Slashdot Mirror
Knocking Infected PCs Off the Internet
nk497 writes "Malware could block your access to the internet – but in some cases by those on the right side of the security fence, who are deploying tactics such as blocked ports, letters in the mail and PCs quarantined from the net to combat the most damaging threats. The DNS Changer clean up saw some PCs prevented from accessing the web. Should such tactics be used more often to prevent malware from spreading — or is that taking security a step too far?"
My local university does this. It's actually a pretty good idea if it's done right. Of course, the other side of the reality is that in addition to knocking infected computers off of the internet, my university also knocks off computers suspected of internet piracy. If you torrent anything on campus, even a legitimate download, you have to go to the Computing Services office to explain yourself and get it back online.
Our internet service providers are often our media providers. Comcast, AT&T, Time Warner, etc, are all interested in the idea of controlling your access to things like that, and if they're given free range to scan your computer and knock them off the internet - they will certainly look for evidence of torrenting as well.
because it will drop the IE part in the browser statistics to zero... :-)
This will be abused. Life is too short to list how and why. Let's just say that people will be knocked off (up?) for expressing something "offensive". Feel free to define that as you wish. The authorities and fanbois will.
“He’s not deformed, he’s just drunk!”
...In other unrelated news, when I had tuberculosis all the restaurants in my area kicked me out when they found me coughing on their salad bars. How dare they stifle my freedoms! Police state!
Why publically introduce censorship, if you can call it "computer infected by malware".
'nuff said.
My ISP xs4all.nl, one of the most reputable when it comes to internet freedom, will shut a subscriber's net access down when there is good indication of infection.
The way they do it is smart, you get a mail on your administrative account and you are diverted to a message explaining why you can only access the net via the ISP's own proxy.
The last is to give you a chance to get on-line help or updates.
Once you can convince the helpdesk you have cleaned up your computer(s) they'll switch you back on.
The helpdesk is also very helpful to the clueless on how to clean up their computer.
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
The thing is, a malware infected system that is attacking other systems is broken - just usually in a way the user of that system does not notice.
But broken it is, and all blocking/damaging the system does is make it apparent to the user of that system that it is broken, so that they can fix it (or buy a new system).
It's yet another reason why backups are very important...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
That depends upon what the infection is.
In many cases, the infection is a worm that attempts to connect to other machines on known ports with known connection strings. This is how network-based Intrusion Detection Systems (IDS) work.
Let's not bullshit around here. The idea of kicking people off the Internet because of "malware" is about the opposite of security.
We've already had the RIAA and MPAA try to portray any copied media as malware. There are hacks that will allow you to play you legitimately-purchased game without having to have the disk in the drive that are seen as malware by the major antivirus software.
How many times over the years have you had to tell your antivirus software to ignore a false positive? What if you'd been thrown off the Internet every time that happened? How long before the big content providers start using this approach to create an ad hoc "two strikes" policy? Or "one strike"?
Now how about if Comcast decides that if your system is kicked off the Internet for having "malware" that they won't let you use your broadband connection until they are allowed to scan your system remotely?
Anything that smacks of this kind of centralized, or even potentially centralized control is bad news. Even if it's not centralized now, you know it will be if Comcast (and others) have their way.
Look, just provide broadband to my house. I'll protect myself and you protect yourself. Unfortunately, the days of just getting "plain old broadband" to your house and then being left alone seem to be dwindling. More and more our use of the Internet is being monitored, tracked. How long before we're knocked off if we don't allow ads in our browsers? Maybe they'll declare ad-block to be "malware".
You are welcome on my lawn.
Who defines what is malware if this happens.
I have no doubt that if the isp in question is also a media company, programs that access the internet and are of their competitor's 'might' occasionally be flagged as malware.
I can also see that alternative o.s.'s could theoretically be flagged as such.
But above 'all' how could they determine if malware is installed simply from the isp side and without requiring special programs on their customer's pc's to access their services.
