Slashdot Mirror
Knocking Infected PCs Off the Internet
nk497 writes "Malware could block your access to the internet – but in some cases by those on the right side of the security fence, who are deploying tactics such as blocked ports, letters in the mail and PCs quarantined from the net to combat the most damaging threats. The DNS Changer clean up saw some PCs prevented from accessing the web. Should such tactics be used more often to prevent malware from spreading — or is that taking security a step too far?"
My local university does this. It's actually a pretty good idea if it's done right. Of course, the other side of the reality is that in addition to knocking infected computers off of the internet, my university also knocks off computers suspected of internet piracy. If you torrent anything on campus, even a legitimate download, you have to go to the Computing Services office to explain yourself and get it back online.
Our internet service providers are often our media providers. Comcast, AT&T, Time Warner, etc, are all interested in the idea of controlling your access to things like that, and if they're given free range to scan your computer and knock them off the internet - they will certainly look for evidence of torrenting as well.
because it will drop the IE part in the browser statistics to zero... :-)
This will be abused. Life is too short to list how and why. Let's just say that people will be knocked off (up?) for expressing something "offensive". Feel free to define that as you wish. The authorities and fanbois will.
“He’s not deformed, he’s just drunk!”
...the ISP provides the only outbound connections as solutions to the problem, or only blocks those methods by which that particular detected malware spreads. Additionally the system must assume clean and only cut off for a limited time and automatically assume clean again. Without those protections the system would be ripe for abuse including using the claim of malware to restrict groups.
In short, I don't think that it'll work. If it would, we wouldn't have a malware problem in the first place.
Can someone explain how software developers aren't at least partially legally responsible for their faulty software allowing maliciousness to spread through them in the first place?
Do not look into laser with remaining eye.
...In other unrelated news, when I had tuberculosis all the restaurants in my area kicked me out when they found me coughing on their salad bars. How dare they stifle my freedoms! Police state!
Why publically introduce censorship, if you can call it "computer infected by malware".
'nuff said.
My ISP xs4all.nl, one of the most reputable when it comes to internet freedom, will shut a subscriber's net access down when there is good indication of infection.
The way they do it is smart, you get a mail on your administrative account and you are diverted to a message explaining why you can only access the net via the ISP's own proxy.
The last is to give you a chance to get on-line help or updates.
Once you can convince the helpdesk you have cleaned up your computer(s) they'll switch you back on.
The helpdesk is also very helpful to the clueless on how to clean up their computer.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
The thing is, a malware infected system that is attacking other systems is broken - just usually in a way the user of that system does not notice.
But broken it is, and all blocking/damaging the system does is make it apparent to the user of that system that it is broken, so that they can fix it (or buy a new system).
It's yet another reason why backups are very important...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The DNS Changer clean up saw some PCs prevented from accessing the web.
No the maleware would have done that after the fraudulent DNS servers got shutdown. DNS change is a case where COMPROMISED SYSTEMS WERE ACTIVELY KEPT ON THE NETWORK, what should have been done is those machines should have been allowed to fail to resolve hosts, after the fake DNS servers where shut down, than would have had them fixed literally months sooner.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
My ISP, xs4all blocks my connection automatically when trojans or other malware starts to make outbound connections.
I know this as I am responsible for several people on this connection, one of them connected a laptop which triggered this.
When this happens all my ports are closed at the ISP and I get a notice to connect to their proxyserver so that I can download protective means.
When I solve the issue I get a checkup and after that all goes well, the ports are reconnected.
That depends upon what the infection is.
In many cases, the infection is a worm that attempts to connect to other machines on known ports with known connection strings. This is how network-based Intrusion Detection Systems (IDS) work.
Let's not bullshit around here. The idea of kicking people off the Internet because of "malware" is about the opposite of security.
We've already had the RIAA and MPAA try to portray any copied media as malware. There are hacks that will allow you to play you legitimately-purchased game without having to have the disk in the drive that are seen as malware by the major antivirus software.
