Welcome to WebmasterWorld Guest from 188.8.131.52
From their press release on Oct 8, 2009:
As part of this effort, starting today in Denver, CO, Comcast will begin to trial an in-browser notification “Service Notice”, which will alert customers whose computers appear to be infected with a bot (or virus) and request that they go to the Anti-Virus Center and follow a set of instructions to assist with removing the bot from their computer and thereby prevent it from spreading to other users.
Apparently the current Denver trial allows users to close the warnings without taking action, but cannot opt out of getting them.
I will assume that eventually the next step, if the user doesn't take these warnings seriously after 15-30 days of inaction, is that Comcast will block them from the web until it's fixed.
This is a massive win in the "score one for bot blockers" column.
Note that this is right on the heals of the DHS announcing adding 1000 new cyber security employees [webmasterworld.com], perhaps a preemptive strike by Comcast to keep government out of their business?
I've been advocating such action on the part of ISPs for a couple of years now and I'm glad to see Comcast taking the first steps to making it happen.
However, if the US takes steps to become botnet clean, will that leave us at odds with the rest of the infected world that will present a security risk if they refuse to take care of their problem?
I am glad someone is helping out on this.
And one great part of this is that most of the really bad part of the web could be scrubbed in a heartbeat if more took this approach.
[edited by: encyclo at 4:54 pm (utc) on Oct. 12, 2009]
[edit reason] fixed typo [/edit]
If major ISPs in the US and elsewhere take similar steps to Comcast's, then that reduces the number of botnets working to infect users all over the world, so everyone benefits.
It's also great that first steps are being taken toward 'prevention' at the network/ISP level rather than relying on individual users to keep their machines 'bot free. Now if only we could see a similar attitude about e-mail spam!
Stopping these problems at their source would be so much better than requiring everyone on earth to run increasingly bloated and performance-draining ant-virus, anti-malware, and anti-spam applications, firewalls, etc. Many of these applications could be 'slimmed-down' if steps could be taken higher-up in the network to prevent bad stuff from propagating in the first place -- I'm certainly not advocating their elimination, but checks at the network layer could very well reduce the burden at the client level.
With 'client activity' monitoring in place, there's also the possibility to collect data needed to locate the 'command and control centers' for botnets. This may raise the perceived risk in running botnets, and if the C&C centers can be quickly shut down or blocked, it will also raise the cost of operating a botnet. So as long as steps are taken to guard ISP users' privacy (by monitoring only for 'bot-related activity and tossing out all other transaction data), it sounds good to me.
How do you see that anti-botnet approach putting the US at odds with the rest of the world?
Let me qualify I see it as putting us at odds against the countries that predominantly run the botnets, which probably brings in quite a bit of income for some places.
If you don't think the botnet herders will retaliate at some level then read what happened with Blue Frog by Blue Security [en.wikipedia.org].
Obviously there's a big difference in approach as Blue Frog was actively going after the advertisers in the spam, but cutting off someone's livelihood can invoke repercussions which Blue Frog and some seriously hardened hosting companies were ill prepared to deal with.
Imagine the panic that could be caused if they attacked sites like eTrade or Wells Fargo and kept people away from their money for a day or more.
Let's just hope Comcast can weather any storm it might cause ;)
It is good for Every body.
I would welcome such activity IF it didn't in itself degrade my computer performance. The problem is, if your machine is behind a router or firewall, how does the ISP get in?
Or are the ISPs using traffic through their service to detect bot activity? In which case there is the recent concern about traffic interception (as in phorm and nebuadd).
I'd be interested in how comcast were getting around these objections. As I said, I'm in favour - providing bot detection is as far as it goes.
On a different note, my web server gets a LOT of bad-bot traffic from comcast but I'm never sure if it's virus-related or hackers.
I don't know how well Comcast is prepared to evade a DDOS attack, but I support their decision to proceed. Otherwise, they (figuratively, we) put ourselves in an ethical quagmire such as that of ignoring blatantly-obvious child abuse because the abusive daddy, you know, might get mad at us if we said anything to anyone...
DDOS is a doubled-edged sword: Sure it disrupts (or at least inconveniences) the attacked party, but it also reveals the members of the attacking network. So attacking an entity that is already monitoring, recording, and acting upon malicious network activity might not be such a smart thing to do.
DDOS is a doubled-edged sword: Sure it disrupts (or at least inconveniences) the attacked party, but it also reveals the members of the attacking network
DDOS also reveals our weaknesses which in the case of Blue Frog and a few others turned out to be the DNS servers which was a massive problem because DDOS'ing the DNS servers knocked out all the customers, not just a single target.
