Should ISPs Cut Off Bot-infected Users?
richi writes "There's no doubt that botnets are a major threat to the safety and stability of the internet — not to mention the cleanliness of your inbox. After years of failure to act, could we finally be seeing ISPs waking up to their responsibilities? While ISPs can't prevent users getting infected with bots, they are in a superb position to detect the signs of infection. Contractually, the ISP would be reasonably justified in cutting off a user from the internet, as bot infection would be contrary to the terms of the ISP's acceptable-use policy."
Should ISPs cut off P2P users that infringe copyrights? Contractually, the ISP would be reasonably justified in cutting off a user from the internet, as copyright infringement would be contrary to the terms of the ISP's acceptable-use policy.
What about posting opinions that the ISP company doesn't like? It's not like it's suppressing free speech, as they are a private company.
Or what about if we just let ISPs be what they are supposed to be, common carriers, before this goes down the slippery slope?
Yes. Some ISPs already cut off P2P users. By comparison botnets are a real threat.
Trolling is a art,
Yes, yes! A million times YES!
A doctor would quarantine a contagious patient. An ISP should quarantine an infected PC.
If I were God, wouldn't I protect my churches from acts of me?
>"Should ISPs Cut Off Bot-infected Users?"
After a suitable warning to the customer/administrator, yes. Absolutely. But it should be made very easy for the customer/administrator to reactivate their service, too.
This is an open door for abuse by ISPs to shut off anyone they think is costing them too much bandwidth.
Yes.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
If it was spelled out this would constitute a usage violation, then fine, I see no problem.
"I use a Mac because I'm just better than you are."
Of cour
They should not, for the same reason ISPs should not filter ports (25, anyone?) like a lot of them are doing now. Also, to see if someone has an infection you would have to monitor the traffic. While that can be automated, it is none of their business. They just rent an internet pipe to me. How I care for the security of that pipe is up to me. That's what I am paying for. I can see that this would benefit some users and would help make the internet 'safer', but installing a good firewall and virus scanner will keep you reasonably safe also. And one thing still goes, btw... if your system is mission critical... consider if it really has to be on a public network. A lot of times it doesn't have to be.
Yes, but not before first providing ample warning notifications by e-mail, SMS, and robocall.
If you cut somebody off from the net straight away, that prevents the person from downloading the necessary file to take the steps necessary to remove the bot.
To blog is sublime
Don't you cut out gangrene flesh?
My cable ISP cut me off in 2001, when my roommate got a worm/bot infection due to bad P2P settings. I understand the good intentions, but it then became difficult to reach the right person who could reinstate service once I convinced them my network was clean.
For all the information the ISPs track from us, they have a responsibility. Pleasing cost (razor thin margins) is no excuse to engage in reckless behavior. In a capitalist society we recognize that if you can't pay for the costs of doing business, you go out of business and your competitors eat your lunch. Preventing crime that involves using your service is a reasonable and legitimate business cost. After all, the botnets tend to be one of the major users of ISP resources - particularly if they are doing a Denial of Service attack. So shutting them down lowers the ISP costs, increasing their thin margins.
excitingthingstodo.blogspot.com
Sure it's fair.
Once you've infected the rest of the Internet with crap, you're costing them more money in tech support calls from people complaining about you. Why would they pay to keep launching your crap packets into the core? Be your own ISP if that's your agenda. If you take care of your network, you won't run into this.
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
Restrict them to a subnet that only contains pages related to removing the malicious software.
ISPs should be responsible for filtering out bot activity, but it's not really fair to anyone to cut them off entirely. After all, it's not entirely their fault they got infected... hell even if they're responsible with updates and activity they could have been compromised by some new vulnerability.
Has firewall technology not been able to keep up with bulk ISP traffic or something?
I understand that users ought to control their own home firewall, but ISPs should have firewalls / filters they control further upstream, where they can add rules to block certain types of traffic only when necessary. But I guess if they have it, then that means they're kinda liable for configuring it effectively and can thus be held responsible for attack traffic that does get through.
Anyway, I don't like the idea of being cut off from network access without at least a few weeks' advance notice and time to respond. Which is virtually an eternity in botnet time... which makes that whole approach somewhat pointless.
They could just redirect them to a portal, where they get informed that their computer is sending out viruses.
The portal would offer a free virus scanner and the option to have several ports closed by the ISP (checked by default) ;)
- ports that could later be reopened by going to the "experts"-page
If the user insists, they of course can go on and use the internet anyway. But only after clicking "ok" to a sentence declaring that they are now informed and
"solely liable to any damage they might do to the internet"
"Your internet service has been suspended due to a virus infection. Please call or email us to get reconnected."
"Common sense will be the death of us all"
ISPs should hand out routers which utilize Network Access Protection by default.
The router should verify if the endpoint is clear for internet access, and if it's not, it should limit user access to antivirus vendors, known OS upgrade services etc. and request the user to follow this link to repair their computer (or have it cleaned by someone skilled enough).
There are (or should be!) multi-platform NAP/NAC solutions to do this.
Of course, users should have an opt-out option, which allows them to disable the NAP and take responsibility for maintaining their systems themselves without "middle-maintenance".
Opted out systems would receive direct disconnect until user verifies by phone to the operator that their misbehaving system has been fixed. (for example, spam zombie)
There are no atheists when recovering from tape backup.
My local UK ISP has been doing this for a while; a good 20% of my work has been from people who have been cut off until their PC has the infection removed. NICE
At the ISP I used to work at more than a decade ago, if we had a customer who wasn't responding to notices by e-mail, we'd move them to a special IP pool, where given ports would be redirected to proxies to make sure they got the message (e.g., you're behind on your payments).
You could use this to give them a message they've been infected, while still giving them access to domains / hosts or their anti-virus software.
Of course, in those days, it was all dial-up, so we assigned IP addresses as they came in ... you could still do something when they refresh their DHCP lease. If they get static addresses, your router rules could get big pretty quickly, and you risk a bad rule screwing everyone's traffic up.
Build it, and they will come^Hplain.
They're Internet SERVICE Providers. Not Internet Police, nor Internet Guardians. They exist to provide people with access to the Internet for a fee. Now a lot of ISPs already do plenty that is contrary to the best interests of the customers. Bad behaviour ranges from price gouging and using misleading advertising, to draconian terms of service (usually because they're able to due to a monopoly or collusion), to playing fast and loose with customers' private data (often in the name of anti-piracy). Do you really want to give these same ISPs the power to take a customer's money and provide them with nothing based on nothing other than their own conclusion that a customer is infected? That's madness. An ISP should be providing a customer with help to remove the infection, not removing their access to the Internet.
These posts express my own personal views, not those of my employer
My parents' PC was a fully functional mail server sending out 4-5 GB of e-mail a day. They didn't know this, of course, and complained about internet speeds all the time. The ISP figured it out pretty fast though and sent someone over to get it off the network and clean it for 'em.
I was quite surprised at how civil they were about it.
crazy dynamite monkey
So on one hand, ISPs should not regulate the type of traffic and should not sniff, etc...
On the other hand, ISPs should cut off virus-infected computers. Apparently, they ARE sniffing or monitoring in some way in order to cut you off.
Just wait for a company to decide that being a torrent feeder is being part of a botnet and thus torrent feeders must be cut off. Good luck getting back on again.
If it is really botnet activity, why not just block the botnet activity but not the non-botnet activity? If you can't determine if it's botnet activity well enough, then how are you going to choose who gets cut off?
(I am not necessarily decidedly against this, but at the moment, it seems to be somewhat hypocritical to be against ISP filtering and for ISP cutting off [on their own]. Enlighten me. :) )
I work at a decent sized regional ISP. If a customer is disrupting the network with blatantly viral traffic (like tens of thousands of simultaneous SMTP connections) we shut them off and have tech support walk them through disinfecting their PC. The exception is if they also have VOIP through us since we don't want to be in the position of having cut off someone's only link to 911. The network engineers don't sit around all day looking for infected boxes, but if performance issues are traced to an infected customer they definitely get cut off.
Rock over London, Rock on Chicago. Wheaties: Breakfast of Champions.
I'm pretty sure I remember Rogers in Toronto cutting me off years ago due to malware-related data they detected coming from my IP address. They gave me 24hrs notice (but I was away at the time) before cutting me off. How a botnet is considered different is beyond me.
I'm surprised this kind of thing isn't done already worldwide.
At my last university the IT department routinely scanned machines attached to the network and blocked infected machines. Students were required to bring their computers to an IT desk to have the malicious software removed and were instructed on how to properly use a virus scanner or malware removal tool. From what I understand, this policy continues to work well to this day. ISPs should follow Comcast's example by informing individuals their machines are infected, and go the extra step of directing affected parties to paid (or free) scanners that will remove the offending software. Only repeat offenders should lose their privileges (temporarily) to ensure responsible computing habits develop. Just my two cents.
my mom posts on slashdot.
What is it about spam and malware that causes people to completely lose their minds? What are you worried about botnets anyway? Either your system is secure and it won't be a problem for you, or your system is not secure and you are, by your own admission, "part of the problem." This isn't like quarantining carriers of a deadly disease. It's not exactly difficult to secure your own system against the nasties on the internet. But people are here supporting the idea of severing a person's internet connectivity because they've been a victim of some asshole on the internet. I think we can all agree that the internet is culturally revolutionizing, and has already proven itself to be an extremely important tool in the promulgation of free speech. But once you throw this crap in the mix we have people asserting these authoritarian opinions which, quite honestly, scare the shit out of me.
At the very least, if there is some set of criteria for disconnecting somebody from the internet, there must also be criteria for how to get reconnected and a very clear and doable set of instructions how to get back online. Otherwise you will end up permanently silencing people.
If you allow your kids to play with an unsafe computer, or worse yet, with administrative rights, I would imagine that's your problem, not mine. It will certainly teach a lesson, which is the whole point.
This has happened to me once. I got a virus and a couple hours later, my internet was off. I called the service desk and I was told that my computer was infected and get this, I need to download a patch to fix it. "How do I download a patch when my internet is off, I asked." "Bring your computer to the service center when we open on Monday." I instantly canceled my service. I was a college student at that time. Some tasks required the internet. In fact the only way to turn in my physics homework was to upload it to the server by 2am on Tuesdays and Thursdays. I don't need to be worrying about my internet shutting off at random times and having to make a midnight dash to campus to use the library computer.
I try to keep my computer clean. I run firewalls and I have virus scanners, but if you haven't been infected with a virus before then you haven't been on the internet long enough. Sooner or later you'll get infected, and god forbid if you rely on the internet, i.e. VoIP or server hosting. Why do I get punished for what other people do? Should car manufacturers be able to remotely turn off your car when your car starts to leak oil or freon?
I mean generally 'yes', but why not quarantine them to a network that allows them only access to a handful of services needed to get things working again:
- Microsoft ?
- a non-partisan collection of anti-virus vendor websites
- ISP specific help pages
- ISP specific log entries outlining proof and nature of infection.
- a page that allows, once a day, to get service restored on a probationary period to test for successful eradication.
- netbsd.org/freebsd.org/ubuntu.com/fedora.com/etc ...
Yes they should, but only after offering the opportunity to fix the infection (how are users going to download patches or find the fix without internet access?)
But I think it's time to go at least one step further. The ISPs are going to have to take the responsibility of blocking access to countries, ISPs, and sites that are infected or the source of infections. Like it or not, one of the biggest problems we have right now is that a massive amount of the traffic on the internet is related to criminal activities. If people came to your door every day and left 50 fliers for bogus prescription drugs, there would be an outcry. If you received 100 phone calls a day offering porn, there would be an outcry. If 200 people every day walked up to you on the street and tried to trick you out of your bank account numbers, there would be panic in the streets.
But all of this happens to internet users every day, and nothing is done because the perpetrators hide in other countries that can't be bothered to enforce laws, or they have a different interpretation of the word "fraud".
If on the other hand, no one in China, Estonia, Russia, or South Korea could reach the Internet outside their country because the backbone providers were required to cut off all traffic to or from those countries until they make an attempt to enforce laws, things would change.
Then you (The ISP) will be vilified when the user gets a $400 bill.
He'll tell his friends and neighbours.
Your ISP will then become *INFAMOUS*.
Instead, slow down the guy's connections and try to send the guy notices to tell him that he is "Owned".
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
While you're there, throw them a lot of information about why they should have an anti-virus, why they should scan regularly, and why downloading from 'that shady place' is a bad idea.
Maybe it'll stick once they realise they have no internet.
ISPs should be able to identify the IP addresses the bot is contacting and block it from getting out of the ISP.
Then it should track down those IP addresses and inform their ISPs that they are hosting a control node for a botnet.
Backbone providers should shut down access from any ISP that refuses to shut down botnet control nodes.
So if they shut off the connection, then how is the average person (without multiple boxes etc) supposed to access the tools and information they would need to clean it? And what happens when a bot gets loose that doesn't yet have a public fix? Then you just black out large swaths of the internet until somebody gets around to fixing it (again without internet access)?
At that point the ISPs are doing the work of the hackers themselves. Now you don't need a sophisticated attack to shut down huge chunks of the internet, just a good looking threat. Soon we will see attacks that do nothing more than mimic a botnet enough to trigger whatever automated shut-off the ISPs implement.
Like Communism, this is an idea that looks great on paper, but is doomed to not only fail, but make everything worse in the process.
Common Sense isn't as Common as people think...
Doing it via the browser is a very bad idea. Not only can it be spoofed, it undermines the "don't click those things" mantra that we are trying to ingrain in users' minds.
Cut them off, instant phone call and/or mailing. If they need it, allow them access to antivirus (I believe Comcast has a deal with McAfee) or mail them a CD.
to help him fix the problem. The customer is probably not the villain here and probably doesn't even know that he is botnet infested (after all, ALL Windows machines slow down eventually and have to have the OS re-installed, right?). The ISP should try to contact the customer by phone, email or snail mail and first let him know of the problem. Perhaps send him some general information on how to fix his problem, or just point him to the right URLs on the net where he can find the information he needs to fix his problem (other than by using an axe on the computer).
This is going to get more interesting as security (home alarm) companies and medical (help, I've fallen and I can't get up) companies are moving all their services to the user's web connection. Once there are a couple of deaths and a fire that don't get reported, these services are going to come under a lot more pressure to not disconnect people without multiple notices through snail mail, etc. type of process.
Just because I can hook a shark from a boat, I do not offer to wrestle it in the water.
Because not all of the population of China and Russia are botnet controllers. You are overgeneralising here. I hope you're joking - but my sarcasm meter is broken.
I'd actually appreciate a friendly email from my ISP informing me that they are detecting strange traffic from my IP address and suggesting that I might want to check for a Botnet infection. Detecting sneaky outgoing traffic and other malfeasance is beyond the technical range of many customers.
They might even provide links to resources I could use to detect and remove the Bot. They might even make these resources free, useful (Like pretested and configured against the current signature and MO of the Botnets they're seeing) and come off as concerned and helpful.
This is one area where our interests and the ISP's are aligned. Starting the process with a "cutoff" seems like a lose-lose...
"Knowing everything doesn't help..."
Just as not all of the people who have botnets using their wireless connections in their neighborhood are botnet controllers.
They're a lot more guilty than we are.
-- Tigger warning: This post may contain tiggers! --
actually, maggots get rid of gangrene quite effectively, no MD needed.
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
Be careful what powers you give to anyone with power already, they're hard to take away once they're given, especially in the monopoly like environment we're in. It's easy to see how this could lead to cutting your service for other reasons that are "bad" for their network.
Does anyone else see how this sounds like that story of boiling the frog alive by slowly turning the heat up?
It doesn't matter how "secure" your network is. If your inbound pipe starts getting flooded with garbage data and fills your pipe, your service is now unavailable. Your local firewall may be super secure and drop all the packets so your server runs along swimmingly - totally irrelevant if your pipe is overloaded. This is the kind of damage that is TRIVIAL for a botnet.
Can just tell by your attitude that you are somehow connected with the people who want more government snooping and control.
Go back to your Ministry of Truth and do not presume to attempt mind control on me again.
But I tend to rely on the Internet for information about removal of malware or software downloads to remove them. What about an ISP-level antivirus/malware detection mechanism? If I pay for my bandwidth and I get cut off because of malware, I expect a full refund for the loss of service plus compensation for the trouble.
Tomorrow is another day...
Yes, and then send them to a 'captive portal' when they try to access the web telling them what has happened and what they need to do to fix it - along with the ISP's contact number and maybe even a reference or case number.
fak3r.com
If ISPs care about how their bandwidth is being used up, they should/would definitely disconnect users for even unintentional abusive behavior like this.
Used to work at a WISP, and malware infected customers were a huge source of network problems. Anyone suspected of being infected was contacted immediately, and potentially disconnected from the network if they were unreachable and/or immediate attempts to resolve their spyware problems weren't successful.
Perhaps wired ISP's aren't so concerned about this...
I used to do computer work for a guy that was contacted by his ISP (Insight communications) and they told him he had a virus and would only be allowed back online once he was cleaned up. He only noticed when he woke up the next day and had no service. This was the first and only time I witnessed an ISP taking a role in cutting off an infected PC.
My understanding was some of the largest botnets for spam emails were actually run from the US/UK. You proposing to cut them off from the net too?
Back in the dark ages of dial-up access. They would lock out the account with a message to call an 800 number. They would step you through the process of getting rid of it. I just had to update my son's scanner and run it. Of course, that meant all 5 of us were locked out, even though 2 of them were at college!
Never trust a man wearing a coat and tie!
Brilliant! Also, that makes good business sense, as they would have to use the email service that you, as an ISP, kindly provide ... for a fee. We really can't allow those lusers to manage their own mail, oh no sirree.
I would think it was fine if ISPs set up new accounts with most ports closed *and then provided a good, efficient interface for users to open what they want to be open* ... but most (most! there are some good ones out there) ISP staff get that deer-caught-in-the-headlights look when you start to ask questions about outgoing ports. Seriously; I've had the privilege of being told that yes, I would certainly be able to surf the web, when I asked about accessing my own file/media server from the WAN side. Sigh.
"Good news, everyone!"
Being able to connect to any port and to receive connections on any port is the definition of Internet access. I absolutely should be able to run a mail server on my home machine.
Now, if the ISP were to block incoming port 25 by default, and people who wanted it could fill out a quick form or something, maybe that would be okay.
So you propose that as soon as an ISP detects an infected computer, they send someone to wipe the computer and install Ubuntu? :-)
The Tao of math: The numbers you can count are not the real numbers.
Getting users to download an "antivirus" every time they see a page like that is a BAD idea.
No sig today...
Fuck you. The internet is not a consumer distribution network. Each host is a client and a server. And if I want to receive mail at my home it is none of your business.
Peers should be killed for their bad behavior, not for their capability. They should be disconnected for sending spam, not because they have an MTA or a botd. It should be up to the owner to decide if he wants to 1. Remain disconnected, 2. Stop willingly sending spam or 3. Remove the botd that sends spam without his knowledge.
No, those we can go after on a county by county basis.
-- Tigger warning: This post may contain tiggers! --
I mean they don't already? My ISP (Cox) does. Back in the day one of my roommates got a worm. Didn't know this, of course. I came home, my Internet wasn't working. Called the ISP, they told me what was up. I said "Ok computer is unplugged I'll have him clean it when he gets home." They said "Good deal, your net is back on."
Seems like a good idea to me.
If it were up to me, I'd just shunt the customer to a remediation server that has downloads of some decent AV utilities.
Physical example: If an apartment complex in a good section of town had a tenant who took the door off his place, let all kinds of transients in to clog up the toilet so the sewage ran off the balcony, left crack pipes all around the facility, and had people trying nearby apartments to see if they could break in, that tenant would be history. Same with ISPs. Why should an ISP have to deal with the fallout due to a customer who cannot follow basic security precautions?
Everyone makes mistakes and even the pros get hacked, so a warning should be given obviously. However, network security comes first before some subscriber's pr0n habit, so if they can't or won't fix a botnet, then they get axed and either download utilities to address the problem from a remediation server, get their PCs reinstalled, or move to a more malware-unfriendly platform.
Making Joe Sixpack responsible for his own security is a good thing in the long run. As of now, there are no consequences for him to allow his machines to become a server for botnets. He doesn't see the damage he is doing with his neglect. However, if it is made known to him that he will be cut from the boobie pics if he continues to display gross negligence, he might actually update his copy of Norton or ask a friend about some strange software called Firefox and AdBlock.
Else how could an ISP charge more for the same service re-labeled as "business Internet?" Meh. You're quite simply wrong, and apparently a noobie.
"National Security is the chief cause of national insecurity." - Celine's First Law
An (enlightened) ISP I used in the past kept traffic statistics on all customers. An automated daily check would occasionally spit out an e-mail that essentially said something like: "We noticed an unusual spike in upload activity from your network on port at . If you understand why, then ignore this message. Call if you need help." This was great, because it alerted you to a problem pretty much right away, but didn't try to second-guess what you were doing. Like credit card fraud protection, it only was triggered by unusual (for you) activity. Unfortunately, this kind of e-mail isn't all that helpful for the typical grandma, but for the customer base of this particular ISP it worked reasonably well.
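Two of the posts above describe concrete, defensible detection rules: the regional ISP that shuts off customers opening "tens of thousands of simultaneous SMTP connections", and the ISP whose daily job flagged an upload spike that was unusual *for that customer* on a given port. The block below is an added example, not code from either poster or any ISP; it runs both heuristics over a constructed set of per-customer flow summaries (the `Flow` records, customer ids, day numbers and byte counts are all invented). The per-customer baseline check deliberately skips ports with too little history, since a first-seen port has nothing to compare against, and it falls back to a "double the baseline" threshold when a customer's history has zero variance.

```python
"""Two bot-infection heuristics over constructed per-customer flow summaries."""
from collections import defaultdict
from dataclasses import dataclass
import statistics


@dataclass(frozen=True)
class Flow:
    customer: str      # subscriber id (constructed)
    day: int           # day index; earlier days form the baseline
    dst_port: int
    connections: int   # outbound connections to dst_port that day
    upload_bytes: int  # bytes uploaded to dst_port that day


# Constructed sample, not real customer data. c1 is a normal web user;
# c2 becomes a spam zombie on day 5.
FLOWS = (
    [Flow("c1", d, 443, 300, 50_000_000 + d * 1_000_000) for d in range(1, 5)]
    + [Flow("c1", 5, 443, 310, 55_000_000),   # inside c1's normal range
       Flow("c1", 5, 25, 3, 20_000)]          # first time on port 25: no baseline
    + [Flow("c2", d, 25, 4, 40_000) for d in range(1, 5)]
    + [Flow("c2", 5, 25, 40_000, 900_000_000),  # the spam zombie day
       Flow("c2", 5, 80, 50, 2_000_000)]        # new port, skipped for lack of history
)


def smtp_flood(flows, today, threshold=10_000, port=25):
    """Absolute rule (the regional-ISP post): flag customers whose SMTP
    connection count on `today` is blatantly viral. Returns {customer: count}."""
    totals = defaultdict(int)
    for f in flows:
        if f.day == today and f.dst_port == port:
            totals[f.customer] += f.connections
    return {c: n for c, n in totals.items() if n >= threshold}


def upload_spikes(flows, today, min_history=3, z=3.0):
    """Per-customer baseline rule (the 'enlightened ISP' post): compare today's
    upload bytes per port with that customer's own earlier days, like a
    credit-card fraud alert. Returns {(customer, port): details}."""
    per_day = defaultdict(int)
    for f in flows:
        per_day[(f.customer, f.dst_port, f.day)] += f.upload_bytes

    alerts = {}
    for c, p in sorted({(c, p) for (c, p, _) in per_day}):
        history = [b for (cc, pp, d), b in per_day.items()
                   if (cc, pp) == (c, p) and d < today]
        todays = per_day.get((c, p, today))
        if todays is None or len(history) < min_history:
            continue  # nothing to judge against yet; do not alert on a guess
        mean = statistics.fmean(history)
        sd = statistics.pstdev(history)
        threshold = mean + z * sd if sd > 0 else 2 * mean  # flat history guard
        if todays > threshold:
            alerts[(c, p)] = {"today": todays, "baseline": mean, "threshold": threshold}
    return alerts


def notice(customer, port, details):
    """The kind of non-punitive e-mail the post quotes: inform, don't cut off."""
    return (f"To {customer}: we noticed an unusual spike in upload activity from "
            f"your network on port {port} ({details['today']} bytes against a "
            f"baseline of {details['baseline']:.0f}). If you understand why, "
            f"ignore this message. Call if you need help.")


if __name__ == "__main__":
    today = 5
    print("SMTP floods:", smtp_flood(FLOWS, today))
    for (c, p), d in upload_spikes(FLOWS, today).items():
        print(notice(c, p, d))
```

Running it flags c2 under both rules while c1 stays quiet, even though c1 uploaded more bytes in absolute terms than c2 ever had before; that is the point of baselining per customer rather than applying one global byte threshold.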
Or you could take the easy way and educate users on how to care for their current computer and install some decent protection on their computer and be smart about browsing? Or your alternative and convince them to switch operating systems because they are not YET as vulnerable as Windows machines.
If the ISP can detect the bot activity, then they can stop forwarding it. In the meantime they redirect the user's web traffic to a download page for the bot removal tool. If the user doesn't act within a reasonable timeframe, then they suspend the account. The only downside is that eventually all retail ISP customers will be forced to install security software from whichever vendor offers their ISP the greatest kickback.
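The post above lays out a staged response: stop forwarding the bot traffic itself, redirect the customer's web traffic to a download page, and suspend only if nothing happens within a reasonable window. Earlier posts add the walled-garden allowlist (vendor and ISP help sites stay reachable) and the idea that repeat offenders lose the grace period. The block below is an added example of that lifecycle as a small policy object; it is not code from any poster or ISP, and the hostnames (on reserved `.example` domains), ports, grace periods and timestamps are all constructed.

```python
"""Quarantine policy sketch: detect -> walled garden -> suspend -> restore."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class State(Enum):
    CLEAN = "clean"
    QUARANTINED = "quarantined"   # web goes to the portal, remediation hosts allowed
    SUSPENDED = "suspended"       # grace period expired without a fix


# Constructed allowlist (hypothetical hostnames): a real deployment would list
# the OS and AV vendors' update hosts plus the ISP's own help pages.
REMEDIATION_HOSTS = {
    "portal.isp.example",
    "help.isp.example",
    "update.os-vendor.example",
    "download.av-vendor.example",
}
WEB_PORTS = {80, 443}


@dataclass
class Account:
    customer: str
    state: State = State.CLEAN
    flagged_at: Optional[datetime] = None
    restored_at: Optional[datetime] = None
    reason: str = ""


class QuarantinePolicy:
    def __init__(self, grace, probation, bot_ports):
        self.grace = grace            # time allowed in the walled garden
        self.probation = probation    # window in which a re-flag skips the grace
        self.bot_ports = bot_ports    # ports the infection is abusing (e.g. 25)

    def flag(self, acct, now, reason):
        """Detection fired: quarantine, or suspend outright for a repeat offender."""
        repeat = acct.restored_at is not None and now - acct.restored_at < self.probation
        acct.state = State.SUSPENDED if repeat else State.QUARANTINED
        acct.flagged_at = now
        acct.reason = reason

    def tick(self, acct, now):
        """Escalate once the grace period has run out; returns the new state."""
        if acct.state is State.QUARANTINED and now - acct.flagged_at >= self.grace:
            acct.state = State.SUSPENDED
        return acct.state

    def decide(self, acct, dst_host, dst_port):
        """Per-flow verdict: 'forward', 'portal' (captive page) or 'drop'."""
        if acct.state is State.CLEAN:
            return "forward"
        if dst_port in self.bot_ports:
            return "drop"        # the bot's own traffic is never forwarded
        if dst_port in WEB_PORTS:
            if acct.state is State.QUARANTINED and dst_host in REMEDIATION_HOSTS:
                return "forward"
            return "portal"      # page explains the cutoff and how to get back
        return "drop"

    def restore(self, acct, now):
        """Customer reports the machine clean; start the probation clock."""
        acct.state = State.CLEAN
        acct.restored_at = now
        acct.flagged_at = None


def run_scenario():
    """Walk one constructed account through the lifecycle; returns the verdicts."""
    policy = QuarantinePolicy(grace=timedelta(hours=48),
                              probation=timedelta(days=30), bot_ports={25})
    acct = Account("c2")
    t0 = datetime(2009, 1, 1, 12, 0)  # constructed timestamp
    out = [policy.decide(acct, "news.example", 80)]                     # forward
    policy.flag(acct, t0, "40000 SMTP connections in one hour")
    out.append(acct.state.value)                                        # quarantined
    out.append(policy.decide(acct, "download.av-vendor.example", 443))  # forward
    out.append(policy.decide(acct, "news.example", 80))                 # portal
    out.append(policy.decide(acct, "mx.victim.example", 25))            # drop
    out.append(policy.tick(acct, t0 + timedelta(hours=24)).value)       # quarantined
    out.append(policy.tick(acct, t0 + timedelta(hours=72)).value)       # suspended
    out.append(policy.decide(acct, "download.av-vendor.example", 443))  # portal
    policy.restore(acct, t0 + timedelta(hours=80))
    out.append(policy.decide(acct, "news.example", 80))                 # forward
    policy.flag(acct, t0 + timedelta(days=5), "spam again")
    out.append(acct.state.value)                                        # suspended
    return out


if __name__ == "__main__":
    print(run_scenario())
```

The design choice worth noting is that the abused port is dropped from the moment of detection, while the web allowlist stays open during the grace period, which answers the recurring objection in this thread that a cut-off customer cannot download the fix.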
Why should I be stopped from running my own mail server, which I'll keep with me whichever ISP I go to?
Yes, definitely remove bot-infected machines from the internet.
But, also provide a clear, readable description of the reasons for the cutoff.
And, most importantly, a simple way to quickly reestablish service once the infection has been removed.
And by the way, simple does NOT mean 45 minutes on hold waiting to talk to some dude in India
It is not the end user who wants bots on his computer. It is the criminal who arranges them to reside there. And those criminals should be the only ones to suffer. Sure it is easy to punish the owner of the infected PC. But how does easy become morally acceptable?
We are a NS customer. We had an offsite machine with one of our email addresses get infected and started to send out spam. Within a few minutes, they shut down our entire email service. It crippled our business, then it happened again a few times before we found out what the problem was. We were hopping mad at NS until we found out it was our error.
I hate being bipolar; it's awesome!
Seriously? Yes, they should.
I've worked at an ISP for 10 years, and we cut people off the second we find out that they're infected with a bot and trying to infect others. When they call and ask why their Internet connection isn't working, we tell them straight up what the issue is and that they'll have to clean off their computer (have it done 'professionally' if they can't do it themselves) and then report back to us to get their connection reinstated.
It's a hard lesson to learn, but I think it's necessary.
To use the obligatory car metaphor: if your car starts to leak gasoline while driving down the road, you can't just keep driving it like that since it's 'not your fault' that your gas line ruptured. Even if you do all the preventative maintenance that is recommended, stuff can still happen and it's up to you to get it fixed, even if that means taking it to a professional to fix it.
Most large companies, I've worked for Intel and HP, will search their network for known "issues". I remember one time the worm was severe enough that if your system wasn't patched they turned off the port and blocked the MAC address until you patched your system. This was after 72 hours of blocking port 80 traffic to slow the thing down.
Combine the above realities with DMCA takedown notices and I think it's time. Most ISPs have a 3 strikes you are out policy for violating DMCA and Copyright. The precedent is already set. There are many ways to detect bots and it's time to have the ISPs turn them down and make folks take appropriate steps to clean up their own systems.
"Don't fear death... fear not living..." -me
The fact that you would make such a ridiculous statement shows that you literally lack even the most basic understanding of Operating Systems and computer security.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
A few years back someone brought their computer over to my house for me to fix it. They had the usual excuse. "It's being slow". So I hook it up, and download the latest anti-malware stuff. (I was in a hurry, so I just plugged it into my router.)
About half an hour after doing that, I tried to access a website, and instead got a security notice from my ISP (a cable company) saying that my internet had been cut off and asking me to call a number. I called them up, they told me that my connection was sending out an unusual amount of mail and that it had automatically been suspended. I told them what was up, and they agreed to release the suspension right away.
Know what? I was HAPPY that they did that. It means they're serious about proper network security. Not like the other big cable company around here (Rogers) that simply blocks all outgoing mail ports, making life difficult for everybody.
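The automated "unusual amount of mail" trip the commenter describes can be built from ISP flow data. The example below is added here and is not code from any ISP or from the poster: it uses constructed flow records, an assumed policy of 20 distinct SMTP peers within 10 minutes, and a made-up `ts src dst dport` export format, and it puts the contacted servers and times into the notice so the customer has something to work from.

```python
"""Flag subscriber hosts that suddenly talk SMTP to many distinct servers.

All flow records, the export format and the policy thresholds below are
constructed for this example; they are not any ISP's real data or policy.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SMTP_PORT = 25
# Assumed policy knobs: a home subscriber normally relays through one or two
# mail servers, so reaching 20 distinct SMTP peers inside 10 minutes is a
# strong indicator of a spam bot rather than a person sending mail.
DISTINCT_PEER_THRESHOLD = 20
WINDOW_SECONDS = 600


@dataclass
class FlowRecord:
    ts: int       # epoch seconds
    src: str      # subscriber's public address
    dst: str
    dport: int


@dataclass
class Finding:
    src: str
    first_ts: int
    last_ts: int
    peers: list = field(default_factory=list)  # distinct SMTP servers contacted


def parse_flow_line(line):
    """Parse one 'ts src dst dport' line (constructed export format)."""
    ts, src, dst, dport = line.split()
    return FlowRecord(int(ts), src, dst, int(dport))


def find_spam_sources(flows, threshold=DISTINCT_PEER_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: Finding} for sources whose distinct SMTP peers within any
    `window`-second span reach `threshold`; the first tripping window is kept."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == SMTP_PORT:
            by_src[f.src].append(f)
    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r.ts)
        start = 0
        peers_in_window = defaultdict(int)   # dst -> flows in current window
        for rec in recs:
            peers_in_window[rec.dst] += 1
            # Slide the window start forward past records older than `window`.
            while rec.ts - recs[start].ts > window:
                old = recs[start].dst
                peers_in_window[old] -= 1
                if peers_in_window[old] == 0:
                    del peers_in_window[old]
                start += 1
            if len(peers_in_window) >= threshold:
                findings[src] = Finding(src, recs[start].ts, rec.ts, sorted(peers_in_window))
                break
    return findings


def notice_text(finding, show=5):
    """Customer-facing suspension notice naming the servers and times seen."""
    shown = ", ".join(finding.peers[:show])
    return (f"Service for {finding.src} was suspended: it contacted "
            f"{len(finding.peers)} distinct mail servers between t={finding.first_ts} "
            f"and t={finding.last_ts} (e.g. {shown}). Clean the host and contact "
            f"support to reconnect.")


def constructed_flows():
    """Constructed sample: a normal mail user, a spam bot, and a slow sender."""
    lines = []
    for i in range(30):   # 198.51.100.10: 30 flows to two relays, one every 2 min
        lines.append(f"{1000 + i * 120} 198.51.100.10 203.0.113.{1 + i % 2} 25")
    for i in range(25):   # 198.51.100.20: 25 distinct MX hosts in under 5 minutes
        lines.append(f"{2000 + i * 12} 198.51.100.20 192.0.2.{i + 1} 25")
    lines.append("2100 198.51.100.20 203.0.113.50 443")   # unrelated web traffic
    for i in range(25):   # 198.51.100.30: 25 peers but 15 minutes apart
        lines.append(f"{3000 + i * 900} 198.51.100.30 192.0.2.{100 + i} 25")
    return [parse_flow_line(l) for l in lines]
```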
Does it make you happy you're so strange?
Or you could take the easy way and educate users
You don't work in IT, do you?
In that process of training & service for PCs don't forget the possibility that it might not be the computer that is infected:
There are viruses now that can infect routers and modems.
I can only imagine how pissed off a customer is going to be if their ISP insisted that they pay a professional to clean their computer and they are still being denied internet access because their router is infected.
Warning: This sig is not thread safe. For more information see Slashdot's sig policy.
I used to work for Shaw Cablesystems up here in Canada. While I was working there, they did this exact practice. It was handled by the AUP team: a caller would call up Tech Support and say "Hey, my Internet isn't working, what gives?", the AUP team would say "Well, you've been (spamming our customers with junk mail, participating as part of a botnet, etc.)" and would offer solutions for how to fix this. If they were using our in-house anti-virus software, there was a team of techs who would walk the customer through some fixes, reconnect the Internet so they could VPN in to fix it, or, worst case scenario, send one of our own techs to go fix it. Getting the Internet turned back on was the easy part.
Or you could take the easy way and educate users on how to care for their current computer and install some decent protection on their computer and be smart about browsing?
You think that's the easy way, huh? Who are your users, MIT students?
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Seems like there should be a partial quarantine state where the infected user's service is severely reduced, but the ISP is still able to network with the computer to provide an avenue for removal tools and resolution. The Internet is the primary source of information for many, and the people unknowingly hosting sentinels in a malicious network are in severe need of information. There must be a compromise or providers risk losing customers.
I would say the PWN to Own contests prove you wrong. Linux and OSX are still smaller in numbers than Windows. Since botnets, malware, and the rest are going for profits not fame, hitting more machines with the same attack is better. If OSX or Linux, or (enter OS of choice here) was 60%+ of all computers, do you actually believe that there would not be malware, botnet programs, etc. written for it?
OSX will get hit really hard if it does take the numbers crown. Most of the OSX people I see will enter in their password at that prompt without a second thought. Most non computer people do that no matter the OS. That is what the malware writer is counting on. That people will not think and just press OK or enter in their password to allow the installation. Maybe there should be a computer use test or license. At least then people might have some idea that if they are looking up directions to some store and are prompted for their password to not enter in their password.
How am I supposed to get my computer fixed if I get completely cut off from the Internet?
I would be much more in favor of such users being quarantined, rather than completely cut off, to a small subnet with access to sites such as Microsoft.com, common anti-virus providers, etc.
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
>>>In the scenario you propose the person is ignorant,
Or they could be like me, someone with two college degrees who's been around computers for three decades, and yet he has a computer infected with a virus that nobody, not even experts, has been able to remove. Seriously. After trying all kinds of programs, including bootblock editors, the online experts told me to just wipe my drive and do a clean install. (Good thing I kept the original disks.)
>>>switch to a real OS such as Linux or OS X.
OS X won't run on the user's existing IBM PC-compatible hardware, so that's poor advice. Linux OS is virus free (mostly) but now you've got a user trying to run familiar programs like MS Word or IE or Flash, and unable to make them work, so that's poor advice as well. Are you sure when you used the word "ignorant" you weren't speaking of yourself? Maybe that's why you were modded "-1 troll".
"I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
Because you know, they're all salivating over metering based on bandwidth, where botnets will just raise their revenue. In the long run, the ISPs may end up being the actual source of some of those botnets.
At the very least, they're not in the habit of offering services without charging for them, so you could expect to see a "botnet detection" fee on your bill if they work out a detection scheme that is workable.
I work at a university helpdesk. A fuckload of the issues I see are caused by people not understanding things. We could cut down a lot of work if we gave a series of lectures regarding basic computer use over the course of a couple months.
Issues like:
"How to install antivirus"
"How to install windows"
"What is malware"
"OH GAWD! I HAS MALWARE! WHAT DO?"
"Illegal operation does not mean call the police"
"Printing documents for fun and for profit"
"10 ways the internet is different from a dumptruck"
So let me see if I have the objections correctly summarized. For nonspecific values of "you":
Does that cover it all?
Everybody gets what the majority deserves.
Whoops, hit post too soon.
My point is that you can save yourself a lot of time and hassle if you just give your users a bit of education. You have the choice of explaining to people why it's a bad idea to plug a wireless router into an ethernet port, or rebuilding half your network when a hacker gets in and tears the place up.
-1 disagree is not a modifier for a reason. -1 troll, flamebait, redundant, overrated are NOT acceptable substitutes.
You don't seem to understand that it is not a matter of "writing a botnet for it." The problem comes when you try to actually get said malware to install on a secure OS. Since it cannot install itself, it cannot propagate. Game Over.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Since you just clearly posted a response that has far more intentional "troll" to it than my completely factual non-troll post, I guess we'll see if the mods are fair or biased ;-)
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Fuck yeah they should cut them off, and they should have started doing it years ago. In my mind, the fact that most ISPs don't do this makes them as much to blame for the situation as the people who create and run botnets.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
If they tell the ISPs that they can "suspend" their service until they fix it but keep billing them and can't be sued over it, they'll pass that thing tomorrow in congress. In fact, they won't even wait for congress to make it a law, they'll just do it voluntarily. I mean free money + less expenses + seriously lower bandwidth usage over the long term + sticking it to assholes who catch viruses = YAY! That equation is actually listed in every ISP's accounting materials. Seriously, go look it up on wikipedia, it's true lol.
Google's Super Secret Search Algorithm: SELECT @search_results FROM internet WHERE @search_results = 'good'
Yep that's right, many EDUs, which are ISPs for many thousands, do not tolerate malware on the network and block infected systems upon detection.
Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
The fact that you would make such a ridiculous statement shows that you literally lack even the most basic understanding of Operating Systems and computer security.
Sometimes even an understanding of OSes and computer security isn't enough to override that annoying "all viewpoints are equally valid" undercurrent that corrupts many otherwise good-natured discussions about the whole "Linux/OSX vs Windows" topic. If the person in question were disinclined to be swayed by this unstated undercurrent, then the fact that Windows requires so much third-party software just to begin to achieve basic security would be a huge tip-off.
It is a miracle that curiosity survives formal education. - Einstein
I worked at an ISP in the midwest and we started doing this as early as late 2001/early 2002. Yes, customers were pissed and we lost some because of it. But as a result we saved a lot more time and money than having to deal with abuse complaints, FBI subpoenas, saturated networks, etc. It is not the ISP's responsibility to protect the customer but it is their responsibility to protect their network. 'If you don't like it you can blow me' should be the attitude of the network administrator.
Fuck Ajit Pai
Well, I've run a home email server since I was 16. In 1987 it was running a UUCP stack Dale Schumacher wrote/ported for Atari ST series computers, but I was on the UUCP map and had a bang path. I was just as real a server as anybody else.
I was one of the very first DSL customers in my area, and as soon as I had it I had my own SMTP server running. That was about 1998 or so.
The only time I've ever generated any kind of bot traffic is when I inadvisably provided hosting for a friend's Windows 2000 Server box. I figured it out quickly and disconnected his machine.
So, I think you're wrong. And while I think I'm pretty unusual, I do think there are a fair number of other people like me. Tossing me out on my keister because I'm just doing something you find to be somehow 'just wrong' is the wrong approach.
Need a Python, C++, Unix, Linux develop
Seems this is the toe-hold into deep packet inspection that they've always wanted. This is the rationalization that is needed for ISP operated behavioral data collection and now it is no big deal to sponsor inspection of user activities for the software and Hollywood cabals.
Don't like it? Well then I guess we can't turn off those dirty bot-nets.
Wow. The fact that this got upmodded to 4, Interesting says more about the state of slashdot demographics than any editorial could...
Not because it's against any policy but as good internet citizens, if they cut my connection I'm going to ask why, I find out it's because I'm infected, I just have to clean the infection and I'm back online. Whose rights, freedoms, expressions are being affected in any way from this?
Most internet users (don't just think /. crowd) would appreciate this type of action. One ISP where I live had this policy in place 4-5 years ago and I helped my cousin get rid of virii that he didn't know he had until this happened. Some advanced users might be upset, just like pirates are upset when TPB goes down, but those people will find ways around and still be able to do what they want to do.
I work at a computer repair shop. Most of the infected machines we work on have processes set up by malware to automatically proxy all internet traffic, making it pretty difficult for the user to even stay connected to the net. You don't hafta cut off bot infected machines, half the time they cut THEMSELVES off! =] Windows users: enjoy paying money to fix that scrap pile. God I'd buy an Apple if I had the money. BTW I'm a Linux user.
If you take care of your network, you won't run into this.
You've never done user tech support, have you?
Tell that to Jo(e)(sephine) Average User, who has no idea what a virus, or even a network, is. Or even what an operating system is.
Proper and prompt notification of why you've been cut off - and perhaps suggestions as to local techs who can properly clean your system - are at least fair.
SB
It's old. The more humans I meet, the more I like my cats. At least they are honest.
Being able to connect to any port and to receive connections on any port is the definition of Internet access.
If you want Internet access, upgrade to the ISP's plan that allows Internet access. Comcast, for example, calls its Internet access plan "business class".
A simple "your zombie PC has been disconnected, please contact us to reconnect" followed by instructions on cleaning malware would cut the problem in half.
If I saw a screen like that, my first instinct would be fake antivirus. I've had to clean it off Windows PCs four times.
I would say the PWN to Own contests prove you wrong.
Oh, those contests where people write clever, specialized code and willingly execute it to create an artificial problem? That's a far cry from catching an exploit in the wild.
Some day, somewhere, someone MIGHT be able to crack OS X with an automatic exploit and everyone will rejoice, even though more successful exploits happen on Windows every two minutes than happened on Macs in the last 25 years.
Your basic wording on the rest is right on the money, though. On OS X and Linux, you have to be sitting at the keyboard with the Admin password to install most anything. What you're talking about is phishing and trojans, not automatically executing, unauthenticated, self propagating viruses which is the domain of Windows. People typing their passwords without knowing what they're doing is stupid and nothing can protect you when you're being stupid.
I think of it this way; the Taliban has an AK-47 round which will penetrate a Kevlar vest 70% of the time but it will only penetrate a shear-thickening liquid armor vest .00003% of the time. Which vest would you like to wear in the wild?
Most of the stuff on
Speakeasy.net cut me off in 1999 when a Windows server I had at home was exploited (MSSQL Server...grr) and infected. I called them, they explained what was up and how to fix it. I 'fixed' it, called them back, and they put me back online...and then offline again 12 hours later because I hadn't cleaned it all up properly. (My then-girlfriend-now-wife really wanted to play Quake 3 Team Arena...I didn't have time to fight Windows!) I fixed it for real, and they put me right online again.
It was frustrating at the time, but I knew then and I know now that what they did was what I wish more companies did.
Time Warner (Austin, TX) has been doing this going back at least to 2003. I should know, I worked as a TSR agent. If a customer calls in to troubleshoot a connectivity issue, their account might be flagged by security as a source of spam and virus activity. Once we re-activated their cable modem, they would be directed to http://www.rrsecurity-abuse.com/index.php. They would then be forced to fill out an online form.
THIS IS OLD NEWS!!!
Life is not for the lazy.
When we had lots of little ISPs, they knew their users, and this kind of thing would be easy cheezy. Now that we've got big, "who gives a fuck" ISPs, it's some kind of dilemma, related to somehow making more money by doing less, and scale.
My smaller ISP simply called me on my cell, when it happened. We had a short conversation that went like this:
Hey user, it's Joel.
Hi Joel, what's going on?
User, I think one of your machines has been hacked.
Jesus! Really? What is it doing?
Right now, it's fetching a lot of data, and sending SPAM.
Crap!
What do you want to do?
Ok, pull the plug, wait three hours, then put it back in. I will have arrived home, taken the box offline to start the work of getting it all sorted.
No sweat, do I start right now?
Yeah, thanks.
*click*
So I went home, pulled the machines off line and waited for a time. Net came back up, and I powered on the machines, looking for the offending one. Found it. Bastards! Sent a quick note to Joel about the state of things, asking if he would keep a close eye out for the next day or two. Done.
Now I realize the average Joe is probably going to handle that poorly. I got my stuff sorted, and brought my Internet stuff back up, happy chappy.
I've since moved, and am just out of range for that ISP. My current one, big ass, ugly, ISP with a name you all would recognize, and cringe at, wouldn't give two shits. They would pull the plug, not tell the support people, and ask for a "reconnect fee", well just because they can.
Not sure what the real answers are here, but somehow I prefer a world where I can get that phone call, maybe be clueless, and know the folks on the other end are just trying to limit the damage, as opposed to it just not working, followed up DAYS later with a nasty-gram, and charges, but that's just me.
Blogging because I can...
Yes, but they shouldn't be allowed to bill you for the time you were disconnected. Thus their interest will be getting you cleaned and back on-line ASAP.
You also have better control of which software users will be installing when maintaining repositories of software instead of having users go to random and possibly infected sites to download executables.
Can we please cut off Microsoft from the Internet for creating an insecure OS, instead of random old ladies that are just trying to browse after some recipes and don't even know what a virus is, or that there is a support number to ISPs? Thank you.
Yet another potential problem that no one seems to have mentioned yet is that of shared houses. If my flatmate has a virus (which he doesn't any more because I cleaned it off last night) then the whole house is going to be seen as "infected" and four innocent people will be cut off the internet due to the indiscretions of one person. This could be made all the worse if the person owning the infected computer is on holiday for a week.
ISPs are in a great position to significantly impact bot activity but the first adopters of this kind of policy will lose customers to more forgiving ISPs as customers get angry about being cut off, whether this anger is justified or not. ISPs will have to ease their way into this kind of policy, being very careful not to alienate their customers.
Sig matters not. Judge me by my sig, do you?
"10 ways the internet is different from a dumptruck"
Which would be? Just curious.
You can make an OS as secure as you want, but assuming that it still allows the user to execute arbitrary applications, there will always be plenty of people happy to click the "Yes please download and run this mysterious app as administrator" button. At the moment, there are likely to be far fewer of those people running Linux, and even OS X, than there are running Windows. But if either of them became dominant, then you'd start to see plenty of malware hanging off the back of free downloadable screensavers etc.
Rogers Canada used to cut my brother's internet off all the time (he lives in a house with like 12 people). I think it's a good policy, though they are not very helpful in tracking it down. They also cut the internet at my work recently. On this occasion they were able to tell us the servers it was trying to access and the times it tried, which was helpful in tracking down the infection, but for the most part they just tell you to get rid of the infection or else we cut you off for good. I told my brother to make sure everyone in the house ran malwarebytes a few times every now and then and the problem went away.
you know you can fry stuff putting things into things that dont like the things you put into it...
ROTFLMAO. You've clearly never used a real OS. There quite literally is no such option when using a real OS.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
However, ISPs can offer several types of service:
* A level where they cut you off if you appear to be infected,
* A level where they monitor you and page you and if you don't fix the problem within a few hours, fine you or if you prefer, cut you off.
* A level where you do not want monitoring and take responsibility for your own network, and they find you if you are infected.
In any case, if you are interfering with their other customers, they have a right to block traffic from you to their other customers. If you are causing physical or electrical harm e.g. if you connect something other than proper equipment to their wires and it disrupts their equipment, they have a right to cut you off. If you or your infected computer is attempting to attack their equipment they have a right to cut you off.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
What OS are you referring to? I've certainly never come across a home OS that doesn't allow users to run apps as superuser.
>the ISP would be reasonably justified in cutting off a user from the internet,
the ISP would be reasonably justified in temporarily cutting off a user from the internet while contacting the client with proper info as to which infection they had, or which port they were sending info from, or even some basic help to figure out what to look for, maybe even offer a qualified technician's number, all the while making sure that the user was not billed for those days where they were cut off from the internet, as it is in the contract that they can not stop the service...
There, fixed that for you!
You are either intentionally mixing up terms or you just don't understand them. Linux does not allow users to click a button and suddenly run as root. You need to enter the root (administrator) password.
Of course all of this is moot, since most malware does not propagate this way, but rather uses exploits to take advantage of the thousands of blatant security holes in the Windows OS.
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
By any chance, does the K. stand for "Kilgore"?
For crying out loud - how about we stop demanding that the victims be punished (ie: cut off from the net) and try to figure out how to detect and kill these Bot-nets on the infected computer. What are you guys? The RIAA? People with Bot-net infected PCs are victims just as much as those who receive the deluge of spam they produce. Maybe more so since most spam gets caught by the ISPs these days. I got hit by a bot-net infection recently that stole 15GB of traffic off me before I had a chance to spot the problem. I'm astounded that after all this time the so-called leaders in anti-malware software still seem to be unable to prevent, detect, or remove Bot-net infections (and maybe I'm just under-informed about the nature of the problem). But since they don't seem to have a handle on a solution, how about the Slashdot community just stops fantasising about how great it would be if all the noobs got taken off the internet and start realising that the noobs PAY for the services we all enjoy (we couldn't afford this thing on our own). We have to understand that ISPs don't have the luxury of cutting access to huge chunks of their customer base just to stop bot-nets. They'd go broke and we'd lose OUR access (unless of course we had millions from our startup successes to pay for our own private uplinks, but without noobs to buy our new online services there won't BE any more startup success stories). So the real solution to Bot-nets is YOU. Not the ISPs, because they CAN'T solve it. Not simply to "ban the noobs" because we'd suffer too. YOU guys need to spin up the brain-turbines and figure out how to find and kill these day things, because you're the only ones who CAN. We're counting on you. Go for it, and good luck.
It was customary for the sysadmin to block users when he saw a lot of traffic on the various ports the bots use (back when bots always used a specific port). The part that I didn't agree with was he would just cut them off. Then when they call in to tech support pissed off that their internets are down we realize they were shut off because they had spyware. It was mainly about cutting the user off so they didn't waste company resources rather than looking out for the users.