Slashdot Mirror
Comcast Cuts Infected PCs' Network Connections
fidget42 writes "I just noticed this article over at Infoworld. It seems that Comcast is finally doing something about the machines on their network that are being used by spammers. They are now cutting off service to those customers who have computers that have been hijacked by spammers. Now, if only other broadband ISPs would start policing their user base ..."
Because we all know Corporations policing is a VERY GOOD THING!tm
You'd be first in line to moan about them 'infringing' on your interweb right!
which side of the fence are we on? We don't like bandwidth limits, but we do like automatically triggered cutoffs, because we all know there is no such thing as a false positive.
also, say grandma gets infected. She is best off downloading updated definitions for her old version of symantec, and letting AV take care of it. how do you do that with no intarweb?
Doesn't this force those users to go out to CompUSA and buy a copy of McAfee or Norton antivirus?
Blocking web access also means that those users aren't able to download good, free virus scanners like Grisoft's AVG.
I have been pwned because my
For example, I administer a mail server, and occasionally have to mail a virus or spam to myself to check that the filters are operating correctly. It would be very inconvenient if I got my connection pulled each time that happened.
Although a lot of of the spammer are not spammers but people with infected computers. But they wont do anything unless they have to. Cutting net access to them will force them to fix the problem one way or an other. Most people who are hacked will go well it is not affecting me so I wont fix it. But with their connection gone then it is affecting them. Now they can fix it them self or hire someone to do it. But this is a good first step.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I applaud this decision. Even though it will possibly cost them customers or cost them additional tech support time, they will be cutting off peoples owned windows boxes.
Lets hope they hold to this once the calls start coming in from people who have everything from Bagle to Netsky (along with probably a heavy dose of spyware too)
wtf? How is this going to benefit the people who're running the machines?
Try sending out an ISP bulletin with the simple tips on how to avoid getting exploited in the first place. It's dead simple.
1. install patches regularly
2. virus scan
3. don't open attachments
4. don't install spyware.
If people used these 4 simple techniques, while it wouldn't be perfect, it would by my thoughts drop the number of infected machines down by three quarters, which will DRAMATICALLY reduce the efficiency and productivity of running a spamming business, and spammers won't have any choice but to leave you alone.
Cutting people off is just going to get them to take infected machines somewhere else.
Why disable the account when they could just block certain ports?
How is an infected user supposed to resolve the issues that they have if they can't get to an update or patch?
This reminds me of the idea of putting people in jail for debt. Bankruptcy amounts to a life sentence, since there was no possible way a person could make up the sum of money while in jail, away from the work force.
How can these people fix the problem without access to up-to-date patches and virus scans?
don't cut them off
send them an email saying something like "type ftp://blah.blah.blah in your internet explorer (would they be using any other browser?) and run the virus remover exe you see there"
then dump them into a quarantine subnet with access to nothing else except that ftp address
that email would be the last email in their inbox
just cutting them off leaves them no recourse
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
To me, this sounds like an OK idea, because I bet this will be the ONLY way that many users FIND OUT that their computers have become zombie spambots.
There is a certain responsibility that comes with being a part of the internet, one that has become greatly understated since the commoditization and commercialization of the 'net as a whole: do not become a danger or a malfeasance to the rest of the machines that are also connected.
Unfortunately, this is something that seems to be lost on the clients of broadband always-on connections, especially those that are used by folks with little or no proficiency. While they have no intention of becoming spam-hosts, or DDOS platforms, by not keeping their machines protected against the various evils that lie in waiting out there, they unwittingly become part of the problem.
This does not reduce the hassles and costs to other sysadmins and users of the 'net as a whole. That said, it seems only fair for an ISP to mitigate the problem by pulling the connection of a user whose systems(s) are spewing out malware.
There are reasonable precautions one should take, that is, having a good firewall, keeping the machine patched and having good virus protection. No, this does not come without some effort and not always without cost. But, to be connected to the internet full-time, it is a cost of doing business, not unlike having insurance for your car in case you cause an accident. Liability insurance is to protect the public, and you from losing everything should you do harm to others. Keeping worms, trojans and viruses off of your machine also protect not only you but others as well.
So, it is really a matter of responsibility.
Require the installation of a "personal firewall" when the users sign up for an account. Hell, everything else and the kitchen sink was on that CD when I signed up for Comcast... This would probably cut 99% of the problems out. If not a software based solution, how about a hardware based one? How hard would it be to put a firewall in the router they charge 4.95/m to use? Hell, tech support could configure it for grandma, grandpa, mom, dad, ...