It's the wrong approach: users ignore all pop-up warnings , or act on all of them.
I'm not sure which is worse with all the malware that presents itself as "let us clean your PC from malware".
It's bad to showcase this to the bad guys as they'll adapt to it. And more importantly: use it against the users with fake warnings in the hopes they'll act on it.
It's too late: others have been doing better stuff for many years.
The solution is to detect the infected customers and put them in a "walled garden" where they cannot do damage, but can get their problem properly fixed.
Others have been walling of their infected customers for years now. E.g. Qwest's CIPP (Customer Internet Protection Program) program launched in October 2007.
It's never too little, never too late, that's defeatist talk.
The Qwest program doesn't sound all that different from the Comcast version really except Comcast is a few years behind in implementation.
It does seem too little too late, Comcast is focused only on making the quickest buck and allowed these machines to be on their network far to long (hey, as long as they pay their 59/month we're happy!).
Browser popup is also entirely the wrong thing to do.. how long will it be before spyware/botnets popup similar warnings and install their own "security" software..
The only solution is to segregate machines into their own network with limited or no access until the consumer gets their crap straight.
This would function similarly to the HCF opcode (Halt and Catch Fire) in early computer instruction sets, and to the RBT (Rewind and Break Tape) command in early magnetic storage controllers.
Comcast doesn't have to get everything perfect the first time out. They can learn from Quest's methodology or they can figure it out by themselves over time just like everyone else does -- What will you be doing today at 1:00 PM Pacific Standard Time? (Hint, it's the second Tuesday of the month in Redmond, WA).
I'm sure they're already getting feedback from security experts across the planet on the pitfalls of in-browser notification (I'm not sure where the "pop-ups" phrase came from), and may switch to a better method before deployment. Warning their customers to "type in" the address and to ignore warnings from other entities that offer clickable links (a la PayPal) for security issues will also help mitigate the potential exploits of the system.
I'd also like to point out that although there is a potential for further abuse by spoofing of ComCast's security alerts, the fact is that the client is still inside ComCast's 'firewalled network,' so these follow-on exploits can be stopped or reduced as well.
After Paying 59 for 7 years, I called last month and they droped it to 32/12 month, no contract, plus router fee. FIOS moved in couple of month ago so they are starting to feel the pinch already, at least localy.
That is not the point of this thread.
Installing ToolBars and offering Free Software(antiVirus) is not a way to go. I remember couple of years ago I was talking to one of the techs from Comcast and he said I had to install a software on all of my PCs in the network to fix the Connection Issues. Nahhhhh.
Block the PC from internet without any soft installed to monitor traffic, not like they don't know where I had my "Lo Mein" last time via my IP.
It doesn't hurt to offer free software, as long as it's from a trusted source. Given that we can assume that most of these infected users are "low-tech" people, the timing of Microsoft's release of their free "Security Essentials" --formerly know as OneCare-- is serendipitous (or perhaps even related). A free Microsoft product would be an 'easy sell' to such customers, and the 'trust issue' is moot since all infected users are most likely to be running Windows in the first place.
I had a similar requirement with another provider some seven years ago. After I threw a bloody fit when their requirement changed some settings and default options on my computer, it took tech support at least a couple of hours to lead me through the process of un-installing all the individual modules entirely.
Recently with the same provider I was required to throw another fit because the 3rd party tech support could not comprehend that I was unwilling to install additional software, which same tech had previously told me would NOT be required.
The 3rd party tech support by these providers creates the entire mess and/or lack of communication. They simply don't understand or comprehend the English language.
Totally ridiculous initiative.
If Comcast is so good at detecting bot traffic, why don't they block it?
The big question is how will they determine what is legit traffic vs something initiated by a zombie.
"A recommendation for a voluntary code for ISPs relating to the detection of, and effective dealing with, malware infected machines in the UK. If this voluntary approach fails to yield results in a timely manner, then Ofcom should unilaterally create and impose such a code on the UK ISP industry."
Summary of the report on the UK nodpi site.
If Comcast is so good at detecting bot traffic, why don't they block it?
Because it doesn't give the user a chance to protest in case of a false positive?
Regarding popups, if Comcast can detect bot traffic, then can't they also detect regular browsing traffic? And then use DNS redirection without any extra software or toolbar?
So when Comcast flags a machine and the user tries to visit a website, Comcast redirects them to a warning page about a possible trojan. The user can override this warning screen for x times or x days. After that deadline, Comcast clamps down on all traffic until the machine is clean.
They don't have to stop 100% of the abusive traffic, they just have to raise the cost of developing successful exploits. Do that, and the low end of the market falls out, and a majority of the abuse goes away.