Back in olden days, this went without saying. If your system was infected with a worm and you didn't take prompt action to clean it up, you were disconnected from the net. Likewise with other conduct unbecoming of a host on the internet, like forging Usenet cancels or sending spam. After all, access to the Internet was a privilege, not a right. A college with net access was expected to police its users, the university or cooperative that provided the college with access was expected to police them, and so on. There was a chain of responsibility all the way from the end-user to the backbone. That all changed over the course of the 1990s, as the Internet was opened to anyone with an adequate checking account, and the proliferation of commercial ISPs made it trivially easy for a cracker to move from one account to another, so the threat of being banished from the net lost its teeth.
http://alternatives.rzero.com/
It really depends on where the "knocking off" happens. If the FBI knocks off some bot's C&C network, then it's fair game. If an ISP were to start blocking ports, addresses, etc, for "spam" reasons, it's the start a slippery slope. I've always been against sender-side spam mitigation for this exact reason.
Yes, spam/bots are annoying as hell, but it's not the ISP's responsibility. Anything less threatens the very nature of the Internet as an open platform.
People who are being spammed by your PC can legitimately use the minimum force necessary to stop the harm, not including shooting it or you. This is the starting point in law: a harmed individual, who has some limited rights to respond in self-defense.
If your PC is trying to infect theirs, they can tell the local board of health, and have have you asked to quarantine yourself until the disease is cured. In this case, the board of health is the ISP, and they're asking you every time you try to send spam/viruses. They're allowed to wear a surgical mask while asking, as well, in this case over their port 25. They're not allowed to put you in an impervious plastic bag to stop you from breathing: that's not minimum force.
If you or your PC resists being quarantined, they can apply to the courts for an order to have the PC locked up and treated against it's will. That'a a real court, with real judges and court orders, not an ISP. In that case you can argue against it, but you'd better have a legally valid reason, not "you can't do that to me". And if necessary you can object, and argue it out before a judge.
--dave
davecb@spamcop.net
We don't let people drive unsafe cars on the roads, or connect non-FCC certified equipment to the telephone network, or fly uninspected airplanes over other people's rooftops, so why should we let infected computers onto the Internet?
If it's clearly infected, you quarantine it and make sure all that can be accessed from that machine is instructions on how to remove the infection, updates for virus scanners, etc. Basic common sense.
Yes for all cases like DNS Changer the best thing to do is take any C&C systems offline and make no attempt to mitigate any side effects. LEA caused countless thousands to go on about their daily activities with compromised systems and not know about it. Shutting off the damn C&C would have immediatly caused these people to realize they were hacked or hire someone to determine the same. Instead continuing to run the DNS service hid this fact potentially unecessarily endangering people with compromised systems.
Now if the question is should you deliberatly disconnect someone from the Internet if you don't like or suspect the packets they are sending the answer is hell no.
My ISP cut off my internet connection after accusing me of spamming while providing no evidence that I was. I blocked port 25 at my router but that wasn't good enough for them. Since I couldn't connect to the internet I couldn't install any sort of anti-malware software. And once I did, I found it wasn't infected with anything. And I never got anything from my ISP showing what was going on.
They wanted to have a tech come in and check things out and have third party validation that my computers were clean. I told them the only tech coming in my house would be a competing ISP. And they could pound sand if they thought I was going to pay someone to inspect my computer which I need running and on-line to do my job of web development.
All without any actual documentation to show what they were accusing me off. They didn't even contact me before shutting off my internet to see if we could do a quick fix if needed. It's a good thing their competitor is Century Link (previously known as Qwest).
The only reason I got quick resolution is because they had a local office I went to and started in on them there. Their phone support kept trying to pass me off and just refused to do anything. They had customers hearing about how they just shut off my internet connection for no reason and with no warning so that was a bit of motivation for them to stop being morons.
I really hate that Qwest is the only competitor. I unblocked port 25 recently and if they give me grief again I'm done since there's no other option. Turns out, sites in progress have various email features that need to be checked.
Work Safe Porn