Re: Dutch ISPs to collaborate and take responsibility for bottedclients

2009-10-08 Thread Peter Beckman

Looks like ISP-to-customer notification of possible infection is starting
on Comcast in the US now.

http://news.cnet.com/8301-27080_3-10370996-245.html

---
Peter Beckman  Internet Guy
beck...@angryox.com http://www.angryox.com/
---



Re: Up Next: Quarantine Phishing (Was: Dutch ISPs to collaborate and take responsibility for bottedclients)

2009-10-07 Thread Sean Donelan

On Tue, 6 Oct 2009, Jeroen Massar wrote:

> The problem with all of that boils down to what people have to
> believe... and how to properly inform them of that...


How many people remember this oldie, but goodie?

  3.3.2.1.1 Trusted Path
  The TCB shall support a trusted communication path
  between itself and users for use when a positive TCB-to-user
  connection is required (e.g., login, change subject
  security level). Communications via this trusted path
  shall be activated exclusively by a user of the TCB and
  shall be logically isolated and unmistakably
  distinguishable from other paths.

It's simple to say, hard to do.




Re: Dutch ISPs to collaborate and take responsibility for bottedclients

2009-10-06 Thread Gadi Evron

Eugeniu Patrascu wrote:
> Gadi Evron wrote:
>> Barton F Bruce wrote:
>>> Stopping the abuse is fine, but cutting service to the point that a family
>>> using VOIP only for their phone service can't call 911 and several children
>>> burn to death could bring all sorts of undesirable regulation let alone the
>>> bad press and legal expenses.
>>
>> While a legitimate concern it's also a red herring, as it's a
>> technical problem looking for a technical solution.
>>
>> Gadi.
>
> I think the need for someone being able to call 911 from their VoIP
> outweighs your right to claim that they should be disconnected from the
> Internet.

Again, I don't disagree, but I see it as a technical issue which is
solvable. I don't see why this is THE issue. It's really just changing
the subject of the discussion.

> Besides, if that provider wants to help out, he might setup a captive
> portal or something with information regarding tools to clean their
> computer.





--
Gadi Evron,
g...@linuxbox.org.

Blog: http://gevron.livejournal.com/



RE: Dutch ISPs to collaborate and take responsibility for bottedclients

2009-10-06 Thread lee


> -----Original Message-----
> From: Eugeniu Patrascu [mailto:eu...@imacandi.net]
> Sent: Tuesday, October 06, 2009 4:20 AM
> To: Gadi Evron
> Cc: NANOG
> Subject: Re: Dutch ISPs to collaborate and take responsibility for bottedclients
>
> I think the need for someone being able to call 911 from their VoIP
> outweighs your right to claim that they should be disconnected from the
> Internet.

I believe the FCC requires even deactivated phones to be able to reach 911.
Can't confirm, fcc.gov is down.
Don't know about CRTC.  And I don't know how this could apply to an
over-the-top VoIP service--how would an ISP know you're trying to call 
911 on Skype?

> Besides, if that provider wants to help out, he might setup a captive
> portal or something with information regarding tools to clean their
> computer.

Many providers already do that.

Lee





Re: Dutch ISPs to collaborate and take responsibility for bottedclients

2009-10-06 Thread Owen DeLong


On Oct 6, 2009, at 1:20 AM, Eugeniu Patrascu wrote:

> Gadi Evron wrote:
>> Barton F Bruce wrote:
>>> Stopping the abuse is fine, but cutting service to the point that a family
>>> using VOIP only for their phone service can't call 911 and several children
>>> burn to death could bring all sorts of undesirable regulation let alone the
>>> bad press and legal expenses.
>>
>> While a legitimate concern it's also a red herring, as it's a
>> technical problem looking for a technical solution.
>>
>> Gadi.
>
> I think the need for someone being able to call 911 from their VoIP
> outweighs your right to claim that they should be disconnected from
> the Internet.
>
> Besides, if that provider wants to help out, he might setup a
> captive portal or something with information regarding tools to
> clean their computer.


I disagree... Distributed Denials of Service have gotten to the point
where they can actually endanger lives.  Think about this... In order
to be able to make your 911 VOIP call, the VOIP provider has to be able
to process your call.  The system that is getting disconnected because
it is an active source of abuse may be one of many participating in a
DOS against someone else's 911 VOIP provider.  Removing them from the
internet could be saving more lives than it risks.

Someone else pointed out that if the system in question has been
botted/owned/pwn3d/whatever you want to call it, then, you can't
guarantee it would make the 911 call correctly anyway.


Owen




Re: Dutch ISPs to collaborate and take responsibility for bottedclients

2009-10-06 Thread Barry Shein

Re: VOIP, 911, bots

Shape their bandwidth down to the minimum required to make a 911 call,
around 64Kbps, and capture their web accesses.

-- 
-Barry Shein

The World  | b...@theworld.com   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Login: Nationwide
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*



Up Next: Quarantine Phishing (Was: Dutch ISPs to collaborate and take responsibility for bottedclients)

2009-10-06 Thread Jeroen Massar
mark [at] edgewire wrote:
> The end problem is still users and really, these users will click on
> anything that has a bright and shiny button which says, Ok. Really, does
> setting up a portal help? Perhaps a sandboxed area which has some
> information on securing their machine and keeping it clean may be the
> way to go but how much more of a resource will it chew up?

And then the nice phisher people come in and they replicate the
quarantine website of various providers (just check IP address, you know
the ISP and present the appropriate page) after having lured them to
some site they control.

Then they simply have a nice big Install this cool tool to update your
computer link et voila.

The problem with all of that boils down to what people have to
believe... and how to properly inform them of that...

Yes, I think the sandbox/quarantine style things is the way to go for
the time being, but there are other more important things that need
fixing. (afaik) Most people will get infected by clicking on something
at one point in time on some weird website, even after having googled it
etc. The problem is that it is really hard to show to the user that a
site is 'trustworthy' or not, especially as everyone can just get an SSL
certificate for faceb0ok.com and m1crosoft.com and soon also for all the
nice variants in the IDN space, thus SSL doesn't state anything, it just
makes the connection secure (aka unsniffable unless there is a 3 letter
acronym doing so, or they have access to either end). And that would not
help much either as even Facebook and other such sites have been used to
distribute worms, thus it becomes really hard to do it on a domain
basis, as what is on a domain at point X in time, will be different at
point Y, thus distributing lists becomes problematic too. The company
that can come up with a proper universal solution to that problem (and
patent it so they can actually get the moneyz) will probly end up doing
quite well. Most likely though it means restricting user freedom, which
is the counter problem as that is something one doesn't want, and when
there is an option to disable it, then people will just disable it.

Greets,
 Jeroen
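
The point in the message above, that a valid certificate for faceb0ok.com or an IDN variant says nothing about who runs the site, can be seen from the defender's side. This is an added example, not part of the original thread: it folds digit and Unicode look-alikes before comparing a hostname against a watch list. The brand list, the confusables table, the sample hostnames and the function names are assumptions made for illustration.

```python
import unicodedata

# Constructed watch list: the two brands named in the message above.
BRANDS = {"facebook", "microsoft"}

# Small illustrative confusables table, not a complete Unicode confusables set.
CONFUSABLES = str.maketrans({
    "0": "o", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, e, o
})


def skeletons(label):
    """Return the set of visual 'skeletons' one DNS label could be read as."""
    if label.startswith("xn--"):
        try:
            # IDN A-label: decode punycode back to Unicode before folding.
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed A-label: compare it as written
    # Strip accents (NFKD + drop combining marks), then fold look-alikes.
    decomposed = unicodedata.normalize("NFKD", label.lower())
    folded = "".join(c for c in decomposed if not unicodedata.combining(c))
    folded = folded.translate(CONFUSABLES)
    # '1' is ambiguous: it can stand in for 'i' or for 'l'.
    return {folded.replace("1", "i"), folded.replace("1", "l")}


def classify(hostname):
    """Judge a hostname by its second-to-last label (assumption: no public-suffix list)."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "unrelated"
    label = labels[-2]
    if label in BRANDS:
        return "exact"
    hit = skeletons(label) & BRANDS
    return "lookalike:" + sorted(hit)[0] if hit else "unrelated"


# Constructed samples; the IDN one is generated here, not a real observed domain.
IDN_SAMPLE = "f\u0430cebook.com".encode("idna").decode("ascii")
SAMPLES = ["facebook.com", "faceb0ok.com", "m1crosoft.com", IDN_SAMPLE, "example.org"]

if __name__ == "__main__":
    for host in SAMPLES:
        print(f"{host:28} {classify(host)}")
```

A check like this only catches names that resemble a known brand; it says nothing about content served from a legitimate domain, which is the other half of the problem the message describes.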






RE: Dutch ISPs to collaborate and take responsibility for bottedclients

2009-10-06 Thread Robert Bonomi

>> -----Original Message-----
>> From: Eugeniu Patrascu [mailto:eu...@imacandi.net]
>> Sent: Tuesday, October 06, 2009 4:20 AM
>> To: Gadi Evron
>> Cc: NANOG
>> Subject: Re: Dutch ISPs to collaborate and take responsibility for bottedclients
>>
>> I think the need for someone being able to call 911 from their VoIP
>> outweighs your right to claim that they should be disconnected from the
>> Internet.
>
> I believe the FCC requires even deactivated phones to be able to reach 911.
> Can't confirm, fcc.gov is down.

Authoritatively *NOT* true for hard-wire landlines in the U.S.

Cellular may, and I believe _is_, be a different story.




Re: Dutch ISPs to collaborate and take responsibility for bottedclients

2009-10-05 Thread Nils Kolstein
>> Exactly correct.  The number one priority, which trumps all others,
>> is making the abuse stop.  Yes, there are many other things that can
>> and should be done, but that's the first one.
>
> Stopping the abuse is fine, but cutting service to the point that a family
> using VOIP only for their phone service can't call 911 and several children
> burn to death could bring all sorts of undesirable regulation let alone the
> bad press and legal expenses.

As far as the Dutch situation with one of the largest providers (KPN) goes, this
is solved by using a separate VLAN for VOIP traffic. Only the data VLAN is
being blocked or actually policy routed towards a walled garden in which
users are able to clean themselves up.

-- 
Nils Kolstein
SSCPlus



Re: Dutch ISPs to collaborate and take responsibility for bottedclients

2009-10-05 Thread Barry Shein

Perhaps someone has said this but a potential implementation problem
in the US are anti-trust regulations. Sure, they may come around to
seeing it your way since the intent is so good but then again we all
decided to get together and blacklist customers who... is not a great
elevator pitch to an attorney-general no matter how good the intent.

Obviously there are ways around that (e.g., it's ok to do credit
checks) but one has to be up-front and get approval.

I'm just sayin':

a) consult with legal counsel before doing anything in collusion
with competitors.

b) this is probably not for smaller ISPs until the legal way is
cleared by those with plenty of money for lawyering and lobbying.

(I did say IN THE USA, right?)

-- 
-Barry Shein

The World  | b...@theworld.com   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Login: Nationwide
Software Tool & Die | Public Access Internet | SINCE 1989 *oo*



Re: Dutch ISPs to collaborate and take responsibility for bottedclients

2009-10-05 Thread Owen DeLong


On Oct 5, 2009, at 11:23 AM, Barry Shein wrote:



> Perhaps someone has said this but a potential implementation problem
> in the US are anti-trust regulations. Sure, they may come around to
> seeing it your way since the intent is so good but then again we all
> decided to get together and blacklist customers who... is not a great
> elevator pitch to an attorney-general no matter how good the intent.


That's not what is being discussed from my understanding.

From my understanding, the intent is to share names of known
abusers and data necessary to help in tracking DDOS.

I don't believe that any ISP is expected to necessarily take any
particular action determined by the group with respect to the
list of names they are given.

I do think that it is reasonable to have an agreement among
an industry organization or collaboration which states that
ISPs which determine that abuse is being sourced from one of
their customers (either through their own processes or by
notification from another participant) should be expected to
take the necessary steps to mitigate that abuse from exiting
said ISP's autonomous system.


> Obviously there are ways around that (e.g., it's ok to do credit
> checks) but one has to be up-front and get approval.



I don't think that's true. I think that as long as your privacy policy
and terms of service state that you will share certain information
with other operators regarding abuse complaints and (possibly)
abusive activities, you are free to share that information.

Having a coalition rule that says any member must refuse to
service any party on the list would be an anti-trust violation.
Having a list, alone, without any rules about how the list is used,
is not an anti-trust violation.

Just like agreeing ahead of time on the price of gas amongst
multiple competitors is an anti-trust violation, posting the price
of gas at your service stations is not.  Modifying your price to
match the price across the street also is not.


> I'm just sayin':
>
> a) consult with legal counsel before doing anything in collusion
> with competitors.


Definitely.


> b) this is probably not for smaller ISPs until the legal way is
> cleared by those with plenty of money for lawyering and lobbying.


I'm not so sure that is true, but, they should seek good legal counsel
about whatever they plan to do regardless of size.

Owen




Re: Dutch ISPs to collaborate and take responsibility for bottedclients

2009-10-05 Thread Wayne E. Bouchard
On Mon, Oct 05, 2009 at 03:55:02PM -0700, Owen DeLong wrote:
>
> On Oct 5, 2009, at 11:23 AM, Barry Shein wrote:
>
>> Perhaps someone has said this but a potential implementation problem
>> in the US are anti-trust regulations. Sure, they may come around to
>> seeing it your way since the intent is so good but then again we all
>> decided to get together and blacklist customers who... is not a great
>> elevator pitch to an attorney-general no matter how good the intent.
>
> That's not what is being discussed from my understanding.
>
> From my understanding, the intent is to share names of known
> abusers and data necessary to help in tracking DDOS.
>
> I don't believe that any ISP is expected to necessarily take any
> particular action determined by the group with respect to the
> list of names they are given.
>
> I do think that it is reasonable to have an agreement among
> an industry organization or collaboration which states that
> ISPs which determine that abuse is being sourced from one of
> their customers (either through their own processes or by
> notification from another participant) should be expected to
> take the necessary steps to mitigate that abuse from exiting
> said ISP's autonomous system.

In a way, this is kind of like stores keeping a list of bad check
writers. The whole information sharing thing can get more than a
little touchy from a legal perspective.

Then again, an independent database could also be viewed as a sort of
internet credit agency. Stuff in a name, get a score back and certain
flags and make your judgement based on that.

  I'm sorry, I can't give you an email account. Your internet-karma
  rating came back below our minimum levels.

-Wayne

---
Wayne Bouchard
w...@typo.org
Network Dude
http://www.typo.org/~web/



Re: Dutch ISPs to collaborate and take responsibility for bottedclients

2009-10-04 Thread Raymond Dijkxhoorn

Hi!


Sounds great but who cover the costs?



 If done right, such a treaty here in the US and elsewhere thing would be a
 major win for the Internet.


The ISP's will pick up the costs. A cleaner customer base is also a win 
for them.


First implementations won't be next week however but the start is being
made.


Bye,
Raymond.



Re: Dutch ISPs to collaborate and take responsibility for bottedclients

2009-10-04 Thread Barton F Bruce




> Exactly correct.  The number one priority, which trumps all others,
> is making the abuse stop.  Yes, there are many other things that can
> and should be done, but that's the first one.


Stopping the abuse is fine, but cutting service to the point that a family
using VOIP only for their phone service can't call 911 and several children
burn to death could bring all sorts of undesirable regulation let alone the
bad press and legal expenses.