Excite@Home Claims Broadband 'Safe'

← Back to Stories (view on slashdot.org)

Excite@Home Claims Broadband 'Safe'

Posted by timothy on Monday October 23, 2000 @03:30PM from the only-customers-with-computers-should-worry dept.

photozz writes: "Ya know it's rare when an article can get me angry, but this has managed. Cable provider Excite@Home claims that their users are 'relatively' free of attack from hackers due to DHCP, and say you should only be concerned if they are storing private information on their PC's. From the article:'The fear created in consumers' minds is actually greater than the risk that exists,' he said. 'If a customer operates the computer in a safe manner, there shouldn't be any problem.'" Perhaps not surprising that @Home would downplay the risk, but photozz is right -- the fear in broadband customers' minds ought actually be higher, not lower. BackOrifice, zombie attacks etc., ought to frighten the broadband providers into pushing at least simple firewall software themselves perhaps.

13 of 356 comments (clear)

Min score:

Reason:

Sort:

DHCP is for ease of use... by sulli · 2000-10-23 12:14 · Score: 4

NOT security.
I work for a major ISP that offers DSL service, and we use DHCP to allocate IP addresses. We do this because it's a pain to type in your IPs, particularly for mobile users, and because it does help allocate IP addresses a bit more efficiently. It's not a protection against someone who scans a pool of IP addresses looking for open shares, as the "911 Worm" did some months ago. Just for IP allocation, that's all.

--

sulli
RTFJ.
Corrections by Shagg · 2000-10-23 21:13 · Score: 5

Actually, if you read the article, the majority of it is talking about how INSECURE broadband connections are, and experts were quoted saying that everyone should be running a "personal firewall".
The DHCP remark was made by a DSL provider, NOT by EXCITE@HOME. The @HOME representative was quoted as saying that their techs take precautions during the installation such as "Disabling file sharing". They also say that people should take more precautions if they have "sensitive information" on their PC, not "private information", and that while Excite@home does not provide such software, they did say that they are willing to help a customer install and set it up to work with their service.
I'm not much of a fan of @HOME's tech support and security policies either(personally I run an ipchains firewall on my @HOME account), but the original poster made a pretty inaccurate review of the article and painted Excite as being more clueless than they actually were.
Don't be too quick to jump on the "bash @HOME's security advice" bandwagon based upon the posters comments. Read the quotes in the article for yourself first, the original poster was way off the mark.

--
Unix is user friendly, it's just selective about who its friends are.
Remember a Cracker's Motive by dmccarty · 2000-10-23 12:16 · Score: 4

Let's remember what a cracker does this for: the thrill of the chase, the bragging rights to a successful crack, and (more maliciously) any rewards from the compromized site.
Not many crackers are going to waste their time scanning @Home subnets looking for Internet newbies that they can screw with. It isn't worth the time and the "kill value" is negligable. How fun is it to kill someone in Quake with a ping of 500+ who is stuck in a corner? The true glory comes from killing the best guy on the map. (Or, in Slashdot's case, from rooting a /. box and posting a story about it.)
Also, let's assume 90+ percent of @Home users run Windows boxes--Win95 and Win98. Even without firewall software, Win32 is much less likely to be cracked than *nix boxes. I'm not trying to start a huge flame war here--but the facts speak for themselves. Look at all the rootkits out there. Look at all the successful cracks. Were the servers running Unix and variants thereof? Probably.
Now I'm not saying that a Unix box can't be properly secured. But the fact remains that more hacker activity is exerted towards cracking Unix and its siblings than Win32 and other OSes--and with good reason: it's easier.
Interesting discussion invited; flames to /dev/nul please.
--

--
Have fun: Join D.N.A. (National Dyslexics Association)
Re:Elf Bowling by wirefarm · 2000-10-23 12:19 · Score: 5

"Because Windows 98 does not by default have lots of services running and doesn't have a good command prompt, it's harder and a less desirable target for crackers..."

Would that be "Security through unusability"?

;-)
Cheers,
Jim in Tokyo

--
-- My Weblog.
Motives by _Sprocket_ · 2000-10-23 18:11 · Score: 4

Let's remember what a cracker does this for: the thrill of the chase, the bragging rights to a successful crack, and (more maliciously) any rewards from the compromized site.
Not many crackers are going to waste their time scanning @Home subnets looking for Internet newbies that they can screw with. It isn't worth the time and the "kill value" is negligable. How fun is it to kill someone in Quake with a ping of 500+ who is stuck in a corner? The true glory comes from killing the best guy on the map. (Or, in Slashdot's case, from rooting a /. box and posting a story about it.)