How many times over the years have you had to tell your antivirus software to ignore a false positive? What if you'd been thrown off the Internet every time that happened? How long before the big content providers start using this approach to create an ad hoc "two strikes" policy? Or "one strike"?
Now how about if Comcast decides that if your system is kicked off the Internet for having "malware" that they won't let you use your broadband connection until they are allowed to scan your system remotely?
Anything that smacks of this kind of centralized, or even potentially centralized control is bad news. Even if it's not centralized now, you know it will be if Comcast (and others) have their way.
Look, just provide broadband to my house. I'll protect myself and you protect yourself. Unfortunately, the days of just getting "plain old broadband" to your house and then being left alone seem to be dwindling. More and more our use of the Internet is being monitored, tracked. How long before we're knocked off if we don't allow ads in our browsers? Maybe they'll declare ad-block to be "malware".
You are welcome on my lawn.
Who defines what is malware if this happens.
I have no doubt that if the isp in question is also a media company, programs that access the internet and are of their competitor's 'might' occasionally be flagged as malware.
I can also see that alternative o.s.'s could theoretically be flagged as such.
But above 'all' how could they determine if malware is installed simply from the isp side and without requiring special programs on their customer's pc's to access their services.
Back in olden days, this went without saying. If your system was infected with a worm and you didn't take prompt action to clean it up, you were disconnected from the net. Likewise with other conduct unbecoming of a host on the internet, like forging Usenet cancels or sending spam. After all, access to the Internet was a privilege, not a right. A college with net access was expected to police its users, the university or cooperative that provided the college with access was expected to police them, and so on. There was a chain of responsibility all the way from the end-user to the backbone. That all changed over the course of the 1990s, as the Internet was opened to anyone with an adequate checking account, and the proliferation of commercial ISPs made it trivially easy for a cracker to move from one account to another, so the threat of being banished from the net lost its teeth.
http://alternatives.rzero.com/
It really depends on where the "knocking off" happens. If the FBI knocks off some bot's C&C network, then it's fair game. If an ISP were to start blocking ports, addresses, etc, for "spam" reasons, it's the start a slippery slope. I've always been against sender-side spam mitigation for this exact reason.
Yes, spam/bots are annoying as hell, but it's not the ISP's responsibility. Anything less threatens the very nature of the Internet as an open platform.
No it's not stupid, the ISP should give limited access via their proxy so you have a chance to download updates etc.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
For DNSChanger, you can easily spot an infection by the fact that it's making DNS queries to a known set of DNS servers owned by the malware authors. Spotting that kind of traffic accurately is trivial. For a lot of other malware once the command-and-control network is identified it's easy to spot infections by their attempts to connect to the C&C servers (an uninfected computer wouldn't have any reason to be trying that). So no need for DPI or anything, a simple Perl script parsing the firewall logs will hand you a neat list of subscriber computers grouped by the pieces of malware they're infected with. I have almost the same script running on my firewall, except it's checking inbound traffic and showing me all access attempts grouped by the service they tried to access.
As for how they're going to fix it without access, they won't. For DNSChanger for instance, given the amount of coverage it got and how long the news was out there, anyone who hadn't fixed it by the time the servers were shut down wasn't going to fix it ever. When you've got people that oblivious, the only way to get their attention is to make the net stop working. At that point they suddenly get real attentive. And since they've proven they're either unable or unwilling to fix their own computers (if they weren't, they'd've done something before now), it's probably better if they're forced to take it to someone who can clean it up.
People who are being spammed by your PC can legitimately use the minimum force necessary to stop the harm, not including shooting it or you. This is the starting point in law: a harmed individual, who has some limited rights to respond in self-defense.
If your PC is trying to infect theirs, they can tell the local board of health, and have have you asked to quarantine yourself until the disease is cured. In this case, the board of health is the ISP, and they're asking you every time you try to send spam/viruses. They're allowed to wear a surgical mask while asking, as well, in this case over their port 25. They're not allowed to put you in an impervious plastic bag to stop you from breathing: that's not minimum force.