But I guess it is easier to just shut them off, and then charge a reconnection fee... eh?
--ryan
Lets put it another way: the ISP states in their terms & conditions something like: "Subscribers are not allowed to distribute spam or worms over their connection, nor are they allowed to carry out DDOS attacks.". Doesn't sound too unreasonable, does it? Not even if the user breaks this rule unwittingly, because his computer is infected with something nasty.
A rule like this puts the responsibility for the cleanliness of the subscriber's computer firmly with that subscriber. Rightly so, since that user is in an excellent position to do something about it. It sucks being disconnected because of a worm on your machine, but the alternative is to allow the worm to continue to spread.
The only things I worry about is the accuracy of the detection mechanism used on the ISP's side, and the promptness with which they reconnect you after you fix the problem on your machine.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
in modem, he means cable modem. It's not an integrated piece of hardware but a little box that sits somewhere outside of the PC. I can't really imagine a virus being able to reconfigure the modem, no. At least not trivially.
It's about the easiest thing ion the world for the ISP to and it's _very_ effective. Another option would be for ISP's to force all SMTP traffic through their own mailserver and virus scan it. They could easily spot a home user sending a couple of thousand messages in an hour or one spreading infected email everywhere.
If you want unfettered access you can pay for a co-lo box and take the responsibility too. People can't keep hiding behind their ISP and dynamic IPs. I'm all for personal freedoms on the net, but with freedom comes responsibility. Deal with it.
Now that would be a ' Good Thing !
Because the "Little Old Granny" wouldn't have a clue that she was being throttled. Blocking is a good idea. However, the blocked message should be something like "We have detected your machine has a virus. Please CALL Comcast at..." Then, the customer support person could help out. cb
Remember, licking doorknobs is illegal on other planets.
Oh, but I do
I work in system support. This conviction of mine that the numbers out stupid people outweigh the power users is borne of considerable experience and many thousands of hours of fixing things for those friends who only call when they have a problem.
There is a massive hard core of people who just DO NOT LEARN from their mistakes. Frankly if ISPs are going to let these dangerously ill-educated people onto the web they should have a duty to deal with the consequences
Anything ISPs do to protect these people or us techies from their side-effects is a good thing.
This isn't a whinger or an outsider speaking. I've got the T-shirt and it wasn't worth what they charged.
I have been a user for about 10 years. This ends Feb 2014. The site's been ruined. I'm off. Dice, FU
It fixes the issue for me as well. And you. And, in fact, anyone at all who isn't the person infected.
Having said that, I agree with your point about prior contact. I'm fully in favour of cutting off virused connections however, and in a reasonably swift time limit too.
Cheers,
Ian
Yes it well within the ISP's right (at least for users without pink contracts). The user is bound to the ISP's TOS/other agreements and if the user is in violation of those agreements the ISP can suspend or terminate service. I believe that sending spam and viruses is against the TOS of all legitimate ISPs (even on a hijacked machine). Remember that ISPs are NOT common carriers. I just wish that broadband providers would restrict SMTP traffic only to the ISP's mail relay for residential accounts. Most, if not all, dialup providers now restrict port 25 and it has dramatically cut down on the spam and virus propogation from dialup machines.
ISP could set up captive portal (like on WLANs) with information and pointers to AV software updates. Either all traffic is relayed through proxy or then packets are allowed to AV sites.
But false positives are the problem, of course. But once you get confirmed spam, virus or worm traffic, then you can be quite sure.
That's all well and good, but . . .
I work for one of the largest meta-ISPs. To put things simply, my employer operates the back-end of of a few hundred interest services. Said employer shall remain nameless, and no, my email address does not reflect said employer.
Anyway. I'm a graveyard shift network operator. There isn't a whole lot to do on the graveyard shift except make sure nothing bursts into flames. So I'm pretty bored until about 5am when our authentication logs gets rolled into the database.
And this is when i can go through all the complaints about spam, viruses, port scans, and whatever else our teeming masses of end users have perpetrated, and figure out exactly who's computer is doing what. And then shut 'em off.
I agree completely that it would be great if there were some way i could efficiently get the end user to disinfect or secure their systems without having to resort to strong-arm tactics, but the truth is that, for 99.99999% of home users, disabling their supply of email and porn is the only way we can get them to sit up and pay attention.
