Knocking Infected PCs Off the Internet
nk497 writes "Malware could block your access to the internet – but in some cases by those on the right side of the security fence, who are deploying tactics such as blocked ports, letters in the mail and PCs quarantined from the net to combat the most damaging threats. The DNS Changer clean up saw some PCs prevented from accessing the web. Should such tactics be used more often to prevent malware from spreading — or is that taking security a step too far?"
My local university does this. It's actually a pretty good idea if it's done right. Of course, the other side of the reality is that in addition to knocking infected computers off of the internet, my university also knocks off computers suspected of internet piracy. If you torrent anything on campus, even a legitimate download, you have to go to the Computing Services office to explain yourself and get it back online.
Our internet service providers are often our media providers. Comcast, AT&T, Time Warner, etc, are all interested in the idea of controlling your access to things like that, and if they're given free range to scan your computer and knock them off the internet - they will certainly look for evidence of torrenting as well.
because it will drop the IE part in the browser statistics to zero... :-)
This will be abused. Life is too short to list how and why. Let's just say that people will be knocked off (up?) for expressing something "offensive". Feel free to define that as you wish. The authorities and fanbois will.
“He’s not deformed, he’s just drunk!”
It is a perfect scenario when it comes to security - but at some point, so many machines will be offline that this kind of thing would affect the numbers of audiences in several services. So many people would be offline and so many companies will lose money that they will opt for solutions to circumvent this. By the end of the day, it would be ineffective.
...the ISP provides the only outbound connections as solutions to the problem, or only blocks those methods by which that particular detected malware spreads. Additionally the system must assume clean and only cut off for a limited time and automatically assume clean again. Without those protections the system would be ripe for abuse including using the claim of malware to restrict groups.
In short, I don't think that it'll work. If it would, we wouldn't have a malware problem in the first place.
Can someone explain how software developers aren't at least partially legally responsible for their faulty software allowing maliciousness to spread through them in the first place?
Do not look into laser with remaining eye.
...In other unrelated news, when I had tuberculosis all the restaurants in my area kicked me out when they found me coughing on their salad bars. How dare they stifle my freedoms! Police state!
Active scanning of all those packets would just introduce more latency. It also boils down to who is going to pay and who should?
ISPs would have more support costs which means increased cost for all customers.
End-users could probably be reasonably expected to pay a repair shop to clean their machine if they don't know how.
It boils down to money.
If a security suite detects a virus and doesn't quarantine that computer, it is only putting all the other computers on the network at risk. If quarantining upon detection happened to the majority of networked computers, then there would be "herd immunity" protection for computers both with and without antivirus protection.
Have gnu, will travel.
Why publicly introduce censorship, if you can call it "computer infected by malware".
'nuff said.
My ISP xs4all.nl, one of the most reputable when it comes to internet freedom, will shut a subscriber's net access down when there is good indication of infection.
The way they do it is smart, you get a mail on your administrative account and you are diverted to a message explaining why you can only access the net via the ISP's own proxy.
The last is to give you a chance to get on-line help or updates.
Once you can convince the helpdesk you have cleaned up your computer(s) they'll switch you back on.
The helpdesk is also very helpful to the clueless on how to clean up their computer.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
The thing is, a malware infected system that is attacking other systems is broken - just usually in a way the user of that system does not notice.
But broken it is, and all blocking/damaging the system does is make it apparent to the user of that system that it is broken, so that they can fix it (or buy a new system).
It's yet another reason why backups are very important...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
If it's possible to detect with a relatively high degree of certainty that a given customer's account is being used by a machine that's infected then I very much support turning them off and giving them a phone call/email/letter. But that's (potentially) a big if.
If they had a working anti-malware software on their boxes, this wouldn’t have happened in the first place.
So obviously, they have to download it somewhere. (Obviously with another non-infected boot medium.)
How will they do that, if you cut their access? (Oh, and how do you know it’s infected anyway? DPI on a port told you? Well, why don't you just block such connections then??)
This is really stupid. A half-assed "solution" for lazy people. But hey, lazy, dumb and ignorant are the new efficient, intelligent, cool! So who am I to know better, with my... *facts*?
They don't need to boot you off the internet, they just need to firewall all ports except TCP 80 and http-redirect all your browser requests to a 'you're infected' page with links to freeware virus scanners for download and a help phone number.
If a PC is infected with, for example, a spam generator, then it's arguably subject to being prevented from sending spam. No more than that, mind you! Cutting off all access because Bill doesn't do security well is cruel and unusual punishment (:-))
To make it past the scrutiny of the courts, we should pattern our response to infected PCs on the existing laws about assault and public health:
If we apply this to ports, a PC could have port 25 blocked with a "599 You have a spam virus, call us at (416) 555-1212 for more information"
Similarly if the virus was one which tries to spread via connections to port 22, you might find you can't use ssh/scp/sftp outbound from your system.
The latter poses a notification problem: it's not easy to capture ssh setup sequences and send a message to the user.
It might be hard to complain about being blocked from spamming, but if you aren't informed you have a virus, you can't stop spamming, and can legitimately complain about being blocked "secretly". It might be necessary to use a scheme to redirect http to a notification page before letting it go elsewhere, somewhat like hotels do. In any case, the person doing the blocking would need to make a serious, good-faith effort to notify the person who's being blocked.
Blocking is a new problem for computer science to debate, but it's very similar to long-solved "public health" problems in the world where viruses are composed of atoms, so we can borrow some of the cures from there.
--dave
Of course it's taking it too far!
A random remote PC should not affect you in any meaningful way. If it does, we have bigger problems to solve first.
Also: define 'infected'. This is just asking for trouble..
The DNS Changer clean up saw some PCs prevented from accessing the web.
No, the malware would have done that after the fraudulent DNS servers got shut down. DNS Changer is a case where COMPROMISED SYSTEMS WERE ACTIVELY KEPT ON THE NETWORK; what should have been done is that those machines should have been allowed to fail to resolve hosts after the fake DNS servers were shut down. That would have had them fixed literally months sooner.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
My ISP, xs4all blocks my connection automatically when trojans or other malware starts to make outbound connections.
I know this as I am responsible for several people on this connection, one of them connected a laptop which triggered this.
When this happens all my ports are closed at the ISP and I get a notice to connect to their proxy server so that I can download protective means.
When I solve the issue I get a checkup, and after that all goes well: the ports are reconnected.
Your 14.99USD a month means you can play how you want. The other 24 raiders' 359.76USD says know how to play your role or gtfo. (Or something along those lines.)
Non-Warcraft version: Yeah, you pay for your Internet access (probably), but when you start interfering with other people's access (at the very least)... Yeah, you can kiss your access goodbye until you clean the infection. Go ask some neighborhood kid if you need help doing that.
That depends upon what the infection is.
In many cases, the infection is a worm that attempts to connect to other machines on known ports with known connection strings. This is how network-based Intrusion Detection Systems (IDS) work.
Let's not bullshit around here. The idea of kicking people off the Internet because of "malware" is about the opposite of security.
We've already had the RIAA and MPAA try to portray any copied media as malware. There are hacks that will allow you to play your legitimately-purchased game without having to have the disk in the drive that are seen as malware by the major antivirus software.
How many times over the years have you had to tell your antivirus software to ignore a false positive? What if you'd been thrown off the Internet every time that happened? How long before the big content providers start using this approach to create an ad hoc "two strikes" policy? Or "one strike"?
Now how about if Comcast decides that if your system is kicked off the Internet for having "malware" that they won't let you use your broadband connection until they are allowed to scan your system remotely?
Anything that smacks of this kind of centralized, or even potentially centralized control is bad news. Even if it's not centralized now, you know it will be if Comcast (and others) have their way.
Look, just provide broadband to my house. I'll protect myself and you protect yourself. Unfortunately, the days of just getting "plain old broadband" to your house and then being left alone seem to be dwindling. More and more our use of the Internet is being monitored, tracked. How long before we're knocked off if we don't allow ads in our browsers? Maybe they'll declare ad-block to be "malware".
You are welcome on my lawn.
Who defines what is malware if this happens.
I have no doubt that if the ISP in question is also a media company, programs that access the internet and belong to their competitors 'might' occasionally be flagged as malware.
I can also see that alternative OSes could theoretically be flagged as such.
But above 'all', how could they determine if malware is installed simply from the ISP side, without requiring special programs on their customers' PCs to access their services?
Back in olden days, this went without saying. If your system was infected with a worm and you didn't take prompt action to clean it up, you were disconnected from the net. Likewise with other conduct unbecoming of a host on the internet, like forging Usenet cancels or sending spam. After all, access to the Internet was a privilege, not a right. A college with net access was expected to police its users, the university or cooperative that provided the college with access was expected to police them, and so on. There was a chain of responsibility all the way from the end-user to the backbone. That all changed over the course of the 1990s, as the Internet was opened to anyone with an adequate checking account, and the proliferation of commercial ISPs made it trivially easy for a cracker to move from one account to another, so the threat of being banished from the net lost its teeth.
http://alternatives.rzero.com/
It really depends on where the "knocking off" happens. If the FBI knocks off some bot's C&C network, then it's fair game. If an ISP were to start blocking ports, addresses, etc, for "spam" reasons, it's the start of a slippery slope. I've always been against sender-side spam mitigation for this exact reason.
Yes, spam/bots are annoying as hell, but it's not the ISP's responsibility. Anything less threatens the very nature of the Internet as an open platform.
Many blocked users will just buy another computer and get infected again. Education is really the key to fixing this, but I have no idea how we could realistically educate everyone (requiring a license to use the internet is not realistic).
On topic, if my machine was infected, I wouldn't have a problem being booted off the 'Net because it probably means that my security software didn't catch it. And it also means that, if I'm kicked off, then any malware couldn't be uploading my critical information - like logins to my banks. Then I can go and fix the problem if I can.
People who are being spammed by your PC can legitimately use the minimum force necessary to stop the harm, not including shooting it or you. This is the starting point in law: a harmed individual, who has some limited rights to respond in self-defense.
If your PC is trying to infect theirs, they can tell the local board of health, and have you asked to quarantine yourself until the disease is cured. In this case, the board of health is the ISP, and they're asking you every time you try to send spam/viruses. They're allowed to wear a surgical mask while asking, as well, in this case over their port 25. They're not allowed to put you in an impervious plastic bag to stop you from breathing: that's not minimum force.
If you or your PC resists being quarantined, they can apply to the courts for an order to have the PC locked up and treated against its will. That's a real court, with real judges and court orders, not an ISP. In that case you can argue against it, but you'd better have a legally valid reason, not "you can't do that to me". And if necessary you can object, and argue it out before a judge.
--dave
davecb@spamcop.net
I use Internet Explorer 6, make damn sure not to run Windows Update, and reinstall XP every year with SP2 on all my family's computers. My copy is a real fast one from filemonsterswarez.ru so I do not worry about malware. I don't run a router or any other crap that can slow down my computer. My Clean PC says everything is OK so I don't worry. When some asshole threatens to limit my access to the net by blocking all my computers from accessing the web I get really pissed!
Some of the responses I'm seeing so far from other Slashdotters is amazing given the support towards Net Neutrality. You do not get to determine what is "malicious" from your point of view and decide whether to keep it on or off the Internet. It gets sent out, period.
- If my home ISP, workplace, campus connection, etc. has in writing via a TOS they can quarantine me from the rest of the internet for being contagious, I'm good with that.
- If said home ISP, workplace, campus connection, etc. suddenly decides to cut my connection without my consent and without the TOS stating they can do so, then I have problems with that. That changes the TOS by which I chose to interact with the other party originally.
- Give me advance notice, and I can choose to continue using that service or not for Internet connection.
Case in point: I no longer frequent Panera Bread for food+Internet access given certain locations limit how long (usually 30 min) you can use their WiFi during peak periods. They did give notice of their change in TOS in writing prior to my using their Wifi. I will continue to eat at Panera Bread if I don't need internet access ... that didn't change. I will not eat there if I need internet access ... that did change.
It depends on the Terms of Service. Not much more discussion to be had.
We don't let people drive unsafe cars on the roads, or connect non-FCC certified equipment to the telephone network, or fly uninspected airplanes over other people's rooftops, so why should we let infected computers onto the Internet?
If it's clearly infected, you quarantine it and make sure all that can be accessed from that machine is instructions on how to remove the infection, updates for virus scanners, etc. Basic common sense.
I once accidentally connected an unprotected unpatched Windows machine onto the internet--it was a test machine that was not supposed to ever be connected to the wider network. I got an email from my ISP complaining about it and informing me that they'd cut off its access. The only anger I felt was at myself for having screwed up. My ISP did the right thing, isolating the damage from my mistake to within my own network.
when you think about treacherous computing and remote attestation...
Yes, for all cases like DNS Changer the best thing to do is take any C&C systems offline and make no attempt to mitigate any side effects. LEA caused countless thousands to go on about their daily activities with compromised systems and not know about it. Shutting off the damn C&C would have immediately caused these people to realize they were hacked or hire someone to determine the same. Instead, continuing to run the DNS service hid this fact, potentially unnecessarily endangering people with compromised systems.
Now if the question is should you deliberately disconnect someone from the Internet if you don't like or suspect the packets they are sending, the answer is hell no.
what about false positives? Norton and McAfee had issues with that.
Now think of how bad it can be if say windows based systems got flagged and kicked off.
Anyone who needs a service and can't access it? Call your helpdesk. If you know you need a port, or domain name, or IP accessible to you? Call them. If you are connecting to a specific port 50 times a day that isn't a specified normal type of service... one phone call can make it open up. But millions of zombies on a huge botnet are a problem... to everyone. More spam, more network traffic, etc. Cut all known access, with a 100% failsafe by email or phone call of the alleged victim. Net neutrality in some technical definitions aside, people can access all free speech, all content, etc... it just takes a phone call if they mimic infected machines.
Wouldn't it be great if nobody who criticized the government could send their message to anyone who is not already a dissident? Let's write a worm that checks what people are writing, then hides from them the fact that only fellow dissidents are seeing their emails/usenet posts/facebook feeds!
Palm trees and 8
One problem in large environments is PCs trying to write infected files to shares. I found one way to address this is to flag the users writing the files. Some antivirus solutions would give you the account name trying to write the infected file to the server and even send an email to an admin. A group can be created in AD for these infected users. A GPO can be pushed out for "deny network logon" to the group. The users can be removed from the group when their PCs are marked clean. It might take some time for the user's group membership to update.
q-net ( http://www.quarantainenet.nl/ - dutch ) has been doing this for some years now, but in a user friendly way. They deploy honeypots which find hosts that are actively trying to infect other hosts and put them in a separate quarantined subnet. If a user's computer is in this net, any http request is routed to a webpage explaining that his/her computer is infected and what to do about it. Some domains are still working, namely those needed to fix it, e.g. microsoft.com or antivirus software suppliers. All other webpages are redirected to the help page.
This software is something that your provider or company installs to help protect the whole network. I don't think this needs to be inherently evil, but you do need to provide options for users for self help and options to remove themselves from the quarantine once they have fixed the problem. Using honeypots or other non intrusive detection mechanisms also prevents any privacy problems.
PS. I'm not an employee of quarantainenet, but I know most of them :)
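The scheme discussed in this thread, honeypot-driven detection followed by a quarantine that still lets the machine reach update and antivirus sites, as an added example. This is not code from quarantainenet or from any poster here; it is a toy controller written for illustration. Detection uses three signals the thread mentions (a hit on a honeypot address, a known worm string on a known port as a network IDS would match it, and outbound SMTP volume), and the response follows the port-level ideas above: reject port 25 with the "599" notification text quoted earlier, steer HTTP to a help page, and allow only the remediation domains. Every address, domain, signature and threshold below is constructed for the example.

```python
# Added example, not code from quarantainenet or from the posters on this page.
# All addresses, domains, signatures and thresholds are constructed.
from typing import Dict, Set, Tuple

HELP_PAGE = "http://help.isp.example/infected"                 # assumed notification page
REMEDIATION_DOMAINS = {"microsoft.com", "av-vendor.example"}   # still reachable while quarantined
HONEYPOTS = {"192.0.2.250", "192.0.2.251"}                     # constructed honeypot addresses
SPAM_THRESHOLD = 100                                           # outbound SMTP connections before flagging
# Constructed IDS-style signatures: (destination port, payload prefix) -> behaviour name
SIGNATURES = {(22, b"SSH-2.0-EvilWorm"): "ssh-worm"}
SPAM_REPLY = "599 You have a spam virus, call us at (416) 555-1212 for more information"


def remediation_host(host: str) -> bool:
    """True if host is one of the allowlisted domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in REMEDIATION_DOMAINS)


class QuarantineController:
    def __init__(self) -> None:
        self.infected: Dict[str, Set[str]] = {}   # src ip -> behaviours observed
        self.smtp_counts: Dict[str, int] = {}     # src ip -> outbound SMTP connections seen

    def observe(self, src: str, dst: str, port: int, payload: bytes = b"") -> Set[str]:
        """Feed one outbound connection record; returns the behaviours it newly evidences."""
        reasons: Set[str] = set()
        if dst in HONEYPOTS:
            reasons.add("honeypot")               # nothing legitimate talks to a honeypot
        for (sig_port, prefix), name in SIGNATURES.items():
            if port == sig_port and payload.startswith(prefix):
                reasons.add(name)                 # known port + known connection string
        if port == 25:
            self.smtp_counts[src] = self.smtp_counts.get(src, 0) + 1
            if self.smtp_counts[src] > SPAM_THRESHOLD:
                reasons.add("spam")               # a dorm PC does not send this much mail
        if reasons:
            self.infected.setdefault(src, set()).update(reasons)
        return reasons

    def decide(self, src: str, host: str, port: int) -> Tuple[str, str]:
        """Policy for a new connection from src: ('allow'|'reject'|'redirect'|'drop', detail)."""
        if src not in self.infected:
            return ("allow", "")
        reasons = self.infected[src]
        if port == 25 and "spam" in reasons:
            return ("reject", SPAM_REPLY)         # in-band notification the sender can see
        if port in (80, 443) and remediation_host(host):
            return ("allow", "")                  # updates and AV downloads keep working
        if port == 80:
            return ("redirect", HELP_PAGE)        # captive-portal style explanation page
        return ("drop", "")                       # everything else; HTTPS cannot be redirected cleanly

    def release(self, src: str) -> None:
        """Helpdesk verified the machine is clean: restore full access and reset counters."""
        self.infected.pop(src, None)
        self.smtp_counts.pop(src, None)


if __name__ == "__main__":
    ctl = QuarantineController()
    ctl.observe("203.0.113.5", "192.0.2.250", 445)         # a laptop probing a honeypot
    print(ctl.decide("203.0.113.5", "example.org", 80))    # ('redirect', 'http://help.isp.example/infected')
    print(ctl.decide("203.0.113.5", "www.microsoft.com", 80))  # ('allow', '')
```

The controller never takes the host fully offline: the notification travels in-band (SMTP reply or HTTP redirect), which is the point several posters make about not blocking "secretly", and `release` is the helpdesk-verified path back to normal service.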
My ISP cut off my internet connection after accusing me of spamming while providing no evidence that I was. I blocked port 25 at my router but that wasn't good enough for them. Since I couldn't connect to the internet I couldn't install any sort of anti-malware software. And once I did, I found it wasn't infected with anything. And I never got anything from my ISP showing what was going on.
They wanted to have a tech come in and check things out and have third party validation that my computers were clean. I told them the only tech coming in my house would be a competing ISP. And they could pound sand if they thought I was going to pay someone to inspect my computer which I need running and on-line to do my job of web development.
All without any actual documentation to show what they were accusing me of. They didn't even contact me before shutting off my internet to see if we could do a quick fix if needed. It's a good thing their competitor is Century Link (previously known as Qwest).
The only reason I got quick resolution is because they had a local office I went to and started in on them there. Their phone support kept trying to pass me off and just refused to do anything. They had customers hearing about how they just shut off my internet connection for no reason and with no warning so that was a bit of motivation for them to stop being morons.
I really hate that Qwest is the only competitor. I unblocked port 25 recently and if they give me grief again I'm done since there's no other option. Turns out, sites in progress have various email features that need to be checked.
Work Safe Porn
It is not as though you will be shot in the head if malware is detected. You call up your ISP and ask to know what happened, they explain, and then you tell them that you were running some application that is not actually malware, and you should get reconnected, at least in theory. In practice, things are probably going to be a bit different, but again, this is not permanent.
In Denmark, if you drive without a valid license, the third time the car can be confiscated and scrapped/sold.
No matter whether you own the car or not, as it is illegal to lend your car to someone without a license.
So other than Windows Defender Offline, what live CDs are available that can be updated without downloading a full disc EVERY TIME??
(bonus if you can load the payload onto flash media for systems without a ROM drive and Double Bonus if a single copy can do both 32 and 64 bit)
Why did AV publishers stop doing live install CDs??
Any person using FTFY or editing my postings agrees to a US$50.00 charge
While I think kicking infected computers off-line is a good idea, it does raise serious questions as to how malware is defined and detected. For example, I once talked with an ISP rep, years ago, who said their company was trying to cut down on malware. To get on-line they required their customers to install their anti-virus and protection software. I guess the software would report home with its status and that would cause the ISP to allow/block the computer. The kicker was the software was Windows-only, meaning users of OS X, Linux, etc were out of luck.
I guess what I'm getting at is, removing legitimately infected machines from the network may be good, but I'm not sure I would trust any ISP to know what is really malware, what is an unknown and what is simply high (and legitimate) network use.
That is, if you get stuck with the call center script readers, who may just say reload your OS, or maybe even say delete the app called Windows Explorer (talking about the system one), as they may just need the name of the flagged app, or even say that as part of your ISP account you get Norton Security Suite for free, so install that and run a scan, even when, say, Microsoft Security Essentials is way better.
This sounds like it will work exactly as well as DMCA counternotices.
Most reasonable people will see suspending internet access to machines that are highly probable to be infected to be a good idea.
Every time this thread comes up, a few trolls file in and insist it's a privacy violation to notice your dorm PC is sending out 500,000 emails a day, or that it's somehow not the user's responsibility to keep their machine from being an aggressive problem/danger to the internet if they're not computer-savvy.
We all know it's a good idea, for the same reason that requiring passing a driving test to get a license (and taking it away if you can't stop running into people) is a good idea. Support it, do it, end.
I work for the Department of Redundancy Department.
Disagree with the consensus and your posts will be modded down and hidden away.
The security of those around you depends on your security; people with little knowledge should be offline permanently.
What they should be doing is random monitoring of packets looking for malware coming across. Once they locate one of the systems as having malware, they could simply give the PC a local address and re-direct all output to a master system that will then notify the system on HTTP request that it is infected.
By taking such an action, they simply bump off infected systems until they clean it up, or call the ISP's help desk and prove that it is NOT malware.
By the same token, if an ISP notices that a system is coming from an ISP that has an infected system, they might want to say that once a certain percentage of systems are infected that they will cut off ALL of their systems. This would actually pressure ISPs to clean up.
I prefer the "u" in honour as it seems to be missing these days.
We license drivers of cars on public roads so we can have a basic level of competence on the roads we all use and need. We demand cars are smogged and registered so we can all breathe and don't have unsafe clunkers on those same public roads. Why isn't there a demand for a basic level of competence for the user of a system that is connected to our public Internet? Why isn't there a test to ascertain if it is safe to connect a system to the public Internet? I clean malware-riddled systems for a living, and the worst offenders are the computer-illiterate users who will click on ANY link put in front of them. If we had some kind of mandatory public education and testing for these people BEFORE they connect to the public resource we now need, there would be a drop in malware proliferation of an order so far unseen. At the risk of losing my current livelihood, I say "Trust but Verify".
Yes, but which OS does all this malware run on?
Would this be reasonable to implement for ISPs? I thought that their systems were designed to route packets, and in some cases to throttle traffic, not to scan for malware. It seems that the memory and CPU required for consumer ISPs to implement this would be too great. Maybe that's the reason why speeds aren't faster, they're trying to put all this intelligence in the network.
How long until someone snail-mail spams entire communities with install media for a supposedly mandatory security software package purportedly from the Internet provider who has the dominant market share? Seems like faking a mandatory install security software CD/DVD would be a wonderful way to root unsuspecting sheeple with whatever flavor of malware a blackhat desired.
You know, this reminds me of this quote: "You know how to cure AIDS? Kill everyone who has AIDS." It's not right.
~Jarmihi
Nobody is proposing a solution with that level of finality. What we are saying is; like your car, there are times that you can't pass a safety inspection. We've tried asking nicely, but some people just won't get those brake lights fixed. So, we're having it impounded. You can have it towed to a repair shop, get it fixed and be on your way. And only be out a few hundred dollars.
Or more accurately, a former ISP, I used to do this all the time. I had a dynamic list of ports that were blocked at the router and updated it pretty much daily, as well as measures to divert infected customers to a "You are infected with a virus" web page. Pretty much 90% of the customers affected by these measures were grateful for them (i.e. only 10% of them bitching and moaning about being 'abused' by being blocked).
The 10% that moaned were politely reminded again of our TOS. Many of them closed their accounts. Double win for me - get them off my network AND get them onto a competitor's network.
That was in 1998. I left in 2001 but the ISP in question remains that country's biggest and most successful ISP.
Who's to say what constitutes an "infected" PC? How is that to be determined? Who decides the criteria for this? I see a LOT of danger in such pre-emptive actions.
I've seen way too many people who don't know any better doing bad things. People have been quarantining sick people --interfering with the spread of infection-- for centuries. The digital world is no different. We need to stop infections in their tracks. Some people don't mind spreading disease like HIV and AIDS and ILUVYOU, but we have to stop them. Kick infected machines off the net? Give them notice, and shut them down!
I can see the re-tweets now:
"Your computer is infected and internet access has been disabled. Click Here[www.malware-infection.site] to restore."
Javascript, cookies, flash, and ActiveX must be enabled in order to view this sig.
They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.
Read that. Then memorize it. Then never forget. Please. Thanks.
The problem with that quote is that the people who like to use it never analyze what "essential" or "temporary" mean, either in the context of the original quote or in their personal situation.
This kind of shit got me kicked from our campus network. Why?
The combination of OpenSuSE + IRC was clear evidence my system was infected by malware and controlled by a C&C server.
I'm professional Russian, so I got VPN network from friend Yuri back at home. Now everything is fine again, but f*ck that BOFH!
"Let he without fault cast the first stone"
(replace "he" with "she" if you're a monty python fan)
I'm intrigued. Do you also have part-time Russians? And what do they do when they're not Russians?
Just curious..
Clueless BOFHs are always an irritation, because there is a curious correlation between how clueless they are and how deeply they suffer from a God complex..
(and yes, I've been known to take a number of them down a couple of pegs).
It is not as though you will be shot in the head if malware is detected. You call up your ISP and ask to know what happened, they explain, and then you tell them that you were running some application that is not actually malware, and you should get reconnected, at least in theory. In practice, things are probably going to be a bit different, but again, this is not permanent.
I can't believe you're saying this. I had come to respect you; you usually post great comments that speak to the values I hold dear, but this one is utter garbage.
Others have addressed how this would be abused by corporate/government interests. I will add that I share access with two other people, and I personally transfer approximately 100 gigabytes/day. I don't have the time or inclination to fool around with a goddamn telephone every time this corporation (which is paid to provide a reliable service) fucks up my connection because they didn't like a packet they shouldn't have inspected. If you want it... I can't fix that... but I would still oppose it, because I actually give a shit about the freedoms that you and others have.
Thank you, Edward Snowden.
"Arguments from authority are worthless." —Carl Sagan
Well, I am flattered that you have faith in me, so let me defend what I said.
Yes, this can be abused; however, the Internet is already being used to spread malware written by governments, which are being used in some cases to spy on dissidents and suppress free speech. If I saw something like FinFisher or Stuxnet on a network I control, you can bet that I would disconnect that system. If there was, in fact, a good reason for that software to be running, the person running it can take a few minutes to explain what they are doing, and I can reconnect them.
Sure, a government could silence dissidents by sending them malware and getting their ISP to disconnect them, but that is not the direction that we are seeing. Governments tend to prefer to spy on dissidents, then use that insider knowledge to shape their own propaganda. We have also started to see governments "desynchronize" communication, so that dissidents are only communicating with other dissidents, thus reducing the chance that they will become aware that they are not actually getting their message out.
Now, if you are concerned about your packets being inspected, you should encrypt your traffic and possibly route it through Tor or I2P. I would prefer to see that become more widely deployed than to say that we should allow botnet nodes that are actually being used for harm (say, to run a denial of service attack) to remain connected to the Internet, or that the FBI should be maintaining DNS servers for people who are not even aware that they have some worm installed. I already assume that anything I do online is being monitored, because everything I do online is actually being monitored (I am at a university that has little respect for privacy).
Look, we already block spammers with this sort of thing, and there are few who would really complain about it. We can still protect our privacy by encrypting our mail and using anonymous remailers, and we are not stuck relying on the services of large corporations. Yes, spammers still find a way, and I am sure that malware writers will still find a way; but the freedoms you care about are not going to be threatened by having ISPs stop malicious systems from connecting, any more than spam greylisting and filtering has threatened your freedom (and if FinFisher mail was dropped by the mail server, a lot of dissidents in Bahrain and Turkmenistan would be safer).
Let the customer choose.
At the time he signs up for service, the customer can get 3 choices:
* Please put me in a walled garden if I seem to be infected, and send me instructions to bypass the walled garden if it's a mistake and I'm not infected.
* I know what I'm doing, please just alert me if I appear infected and I'll take care of it.
* I value my privacy. Don't monitor my computers at all.
Those who take the last two choices and who are actually infected and causing harm to others will get a limited number of opportunities before they are forced to accept choice one.
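The opt-in policy proposed in this post, as an added example that is not part of the original post: a small state machine in which a subscriber picks one of the three choices at sign-up, and those on choices two and three who are actually causing harm to others get a limited number of opportunities before being forced onto choice one. The strike limit, the account names and the two report sources (the ISP's own monitoring versus an external abuse complaint) are assumptions made for this example; the post itself fixes none of them.

```python
# Added example, not code from the poster.  MAX_STRIKES, the account names and
# the 'monitoring' / 'complaint' report sources are assumptions of this example.
from dataclasses import dataclass
from enum import Enum


class Choice(Enum):
    WALLED_GARDEN = 1    # quarantine me if I seem infected, send bypass instructions if wrong
    ALERT_ONLY = 2       # I know what I'm doing, just alert me
    NO_MONITORING = 3    # I value my privacy, don't monitor my computers at all


MAX_STRIKES = 3  # assumed number of opportunities before choice 1 is forced


@dataclass
class Subscriber:
    account: str
    choice: Choice
    strikes: int = 0
    forced: bool = False


def handle_report(sub: Subscriber, source: str, harming_others: bool) -> str:
    """Apply one infection report to a subscriber and return the action taken.

    source is 'monitoring' (the ISP's own detection) or 'complaint' (a report
    from someone the machine is hitting).  Choice 3 means the ISP does not look
    at the subscriber's traffic, so its own monitoring reports are discarded;
    complaints from the people being harmed still count.
    """
    if sub.choice is Choice.NO_MONITORING and source == "monitoring":
        return "ignored"
    if sub.choice is Choice.WALLED_GARDEN:
        return "quarantine"            # walled garden plus instructions to get out of it
    if not harming_others:
        # Suspected infection that is not hurting anyone else: choice 2 gets an
        # alert, choice 3 hears nothing.
        return "alert" if sub.choice is Choice.ALERT_ONLY else "none"
    sub.strikes += 1
    if sub.strikes >= MAX_STRIKES:
        sub.choice = Choice.WALLED_GARDEN   # opportunities used up
        sub.forced = True
        return "forced-quarantine"
    return "alert"                          # others are being harmed, so even choice 3 is told


def retract_strike(sub: Subscriber) -> None:
    """Helpdesk confirmed a false positive: that opportunity is not used up."""
    if sub.strikes > 0:
        sub.strikes -= 1


if __name__ == "__main__":
    alice = Subscriber("alice", Choice.NO_MONITORING)   # constructed account
    for n in range(MAX_STRIKES):
        print(n + 1, handle_report(alice, "complaint", harming_others=True))
    print(alice.choice, alice.forced)
```

The interesting edge is choice three: the ISP honours the "don't monitor" request by dropping its own detections, but complaints from the neighbours the machine is attacking still consume the subscriber's opportunities, which is what the post's last sentence asks for.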
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.