Vulnerability Development mailing list archives

RE: Comcast man-in-the-middle attack


From: "Thomas J. Arseneault" <arsen () certaintysolutions com>
Date: Fri, 8 Feb 2002 18:53:58 -0800

My $.02 worth, someone with more ISP savvy than I might want to comment if I
get too lost.

If Comcast is like my Cable company (ATT, used to be @home) they have an
Acceptable Use Policy (AUP) that states that you can't run a web server from
your home on their network (probably due to the bandwidth issue mentioned
below) and if I recall properly ISPs were hit rather hard with CodeRed and
other nasties.

So beyond the evil issues raised by Hoover I can see at least two valid
reasons for monitoring HTTP traffic: 1) Compliance with the AUP, which
relates to the "..service quality control checks." exception in "US Code
TITLE 18, PART I, CHAPTER 119, Sec. 2511. (2) (a) (i)" and 2) To scan for
malicious code in the HTTP requests, which would again relate to the
exception. I don't see #2 as likely, just possible.

My philosophy: "Never attribute to malice what can be adequately explained by
stupidity". There are many more stupid people in the world than evil ones,
or at least people who sometimes act stupidly. Maybe not the best philosophy
for a security guy but I'll stand by it. So the fact that this/these
device(s) does not do something correctly may just be misconfiguration.

Again just my $.02 worth and if I'm wrong many, many people will point it
out.

**********************************************
Tom Arseneault
System Admin.
Certainty Solutions, formerly Global Networking and Computing (GNAC).
"Certainty in an Uncertain World"
arsen () certaintysolutions com
http://web.corp.rwc.crtsol.com
**********************************************

-----Original Message-----
From: jon schatz [mailto:jon () divisionbyzero com]
Sent: Friday, February 08, 2002 2:20 PM
To: J Edgar Hoover
Cc: vuln-dev () securityfocus com
Subject: Re: Comcast man-in-the-middle attack


On Fri, 2002-02-08 at 13:27, J Edgar Hoover wrote:
This is standard behavior for a transparent web proxy. Nothing new here.
These have been around for a while, and Inktomi is not the only company
to deploy one. Hell, you can do this with squid and ipchains:

http://www.linuxpowered.com/archive/mini/TransparentProxy.html#toc5

Whether the device is performing correctly is not the question. The
question is whether the device is appropriate at all in this context.

It certainly is. Comcast (like all ISPs) sells a lot more bandwidth than
they actually have. Without some type of caching system, their network
performance would suffer greatly.

Once again, standard behavior for a proxy request. Most (if not all)
proxies are dependent on a partial HTTP/1.1 implementation, and without
the host header, all would be lost...

It may be "standard behavior", but it is incorrect behavior. If I send a
packet to my office, I expect it to go to my office, not comcast's.

But you're not sending just any packet. You're sending an http request.
We dealt with this issue at my previous employer, and non-http requests
on port 80 were just passed through without any interference.

They log the requested URL, and the response. They log it to a network
storage device, that is simultaneously accessed by datamining software.
This gets passwords, contents of webmail, web bbs posts, news you read,
etc.. What part of this is *not* snooping?

Does their privacy statement or EULA state this? If so, find a new
provider. If not, why would you assume that it's happening?

Incidentally, the IP of one of the machines I used to test the evil proxy
this week is now blocked. This isn't speculation, they've already started
censoring.

I truly don't buy it. No offense, but your level of paranoia seems to
match your email handle. I mean, if they really wanted to track all
network data, why not just run tcpdump on a machine somewhere near their
outside POP? That would be a lot easier (and less expensive) than buying
some proprietary Inktomi software.

--
jon () divisionbyzero com || www.divisionbyzero.com
gpg key: www.divisionbyzero.com/pubkey.asc
think i have a virus?: www.divisionbyzero.com/pgp.html
"You are in a twisty little maze of Sendmail rules, all confusing."
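The exchange above turns on one mechanical point: an intercepting proxy on port 80 ignores the IP address the client chose and picks the origin from the HTTP request itself (the Host header, or an absolute URI in the request line), while a payload that is not an HTTP request is passed through untouched. The following is an added example written for this thread, not squid's or Inktomi's code; it parses the first bytes a client sends to port 80 the way such a proxy would, and reports whether the Host the proxy will honour agrees with the destination IP the client actually dialled (the mismatch Hoover is complaining about). Sample payloads and the `192.0.2.10` address are constructed.

```python
"""Added example: what a transparent (intercepting) proxy on TCP/80 learns
from the first bytes of a connection, and which origin it would fetch from.
Illustrative code for this thread, not squid's or Inktomi's logic."""
import re

# Request-line shape from RFC 2616 section 5.1: METHOD SP request-target SP HTTP/x.y
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r?\n")


def parse_headers(payload: bytes) -> dict:
    """Header names lower-cased, values stripped; tolerant of bare LF endings."""
    head = payload.split(b"\r\n\r\n", 1)[0].replace(b"\r\n", b"\n")
    headers = {}
    for line in head.split(b"\n")[1:]:          # skip the request line itself
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower().decode()] = value.strip().decode(errors="replace")
    return headers


def classify_port80_payload(payload: bytes, dst_ip: str) -> dict:
    """Decide what an intercepting proxy would do with this payload.

    Returns kind ('http' or 'passthrough'), the origin the proxy would contact,
    whether that origin agrees with the IP the client chose, and why."""
    m = REQUEST_LINE.match(payload)
    if not m:
        # Not an HTTP request line: jon's "non-http requests on port 80 were
        # just passed through" case. The proxy has nothing to route on.
        return {"kind": "passthrough", "origin": dst_ip, "dst_ip": dst_ip,
                "host_matches_dst": True,
                "note": "not an HTTP request; forwarded to the original destination"}

    method, target = m.group(1).decode(), m.group(2).decode()
    headers = parse_headers(payload)

    if target.lower().startswith("http://"):
        # Absolute-form request (RFC 2616 5.1.2): the URI's authority wins over Host.
        origin = target[len("http://"):].split("/", 1)[0]
        note = "origin taken from absolute URI in request line"
    elif "host" in headers:
        # The normal HTTP/1.1 case: the proxy fetches from Host, not from dst_ip.
        origin = headers["host"]
        note = "origin taken from Host header; destination IP is ignored"
    else:
        # HTTP/1.0 without Host: the destination IP is the only thing left.
        origin = dst_ip
        note = "no Host header; only the destination IP identifies the origin"

    return {"kind": "http", "method": method, "origin": origin, "dst_ip": dst_ip,
            "host_matches_dst": origin.split(":", 1)[0] == dst_ip, "note": note}


# Constructed samples: all are "sent" to 192.0.2.10 (TEST-NET-1), port 80.
SAMPLES = {
    "http11":   b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "http10":   b"GET / HTTP/1.0\r\n\r\n",
    "absolute": b"GET http://cache.example.net/x HTTP/1.1\r\nHost: other.example\r\n\r\n",
    "ssh":      b"SSH-2.0-OpenSSH_3.4\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        r = classify_port80_payload(payload, "192.0.2.10")
        print(f"{name:9s} {r['kind']:11s} origin={r['origin']:18s} "
              f"matches_dst={r['host_matches_dst']}  ({r['note']})")
```

The `host_matches_dst` flag is the check a subscriber or an operator can actually act on: when it is false, the request a transparent proxy fulfils is addressed to whatever Host says, regardless of the IP the client resolved, which is exactly why the thread disagrees about whether "sending a packet to my office" still means that.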