Think about it. If you got some popup on your screen that said you have a virus and your internet connection is at risk, you'd just close it and go about your business. Unless your connection didn't work, and then you'd call customer service and try and get it 'fixed'.
Heck, most people get popups that tell them that sort of thing all the time.
Would a smart person trust that the 'free' antivirus tools are indeed what they claim to be without some way of independently verifying that? I sure wouldn't.
Would an *average end user be able to use them effectively? That joke isn't even funny. I did my time in tech support - the sheer number of people who have asked me what a comma is while I'm trying to help them disable call waiting on their phone line are shadowed only by the monumental stupidity of the woman who was overheard - on several calls - shouting at her husband - over and over - "IT'S THE A IN THE CIRCLE! THE *A* IN THE *CIRCLE*!!!". It would be funnier if it didn't make one lose all faith in the future of humanity.
Furthermore, have you considered the liability issues here? You want a corporation to tell a user to run a program that proports to remove a virus from their system? a FREE program? What happens when it runs across some new variant of some virus, thinks it's the old variant, does the wrong thing to remove it, and ends up rendering the whole system inoperable? I'll tell you what, some arm-chair attorney is going to threaten legal action. You have no idea how frequently this really happens. Even if you so much as recommend third party software.
So we cut 'em off. Just to force them to call us. And then we tell them, essentially, "Look, buddy. Your computer has this problem. And your computer's problem is our problem. And that makes it your problem. We don't care what you do to solve this problem, but you better do it. We suggest antivirus software as a first step. We hear that you can get a free version of something called AVG."
And then, if they seem to understand, we turn their connection back on, so that they can update their norton or download avg or whatever.
And every week, there's two or three end users who get their accounts totally closed because we've been over this with them three times already and they haven't managed to get the picture.
I wish there were a kinder, gentler way to do it. So far, I don't think there is.
This is just like television, only you can see much further.
instead of cutting off net access entirely, why not provide a means to actually fix the problem instead of alienating their customers?
why not (say) decrease the dhcp lease time from whatever to an hour or so. when whatever mechanism they're using to detect spam/whatever infection (hope to god they're not just listening for smtp traffic, that'd be evil but sadly likely) goes off, it would tell the cable modem ot use a different config which would then allow the user to get a different dhcp lease. this lease would set their router to something different, which would then pipe a single page to the user - similar to what many universities install for when users try and access pr0n or something like that from a school computer.
some mechanism ('m not familiar with routing protocols unfortunately) would then be provided to drop all traffic at the router except for http traffic through a specific gateway, possibly to specific hosts such as mcaffee, symantec, windowsupdate.microsoft.com, and the vairous other free virus and malware scanning packages.
This is a bit more complex, but surely it's possible - I've seen and/or read about all the various mechanisms I mentioned above.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
I'm one of the sysadmins for a company with a large number of remote employees. Recently, one called me saying Comcast told them they had a trojan. Well, I couldn't fly out to look at the laptop and the employee couldn't exactly just send the computer and work from nothing. I had this person seek local help, and after several attempts Comcast still shut down internet service.
I understand that techies across the world think this is super-fantabulous, but this is horrendous for the average end-user. Comcast doesn't (I will refrain from saying can't or won't) say what a user's system is infected with, or what exactly it's doing...just that there's some "illicit traffic" coming from that IP. That's great, now how am I supposed to diagnose the problem? It wouldn't be that difficult if the machine were in front of me, but how to I walk Mary End User through complicated tasks over the phone while she's already frustrated? If Comcast were doing more - i.e. they told you what the problem was and the steps you can take to remedy it - I would be more supportive of this. As it stands, it's just going to make a lot of end-users get cheated by shady local PC repair places while they get the run-around from fifteen different vendors. Make jokes about virus scans all you want, but nothing is fool-proof...and since any fool is equipped with a computer these days, infections will happen and malicious attacks will succeed. So +1 to Comcast for taking some initiative, and -2 for crappy execution and not giving half as much of a flying foo as they'd leave their customers to believe.
This is a very bad idea! The best source for antivirus and spyware-removal software is on the internet. To me, it looks like they're burring the problem instead of fixing it.
Now, here's my humble suggestion for a better solution. If a PC is identified as a compromised machine, it's added to a pool of machines that all gets a special IP and special DNS servers (I assume they run DHCP - if they don't they should). Now, the new DNS servers resolve all addresses to a special page dedicated to downloading anti-spyware and virus checkers. Maybe even an online scanner like housecall. So, when Joe Luser fires up his web browser, he reaches this page no matter what he types. Once he's machine is cleaned, he will be removed from the compromised pool.
