Major Aussie ISP Disconnecting Trojaned PCs
daria42 writes "Australia's largest ISP, Telstra BigPond, has started disconnecting customers that it suspects have excess traffic-causing trojans installed on their PCs. The trojans have been flooding BigPond's DNS servers and causing extremely slow DNS requests for around a month now. Despite nightly additions of DNS servers, BigPond appears to be unable to cope with the extra traffic on its network." Note that the article says the disconnections are temporary and accompanied by communication with the affected customers, not just a big yanking-of-carpet.
Good.
"Thank God"
"It's about Time"
"Glad somebody is finally taking an interest in keeping the neighborhood cleaned up"
"Oh crap, is this the first chink in the armor, ISP's can disconnect people based on their traffic... Virus, Trojan, P2P, Torrent"
ISPs around the world have been doing this for a while now! I live in a house with 12 people and one person had a hijacked computer sending out mail and Adelphia cut us off. Although they never told us that they did (a quick call to customer support hooked us back up).
Seriously, why is this news?
I think my principles are reachin' an all time low
More ISPs should handle compromised computers this way. Just leaving them around to harm the internet for the rest of us is irresponsible.
Do you care about the security of your wireless mouse?
ISP has problems with boxes infected with malware. ISP identifies and blocks said boxes. Block is only temporary, and will be lifted when customers disinfect their boxes.....
Where's the story?
Burn up the SMTP servers, then take your lumps.
All responsible ISPs should apply that logic. Too bad money often replaces responsibility so much.
Never play chicken with a passive aggressive.
Right- I can smell a cake burning. Let's add more flour! Come on- more flour!
Oh- right- let's take the cake out the oven...Seems a sensible thing to do to me- tackle the computers causing the problems, rather than trying to react to the problem itself.
Although, tackling the writers of the infecting programs would be good too, if somewhat harder. These are drastic measures, but given the average BigPond user is much less a geek than anyone frequenting these parts, this will probably be the first time that most of these users will know about it, and given BigPond's previous problems with mail-servers, perhaps they're striking before the problem gets too out of hand.
Although I don't understand the purpose of a trojaned machine repeatedly hitting a DNS server, is this an attempt to cause an overflow and therefore making the DNS server itself vulnerable?
<? include ('signature.inc'); ?>
if BIGNUM% of PC's are malware-infested (I've heard 80% tossed around) and they get disconnected, suddenly anyone who's looking at their web logs will think that an unusually high number of Big Pond users are on Linux boxen, Macs, etc.
If more ISPs did this, maybe we'd see a decline in sites that only work in MSIE...
Village idiot in some extremely smart villages.
I think this is a good idea as well. I work in technical support, and the amount of infected machines I have to deal with is just phenomenal. Cutting off the machine's access to the internet both fixes the problem. The customer goes "WTF" and I say.. yea your machine is infected. Either install nix or go to a computer store. However it's open to abuse... define excessive traffic.. and what traffic is malware or legitimate traffic. However... since a good 90 percent of spam comes from infected machines as well (go windows you good thing go) it's all thumbs up from me.
is that "(excess traffic)-causing trojans" or "excess (traffic-causing) trojans"?
i.e. can you get kicked for having only one trojan, or is there a threshold ?
Not all people pick up the phone and tolerate the script. Some people actually try to diagnose the problem first.
Most ISPs have language in their terms of service that permits this action. It is a shame that an ISP need to have their services almost knocked out before taking action.
I'd like to see some ISPs that ignore trojaned machines or support spammers get sued by other customers when their IP blocks end up on block lists.
Fight Spammers!
I'm sure there's firewall logs one can examine and filter through. Users that are connecting to remote clients on strange ports, or excessive ping requests to a certain ip address, or a port connection across a wide range. With that, someone can filter the IP, and block the customer. That being said, that's a lot of customers being blocked. But it would speed up, no? Though the logging might hurt response times a bit. :\
c/f/s
Disconnections from my University network pushed me to give GNU/Linux an earnest try. People may not switch in droves, but there may be just enough resultant frustration to have a positive effect.
Okay, so a philosopher, a philologist, and a philatelist walk into a bar...
My ISP (plus.net) monitors any communications on port 135 etc and if it detects any when you're connected, you get redirected to a Plus.net "you may have been infected with MSBlast" page etc. And gives you the links to tools to fix it.
Very handy indeed.
All of these infected Windows boxes are killing the net. If ISPs would simply yank them as they show signs of infection (trojan, worms, etc) UNTIL the customers can demonstrate that they have taken care of problems, then things would be a lot easier.
That's not to say it isn't impossible, but it wouldn't surprise me that taking a laptop/ipod/some other storage device big enough around to another friend's house and getting all the updates is going to be beyond most people.
Also, last time I checked, I can't download all the updates that have been developed after XP SP2 was released from a machine running Windows 2000.
(side note: I'm on a 56k modem at home and therefore don't have a spare 3 weeks to get the several hundred megabytes of updates - and autopatcher xp hasn't been updated after sp2 was released)
Dutch ISP Xs4All has been doing this for months/years, blocking all traffic (most notably SMTP) minus SSH and access to their HTTP proxy.
Lucky they're ringing up the user, because otherwise the user will just assume that they've been disconnected. Yet again. Bigpond is terrible with keeping its users online (I'm talking broadband here), and believes that two to three disconnects per day is perfectly fine, even when those disconnects last for an hour or more.
I can see it now:
Customer: My broadband is down again.
Bigpond: Oh, I see. Well from time to time this does happen for a brief moment...
Customer: It's been down all day, and it's happened every day this week.
Bigpond: I see.. What's your account *clickety* Oh yes, we've marked you as a computer with a trojan. Please do a virus scan and call us back, if it comes back negative we'll re-connect you.
I'd go with someone else but they're the only broadband provider for my area. And I live in Sydney (the suburbs, an hour from the city itself)
Cox Cable has been doing this since the summer of 2003. A blessing in my opinion.
Look, I'm ALL for ISP's disconnecting "polluting" PC's. They just better make damn sure it's not legit traffic.
My ISP does exactly this, if it suspects trojan traffic it shuts you down (and snail-mails you). You subsequently call the helpdesk, they ask what you did to resolve the matters (The ISP provides FREE anti-virus and firewall software). If they are happy with your counter measures, they'll reconnect you in a jiffy.
If you can explain you have a legit reason to hit DNS 9765 times per second, I suspect they'll unlock you too.
I love it.
*whistles innocently*
If Telstra is like any other large ISP I've seen, I figure that the first thing they should do is hire (or allocate) a good gaggle of AUP investigators so that their intelligence on this problem is reasonably real-time.
They could also write some scripts to log and categorize the DNS queries that they're getting from their customers. It should be fairly easy to automatically identify the worst offenders. You could then send notes to their owners, and if there's no reasonable response, pull the plug. Over the last few years, I think that I've written scripts to do pretty much everything but the last step, so I know it's doable. (that last step should almost always be manual).
Free Software: Like love, it grows best when given away.
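The "log and categorize the DNS queries ... identify the worst offenders" step described in the comment above, as an added example that is not the commenter's script and not anything BigPond runs. It assumes BIND9-style query-log lines (the sample log is constructed inline), buckets queries per client per second, and reports only the clients whose busiest second exceeds a threshold; the threshold value and the client addresses are made up for the demonstration. Disconnection is deliberately left out, matching the comment's point that the last step should be manual.

```python
"""Rank resolver clients by peak queries-per-second from query logs.

Added example, not from the thread. Assumes BIND9 "queries" category log
format; the log below is constructed, not captured from a real resolver.
"""
import re
from collections import defaultdict

# Matches lines such as:
# 12-Jan-2005 10:00:00.001 client 10.1.1.20#3000: query: www.example.com IN A +
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (one-second bucket, client IP, lower-cased qname) per parsable line."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("name").lower()


def rank_clients(text, threshold_qps):
    """Return [(ip, peak_qps, distinct_names)] for clients whose busiest
    second exceeds threshold_qps, worst first.

    distinct_names is reported alongside the rate because a flooding host
    that cycles through many names looks different from a busy cache.
    """
    per_sec = defaultdict(lambda: defaultdict(int))  # ip -> second -> count
    names = defaultdict(set)                           # ip -> set of qnames
    for sec, ip, name in parse_query_log(text):
        per_sec[ip][sec] += 1
        names[ip].add(name)

    report = []
    for ip, buckets in per_sec.items():
        peak = max(buckets.values())
        if peak > threshold_qps:
            report.append((ip, peak, len(names[ip])))
    report.sort(key=lambda r: r[1], reverse=True)
    return report


def constructed_log():
    """Build a synthetic log: one ordinary client and one flooding client."""
    lines = []
    ts0, ts1 = "12-Jan-2005 10:00:00", "12-Jan-2005 10:00:01"
    for i, name in enumerate(["www.example.com", "mail.example.com", "slashdot.org"]):
        lines.append(f"{ts0}.{i:03d} client 10.1.1.20#3000: query: {name} IN A +")
    # Constructed flooding client: 150 queries in one second, 120 in the next.
    for i in range(150):
        lines.append(f"{ts0}.{i:03d} client 10.1.1.99#1025: query: host{i}.example.net IN A +")
    for i in range(120):
        lines.append(f"{ts1}.{i:03d} client 10.1.1.99#1025: query: host{i}.example.net IN A +")
    return "\n".join(lines)


if __name__ == "__main__":
    # Threshold is an illustrative value; a real one comes from the
    # resolver's observed per-client baseline.
    for ip, peak, distinct in rank_clients(constructed_log(), threshold_qps=100):
        print(f"{ip}: peak {peak} q/s, {distinct} distinct names -> review")
```

Run against a real query log, the report is the input to the human review step: an operator looks at the top entries, contacts the owners, and only then decides on a suspension.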
Aussie ISP Internode (one of the better alternatives to BigPond) deliberately block various types of malware (usually port blocking but other means have been employed such as IP blocking a client's IP) and an advisory is placed on the service status page indicating what is blocked and for how long.
LOAD ".SIG"
PRESS PLAY ON TAPE
Why not simply do a precise measurement (get the netflow from the router) and take actions based on correct data rather than guessing?
I for one wouldn't want to be cut off by my ISP because someone at the ISP is guessing.
That is bad, because those trojans normally use ports they have not reserved with IANA and that are used by other services.
Putting up random port blocks for everyone is going to cause random problems to legitimate users.
Attempting to strangle ADSL adoption, killing the national BBS community when the Internet first became mainstream in Australia in order to force adoption of Big Pond, and a host of other offenses meant that after an extended period of shopping around, I finally stopped using Telstra as a carrier completely last year, and they can now consider themselves permanently boycotted as far as I'm concerned. They are one of the most short-sighted, destructive, and generally amoral corporations I've heard of. They were also vocally criticised by Bill Gates during one of his visits here, for their strangulation of broadband adoption.
Apart from the above, to some degree there are now price incentives to use other carriers as well, particularly for voice. If you've got a credit card, you also might want to check out TPG for ADSL...they probably have the best deals I've seen.
NTL (UK cable provider) does this. They once started redirecting all HTTP requests from our home network to a page saying "You have netsky. Download this." or something. I had to try this with the Linux box before I believed this wasn't an attempt to distribute malware. Thing is, I checked all the Windows machines with NTL's tool and with Sophos AV, and they were all clean.
Other people with this problem have speculated that Linux machines (which NTL allows but "doesn't support") are sometimes mis-detected as Netsky-infected Windows PCs.
The moral is, if this sort of thing is going to become widespread, they need good detection of many different types of network usage, and they need to tell them by phone instead of just giving them what looks like a default-homepage hijack.
In a similar vein, remember MS marking VNC as spyware? Imagine if an ISP starts taking down VNC servers for the user's own security, etc, etc.
# cat
Damn, my RAM is full of llamas.
I bet they emailed the customers about the problem. Telstra rocks!
From what I heard from my Australian friend, broadband is so expensive in Australia that the monthly cost for broadband is more expensive than here in the States (I forget how much). Not only that, it's slower for the price and it caps the user to 5GB a month or some silly low number.
That said, the only thing keeping my friend from switching to broadband is the fact that his dialup account gives him unlimited bandwidth, although capped @ 56k. So in just a little under 9 days, he is able to exceed the 5GB limit using his dial up account (though that requires d/ling non-stop), but that was for calculation purposes only.
But I heard things are slowly changing, and more people are demanding cheaper and better broadband.
And now I'm affected and the ISP doesn't let me connect, how do I get some removal utility?
Redirecting also is much more intuitive than a simple "cannot connect" error.
HI O WISE PRINCE. WHT TOOK U SO DAM LONG?
When computers here (utwente.nl) are infected it is usually automatically detected, resulting in every web request going to "you're in quarantine, you can download clean-up tools HERE, and when you're clean send us a message HERE. Apart from that you can connect to nothing." If you're interested, it's run by the guys from http://snt.student.utwente.nl
I'm surprised it's taken them this long. When one of our customers gets infected with a virus / open proxy / etc... We *gasp* pay attention, shutdown their connection and immediately contact them and help them fix the problem.
It's amazing how quickly you can get your network under control doing this. And 9 times out of 10 the end user is grateful that you were willing to work with them to help them correct the problem.
Fixing infected machines on your network only makes the network a better place for everyone using it.
At one time I had a virus that turned my computer into a POP3 server; the next morning I was disconnected. This itself was perfectly fine, but a few things bugged me. They did nothing to notify me before or afterward about why they disconnected me. To get myself reconnected I had to go through a long process of obtaining the number of the central office of the ISP, calling them between a specific number of hours even though this office was located in a different timezone, and then after all this they told me I needed to get the person who had their name on the account to call.
We've been doing this since the late 90's, what's "news" here? Customers get contacted in several ways, including personally by telephone. If they don't clean their open proxy/smtp relay/virus/worm after that, they get cut off. There'd be a lot less worms and spam around if all ISPs acted this responsibly, what a shame it's taken these guys until now to catch on.
As soon as Bigpond starts disconnecting users based on P2P is the day Bigpond loses out on a HUGE customer base, and their already horrible rep will go further down the drain. No, they won't be disconnecting users based on p2p activities until there is some kind of law (AUSTRALIAN law) requiring them to do so.
...just one more step towards ISPs preventing you from connecting unless you have Trusted Hardware (which is effectively unforgeable) and DRM-enforcement laden software, so we can all be able to run lovely Microsoft operating systems forever and be unable to burn songs we've bought online to CD. Hooray.
I work for a phone company here in Oz, and among other things we resell Telstra ADSL.
I've seen Telstra claim that a customer on a 512/128 line (512kb/s down, 128kb/s up) uploaded 4GB in 20 hours. When I pointed out that this was impossible, they suggested that maybe the user's computer had been infected by a virus - and insisted that I check this before they would investigate.
I then spent some time explaining the concept of arithmetic to the Telstra support desk...
I use Linux, you insensitive clod!
Honestly, though, that presupposes that all zombied PC's are Windows. Why not say so?
Send the affected customers (better yet, all customers) a CD with a free anti-virus, free anti-spyware, a free firewall, an alternative browser, and the latest updates for all of the above plus Windows and Office (including support for ME, NT, 2000, 98 SE, 98, and 95). With it include a letter explaining courteously and simply why security is important. Sure, you'd probably have to get permission from a dozen different legal departments to do distribution of nominally free software on a wide scale like that, but some companies I know would jump at having their demo version shipped.
Back this up with your regular tech support. Yes, some users will be too clueless but a good deal won't. A fair percentage of the clueless ones will catch on quickly when their internet gets shut off and stays off. I can guarantee you the network traffic they'd get would drop to a third of the levels seen before.
Actually, in this perspective AOL's lackluster virus and spyware protection make perfect sense.
With most such set-ups your Internet connection is generally not totally blocked, just severely restricted. Any web request gets proxy-redirected to a page with instructions on how to clean your machine up, and download links from the ISPs local mirrors. Anything else is locked down.
I don't know if this is what bigpond are doing, but that's the usual way to handle this and it seems to work extremely well. My ISP uses a similar trick when users go over quota.
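The quarantine set-up the comment above describes (web requests from a flagged client redirected to a clean-up page, the ISP's local tool mirror still reachable, everything else locked down) as an added example; it is not the poster's ISP's configuration and not BigPond's. The policy function below is what a transparent proxy would consult for each request; the host names, the quarantined address and the mirror paths are constructed placeholders.

```python
"""Decision logic for a quarantine proxy. Added example, not from the thread.

A quarantined client may reach only the instructions page and the ISP's
local mirror of clean-up tools; every other HTTP request is answered with a
redirect to the instructions page so the user sees why they are restricted
instead of a bare connection failure.
"""
from urllib.parse import urlsplit

# Constructed placeholders: the ISP's own hosts, not real addresses.
QUARANTINE_PAGE = "http://quarantine.isp.example/cleanup"
MIRROR_HOST = "mirror.isp.example"
MIRROR_ALLOWED_PREFIXES = ("/antivirus/", "/patches/")


def decide(request_url, client_ip, quarantined):
    """Return (status, location) for a proxied HTTP request.

    status 200 means pass the request through unchanged; 302 means answer
    with a redirect to `location` instead. `quarantined` is the set of
    client IPs currently flagged (kept by whatever detection feeds it).
    """
    if client_ip not in quarantined:
        return 200, None

    parts = urlsplit(request_url)
    host = (parts.hostname or "").lower()

    # Always allow the page that explains the restriction.
    if request_url.startswith(QUARANTINE_PAGE):
        return 200, None

    # Allow the clean-up tool mirror, but only its tool and patch paths so a
    # quarantined host cannot use the mirror as a general proxy.
    if host == MIRROR_HOST and parts.path.startswith(MIRROR_ALLOWED_PREFIXES):
        return 200, None

    # Everything else: send the browser to the instructions.
    return 302, QUARANTINE_PAGE


def release(client_ip, quarantined):
    """Lift the restriction once the customer has cleaned up and called in."""
    quarantined.discard(client_ip)
    return client_ip not in quarantined


if __name__ == "__main__":
    flagged = {"10.1.1.99"}          # constructed quarantined client
    for url in ("http://www.example.com/",
                "http://mirror.isp.example/antivirus/latest.exe",
                "http://mirror.isp.example/"):
        print(url, "->", decide(url, "10.1.1.99", flagged))
```

The mirror allowlist is path-scoped on purpose: letting a flagged host reach the whole mirror would reopen exactly the kind of open-proxy abuse other comments in this thread describe.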
I don't think the ISPs quite thought this plan through. Users aren't going to be able to clean up their computers without tools such as ad-aware and spybot search & destroy. These ppl probably don't even have a virus checker at all. The necessary software is freely available online, but without a net connection these ppl will have to buy $100 of stuff at PC World. And that'll need updating online anyway.
A better idea would be to restrict bandwidth and connections on infected computers. The ISP should also post everyone they disconnect a CD with the usual free tools and instructions on how to use them. Along with Firefox and Thunderbird, of course.
I agree though, action should be taken against owners of zombie computers. They're irresponsibly spoiling the internet for others. Such users who think 'Internet Explorer' is the internet and believe the internet = the web.
While such ignorant users should be allowed to run computers in private, once they're connected to the internet, they become a danger to everyone else. The way I see it, I'm not allowed to drive a car on the road without first taking a test to make sure I can use it safely, and recognise and repair common problems (or at least take the car to the garage). This requires knowledge of both how the mechanics of the engine work, and of the highway code. So why are people who have never even seen the inside of computer and don't realise that connecting an unpatched WinXP box to broadband is as dangerous as speeding down a motorway in the opposite direction to all traffic, allowed to do exactly that?
This is great. Especially since I don't have one of the trojans.
I've complained repeatedly to telstra about slow DNS servers and they pretended they had never heard of the problem. However, the DNS servers are not the only thing being swamped. It can take over 2 hours to get through to their call centre.
The fix I used: the Optus DNS. Works well. Maybe telstra should have a chat to optus on how to run an ISP.
Can I see your green card?
Here at the University of Regina my roommate MachinationX had gotten a virus on his WinXP box (why didn't he have antivirus software?! he's an IT consultant!! but I digress). So our ISP (U of R computing services) not only disconnected him from the network, but refused to let him back on the network unless he agreed to give them his computer and let *them* run an antivirus scan on it, after which it would be returned. I happened to have some of my old backups on his machine at the time, but the point is that our ISP can not only watch your internet traffic (as they have been), but if you "get a virus" they can disconnect you and demand they have access to all your personal files at will.
Blows my mind.
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
My ISP Netcologne disconnects PCs that are infected with trojans and try to infect others. The connection is interrupted and when the customer tries to connect again he can only access one page, that shows an information. He can download Antivir there, too.
There are two restrictions: Netcologne certainly does not monitor all traffic - they react on abuse-messages. And this "service" is not available to business customers.
Bigpond's cable internet service requires special authentication software to be running on the end users' computer (most routers can simulate it)
(this software, btw, only runs on windows)
Where was I? Oh yes.
If you are not running this software, bigpond's routers will block your computer from access to the net. So this is why I am so sure about this:
Ever since about the time the blaster worm showed up, the activity light on my cable modem has been on non-stop. Even when there is nothing but a hub (with no attached PCs) plugged into the ethernet port on the modem.
When I reinstalled my WinXP box last year, I didn't bother unplugging the LAN cable. What a mistake.
It took about ten minutes after I had installed the driver CD that came with my mobo. I was in the middle of installing something else when a RPC error thing that the blaster worm causes popped up. 60 secs later, reboot.
So in other words, telstra's own login servers are infected with the blaster worm. And have been for at least a year and a half. And are constantly sending the blaster worm down the wire to all their customers. It's about time they disconnected them.
My Employer, a large national Cable ISP in Britain routinely suspends service to customers due to nasties on the unsuspecting users PC. Our infrastructure runs daily scripts that scan for open mail proxies and other suspicious ports that may be open. It's just part of the normal security process.
However it never used to be, this aggressive step of securing our network was prompted by the ISP being threatened with a Usenet Death Penalty, twice.
Whether this BigPond story is any different (Because it deals with Trojans rather than mail relays) is another matter...
kill elrond
take elrond
put elrond in cupboard
The Business Class cablemodem accounts with Cox Communications are cut off if their security systems catch suspicious activity (DDOS packets, worm traffic, etc.) or open relays on your network connection. They're very polite about it, explain the problem and how to get it fixed. Their security department's not open after hours, either, so you're horked if you figure this out after midnight.
Haven't had to deal with their nice security people myself (No Windows or Linux or Sendmail here!), but I've laughed at colleagues who have. Mostly the same people who believe a $70/month cablemodem or DSL connection can replace their $800/month fiber line for serious webhosting enterprises.
SoupIsGood Food
Amateur radio operators, for example, have a responsibility to make sure their equipment is working properly, properly tuned, and operated without malicious intent so that it doesn't interfere with others.
So our ISP (U of R computing services) not only disconnected him from the network,
So you get your Internet feed through Uni computing services - noted.
but refused to let him back on the network unless he agreed to give them his computer and let *them* run an antivirus scan on it , after which it would be returned.
That's actually not a bad idea. They want to be sure that the system in question is no longer a problem. I'm sure you can see where a user would have motivation to lie about the scan if it would get him back on the network.
but the point is that our ISP can not only watch your internet traffic(as they have been), but if you "get a virus" they can disconnect you and demand they have access to all your personal files at will.
Blows my mind.
Re: watching traffic, disconnecting users - re-read the Terms of Service you signed when you accepted their Internet access; I suspect you will find they've had these capabilities all along.
However, your comment about demand... access to all your personal files at will is completely ridiculous.
First, computing services will only need to examine your PC if it causing a problem for other users; if things have gotten to this point you are either unable or unwilling to maintain the machine yourself and have effectively abdicated this responsibility.
Second, you probably already gave them permission to require such a scan when you agreed to the ToS (see above).
Third, who says your personal files have to remain on the machine if/when you turn it in for virus scanning?? Your roommate was told to deliver the computer; he can sanitize it before he does so. (This should be obvious.)
The University is not a commercial ISP. They provide the Internet access as a tool for you to use to further your education. It is a shared resource, and if you are causing problems they can rectify said problems as necessary based on the ToS. If you don't like their ToS you are free to go back to dial-up or pay for a T1.
I want to drag this out as long as possible. Bring me my protractor.
I wish timothy would post actual news but anyway...
Compromised PCs are not the cause of Telstra's problem. Their unscalable DNS server cannot cope with the large amount of subscribers. Telstra will not admit that they failed to plan accordingly, so after adding more DNS servers they blame it on the end user. Same problem happened with email a while ago. It was taking up to 30 days for email to pass through Telstra's servers. They blamed it on a mail based worm and their solution was to install more mail servers by the truckload. They blamed Sun's ONE products and HP servers (HP/UX) also for this incident.
We have disconnected your computer from our network because we have reason to believe your computer is infected with a virus, causing serious network problems.
Please scan your computer for viruses by going to the following website address....
Hell yeah, I can't count how many people have been killed by lunatics and their unpatched XP boxes.
Let's keep our analogies under control please.
Probably because they are not posing any danger to human life as would have been in your analogy.
I agree with your post completely, but from TFA:
Another said: "I am having problems loading Web pages, I get the 404 [page not found] error. I have to retry five to 10 times to get some places."
I may be daft but I don't understand how a DNS or network capacity problem could cause a web server to respond with an explicit "404 File Not Found" HTML error. I could see a timeout, DNS error, or any number of other errors, but a 404 would mean literally that you contacted the web server, it was unable to find the specific file you requested, and it successfully reported that back to you.
Hopefully the forum poster that is quoted in the article just thinks every HTML error is a 404.
I'm a big tall mofo.
It's rare that an AC leaves a comment that can even see insightful, let alone actually contribute something. At least here in the US the phrase "We reserve the right to refuse service to anyone" would apply. Their network, their rules. If you go into a nightclub and start spewing feces on the other patrons, they don't refund your cover charge when they throw you out.
Deal with it, and clean up your fucking computer.
Never underestimate the power of stupid people in large groups.
Granted, this is a regional ISP in BFE North Dakota but it still counts and ISPs have the right to do this. My M-I-L gets DSL in two weeks, should make for interesting times.
-EB
Do you ever walk alone like a drifter in the dark?
I've worked for 3 ISP's in the midwest, and all of them have had no tolerance policies that allowed them to cut the customer off at the first sign of spam, trojan or virus activity. I personally have cut off dozens of accounts this way, and why not? People are responsible for their own machines, asking them to keep them cleaned up isn't unreasonable in my opinion. In fact, asking us to keep supplying service to them while their rogue systems flood the net with crap is a lot more unreasonable than that imo. This isn't like their bill is a day late or something, this is an active malicious attack on the network, of course we aren't going to let it go on regardless of whether the customer is home to pick up the phone when we detect it. That's how it should be.
Sigs are awesome huh?
Really??
J.
You're only jealous cos the little penguins are talking to me.
Trojans and malware are a normal part of free software. Do you really expect to get something for free? Are you saying we shouldn't install freeware any more? I didn't think so. What the hell is with this "DNS" anyway? I'm sure glad America Online doesn't force that on me. Anyway, if they did have it I sure wouldn't request it. I think I've got some spray that would take care of it, but I don't need that hassle. No fuckin' thanks!
--- What?
I've seen it done up here before when the Nachi worm thing was going around. It's a Good Thing, IMHO.
-m
If they indeed talk to their customers and try to get the trojans removed, then this may be a good idea.
I find it kindof funny however that problems with their nameservers is what finally got them to act, while they can quite prevent such infected PCs from messing up for their other customers.
A while ago I wrote a bit about preventing flooding of a nameserver that with a bit of tuning would quite help to prevent the slowness of their nameservers regardless of those trojans. What is more, it would make trojaned PCs that flood the nameservers mostly unusable without hindering normal clients, giving their customers more of an incentive to deal with it themselves.
Nothing stopping you from a setting up a local DNS server.
Unless this DNS server can connect to other DNS servers on port 53, having a DNS server isn't going to do you much good with respect to accessing the public Internet.
...I'm disconnected... I call tech support... they tell me why I am disconnected...
...and if I do have a connection... how am I supposed to keep my Windows clean long enough to patch it ??
How am I going to patch my system if I don't have a connection ??
I really hate you "WHY IS THIS NEWS?!!!!" crybabies. It's news because this particular ISP is doing something which it previously was not. See how that works? Something HAPPENS, and then someone REPORTS that it happened, and then the story gets posted here because its subject matter appeals to a large portion of this site's readership. Are you so blindingly stupid as to actually need this explained to you? It's the fucking dictionary definition of news.
By the way, most ISPs still are NOT doing this. Time Warner's Road Runner, for instance, never even looks in the direction of a trojaned machine on their network - at least in my area.
I sniff our network and suspend them (drop their DSL link), if they are sending out a whack of spam or viruses. I call their house and leave a message explaining why they won't be able to get on the internet and how to fix their PC. When they think they have it clean, I turn them back on, sniff again, and let them know what the deal is. I haven't had one mad person yet. People understand (when I explain it to them) that their machine will infect their friends' machines, and so on, and so on, and eventually the network will be clogged. I would never cancel a customer's account because they got infected, but I will suspend them for a few days.
You create your own reality - Leave mine to me.
Are "over-rated" mods ever put up for metamoderation? Is "overrated" just a cowardly way of dinging a post you don't like? Or is there more to it?
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
(Sorry, part of that was venting. I didn't mean for it to be as caustic as it might read. I had a guy call in expecting for us to keep his computer clean of viruses the other day, so that's fresh in my mind.)
XS4ALL, a large Dutch ISP who tries to maintain an elite status amongst nerds here in Holland by suing Scientology, has the nasty and undocumented habit of shutting down people's based on one complaint and with a 2 hour mail notice up front.
/Marijn
They have cut me off a few times because I was sending legitimate traffic on a port which was used by the current Windows virus. So much for experienced system operators...
This is not a liability issue,
This is like the ISP Road Department analogy from a story yesterday. The ISP is not so much checking the contents of passing cars on a highway for contraband.
This is more like the Highway Department kicking cars off the road because their owners have allowed them to degrade to horse-drawn carts and all the horseshit on the road is causing problems with slow traffic and time and money to clean up the mess. I say this is a good move.
I tell customers to either go to a friend's house and burn the new software (I give them all the URLs), or I burn them a custom CD and have them come into the office to pick it up. I don't charge them for the CD, and I use it to distribute Firefox/Thunderbird/Spybot/Stinger, etc, etc, etc. Eventually I will set the network up so I can just redirect users to a webserver with all the needed tools on it.
You create your own reality - Leave mine to me.
Telstra / BigSwamp doesn't exactly have the brightest reputation in the anti-spam community. However, at least they're starting to do something about the problem; they should at least get credit for that. It's too bad service providers have to turn into AGIS before they start taking proactive measures to be a good netizen.
It's true no man is an island, but if you take a bunch of dead guys and tie 'em together, they make a good raft.
Did the same to me when my fooling around with the proxy made it a bit too open (at one point had it open to my work IP, later changed the firewall rules not remembering the proxy was active and made it open to the world).
In under a week, and with a few complaints, Telus had canned my connection. Of course, I had already found the problem a few days earlier on my own (thanks to slashdot, which will tell you if you have a known open proxy, thanks slashdot!).
I was connecting to home from work to download some docs and suddenly the connection canned. When I went back to check (I needed those docs to finish my job) I found a message on my machine stating I'd be shut down and to call them.
However, it wasn't too big a hassle as I just called Telus and informed them that the proxy was unintentional and had already been closed sometime earlier. A few moments later, and I was back up and running.
Though this was a personal inconvenience I'd much rather have my ISP nuking the spamming idiots etc than letting them pollute the internet. I *did* update their phone records with my cellular # so that they can catch me before they disconnect my service next time though.
"Joe Sixpack would be better off if the ISP would install a centrally administered system administration client on his machine that automatically scans and deploys the latest anti-virus program"
Windows XP already has this. Automatic Windows updates should do just that for their pet AV program.
There is also a huge liability issue for the ISP implementing such a process. They don't want to be responsible for a software failure on someone's box.
As for opting out... I work in the Acceptable Use dept for a broadband ISP and I wish I had a nickel for every Joe-Sixpack who thought he was too l33t to be pwn3d.
All that is moot however as the issue here is with TROJANS which anti-virus programs are useless against.
The customers have to be educated. If their car is unsafe to drive and the police yank it off the road until it's road-worthy, the driver can't demand assistance from the government that gave them their driver's license; the state of the vehicle is the owner's responsibility. And so it is for ISPs. ISPs aren't in the business of computer repair.
I'd like to say it again:
ISPs aren't in the business of computer repair.
If shutting down their cable modems until they have a real PC tech secure the system is required then that is what ISPs need to do.
This has been done in Finland by Elisa Communications for some time already..
If your machine has a large amount of traffic outwards from shady ports, they'll disconnect it, and forward all HTTP requests to their announcement of the matter.. The funny thing is, their customer service sucks, and it's a tad hard to, e.g., get a firewall when they've just cut your only way to fetch it..
Is a simple "Good" too apathetic?
Ok...
Computers should be like pets in my opinion; if you can't be bothered to clean them up and make sure they are ok you shouldn't be allowed to have one.
Additionally, if your "pet PC" hurts someone else because you don't look after it right... How about you become legally responsible for it; just like if your dog goes postal and eats a local kid.
Mandatory IQ tests for online computer usage!
(Just in case: I am not being 100% serious here. You never know on /.; someone may not get it...)
www.whitedust.net
Personally, I think this sends the right message. If you're a complete idiot you don't deserve an internet connection, especially when other people have to suffer because of your idiocy.
I've had some phone calls lately from clients that were disconnected from Roger's Highspeed Cable because they were trojaned or mass mailing. After inspecting 3 systems, they were all infected with NetskyP and Bugbear.
Both were very easy to remove, I even used Microsoft's Malicious Software Removal Tool (gasp) that was quick and easy. I wish they would kick all of these infected PCs offline and we wouldn't be dealing with these erratic spikes that have now turned FPS gaming into a modem-like affair.
I bet a few of the "free" antivirus companies, like AVP, could make a killing sending out "AOL Like" demo CDs that cure the ails of all these banished network newbies.
I use BitTorrent to download and upload lots of music on my DSL line - all of it legal concert tapes from etree etc. or free downloads. And I also use it for Linux and other software distributions.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
The way I see it... connecting an unpatched WinXP box to broadband is as dangerous as speeding down a motorway in the opposite direction to all traffic, allowed to do exactly that?
Yeah I remember just the other day when that unpatched box killed 3 people by being connected to the internet.
Simply put, "the way you see it" is wrong.
It's a bit hard to moderate "overrated" well, because you'd really want to know what the rating was when the moderator moderated it.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Strange. I've metamoderated a couple dozen times now, and have never seen an 'underrated' or 'overrated'. I will keep an eye out, though.
See my journal for slashdot ID's by year. Mine created in 2005. http://slashdot.org/journal/289875/slashdot-ids-by-year
For about 2 months now, my Bellsouth DSL service has been slooooooow, and it sounds like it's the same issue: DNS requests. About 75% of the time when I try to go to a web page, Firefox just sits there with a "Looking up %host%..." message in the status bar.
I know a Swedish internet provider named Telia, who also does this. Except what they do is redirect all your HTTP requests to a site with "You've been blocked off." and information about why this has been done. My school mate (a girl :O :P) wanted me to help her out, since they'd got blocked off the internet. I spent 3 hours cleaning off like 30 different kinds of viruses, 5-7 of the same one, 400 spyware, etc. etc.
Well, at least I got paid to do it. I like her Dad, coming in.. and he's like.. "oh finally.. Thanks for helping us out, would you like some payment?" I mean.. Should I say no? Haha :D
Hope more of these ISPs do this.
(P.S.) By the way, all other ports' traffic was disabled. So only traffic on 80 (to their "You're blocked" page) was "activated".
w00p
In the Soviet Union, signatures writes you!
The user should be responsible for their machine.
If users started getting fined for trojaned PCs they would start holding manufacturers accountable and use better software.
How many people here on /. are the family and friends IT department?
Fight Spammers!
Say a spam email takes a second to delete. A zombie computer sends thousands a day. Run for a month: wasted hours. Average life expectancy 70 years. Yeah, if you were your zombie computer sending spam for a couple of millennia you would have wasted three person-lives. It's not killing one person, it's killing everyone else very slightly.
Wrong. Overrated and underrated are immune to M2.
They're supposed to be used to override other moderators. For example, if a comment is scored +5, Insightful but only deserves a +3, then a moderator could mod it Overrated since its score is too high. Following this reasoning, because you don't know the original score of the post at the time it was modded when doing M2, Overrated and Underrated are not M2ed.
The problem is that they're always available. So if a post currently has 3 up-mods, you can still mod it overrated/underrated. If a post has 2 down-mods, it can also be moderated Overrated, despite the fact that it's already been rated down.
Overrated and Underrated are supposed to, in theory, be used by moderators to keep other moderators in check. They don't always get used that way. (Although sometimes they do.)
Personally, I believe they should be removed.
Real privatization usually has some market distortions, because the former monopoly is usually in a strong position, and it takes a while for competition to build up. But it's better than not doing it. On the other hand, bogus privatization, e.g. spinning off the company into a profit-making corporation but letting them keep monopoly power through regulatory mechanisms and owned by friends&relatives of the politicians in power, is usually worse. (Not always - even a quasi-monopoly can occasionally see that it makes more money if its customers like it and if it has higher-value services to offer.) A typical problem in places like Caribbean islands was that the monopoly PTT was Cable&Wireless with a few highly-paid positions for high politicians, and they'd insist on maintaining an expensive and antiquated wired telephone system because it "creates jobs" for lots of people, when it would be cheaper to replace the whole system with a couple of cell towers stuck on different sides of the mountain.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I use those all the time. There are some things that I think people should read (i.e. be modded highly) which aren't "interesting" or "insightful." Say, for instance, instructions on removing spyware from Windows or something. In those cases, "underrated" seems to be the best moderation fit.
Although I think the moderation categories need to be re-thought. In particular, there needs to be more use of "redundant," I'm getting fucking sick of seeing the same lame-ass jokes over and over again.
Comment of the year
But a spammer *could* adapt to this by using DNS servers that aren't from the local ISP, or using spamware that downloads the victim's IP address along with their domain name. It's an arms race. Blocking Port 25 is more effective - Blocking it for everybody is a Bad Thing, but blocking it by default and letting users enable it themselves is fine. But until the spammers start working around DNS servers, they're a potentially useful hook for identifying problem customers.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Also, it's a lot harder to tell what's really spyware - most of the spyware products I've used complain if they see cookies from Usual Suspects, but some of them have complained about the adware in Sponsored-Mode Eudora (yes, it's there, and it's the cost of using the free version of the software.) Some of it has even complained about things found in my Windows Recycle Bin.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Also, "broken" printers *can* be a problem for desktop supporters. Sometimes the problem is the printer hardware, or the ink running out, or the coffee-cup holder on their machine breaking, but often the problem is something with Windows setup. I'm using a work-managed Windows 2000 laptop, and there's some sort of permissions problem that keeps me from using my USB printer at home (it can support it on a parallel port, but if I plug in non-storage USB devices it says I'm not allowed to do that.) My home PC supported the same printer ok until XP SP2 came along, and now it complains about drivers every time I reboot because I'm using the vendor's driver and not Microsoft's (it still works fine - *because* I'm using the vendor's driver and not Microsoft's :-)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I wish you would stand up for what you believe in by logging in. Moderation is clearly broken and needs to be fixed. Another problematic moderation is "Funny". I wish people would just use interesting. It exposes you to loss of karma. Karma is easy enough to get but some people don't post that much and I feel that humor is at least as important as anything else around here.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
But there are several other protocols for sending email that don't look like Port 25 to the ISP. There are a couple of SMTP-submission protocols which let you set up a connection to a mail server where you have an account and do various kinds of authentication, including some that use SSL encryption. Alternatively, you can do SSH or IPSEC or other VPN tunnels to your email provider. And then for us old folks, there's always "login to a shell account" :-) (Kids can use webmail instead.)
As far as email-over-telepathy goes, Dan Kaminsky recently demonstrated IP-over-DNS tunnelling at Codecon. It's really really evil - he was even able to do video-over-IP-over-DNS by coopting about 25000 DNS servers. I'm pretty sure he was the guy who did a lot of the IP-over-HTTP tunnelling a couple of years back, and he's done lots of other creative work with detailed protocol analysis.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
That's because Bill doesn't know what he's talking about -- Overrated and Underrated do not show up in metamod, and thus are a favorite choice for abusive moderators. The problems with this scheme have been explained to the Powers that Be, repeatedly, ever since the current metamoderation scheme was implemented. However, as with most things, Taco apparently either doesn't care or happens to like the ability to moderate without accountability.
How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
The reason zombies are heavy DNS users is that they're trying to send a million emails a day, so they need to look up probably 10K-100K recipients' domains, depending on how much reuse they can get away with, and even if they're running on a PC with a caching DNS server, they're going to blow out the cache if they don't have them all sorted (and they probably *don't* have them all sorted, because they're trying to evade spam detection on the recipients' ISPs.) Also, the spamware probably doesn't have very intelligent DNS handling in it - if it did, it would probably go to some other DNS server or do something else to evade detection, though using the ISP's server does scale well if the ISP is competent.
An intermediate step they could take would be to put heavy DNS users on different DNS servers than the light users. Most PCs get their DNS server addresses from DHCP configuration, so they can do fancy things at DHCP lease renewal time like load-balance their server assignments, but they can also concentrate the heavy users. That might be a good way to put their email connections through more thorough spam-filtering than the average user gets as well.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
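The DNS-usage hook from the two comments above (zombies as heavy resolver users, and steering them onto a separate resolver at DHCP time), as an added example that is not Bill's code or anything BigPond runs: it aggregates constructed BIND-style query-log lines per client, flags clients whose lookup pattern looks like a mailer (hundreds of distinct names, mostly MX queries), and picks a resolver address per client. The log format, the thresholds and the resolver addresses are assumptions.

```python
"""Flag likely spam-zombie clients from resolver query logs (added example)."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format: BIND 9 style "client IP#port: query: NAME IN TYPE ..." lines.
LINE_RE = re.compile(
    r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)"
)

# Hypothetical resolver addresses for the "split the heavy users off" step.
NORMAL_RESOLVER = "198.51.100.1"
HEAVY_RESOLVER = "198.51.100.2"


@dataclass
class ClientStats:
    total: int = 0
    mx: int = 0
    qnames: set[str] = field(default_factory=set)

    @property
    def mx_ratio(self) -> float:
        return self.mx / self.total if self.total else 0.0


def parse_query_log(text: str) -> dict[str, ClientStats]:
    """Aggregate per-client query count, MX count and distinct names queried."""
    stats: dict[str, ClientStats] = defaultdict(ClientStats)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # non-query or malformed line: skip rather than crash
        s = stats[m["ip"]]
        s.total += 1
        s.qnames.add(m["qname"].lower().rstrip("."))
        if m["qtype"] == "MX":
            s.mx += 1
    return dict(stats)


def flag_heavy_dns_clients(stats: dict[str, ClientStats], min_total: int = 100,
                           max_unique: int = 200, mx_ratio: float = 0.5) -> list[tuple[str, str]]:
    """Return [(ip, reason)] for clients whose lookups look like a bulk mailer.

    A browsing PC repeats a small set of A lookups; a zombie resolves
    thousands of distinct recipient domains, mostly as MX queries.
    """
    flagged = []
    for ip, s in sorted(stats.items()):
        if s.total < min_total:
            continue  # too little traffic in this window to judge
        if len(s.qnames) >= max_unique:
            flagged.append((ip, f"{len(s.qnames)} distinct names in window"))
        elif s.mx_ratio >= mx_ratio:
            flagged.append((ip, f"{s.mx_ratio:.0%} of queries are MX"))
    return flagged


def assign_resolver(ip: str, flagged_ips: set[str]) -> str:
    """DHCP-time decision: hand flagged clients a separate resolver address."""
    return HEAVY_RESOLVER if ip in flagged_ips else NORMAL_RESOLVER


def build_sample_log() -> str:
    """Constructed sample: one browsing customer and one spam zombie."""
    lines = []
    for i, name in enumerate(["slashdot.org", "google.com", "slashdot.org", "bigpond.com"]):
        lines.append(f"10-Mar-2005 21:05:{i:02d}.000 client 203.0.113.5#51234: "
                     f"query: {name} IN A + (198.51.100.1)")
    for i in range(300):
        lines.append(f"10-Mar-2005 21:05:{i % 60:02d}.000 client 203.0.113.77#1045: "
                     f"query: recipient{i}.example IN MX + (198.51.100.1)")
    return "\n".join(lines)


if __name__ == "__main__":
    stats = parse_query_log(build_sample_log())
    flagged = flag_heavy_dns_clients(stats)
    heavy = {ip for ip, _ in flagged}
    for ip, reason in flagged:
        print(f"{ip}: {reason} -> resolver {assign_resolver(ip, heavy)}")
```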
I wish more ISPs would do this. I'm STILL getting Code Red and Nimda traffic!
Every time I tried to connect a Usenet site for help I was refused access because I was root.
Maybe another idea for the Telstras of the future...
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
I don't know what is funnier, your analogy or the fact you felt it was so important a point that you made it bold. Like they say in the cartoons; settle down Beavis.
DKone
No, they won't be disconnecting users based on p2p activities until there is some kind of law (AUSTRALIAN law) requiring them to do so.
It's called the "free" trade agreement, or more accurately to some critics, the "all your law are belong to U.S." agreement.
Disconnecting from the net is the only way to do this,
I get your point though, regular cleaning and maintenance and the use of Firefox, spyware removal tools, and AVG Antivirus all definitely help.
I wonder after enough people get disconnected if they will switch to Linux.
...the light emanating from the cathode ray tube display, the only remaining light in his parents' basement, winked out.
He was now faced with the prospect of climbing up the stairs, to face the outside world. At least, starting with the living room.
The Internet service provider -- Australia's largest -- said the number of bogus requests to its domain name server (DNS) had "on occasion" reached a level where some customers have reported slow responses to their legitimate requests for Web sites or e-mail.
Someone trying DNS cache poisoning attacks?
I would agree with you, but almost everything marked as "funny" is the same 5 jokes over and over and over again, and they are only funny the first time. What really needs to happen is that the weirdos marking these are "funny" over and over again need to start making use of "redundant."
Comment of the year
Man, the number of issues I had getting my PC to work with BigPond cable.
And, yes, I was suffering DNS issues big time. So much so I gave up the DHCP configured DNS servers and configured my PC to use specific ones in Optus and TelstraClear (in New Zealand).
About the only thing that runs CORRECTLY on BigPond is peer-to-peer without the requirement of DNS..
I feel sorry for the poor Gumbys who are getting cut off. Sure they're the cause of many a problem, etc, and this is good in many ways, but I work in a University and we already do this to residents of our on campus accommodation.
Let me tell you how it works. Someone gets a trojan and it makes a nuisance on the network. We disconnect them until they "clean it". Here's the rub - you're now relying on someone who is clueless enough to get infected in the first place to FIX THEIR OWN PROBLEM... WITHOUT A NET CONNECTION.
Oh sure "just download this patch". "I can't, you disconnected me..." "Oh yeah.."
See the issue?
So what happens is they just lie. They say they've fixed it and they haven't. Or they remove the virus but don't fix the cause of the virus in the first place, so you reconnect them and 10 seconds later they're infected again.
Now this is hard enough with 1000 odd students. Imagine having to queue up for an hour on the BigPond help desk only to find out they only reconnect people between normal office hours? Or you have to jump through many hoops to get back online?
I feel pity for the people this happens to...
P2P etc are not a reason for the ISP to disconnect but if the ISP does nothing about trojans their service is cut because people like this site, /., will block whole blocks of IP addresses if that block is attacking them. I was cut off in this manner because someone on my ISP had a trojan that was attacking /. So the ISP gets blocked and the customers get unhappy and say things like 'do something now or I go elsewhere'. They must do something to protect their business.
I pay for unlimited use and do not want that unlimited use disturbed by morons that cannot keep their machines clean. I am also downloading some of the latest Linux goodies on P2P.
I love stacking my barbecues in the shed at the end of summer - you can't beat a bit of grill on grill action.
Here is the thing, and this is not a Microsoft bitch either.
I do not and can not understand why ISPs won't block TCP/UDP ports 135, 137, 138, 139, 445 and 554 on their routers.
There is absolutely no reason to be using these services on the Internet.
In fact, if you are stupid enough to want to use these services on the internet, the ISPs have a duty of care to protect you from your own stupidity.
It would not solve all problems, but it would solve a hell of a lot of them.
These ports are meant to be used on private internal networks where there are logs and usernames and passwords with enforceable consequences when you do something you're not supposed to, and generally a reasonable amount of sharing of information is preferred over locking everything up.
It's the same tired old chart of security versus accessibility/usability.
There are flaws in Microsoft's operating systems, but to be honest, if you leave open access to any operating system across the Internet, it is going to be compromised sooner or later; it's just that the Microsoft ports (as I call them) are such a visible and easy to exploit problem, that can be readily solved with little to no difficulty for anybody!
...how far away is slashdot from comment #12345678?
Got time? Spend some of it coding or testing
Because it is not; people don't die from unpatched XP machines.
Having said that I do agree that people who run zombied machines are A**HOLES
I use Telstra/BigPond at work and in the last month and a half it's almost become unusable at times with page errors on Google and other big sites. They already block ports (25) to stop infected machines sending spoofed spam, but I think there is still more they should be doing.
Telstra/bigpond would never disconnect me for heavy usage, I use the internet everyday for everythi...[CONNECTION LOST]...
well they say you can't complain about the service when there is none. [sVen]
Ahhh, to be caught by a big fish in a little pond, it will cost you, paying through the gill. This big fish will not only spy on you, but also hack into your credit rating. The sweet sound of sickly customer service, with very little actual service. Don't forget the shares being traded around the globe ATT an amazing rate, oh yes, and I think the fedgov want to sell it off altogether, maybe the lumbering infrastructure has got old. I do remember Aussies all proudly saying how this was the way to get call costs down to next to nothing; never happened. It costs you to be EXcluded from their directory, or to be DISconnected, but who's going to look after all the sub services sharing their lines when it is finally sold off to, yes you guessed it right, US.
I think meta-moderation causes problems with the redundant rating.
I doubt if many meta-moderators really look at the context of the comment when they review the moderation. They see Redundant and think to themselves "hey, that's actually funny/informative/etc, I'll mark it as unfair".
I don't think I've ever seen redundant come up when I've meta-moderated. I'm hoping that the Slashdot chaps realised this problem and deliberately filtered them out.
-- Using the preview button since 2005
I see redundant all the time, and I do look at context before I metamoderate those mods. Generally speaking, however, I only mod those fair if they are redundant to a parent comment, or to the story submission itself. Thanks to the way slashdot caches content, and the time it takes to write a comment someone might actually want to read, you often end up with redundant comments. It seems silly to penalize people for being slow typists, and/or for doing research and RTFAing.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
They will happily unblock the port for you at your request. No questions asked.
LOAD ".SIG"
PRESS PLAY ON TAPE
I get moderated redundant about twice a day (thank god for the rather large amount of +5 Insightfuls that cover the stain up).