Different people are motivated by different things. Sure, you're going to have attackers whose interests aren't met by @home customer targets. That doesn't hold for every attacker.
What's the value of an average user's Windows box?
Perhapse a script that runs through open shares looking for a default install of financial software and harvesting the user's data. Maybe the script harvests cookie.txt files and scans them for common online bank identifications. Imagine the wealth of information an identity theif could have waiting for them after a day or two running such scripts.
Maybe the data itself isn't interesting. Instead we have a host with a broadband 24/7 connection. Relatively insecure. Perfect DDoS server host.
Of course... that's assuming the value is something that normally makes sense. Its great that you mention Quake. Quake cheats are relatively rampant. Why bother playing if you're playing with an artificial advantage - and one that's been "done" before? Yet it happens all the time. In the same line, you have skript kiddies who see themselves as something special if they can poke around, and maybe even delete, some unsuspecting target's files. The fact that it may have been trivial to do so means nothing to them.
Also, let's assume 90+ percent of @Home users run Windows boxes--Win95 and Win98. Even without firewall software, Win32 is much less likely to be cracked than *nix boxes.
The article opens up with the example of an unknown individual posting messages on target machine's WINDOWS desktops. Apparently enough of a customer base was affected by this "attack" to warrent a FBI investigation.
It doesn't matter what OS you're using. It doesn't matter if your IP address is constantly moving. Connect a box up to a broadband, persistant connection and it is a target. Being unaware of this is the danger.
Re:DHCP != security by DreamerFi · 2000-10-23 12:48 · Score: 4

Step 4: visit www.dubbele.com

I may not be a Geek on a caffeine high, but that firewall is priceless - free, that is :-)

-John
No thanks by Zagato-sama · 2000-10-23 10:39 · Score: 4

Well, I'll be the first to say that @home sucks like no tommorow. I was one of their first beta testers, and had stuck in until half a year ago when I finally couldn't take their ex-taco bell phone support anymore. Having to stay on hold for twenty minutes in order to get transferred to someone who knows what "traceroute" is bites.

However, one thing @home didn't do is silly things like this. Please, you want an ISP to infringe upon your freedom and dictate what kind of traffic can come in, and can't come out? Hey that's nice and all, but I'd rather have the freedom to setup a firewall for myself, I don't need my ISP to do that for me. For a website who talks about freedom so much, this is a pretty bogus idea
It's a double-edged sword by petermarks · 2000-10-23 10:40 · Score: 5

I use the austrialian excite@home, and we get probed every day. It's important to warn consumers about the risks, - don't turn any services on that you can't control, stay up to date etc.

What would be worse would be for the broadband provider to put a big filtered firewall in the way so I couldn't use the internet the way I want.

What might be best is the ability for consumers to choose "safe/protected" mode or "open" mode where we are responsible for our own firewall.
You think that's bad by nihilogos · 2000-10-23 10:41 · Score: 4

Optus@home ( an australian cable ISP ) states in their FAQ that

Optus@Home is completely secure if you are using a standard operating system like Windows 98.

I had a good laugh over that one.

--
:wq
Firey balls of broadband by Graymalkin · 2000-10-23 10:46 · Score: 4

When Skeletor finally kicked He-Man's ass he bestowed upon man broadband. There were those that said of this thing nothing good shall come. These nay-sayers tried to convince people that they were in danger of everything. Broadband won't hurt you. Why don't broadband companies invest a few more dollars (offer to thier customers at a discount) good cable or DSL modems that have built-in routers with a bit of security. And completely besides the point, where the fuck are my internet active toys? Why can't I plug my microwave into my router and surf the net on its one line monochrome screen? I need to check my fucking email!

--
I'm a loner Dottie, a Rebel.
Hope DHCP keeps away from me :( + what security? by Enigma2175 · 2000-10-23 10:55 · Score: 4

I am on @Home, but in my area they don't force us to use DHCP (yet). In my area, you have an IP address assigned to the MAC address of your modem and you keep the same IP address. Of course, they have DHCP available, but you don't have to use it. They are planning on forcing everyone to use DHCP in the future, so they can have more IP addresses available at any given time. They have a class A, how many damn ip addresses do they need? I use my IP address for alot of things (network administration from work, web server, etc.) I hope they don't try to make me change it every 2 hours. I imagine it will be awhile, they just barely are getting around to putting the 128 kbps cap on my line :( I guess it was good while it lasted, many market have had the cap on for quite a while.
As for security, that is total bunk. DHCP does not stop the 5cr1p7 k1ddi35 from scanning a subnet and attempting to hack whatever open ports they can find. Once they have control of a machine, it is trivial to have it mail them or signal them (have it ping an address, or do a POP mail check, or even an ICMP unreachable packet). There are a million methods to get the new IP address when it changes. DHCP helps nothing.

