  If it’ 
> s a blatantly obvious signature match, we quarantine the subscriber.
>
>
>
>
>
> DPI is NOT an invasion of privacy
>
> As to the debate as to whether this is “DPI” or not, of course  
> it’s DPI and there is nothing wrong with DPI.  That’s how the  
> Internet works for the majority of email services and many networks  
> that run Intrusion Detection Systems (IDS).  Do users think their pr 
> ivacy is violated if a piece of software on a remote computer (owned 
>  by the provider) parses every word and sentence in their email?  Wi 
> th the exception of a few fanatics, I doubt most people would feel t 
> his way.  Is IDS a form of DPI?  Of course it is, but it is not a vi 
> olation of privacy.  DPI is not much different than going through a  
> metal detector and air blast machine that sniffs out bomb making che 
> micals at an airport.  DPI is far less invasive than the X-Ray machi 
> nes your luggage goes through at the airport where a human operator  
> looks inside your back.
>
>
>
>
>
> George
>
>
>
> From: Livingood, Jason [mailto:Jason_Livingood () cable comcast com]
> Sent: Sunday, October 11, 2009 5:25 PM
> To: Richard Bennett; Vint Cerf
> Cc: nnsquad () nnsquad org; Brett Glass; George Ou; Dave Farber;  
> Christopher Yoo; Rich Woundy; John Day; David P. Reed
> Subject: Re: [ NNSquad ] Re: Comcast's "Evil Bot" Scanning Project  
> (Lauren Weinstein)
>
>
>
> Richard said:
> > Vint made a perfectly sensible comment on the system, highlighting  
> the weakness in the notification chain
>
> Vint said:
> > i like the option of notification by digitally-signed email or   
> something verifiable. I am less sure I like the popup idea.
>
> [JL] The notification methodology is clearly an area we hope to  
> learn a great deal about during this technical trial.  I am also  
> happy to take any specific suggestions on workable alternatives,  
> which I can add to Section 6 (“Notification to Internet Users”)  
> of this draft: http://tools.ietf.org/html/draft-oreirdan-mody-bot-remediation-03 
> .
>
> Regards
> Jason



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com