If you or your PC resists being quarantined, they can apply to the courts for an order to have the PC locked up and treated against it's will. That'a a real court, with real judges and court orders, not an ISP. In that case you can argue against it, but you'd better have a legally valid reason, not "you can't do that to me". And if necessary you can object, and argue it out before a judge.
--dave
davecb@spamcop.net
Some of the responses I'm seeing so far from other Slashdotters is amazing given the support towards Net Neutrality. You do not get to determine what is "malicious" from your point of view and decide whether to keep it on or off the Internet. It gets sent out, period.
- If my home ISP, workplace, campus connection, etc. has in writing via a TOS they can quarantine me from the rest of the internet for being contagious, I'm good with that.
- If said home ISP, workplace, campus connection, etc. suddenly decides to cut my connection without my consent and without the TOS stating they can do so, then I have problems with that. That changes the TOS by which I chose to interact with the other party originally.
- Give me advanced notice, I can choose to continue using that service or not for Internet connection.
Case in point: I no longer frequent Panera Bread for food+Internet access given certain locations limit how long (usually 30 min) you can use their WiFi during peak periods. They did give notice of their change in TOS in writing prior to my using their Wifi. I will continue to eat at Panera Bread if I don't need internet access ... that didn't change. I will not eat there if I need internet access ... that did change.
It depends on the Terms of Service. Not much more discussion to be had.
We don't let people drive unsafe cars on the roads, or connect non-FCC certified equipment to the telephone network, or fly uninspected airplanes over other people's rooftops, so why should we let infected computers onto the Internet?
If it's clearly infected, you quarantine it and make sure all that can be accessed from that machine is instructions on how to remove the infection, updates for virus scanners, etc. Basic common sense.
Yes for all cases like DNS Changer the best thing to do is take any C&C systems offline and make no attempt to mitigate any side effects. LEA caused countless thousands to go on about their daily activities with compromised systems and not know about it. Shutting off the damn C&C would have immediatly caused these people to realize they were hacked or hire someone to determine the same. Instead continuing to run the DNS service hid this fact potentially unecessarily endangering people with compromised systems.
Now if the question is should you deliberatly disconnect someone from the Internet if you don't like or suspect the packets they are sending the answer is hell no.
My ISP cut off my internet connection after accusing me of spamming while providing no evidence that I was. I blocked port 25 at my router but that wasn't good enough for them. Since I couldn't connect to the internet I couldn't install any sort of anti-malware software. And once I did, I found it wasn't infected with anything. And I never got anything from my ISP showing what was going on.
They wanted to have a tech come in and check things out and have third party validation that my computers were clean. I told them the only tech coming in my house would be a competing ISP. And they could pound sand if they thought I was going to pay someone to inspect my computer which I need running and on-line to do my job of web development.
All without any actual documentation to show what they were accusing me off. They didn't even contact me before shutting off my internet to see if we could do a quick fix if needed. It's a good thing their competitor is Century Link (previously known as Qwest).
The only reason I got quick resolution is because they had a local office I went to and started in on them there. Their phone support kept trying to pass me off and just refused to do anything. They had customers hearing about how they just shut off my internet connection for no reason and with no warning so that was a bit of motivation for them to stop being morons.
I really hate that Qwest is the only competitor. I unblocked port 25 recently and if they give me grief again I'm done since there's no other option. Turns out, sites in progress have various email features that need to be checked.
Work Safe Porn
Simple.
Treat spam as spam no matter who is sending it.
If you get credible complaints, shut the user's access down, period.
Users who are willfully blind to computer security are aiding and abetting.
Here you go. Fill it out yourself:
Your post advocates a
( ) technical ( ) legislative ( ) market-based ( ) vigilante
approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)
( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
( ) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
( ) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business
Specifically, your plan fails to account for
( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
( ) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
( ) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
( ) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
( ) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook
and the following philosophical objections may also apply:
( ) Ideas similar to yours are easy to come up with, yet none have ever
been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
( ) Sending email should be free
( ) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough
Furthermore, this is what I think about you:
( ) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
( ) Nice try, assh0le! I'm going to find out where you live and burn your
house down!
Jesus was all right but his disciples were thick and ordinary. -John Lennon