Enigma

--
Enigma
DHCP != security by Platinum+Dragon · 2000-10-23 11:26 · Score: 5

DHCP just makes you a slightly moving target, and if an attacker is looking for victims, they probably won't restrict their portscans and probes to single addresses, but IP ranges. I occasionally do a sweep of my university's residence network just for yuks, and I've run across a few unsecured boxen, Windows and Linux alike (the guy in Pitman Hall who just installed Debian, this means you!)

However, there are some simple ways to make your broadband connection a little bit less like swiss cheese:

1) Disable file sharing and remote login - Running Windows? Take a look for any folder or file with that little hand icon, and un-share them. Even better, just go into Control Panel -> Network and shut it off completely. Don't think passwords on your shares will help you, as a recent bug was discovered in Win9X share-level password protection where a one-byte character string can be used to bypass a protected share should that byte happen to match the first byte of the actual password. If you're on Linux/*BSD, for the love of Bob shut off NFS, ftpd, telnetd, Apache, and the like until you know what you're doing! Can you say "backdoor"? Even experienced admins leave the occasional hole, and default installs aren't often known for being secure (OpenBSD people, stuff it while I make a point for everyone else:).

2) Don't let anything run automatically - Java and ActiveX in IE and Netscape installing and running automagically? Kill it. Auto-DCC in IRC clients? Un-auto it. Run attachments on preview in Outlook, or run macros in Word documents? You know the drill. Don't let a damn thing run automatically unless you actually know what's taking place. If I ever see LIFE-STAGES.TXT offered to me by DCC again, I'm going to reach through the monitor and shove a virus scanner up the patoot of the victim. The world doesn't need another Melissa or backdoor being passed around just by opening an e-mail in a brain-dead-by-default program.

3) Check for patches and follow directions - MS didn't tell people to change their Outlook settings while it took them a month to patch the program in the wake of ILOVEYOU because it was fun for everyone. Red Hat isn't releasing megs of updates for Red Hat 7 so you can sit there and kvetch about buggy .0 releases. You don't think the latest macro virus craze can get you? Think again, spam-boy; why do you think Unix/Linux vendors have been going batshit looking for format string holes in their software offerings? The exploits may be merely theoretical, but it's best to close them up before the theoretical becomes practical (with apologies to the L0pht).

4) Extra steps if you're really careful and/or paranoid - Old 486: $50. Geek on a caffeine high: $5, $0 if s/he's already jacked on coffee. OpenBSD or Slackware burned on a CD: $0. A kickass firewall to confound the kiddiez with the latest 'sploits and nmap: priceless.

5) Ignore the DSL/cable pissing contest - Nothing to see here, move along...

I'm glad to say most cable installers where I live have a brain, and hence make sure filesharing is turned off in Win9x when they set up your system. Linux/BSD geeks usually have to take matters into their own hands, but most usually know enough to at least kill nfsd and ftpd if they're not going to be used. (Incidentally, this is also why Red Hat and others need to stop enabling every conceivable service by default.)

Closing your box off to kiddies is acutallly pretty easy. However, back-patting fluff like this Excite dropping does way more harm than good by instilling that false sense of security that leads people to think its OK to let attachments run automatically, or leave all those services running on their new Mandrake box. Hard advice is better than press releases and misrepresenting technologies as security measures.
-------------

--

Someday, you're going to die. Get over it.
Re: Oh dear... by jihad23 · 2000-10-23 11:46 · Score: 4

It should be the responsibility of the company supplying the broadband access to supply and configure a firewall as part of the installation, and explain to the users whay it is needed.

Great. You want to handle the tech support calls when your average cable modem using consumer hoses up his $ISP provided firewall software? I thought not.

Speaking as someone who used to work in broadband at a large ISP, no fscking way would we get involved in end-user security. Our customers were encouraged to read up on security and run firewall software, but we weren't going to give them the software or provide tech support for it.

You have to draw the line somewhere. If you help them install/configure a firewall, who is held responsible when it's compromised? Whether or not the ISP should be held responsible, that's exactly how the users would see it.

-- Turn on, log in, burn out...