Slashdot Mirror
OpenDNS To Block and Monitor Conficker Worm
Linker3000 writes "According to The Register, OpenDNS plans to introduce an new service that will prevent PCs infected with the Conficker (aka Downadup) malware from contacting its control servers, and will also make it easy for admins to know if even a single machine under their control has been infected by Conficker: 'Starting Monday, any networks with PCs that try to connect to the Conficker addresses will be flagged on an admin's private statistics page. The service is available for free to both businesses and home users.' With the amount of trouble this worm has caused, perhaps this is a good time to take a look at OpenDNS if you haven't done so already."
Heh, didnt they cash in enough on the Kempinsky non-disclosure-scare already, getting a large user base for their information trading business (heh, as if they offer costly service "for free". Get real! It'll cost you no money but your privacy.) /. the platform for pusing bogus services?
I'm not sure why people around here seem positive about using OpenDNS (as opposed to running your own say).
When I make a type I get an Address Not Found error and THAT'S THE WAY I LIKE IT.
Well if this is censorship (and that's debatable) then it's "opt-in". Personally I have no problem with that, as long as you know and have opted FOR it, then that seems fine.
The biggest problem with censorship is it distorts your ability to know the truth - if you say: "Don't show me this or that" you still have the ability to know the truth, you're just choosing what you see and what you don't. But we do this everyday, we read one newspaper over another, we listen to particular commentators over others - we all self-censor.
Agree'd. The "Open" in their name is misleading. In reality many consider OpenDNS to be a scam operation.
Furthermore nobody should rely on a DNS provider (of all things!) to report worm infections. The idea is so wrong, it reminds me of the TV scams where they want to sell you a worthless product, bundled with 5 other, totally unrelated worthless products. "Buy this quality home-trainer for only $499 and you'll get this USB-stick, a bar of soap, two lightbulbs and a chinese ipod-knockoff, for free!".
If you're concerned with worm infections then you run antivirus software and maybe an IDS (e.g. snort) on your internet gateway.
Both will report malicious traffic much more reliable than OpenDNS because that's what they're designed to do.
.....instructs its drone machines to report to 250 different internet addresses each day. Without the service, admins would have to manually block 1,750 domains each week, or 91,250 each year.
Wouldn't blocking "this weeks" known IP addresses stop the addition of new ones, rendering the infection impotent?
Enlightenment? It's just a flush in the pan.
Boy, talk about not understanding Internet protocols.
NTP packets are basically "I think it's this time...what do you think", while DNS is "I want to know the IP for www.childpr0n.com".
There just isn't any possible privacy issue with NTP packets, while DNS is basically a record of everything you visit. Heck, if OpenDNS were to modify the TTL in their DNS replies, they could even get more complete data about how often you request each site.
Actually, I must be wrong about you misunderstanding. Nobody could be that dumb, so you must work for OpenDNS (or another company that benefits from their data collection).
In the same manner that you give another entity access to all your NTP syncs.
OpenDNS is basically the same thing as the NTP pool.
Put the tinfoil down, and back away slowly...
I'm really not sure why people keep comparing OpenDNS to NTP. NTP shares the current time, in UTC. This information is not secret and is not a privacy violation because it was already available to anyone who wants it. If knowing your system time helps an attacker to i.e. guess your TCP sequence numbers, that is a weakness in your (pseudo)random number generator, not a weakness in running an NTP daemon.
Compare that to the data that OpenDNS can collect. They can see every hostname you resolve with their service. Not unlike application-level techniques used by various advertisers (web bugs, third-party cookies, redirections, HTTP "ping", etc.) to track your browsing, a list of every hostname you resolve can certainly compromise your privacy. Every site I visit, when I visited it, and an idea of how often I visited it is not "already available to anyone who wants it." Normally, to obtain this sort of information, an attacker would need to either break into this computer and install a program to log and transmit it, or they would need to conduct a man-in-the-middle type of attack against my ISP's network. There's a reason for that.
Why would I volunteer this data to a third-party who otherwise would have no access to it? What's my incentive to unnecessarily trust them in exchange for a service I don't need? It's not like there is anything difficult about running my own caching DNS server (and you can bet I don't use BIND), not to mention that DNS has to be one of the worst ways to deal with the problem of host security. It's just not a tool that was ever designed for this type of job; meanwhile, better tools that are designed for this job are readily and freely available. This might tempt someone who doesn't want to take responsibility for their own security and thinks anyone else should handle it for them, but I recognize that as a personal shortcoming, a flawed idea. The product of a flawed idea is also flawed, so with this arrangement you are merely trading one threat (the Conflicker worm) for another threat (reduced privacy). I can't call that a solution with a straight face.
It is a miracle that curiosity survives formal education. - Einstein
What you're showing is that the troll succeeded in making you rage. He'll now be more motivated to post it over and over, because he knows it works.
I think trying to explain this to people is a lot like back when AOL tried so hard to tell customers that their staff will never ask for their account password. Despite repeated warnings and prompts, the password phishers never seemed to have any problems. Those hardheaded users preferred the convenience of refusing to stop and think or to change their habits because both of those require a small amount of effort.
Likewise, people who feed trolls prefer their little emotional outbursts and the righteous feelings they get from them and are not interested in whether they are part of the problem. The idea that they are doing exactly what the troll wanted them to do does not get their attention. They may claim otherwise or feel inclined to argue with me about that, but this is very simple: when a person's words tell me one thing and their actions tell me another, I disregard their words every time. They don't really give me a choice in the matter.
It is a miracle that curiosity survives formal education. - Einstein
Guess what browsers and web-proxies have done for, umm, 10 years? Mine says "Name Error: The domain name does not exist". What could OpenDNS possibly add to this simple message, other than their spam?
Better approach to what?
Why not just use your ISPs nameserver?
So, you are equating all ads with spam?
If I use my ISP's nameservers,I get slower responses plus error pages from the ISP with ads on them.
The notion that OpenDNS is evil because they run ads is juvenile. So is the notion that they're evil because they keep logs and records. Name me a Unix system or any provider of any kind of Internet services that doesn't keep logs and records.
The phone company knows who you call. What are you doing about that great evil?
It seems you want me to be indifferent about the possibility that endless anonymous admins might get curious about my net behavior, but I'm supposed to be paranoid about OpenDNS?
-- Slashdot: When Public Access TV Says "No"