Underholdning.info
I sent one here.
There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom
this last round of worms came in an email that pretty much said exactly that.
"Hi, I'm the admin from [YourISP]. We think you have a virus. Please run the attached program, and blah blah blah."
The next round will have something like "Please type in [EvilURL].com and run the 'virus remover' you see there."
How is Joe Averages' Grandma supposed to tell the difference?
"I couldn't fly out to look at the laptop and the employee couldn't exactly just send the computer and work from nothing. I had this person seek local help, and after several attempts Comcast still shut down internet service....this is horrendous for the average end-user." What's horrendous for the end user you speak of is not that Comcast acted responsibly by cutting off a spam zombie's access, but that your IT department has not provided adequate support for remote users.
My other machine is a lever.
same situation with a neighbor... I cleaned Mydoom, Netsky, and Beagle (the J variant) out of his computer... his computer was slower and more unstable than usual, so he asked me to look at it for him (it's a win98 box... 'nuff said).
I've already set them up with a good firewall... controlling what they do with their Email attachments is a bit more problematic.
I support cutting off accounts for abuse, whether intentional or simply clueless/negligent. Hell, I'd be delighted if somebody warned me that something was up with my connection, for a couple of reasons. One: I have more than a passing interest in net security, so if my box just got pwned, I want to know about it, including how they did it. Two: I try to be a good netizen, and just like I'd expect one of my neighbors to call me if he noticed my house was on fire, I'd hope somebody would tell me if I was polluting the 'net.
This is comcast doing the user and their fellows a favor.
Even if a man chops off your hand with a sword, you still have two nice, sharp bones to stick in his eyes.
A few weeks ago, I got a warning from RR saying "you are doing a DDOS attack and are probably infected with a trojan"
Considering a) I'm running Linux and b) I do forensics on trojans at work, I'm not going to be infected.
I checked my wife's box which was Windows at the time, and it was clean. I checked mine and it was clean.
A little more digging and the "attack" comes down to SpamAssassin. Anyone who was running SpamAssassin or MailWasher got these warnings because RR couldn't manage their freaking DNS servers correctly.
I for one do not want to get cut off because of the incompetence of the ISP.
While activating my Cox Cable access the other evening, they actually require you to disable all firewalls (hardware and software) and connect to the internet.
Then, if you have problems once you turn on your firewalls, multiple techs have recommended, "Just turn it off, the connection will work fine!"
Right.... here, let me put this un-firewalled box on the internet.
I don't care what OS you're using, this is a bad idead.
A few minutes before I found this thread today I received an automated message from lafn.org. In that message it stated very clearly that it was an automated process that was blacklisting a /24 around a machine on one of our dialup netblocks that was caught sending mail to one of their spamtraps. That user is of course infected as are probably 50% IF NOT MORE of our customers. Our customers, no matter how big they are, no matter how big a customer they *think* they are, no matter what service they pay for have the right to cause 252 other customers at any given moment to be blacklisted. If they think they are that important then we sure as hell don't need them as a customer.
Personally, I'd like to see more type of this internet policing by ISP's. They should also be blocking people who have open SMB shares on their Windows Networks. I cant count the number of times I've purposely went in Someones SMB share and dropped a text file telling them how to fix it.
While I can appreciate the nobility of such an act, unless it's part of Comcast's user agreement that they are allowed to have control over, and the ability to deposit data on their customer's computers, you just violated a bunch of laws. Anyone who had this happen to them could probably sue the crap out of Comcast.
... to get the new virus definitions from where exactly? What are they expecting people to do call symantic and have them snail mail them a floppy. Why don't they do the responsible thing, and partner with someone like sophos, and have free virus software as part of their install/update procedure.
That's like in Britten when they used to put paupers in jail for not paying their taxes. Not a lot of people got a lot of high paying jobs in prison, so they never paid the taxes.
RandomAndInteresting.comdefending the world from stupidity since 1979
Yes, I'm all for getting people who are infected by viruses and spammers and thus make the Internet suck for the rest of us, but this is setting a bad PRECEDENT.
Comcast has already gotten lambasted here for cutting off "abusive" downloaders who have "unlimited" access. If Comcast not only is allowed to but also is *encouraged* to handle this problem simply by dropping the users' access, then there's no reason they won't feel like they can address the other problem by continuing to cut off those using a large amount of bandwidth under unlimited plans.