[AusNOG] Telstra manipulating DNS to block botnets
Martin - StudioCoast
2012-06-14 06:54:50 UTC
http://www.computerworld.com.au/article/427613/telstra_trial_detects_5_4_per_cent_botnet_infection_rate/

Surely contacting the domain registrars to get these domains taken down
is a better approach than altering DNS records at the ISP end.
I guess this leads to a question to all network operators of Australian
ISPs: do you modify DNS records in your cache, and if so, what for?
Jake Anderson
2012-06-14 08:24:00 UTC
Mucking with DNS sets a bad precedent.
Many of the arguments against DNS-based block lists (Great Firewall of
Conroy) were based on DNS blocking slowing things down etc.

I think law changes or AUP changes allowing, or perhaps mandating, that
infected computers be "quarantined" would be a much better root-cause fix.

You don't need to be a jerk about it, emails, click through warnings,
Rod Veith
2012-06-14 08:23:38 UTC
Quote: "Surely contacting the domain registrars to get these domains taken
down is a better approach than altering DNS records at the ISP end."

I wholeheartedly agree with you. Trouble is, many overseas registrars do not
agree with us. Unless 'bad' registrars around the world are forced from the
business, the problem continues and continues to grow.

One personal example of mine. On a quiet day a few months ago I was tired of
some spam getting through filters, so I identified the registrar for a spam
site that the spam email wanted me to visit. This registrar happened to be
in Turkey, so I wrote a polite email to the registrar and attached the
offending spam email to my request for de-registration of the domain.
Thinking "that might fix the problem; if not, I'm no worse off", I moved on
to more productive work.

I was WRONG, it got worse. I now receive spam emails from Turkey!!! when I
never did before. I do not think this is a coincidence. Rightly or wrongly,
now my impression is that some registrars operate with little regard for the
general well-being of the industry and probably the laws of their own
country.

While the move of serious organised crime onto the internet needs addressing,
and ISPs are concerned enough to take some action to protect customers from
criminals, this does raise other important issues: if ISPs start
this process, it opens the door to other insidious evils such
as censorship, or legal issues around 'duty of care', and probably more.
Telstra may be able to claim they are merely doing what is necessary to
protect their own ISP network, but not being a lawyer I do not know if that
is sufficient or even a valid claim.

Me looks ahead and sees a gentle slippery slope starting here.

I'm thinking the correct and best approach (and probably harder) is to sue
registrars for failing in their responsibilities and leave 'tampering with
DNS' alone.

Rod
Eric Pinkerton
2012-06-14 23:24:39 UTC
I think that, as Rod has elegantly demonstrated, simply contacting the registrars doesn't cut the mustard, any more than Spamhaus et al's attempts to get ISPs to disconnect known spammers have made spam disappear in the last decade.

Even in an ideal futuristic utopia where registrars were held to account, spammers will come up with any number of ways to sidestep such controls in minutes, until such time as people stop clicking on links.

So at risk of a good old flaming, I think this is a bold move by Telstra, and actually quite commendable. Also, let's face it, they have been 'tampering with DNS' for years now with sponsored ads for NXDOMAIN, and more recently the Interpol blacklist, and to my knowledge the sky hasn't actually fallen down yet. Some people opted out, perhaps some of them churned, but we aren't all eating soylent green just yet.

I don't agree that this opens the door to censorship; that door has been off its hinges for quite some time, and let's face it, using DNS to effect censorship is like making suicide illegal to save lives.

Eric
Barrie Hall
2012-06-15 01:57:42 UTC
Well put Eric :)

Barrie
Burt Mascareigne
2012-06-15 01:38:38 UTC
I find this line of thought dangerous.

"The sky hasn't fallen" isn't a valid reason / justification.

Do you think they will stop at the Interpol blacklist? What about certain "repulsive" porn, that's OK to DNS manipulate, right? What about a fringe political group advocating violence? We want to stop that, right? What about... <Insert progressively less 'dangerous' topic here>

But it does open the door to censorship; saying it isn't doesn't make it not..... (triple negative score!)

When we talk $$, we're talking about spikes in traffic and elevating that to investigations. That's preservation of $$. DNS manipulation will not work, it's SO easy to get around; it will be bypassed by the culprits and the innocent will be abused. Sorry to add to a potential flame war, but this logic infuriates me.

Regards

Burt Mascareigne
Technician
Mob: 0414 450 962
David Hooton
2012-06-15 02:33:22 UTC
Hi Burt,

On 15/06/2012, at 11:38 AM, Burt Mascareigne wrote:
> The Sky Hasn't fallen, isn't a valid reason / justification

Like it or not, the sky has been falling for many, many years in one way or another on the internet. Be it spam, botnets, state-sponsored espionage or "NBN Hackers", there is a clear and present danger in plugging any device into the internet.

> Do you think they will stop at Interpol blacklist? What about Certain "repulsive" Porn, that's OK to DNS manipulate right? What about Fringe Group Political advocating violence? We Want to stop that right? What about... <Insert progressively less 'dangerous' topic here>

We are network operators, not politicians. Sadly we live under the rule of both politicians and law; if you're unhappy with policy, get involved in the development process. It's surprisingly easy to do so, and you'll be impressed how excited those who are writing it often are to have your help.

> DNS manipulation will not work, it's SO easy to get around, it will be by-passed by the culprits and the innocent will be abused. Sorry to add to a potential flame war, but, this logic infuriates me.

There's an important distinction to remember here. This particular exercise is not about censorship, it's about security. The bit that is important here is communication. Customers need to know what is happening to their data, and they need to be made aware in the event that they have been compromised. They also need to be made aware of a way to opt out of anything that is interfering with their connectivity. Whether it can be gotten around or not is not really the point of this exercise; in this instance it's about providing customers and the greater internet with protection from malicious software - Telstra being a better internet citizen (High-Five Telstra).

Sadly, whether we like it or not, most customers DO need to be protected from themselves, and it's our job to make sure they know when we are helping them do the thinking.

Cheers!

Dave
Mark Andrews
2012-06-15 02:46:49 UTC
In message <EC3BB498-2C8D-4598-9C6A-***@hooton.org>, David Hooton writes:
> Sadly, whether we like it or not, most customers DO need to be protected
> from themselves, and it's our job to make sure they know when we are
> helping them do the thinking.

Returning NXDOMAIN is not protecting them from themselves. It is
hiding / masking the problem. An infected machine is open to
re-infection unless the path that introduced the infection is closed.

One of the best ways to prevent re-infection is to ensure that all
software is up-to-date.

"clean and update" or "re-install and update"

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ***@isc.org
Martin - StudioCoast
2012-06-15 02:56:07 UTC
> This particular exercise is not about censorship, its about security.

I know this is not what you meant exactly, but the "security, not
censorship" thing has been the doublespeak of governments for decades.
My view is there are numerous options available to an ISP to deal with
these sorts of issues without putting a sledgehammer to net neutrality.

Contacting the customer for example....
Paul Brooks
2012-06-15 04:01:19 UTC
On 15/06/2012 12:56 PM, Martin - StudioCoast wrote:
>
>
> My view is there are numerous options available to an ISP to deal with these sorts
> of issues without putting a sledgehammer to net neutrality.
>
> Contacting the customer for example....

Would be nice if contacting the customer was easy, but it's not.
Apparently only around 1 customer in 7 reads their ISP-provided email address, and
most don't read a monthly invoice because of automatic direct debit.
Plus we've taught them to ignore calls from call centres claiming "Hi, I'm from (large
ISP) and I'm here to help you, we've detected that your machine is infected with a
virus, let me step you through the steps to clean it" while occasionally the call gets
reported to the ACCC ScamWatch site.

Apart from sending a tech around to knock on the customer's door, contacting the
customer isn't always easy or automatable.

P.
Mark Andrews
2012-06-15 04:22:57 UTC
In message <***@layer10.com.au>, Paul Brooks writes:
> Apart from sending a tech around to knock on the customer's door, contacting
> the customer isn't always easy or automatable.

It's always automatable. Quarantine the client. They will call
you if they don't see the self help pages in the quarantine walled
garden.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ***@isc.org
Rod Veith
2012-06-15 04:49:27 UTC
I don't like the idea of protecting customers from themselves. We are not a
nanny state and I don't want to live in one. People have to learn to take
responsibility for their own actions. We are all supposed to be adults, or
adults supervising kids' access. If people are too lazy to protect themselves,
that is their problem. Too many times I've heard courts be lenient because
people say "I didn't know that could happen, I didn't understand what I was
doing, I was too drunk/drugged when I hit him that hard, but I was only
looking at my phone when I stepped in front of the car etc etc" and courts
actually lend some weight to their excuses.

It seems that some in our industry want to extend the reasoning "people have
to be protected from themselves" to the internet. I clearly and
unequivocally reject this. If people expect they have rights, they need to
also accept the responsibilities that come with the rights.

I believe we and the Government have a duty to inform people of the risks
when connecting to the internet and how people can minimise risk, but not to
control what they access or what they do or don't do to protect themselves.

I can understand network operators taking action to protect the integrity
and uptime of their networks, but that action must only be for that reason.
It must not be to protect customers from the customers' own
actions/inactions.

My 4 cents.

Rod
Joshua D'Alton
2012-06-15 05:03:07 UTC
No.. it isn't just protecting them from themselves at all. It is directly
useful to the business. Can you imagine how many support calls Telstra is
saving themselves? Can you imagine the millions of spam emails they are
potentially not sending? Not having customers with viruses or whatever *is*
directly part of the integrity of the network and the integrity of the
business at large. Think bottom line.

Until we are in some Gibson-style global net where there aren't really ISPs
any more, this sort of utopia is a very naive ideal that will only cause it
to take longer to reach that globenet. The internet is extremely disjointed
and disconnected in general, and even more so when you look at geopolitical
borders. And it will only keep growing in that direction. Most of the
traffic might be between US/EU now, given that is where the content is
generated, but with new pipes going all over the globe, it won't be very
long until the traffic figures come more in line. Australia might be a
content importer now (well, including local caching; actual traffic on the
international pipes is not nearly as asynchronous), but that will cease to
be the case in the next 10 years, especially with NBN.

This isn't about protecting customers, it is about protecting business for
offering whatever access they want to the "internet". To give an extreme
example, if someone wants to run an NBN ISP that *only* connects those
customers in some sort of national peering WAN, let them (actually I
believe there are a couple of ISPs that already do this on an exchange-level
basis). Complaining they don't provide 'internet' access is just as
absurdly archaic as the media companies' ideals on copyright.

Daniel Kingshott
2012-06-15 04:56:07 UTC
Wow, you should move here to america

Alistair Weddell
2012-06-15 05:03:51 UTC
Darwinian Internet Policies - I like it!
James Hodgkinson
2012-06-15 06:08:16 UTC
What about protecting one customer from another?

Incredibly oblique example: if the guy next door's bin was smelly and the
council could spray some deodoriser stuff into it for negligible cost
(which I've seen a few councils do), then I'd be happier than if they said
"not my problem, they can stink out the street if they want!" :)

Similarly, if the ISP is stopping infection vectors - since this is what
we're talking about, not blocking inappropriate content based on government
choice - I'd be OK with that as long as it was managed carefully. Obviously
the "managed carefully" part is a problem, since I'm sure it'd be a
gargantuan task to keep something like that accurate and not cause false
positives.

James


Mark Delany
2012-06-15 06:10:44 UTC
Permalink
On 15Jun12, Rod Veith allegedly wrote:
> I don't like the idea of protecting customers from themselves. We are not a
> nanny state and I don't want to live in one. People have to learn to take

I'm not so sure it's nannying; more that consumers have an expectation
that when they get a PC and an Internet connection they should "just
work".

Just as people don't check the oil in their cars (heck, some cars
don't even come with a dip-stick anymore), nor do they care to meddle
under the hood of their PC/tablet/Internet connection.

And frankly, in 2012, that's not an unreasonable expectation.

If anything the OS vendors should be held to account for selling
products that are so vulnerable that they need constant maintenance
and the purchase of expensive add-ons to keep them working
properly. Something they don't mention in their ads or fine-print.

Just because OS Vendors have thus far managed to externalize the cost
of their product faults doesn't mean that the burden should fall on
consumers to pick up these costs. Nor should it fall on ISPs of
course...


Mark.
Barrie Hall
2012-06-15 06:52:16 UTC
Permalink
Managing and ensuring the quality and timeliness of the poisoning data is
the *big issue* with this technology but we are seeing very good results
now.

Barrie
Mark Delany
2012-06-15 07:25:17 UTC
Permalink

It'd be interesting to know what your customers think of this
"intervention". Do they welcome that their ISP has detected a problem
and wants to help them or is it viewed as an unwelcome impost?

It's a difficult situation that I don't envy. You're trying to solve a
problem you didn't create, you're trying to do the right thing for
your customers, your network and the general good, but the consumer
probably sees it as an inconvenience and a possible cost.

I imagine the "messaging" has a lot to do with the consumer
response.

If I mis-remember, Earthlink used to be pretty pro-active like this
and did a pretty good messaging job in the email space: here's one
example
http://support.earthlink.net/articles/email/email-blocked-by-earthlink.php


Mark.
Barrie Hall
2012-06-15 09:43:47 UTC
Permalink

So far we have only run a limited trial which yielded some good data. No
customers were impacted :)
Barrie Hall
2012-06-15 09:53:07 UTC
Permalink
Mark,

My views are my own on this email list so I can't get into what Telstra is
and isn't doing. I will say that I am happy to discuss the value of DNS
"purity" vs using DNS to solve some nasty problems we face every day.

DNS is a valuable "control plane" which allows ISPs to deliver a better
service with some tweaking. It is public knowledge that a number of ISPs
are using DNS to suppress access to "the worst of the worst" child
exploitation material on the Internet. I don't think that there is any
doubt that this has been a success.

Using DNS to suppress Botnets seems to me to be a "no brainer".

Barrie
Anand Kumria
2012-06-15 10:35:30 UTC
Permalink
Until, of course, we have client side apps which check the DNSSEC
trust bits. And then the whole approach is doomed.

It'll happen sooner than you expect (is already happening with SSH for example).

I'm with Mark. If you have a customer you suspect of infection, rather
than allowing them to continue using the Internet - quarantine them.

It'll result in a short-term spike in support calls, but by doing it
on an exchange-by-exchange basis initially you ought to be able to
control the resultant incoming calls.

Anand




--
“Don’t be sad because it’s over. Smile because it happened.” – Dr. Seuss
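A small model of Anand's point that DNSSEC-validating clients defeat resolver-side rewriting, written as an added example (it is not code from this thread or from any ISP's system): the authoritative zone signs its RRset, the ISP resolver swaps a blocklisted name's address for a sinkhole, and the signature no longer verifies. The RRset encoding, the Ed25519 key seed, the sinkhole address and the example.test names are constructed simplifications; real DNSSEC uses the RFC 4034 canonical wire form and a DS chain up to the root, which are not modelled here.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"sort"
	"strings"
)

// RRSet is a simplified DNS answer: owner name, record type, TTL and the
// record data. It stands in for a real RRset; wire format is not modelled.
type RRSet struct {
	Name  string
	Type  string
	TTL   uint32
	Rdata []string
}

// canonical produces the bytes a zone signature covers. Like the RFC 4034
// canonical form it lowercases the owner name and sorts the rdata so the
// signer and the validator agree byte for byte. The "|" layout is constructed.
func canonical(rr RRSet) []byte {
	name := strings.ToLower(strings.TrimSuffix(rr.Name, ".")) + "."
	rdata := append([]string(nil), rr.Rdata...)
	sort.Strings(rdata)
	return []byte(fmt.Sprintf("%s|%s|%d|%s", name, rr.Type, rr.TTL, strings.Join(rdata, ",")))
}

// SignRRSet is the zone owner's side: the authoritative zone signs its RRset.
func SignRRSet(zoneKey ed25519.PrivateKey, rr RRSet) []byte {
	return ed25519.Sign(zoneKey, canonical(rr))
}

// Validate is the client's side: a validating stub checks the answer it got
// against the zone's public key (trust via the DS chain is not modelled).
func Validate(zonePub ed25519.PublicKey, rr RRSet, sig []byte) bool {
	return ed25519.Verify(zonePub, canonical(rr), sig)
}

// SinkholeResolver models an ISP recursive resolver that rewrites answers for
// names on a blocklist. It holds no zone key, so all it can do is forward the
// original signature alongside the rewritten data.
type SinkholeResolver struct {
	Blocklist map[string]bool
	Sinkhole  string
}

// Resolve returns the answer a client receives through this resolver.
func (r SinkholeResolver) Resolve(rr RRSet, sig []byte) (RRSet, []byte) {
	key := strings.ToLower(strings.TrimSuffix(rr.Name, "."))
	if r.Blocklist[key] {
		rewritten := rr
		rewritten.Rdata = []string{r.Sinkhole}
		return rewritten, sig
	}
	return rr, sig
}

// Demo runs the scenario end to end with constructed names and a fixed key
// seed. It returns whether the untouched answer validates and whether the
// sinkholed answer validates.
func Demo() (benignValid bool, rewrittenValid bool) {
	// Constructed, deterministic key for the hypothetical zone example.test.
	seed := []byte("ausnog-2012-dns-sinkhole-demo-32") // exactly 32 bytes
	zoneKey := ed25519.NewKeyFromSeed(seed)
	zonePub := zoneKey.Public().(ed25519.PublicKey)

	benign := RRSet{Name: "www.example.test.", Type: "A", TTL: 300, Rdata: []string{"192.0.2.10"}}
	cnc := RRSet{Name: "cnc.example.test.", Type: "A", TTL: 300, Rdata: []string{"192.0.2.66"}}
	benignSig := SignRRSet(zoneKey, benign)
	cncSig := SignRRSet(zoneKey, cnc)

	// The ISP resolver's blocklist names the constructed C&C host.
	isp := SinkholeResolver{Blocklist: map[string]bool{"cnc.example.test": true}, Sinkhole: "192.0.2.1"}

	gotBenign, gotBenignSig := isp.Resolve(benign, benignSig)
	gotCnc, gotCncSig := isp.Resolve(cnc, cncSig)

	return Validate(zonePub, gotBenign, gotBenignSig), Validate(zonePub, gotCnc, gotCncSig)
}

func main() {
	benignOK, rewrittenOK := Demo()
	fmt.Printf("untouched answer validates: %v\n", benignOK)
	fmt.Printf("sinkholed answer validates:  %v (a validating client treats it as bogus)\n", rewrittenOK)
}
```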
Roland Chan
2012-06-16 02:25:50 UTC
Permalink
The problem with that approach is the potential for a customer to be
permanently stuck in quarantine because they lack the knowledge to clean
their computer.

I don't think that is an acceptable outcome, at least not while they're
paying for service.
Mark Andrews
2012-06-17 05:39:47 UTC
Permalink
In message <***@mail.gmail.com>, Roland Chan writes:
>
> The problem with that approach is the potential for a customer to be
> permanently stuck in quarantine because they lack the knowledge to clean
> their computer.
>
> I don't think that is an acceptable outcome, at least not while they're
> paying for service.

There are hundreds of places where people can take their machines to be
fixed.

If you have an unroadworthy car you get it fixed before you go back
on the road. As the owner of the car it is your responsibility to
get it fixed either by doing the repairs yourself or paying someone
to do it for you. It is an implicit part of owning a car.

The same should apply to compromised machines. You do the work
yourself or you pay someone to do it for you. Can you tell me
anyone who buys a machine these days that is not aware that machines
get compromised? About the only thing they may not be aware of is
that they should be fixing their machines when they get compromised
and yes that may be an additional cost.

Mark

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ***@isc.org
Damien Gardner Jnr
2012-06-17 06:59:01 UTC
Permalink
On 17/06/2012 3:39 PM, Mark Andrews wrote:
> If you have an unroadworthy car you get it fixed before you go back on
> the road. As the owner of the car it is your responsibility to get it
> fixed either by doing the repairs yourself or paying someone to do it
> for you. It is an implicit part of owning a car. The same should apply
> to compromised machines. You do the work yourself or you pay someone
> to do it for you. Can you tell me anyone who buys a machine these days
> that is not aware that machines get compromised? About the only thing
> they may not be aware of is that they should be fixing their machines
> when they get compromised and yes that may be an additional cost. Mark

The problem with your analogy there is that for a decent proportion of
folk, if their car breaks down, they'll simply go 'well, I can't afford
to fix it, we'll cancel the rego and let it sit..'. If ISPs are going
to force users to get their computer 'fixed', or not have access to the
internet, then they'll need to be willing to let the user out of
whatever contract they're in, with no break fee, if they cannot afford to
fix said computer.. Otherwise I can just see them lining up at the
TIO's doorstep for 'non-provision of services' or the like..

--
Damien Gardner Jnr
VK2TDG. Dip EE. GradIEAust
***@rendrag.net - http://www.rendrag.net/
--
We rode on the winds of the rising storm,
We ran to the sounds of thunder.
We danced among the lightning bolts,
and tore the world asunder
Matthew Palmer
2012-06-17 08:11:49 UTC
Permalink
On Sun, Jun 17, 2012 at 04:59:01PM +1000, Damien Gardner Jnr wrote:
> On 17/06/2012 3:39 PM, Mark Andrews wrote:
> >If you have an unroadworthy car you get it fixed before you go back
> >on the road. As the owner of the car it is your responsibility to
> >get it fixed either by doing the repairs yourself or paying
> >someone to do it for you. It is an implicit part of owning a car.
> >The same should apply to compromised machines.

[...]

> The problem with your analogy there is that for a decent proportion
> of folk, if their car breaks down, they'll simply go 'well, I can't
> afford to fix it, we'll cancel the rego and let it sit..'. If ISPs
> are going to force users to get their computer 'fixed', or not have
> access to the internet, then they'll need to be willing to let the
> user out of whatever contract they're in, with no break fee,

"with no break fee"... hah! I assume you've never tried to get the unused
portion of your rego and insurance back. I can say for sure and certain
that you don't get anywhere *close* to a fair percentage of the unused
period.

- Matt

--
Java/XML are the hammer and the Internet is the thumb.
-- rone, in a place that does not exist
Roland Chan
2012-06-17 09:01:34 UTC
Permalink
I'd go further than that. The analogy is flawed in many ways, but the
2 most salient are:

- Roadworthiness is not an implicit part of owning a car (at least not
one that's driven on public roads). It's an explicit requirement of
operating a vehicle mandated by law. No such corresponding thing
exists for computers, and given the current state of technology I
believe it would be impossible to define and enforce.
- Roadworthiness is the ability of the vehicle to perform when
operated lawfully, and says nothing about the ability of the vehicle
to perform when under attack or used as a weapon. Up to date security
measures on a computer do not provide anywhere near as much confidence
about the protection from compromise as a roadworthiness certificate
does for mechanical reliability of a car.

I'll torture the analogy a bit further though: imagine losing your
licence because your car was stolen and used in an armed robbery.
Flawed again, but I couldn't help myself. I hate analogies and
torturing them gives me pleasure. ;)

I do agree with Damien that a service provider that does not have
explicit T&Cs dealing with this scenario may well end up in trouble,
and a provider that does have these T&Cs will have significant
customer service issues that will generate immense cost to the
business, to say nothing of the reputational impact.

I don't agree that we're talking about a short term support cost spike
either. Users will be repeatedly compromised, quarantined and calling
in for support.

Quarantine is painful for the customer and the provider, and does not
deliver sufficient long term benefit to the user, the provider or the
Internet at large to balance the cost, at least in my opinion. If
there were cheap, reliable and easily deployable measures a user could
take to secure their computers in the long term I would probably think
differently. Until then, I'm happy with mucking about with DNS to take
a chunk out of the problem (Disclosure: I used to lead the group that
designed all the stuff in the BigPond network that Barrie's been
talking about, including the Interpol filtering).

Roland

Mark Andrews
2012-06-17 22:27:22 UTC
Permalink
In message <CALxh8x88V+KmZYayyNETKuwy977MFQcP=TqYz-rsaXRJKZuv=***@mail.gmail.com>, Roland Chan writes:
> I'd go further than that. The analogy is flawed in many ways, but the
> 2 most salient are:
>
> - Roadworthiness is not an implicit part of owning a car (at least not
> one that's driven on public roads). It's an explicit requirement of
> operating a vehicle mandated by law. No such corresponding thing
> exists for computers, and given the current state of technology I
> believe it would be impossible to define and enforce.
> - Roadworthiness is the ability of the vehicle to perform when
> operated lawfully, and says nothing about the ability of the vehicle
> to perform when under attack or used as a weapon. Up to date security
> measures on a computer do not provide anywhere near as much confidence
> about the protection from compromise as a roadworthiness certificate
> does for mechanical reliability of a car.

This is more like you have been pulled over for bald tires. There
are obvious signs that you are infected and you are being pulled
off the net for everyone else's safety.

> I'll torture the analogy a bit further though: imagine losing your
> licence because your car was stolen and used in an armed robbery.
> Flawed again, but I couldn't help myself. I hate analogies and
> torturing them gives me pleasure. ;)

And is pointless in this case because you are not being told you
can't use any computers. You are just being told you can't use
particular computers until you get them fixed.

> I do agree with Damien that a service provider that does not have
> explicit T&Cs dealing with this scenario may well end up in trouble,
> and a provider that does have these T&Cs will have a significant
> customer service issues that will generate immense cost to the
> business, to say nothing of the reputational impact.

If you do it well you will get a positive reputation.

> I don't agree that we're talking about a short term support cost spike
> either. Users will be repeatedly compromised, quarantined and calling
> in for support.

> Quarantine is painful for the customer and the provider, and does not
> deliver sufficient long term benefit to the user, the provider or the
> Internet at large to balance the cost, at least in my opinion.

Tell that to those that are suffering DDoS and other attacks from
compromised machines.

> If
> there were cheap, reliable and easily deployable measures a user could
> take to secure their computers in the long term I would probably think
> differently. Until then, I'm happy with mucking about with DNS to take
> a chunk out of the problem (Disclosure: I used to lead the group that
> designed all the stuff in the BigPond network that Barrie's been
> talking about, including the Interpol filtering).

This will always be a catchup game but if you get the systems
upgraded to have the latest fixes you reduce the number of machines
that can get infected and be used to attack others before the C&C
machines are discovered.

What percentage of these machines are infected via known and fixed
vulnerabilities and what percentage are infected by yet to be fixed vulnerabilities?

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ***@isc.org
Eric Pinkerton
2012-06-17 23:47:14 UTC
Permalink
Let's also not forget that it's more and more the case today that people have multiple machines connected to their home router including smartphones, laptops, DVD players, tablets, games consoles, media centres etc etc - and so quarantining the entire connection because one of those machines is infected can be far more disruptive to your customers than it once was.


Eric
--
Message protected by MailGuard: e-mail anti-virus, anti-spam and content filtering.http://www.mailguard.com.au/mg
Rod Veith
2012-06-18 00:31:55 UTC
Permalink
DNS should not be an ISP problem.

It seems to me that if the problem is killed off at the source (ie Domain
registration and Nameservers), then a large proportion of the problem goes
away.
As many sources of infection are websites specifically built to infect PCs,
who does have responsibility for policing the registrars? ICANN?

If so, pressure should be increased to have at least one infection vector
better controlled. There can be increasing penalties leading to eventually
withdrawal of accreditation used against registrars if they continue to
allow fraudulent domain name registrations and fail to act when notified of
'bad' websites. I imagine it wouldn't take too long once a few registrars
were put out of business for the others to clean up their act and reduce the
problem to more manageable levels.

What I don't know is how we can increase pressure on ICANN to clean up the
DNS system they have allowed to get out of control. Me saying something to
them is not likely to work :( Does anyone know of any practical way this
can be achieved?

Rod


-----Original Message-----
From: ausnog-***@lists.ausnog.net
[mailto:ausnog-***@lists.ausnog.net] On Behalf Of Eric Pinkerton
Sent: Monday, 18 June 2012 9:47 AM
To: ***@lists.ausnog.net
Subject: Re: [AusNOG] Telstra manipulating DNS to block botnets

Let's also not forget, that it's more and more the case today that people
have multiple machines connected to their home router including smartphones,
laptops, DVD players, Tablets, Games Consoles, Media Centres etc etc - and
so quarantining the entire connection because one of those machines is
infected can be far more disruptive to your customers than it once was.


Eric
Christopher Pollock
2012-06-18 02:07:32 UTC
Permalink
Just to drag the analogies back on topic a little more:

Suppose a certain peer of yours was advertising a bad route to you, let's
say one that severely slows down traffic for whatever reason. If you knew
that a certain route being advertised to you was causing suboptimal
behaviour for you, your customers, and other peers to whom you were
re-advertising it, what would you do?

--
Christopher Pollock,
io Networks Pty Ltd.
e. ***@ionetworks.com.au
p. 1300 1 2 4 8 16
d. 07 3188 7588
m. 0410 747 765
skype: christopherpollock
twitter.com/chrisionetworks
http://www.ionetworks.com.au
In-house, Outsourced.



On Mon, Jun 18, 2012 at 10:31 AM, Rod Veith <***@rb.net.au> wrote:

> DNS should not be an ISP problem.
>
> It seems to me that if the problem is killed off at the source (ie Domain
> registration and Nameservers), then a large proportion of the problem goes
> away.
> As many sources of infection are websites specifically built to infect PCs,
> who does have responsibility for policing the registrars? ICANN?
>
> If so, pressure should be increased to have at least one infection vector
> better controlled. There can be increasing penalties leading to eventually
> withdrawal of accreditation used against registrars if they continue to
> allow fraudulent domain name registrations and fail to act when notified of
> 'bad' websites. I imagine It wouldn't take too long once a few registrars
> were put out of business for the others to clean up their act and reduce
> the
> problem to more manageable levels.
>
> What I don't know is how we can increase pressure on ICANN to clean up the
> DNS system they have allowed to get out of control. Me saying something to
> them is not likely to work :( Does anyone know of any practical way this
> can be achieved?
>
> Rod
>
>
> -----Original Message-----
> From: ausnog-***@lists.ausnog.net
> [mailto:ausnog-***@lists.ausnog.net] On Behalf Of Eric Pinkerton
> Sent: Monday, 18 June 2012 9:47 AM
> To: ***@lists.ausnog.net
> Subject: Re: [AusNOG] Telstra manipulating DNS to block botnets
>
> Let's also not forget, that it's more and more the case today that people
> have multiple machines connected to their home router including
> smartphones,
> laptops, DVD players, Tablets, Games Consoles, Media Centres etc etc - and
> so quarantining the entire connection because one of those machines is
> infected can be far more disruptive to your customers than it once was.
>
>
> Eric
>
> _______________________________________________
> AusNOG mailing list
> ***@lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
Mark Delany
2012-06-18 02:36:06 UTC
Permalink
> What I don't know is how we can increase pressure on ICANN to clean up the
> DNS system they have allowed to get out of control. Me saying something to
> them is not likely to work :( Does anyone know of any practical way this
> can be achieved?

Many moons ago a significant representation of US providers pitched to
the FTC that - with a little inter-departmental discussion - they
might convince the DoC to get involved in the problem of untraceable
registrants. This was in an email context, but the same problem
applies.

The obvious argument being that soon people would predominantly deal
with domains so a lack of jurisdiction was going to make their number
one job "To prevent business practices ... that are deceptive or
unfair to consumers" impossible.

The general idea was to have well defined jurisdictions that
registrants could attach to their domain - one choice being "none of
the above".

Sort of a voluntary trust assignment by the registrant but bound to a
legal entity and thus a jurisdiction. Amazon might say "the FTC can
sue me" (once proving they exist as a legal US entity of course) and
thus come under the purview of various LEAs and regulators.

Amazon would have to go through hurdles for their registration but my
personal domain rego with "none of the above" would proceed exactly as
it does today. Amazon would want to go through hurdles because tools
would be able to positively act on what is effectively a risk
assignment.

(Note that the technical sketch had it that jurisdiction was
orthogonal to the namespace but one could imagine an alignment, such
as .com.au and ASIC - it was but a sketch).

The minimal goal was to at least get discussion going around when
domain registrants should move from the wild-west days of the early
Internet to something a little more, er, 21st century.

Of course, ICANN could have done this on their own volition without a
DoC nudge; or with a greater sense of responsibility for the billions
of vulnerable consumers. But that seems not to have happened in the
intervening years.


Mark.
Mark Andrews
2012-06-18 02:31:45 UTC
Permalink
In message <***@sssydmail01.stratsec.local>, Eric Pinkerton writes:
> Let's also not forget, that it's more and more the case today that people
> have multiple machines connected to their home router including smartphones,
> laptops, DVD players, Tablets, Games Consoles, Media Centres etc etc - and so
> quarantining the entire connection because one of those machines is infected
> can be far more disruptive to your customers than it once was.

Which in turn makes it all the more important that the customer is
informed of the problem so they can rectify the problem. All those
machines are within the home network so there is potential for
elevated levels of trust of the infected machine.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ***@isc.org
Jake Anderson
2012-06-18 03:23:59 UTC
Permalink
On 18/06/12 12:31, Mark Andrews wrote:
> In message <***@sssydmail01.stratsec.local>, Eric Pinkerton writes:
>> Let's also not forget, that it's more and more the case today that people
>> have multiple machines connected to their home router including smartphones,
>> laptops, DVD players, Tablets, Games Consoles, Media Centres etc etc - and so
>> quarantining the entire connection because one of those machines is infected
>> can be far more disruptive to your customers than it once was.
> Which in turn makes it all the more important that the customer is
> informed of the problem so they can rectify the problem. All those
> machines are within the home network so there is potential for
> elevated levels of trust of the infected machine.
>
> Mark
If it was to work, a quarantine system would need to be applied at pretty
much all ISPs so people don't just churn to somebody who doesn't block.

This is something the Govt could actually do real good with. Some sort
of Govt-led industry body that identifies infected networks and
quarantines them. They already do this for infected people and the wider
population accepts it.

It need not be massively disruptive; the process of placing a host into
quarantine could be gradual, and if the client is on the ball there need
be no loss of service.
5 business days from detection to quarantine, say.
You email them the moment it's detected with a warning and put them into
monitoring.
2 days later, if it's still ongoing, another email (or phone call if you
have a "premium" provider).
4 days after detection, start redirecting them to click-throughs saying that
their network is going to be shut down tomorrow.
5 days after detection it's walled garden time.

Support costs should be minimal: "you have a virus on your computer, go
get it fixed then call us back, bye -click-"

In terms of contract, drop the customers to line rental rates whilst
they are infected and pause the duration of the contract (also offer
"pauses" to the clients so people don't get infected just to take a
holiday).

If all ISPs in .au did it I can see some drastic improvements in the
overall health of "the network", reduced bank fraud and the like, a net win
for society as a whole.

The kiddies would be exposed to far less porn if their computers were
clean of redirecting viruses than the great firewall will prevent.
(I know the firewall isn't/wasn't supposed to protect the kiddies' eyes but
that's the way it always sounds in the media)
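The timetable Jake lays out is a small per-customer state machine, and the parts a provider actually has to get right are the ones the prose glosses over: counting business days across a weekend, not skipping a step when a customer's detections arrive with gaps, and backing out cleanly when the customer fixes the box before the deadline. The Python below is an added example, not code from this thread or from any ISP, implementing that ladder. Beyond what the post says it assumes one verdict per customer per calendar day, Mon-Fri business days, and that a single clean day closes the episode and restores service; the customer names and dates are constructed.

```python
"""Staged escalation for an infected customer connection: warn, remind,
interstitial, then walled garden, on a five-business-day timetable.

Added illustration, not code from any ISP. Assumptions not in the post:
one detection verdict per customer per calendar day, the clock counts
business days (Mon-Fri), and a single clean day closes the episode and
restores full service. Customer names and dates are constructed.
"""
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Tuple


class Stage(Enum):
    CLEAN = "clean"
    MONITOR = "monitor"              # day 0: warning email, start watching
    REMIND = "remind"                # day 2: second email (or phone call)
    INTERSTITIAL = "interstitial"    # day 4: redirect to click-through warning
    WALLED_GARDEN = "walled_garden"  # day 5: quarantine


# rungs of the ladder: (business days since first detection, stage)
LADDER: List[Tuple[int, Stage]] = [
    (0, Stage.MONITOR), (2, Stage.REMIND),
    (4, Stage.INTERSTITIAL), (5, Stage.WALLED_GARDEN),
]

ACTION_ON_ENTRY: Dict[Stage, str] = {
    Stage.MONITOR: "email: infection detected, you have 5 business days",
    Stage.REMIND: "email/phone: still infected, 3 business days left",
    Stage.INTERSTITIAL: "http redirect: click-through warning, quarantine tomorrow",
    Stage.WALLED_GARDEN: "walled garden: only the support portal is reachable",
}


def business_days(start: date, end: date) -> int:
    """Mon-Fri days after start, up to and including end."""
    n, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n += 1
    return n


class Escalator:
    """Per-customer state: when the current episode started and how many
    rungs of the ladder have already been acted on."""

    def __init__(self) -> None:
        self.first_seen: Dict[str, date] = {}
        self.rungs_done: Dict[str, int] = {}

    def observe(self, customer: str, day: date, infected: bool) -> Tuple[Stage, List[str]]:
        """Feed one day's verdict; return the stage now in force and the
        actions the provider must take today (empty if nothing changed)."""
        actions: List[str] = []
        if not infected:
            done = self.rungs_done.pop(customer, 0)
            if self.first_seen.pop(customer, None) is not None:
                if done > 2:  # service was altered (redirect or walled garden)
                    actions.append("restore full service")
                actions.append("close episode")
            return Stage.CLEAN, actions
        start = self.first_seen.setdefault(customer, day)
        reached = [s for days, s in LADDER if business_days(start, day) >= days]
        done = self.rungs_done.get(customer, 0)
        for stage in reached[done:]:  # never skip a rung, even after a gap
            actions.append(ACTION_ON_ENTRY[stage])
        self.rungs_done[customer] = len(reached)
        return reached[-1], actions


def simulate(verdicts: List[Tuple[str, date, bool]]) -> Dict[str, List[Tuple[str, str, List[str]]]]:
    """Run chronological (customer, day, infected) verdicts through one Escalator."""
    esc = Escalator()
    out: Dict[str, List[Tuple[str, str, List[str]]]] = {}
    for customer, day, infected in verdicts:
        stage, actions = esc.observe(customer, day, infected)
        out.setdefault(customer, []).append((day.isoformat(), stage.value, actions))
    return out


# constructed sample: alice ignores every warning and is walled off on the
# fifth business day (weekend skipped); bob cleans up after the first email.
SAMPLE: List[Tuple[str, date, bool]] = [
    ("alice", date(2012, 6, 18), True), ("bob", date(2012, 6, 18), True),
    ("alice", date(2012, 6, 19), True), ("bob", date(2012, 6, 19), True),
    ("alice", date(2012, 6, 20), True), ("bob", date(2012, 6, 20), False),
    ("alice", date(2012, 6, 21), True),
    ("alice", date(2012, 6, 22), True),
    ("alice", date(2012, 6, 25), True),
    ("alice", date(2012, 6, 26), False),
]

if __name__ == "__main__":
    for customer, history in simulate(SAMPLE).items():
        for day, stage, actions in history:
            print(customer, day, stage, "; ".join(actions))
```

The model decides when each rung fires, not what the walled garden still lets through; which destinations stay reachable from inside it (the support portal, remote-support tools, a VoIP service on its own address) is a separate allow-list decision.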
Roland Chan
2012-06-18 11:27:29 UTC
Permalink
Would anyone like to try that with a real unskilled customer and get back
to us with the response?
On Jun 18, 2012 1:24 PM, "Jake Anderson" <***@vapourforge.com> wrote:

> On 18/06/12 12:31, Mark Andrews wrote:
>
>> In message <60828CFFDBEBA946AC54D9293505E8***@sssydmail01.stratsec.local>,
>> Eric Pinkerton writes:
>>
>>> Let's also not forget, that it's more and more the case today that
>>> people have multiple machines connected to their home router including
>>> smartphones, laptops, DVD players, Tablets, Games Consoles, Media
>>> Centres etc etc - and so quarantining the entire connection because
>>> one of those machines is infected can be far more disruptive to your
>>> customers than it once was.
>>>
>> Which in turn makes it all the more important that the customer is
>> informed of the problem so they can rectify the problem. All those
>> machines are within the home network so there is potential for
>> elevated levels of trust of the infected machine.
>>
>> Mark
>>
> If it was to work, a quarantine system would need to be applied at pretty
> much all ISPs so people don't just churn to somebody who doesn't block.
>
> This is something the Govt could actually do real good with. Some sort of
> Govt-led industry body that identifies infected networks and quarantines
> them. They already do this for infected people and the wider population
> accepts it.
>
> It need not be massively disruptive; the process of placing a host into
> quarantine could be gradual, and if the client is on the ball there need be
> no loss of service.
> 5 business days from detection to quarantine, say.
> You email them the moment it's detected with a warning and put them into
> monitoring.
> 2 days later, if it's still ongoing, another email (or phone call if you have
> a "premium" provider).
> 4 days after detection, start redirecting them to click-throughs saying that
> their network is going to be shut down tomorrow.
> 5 days after detection it's walled garden time.
>
> Support costs should be minimal: "you have a virus on your computer, go
> get it fixed then call us back, bye -click-"
>
> In terms of contract, drop the customers to line rental rates whilst they
> are infected and pause the duration of the contract (also offer "pauses" to
> the clients so people don't get infected just to take a holiday).
>
> If all ISPs in .au did it I can see some drastic improvements in the
> overall health of "the network", reduced bank fraud and the like, a net win
> for society as a whole.
>
> The kiddies would be exposed to far less porn if their computers were
> clean of redirecting viruses than the great firewall will prevent.
> (I know the firewall isn't/wasn't supposed to protect the kiddies' eyes but
> that's the way it always sounds in the media)
Jake Anderson
2012-06-18 12:24:38 UTC
Permalink
My better half worked tech support for banks.
When the problem wasn't theirs, SOP was to dump the call as
expeditiously as possible.
If its an industry wide code of practice then I don't see it being any
different to people who call their ISP asking for help using MS Word.


On 18/06/12 21:27, Roland Chan wrote:
>
> Would anyone like to try that with a real unskilled customer and get
> back to us with the response?
>
> On Jun 18, 2012 1:24 PM, "Jake Anderson" <***@vapourforge.com> wrote:
>
> On 18/06/12 12:31, Mark Andrews wrote:
>
> In message <***@sssydmail01.stratsec.local>, Eric Pinkerton writes:
>
> Let's also not forget, that it's more and more the case today that
> people have multiple machines connected to their home router including
> smartphones, laptops, DVD players, Tablets, Games Consoles, Media
> Centres etc etc - and so quarantining the entire connection because
> one of those machines is infected can be far more disruptive to your
> customers than it once was.
>
> Which in turn makes it all the more important that the customer is
> informed of the problem so they can rectify the problem. All
> those
> machines are within the home network so there is potential for
> elevated levels of trust of the infected machine.
>
> Mark
>
> If it was to work, a quarantine system would need to be applied at
> pretty much all ISPs so people don't just churn to somebody who
> doesn't block.
>
> This is something the Govt could actually do real good with. Some
> sort of Govt-led industry body that identifies infected networks
> and quarantines them. They already do this for infected people and
> the wider population accepts it.
>
> It need not be massively disruptive; the process of placing a host
> into quarantine could be gradual, and if the client is on the ball
> there need be no loss of service.
> 5 business days from detection to quarantine, say.
> You email them the moment it's detected with a warning and put them
> into monitoring.
> 2 days later, if it's still ongoing, another email (or phone call if
> you have a "premium" provider).
> 4 days after detection, start redirecting them to click-throughs
> saying that their network is going to be shut down tomorrow.
> 5 days after detection it's walled garden time.
>
> Support costs should be minimal: "you have a virus on your
> computer, go get it fixed then call us back, bye -click-"
>
> In terms of contract, drop the customers to line rental rates
> whilst they are infected and pause the duration of the contract
> (also offer "pauses" to the clients so people don't get infected
> just to take a holiday).
>
> If all ISPs in .au did it I can see some drastic improvements in
> the overall health of "the network", reduced bank fraud and the
> like, a net win for society as a whole.
>
> The kiddies would be exposed to far less porn if their computers
> were clean of redirecting viruses than the great firewall will
> prevent.
> (I know the firewall isn't/wasn't supposed to protect the kiddies'
> eyes but that's the way it always sounds in the media)
David Walker
2012-06-18 16:52:37 UTC
Permalink
On 18/06/2012, Roland Chan <***@chan.id.au> wrote:
> Would anyone like to try that with a real unskilled customer and get back
> to us with the response?

>
Roland Chan
2012-06-18 11:51:47 UTC
Permalink
I think you have to quarantine the entire connection, at least until v6
becomes the default and you get to look behind the gateway.

I'd like to talk about regular servicing meaning that tread problems are
predictable, whereas infection is not, but I think that analogy has
finally shuffled off to rhetorical device heaven.

We could ask an AV Vendor to provide useful stats on AV efficacy but I
suspect it might undermine their marketing. In the last year I've seen a
nonrepresentative sample of people get done while their security
subscriptions are valid. (Hi mum!)

Sorry for the top replies. Anything else is too hard on a phone.
On Jun 18, 2012 8:27 AM, "Mark Andrews" <***@isc.org> wrote:

>
> In message <CALxh8x88V+KmZYayyNETKuwy977MFQcP=TqYz-rsaXRJKZuv=***@mail.gmail.com>, Roland Chan writes:
> > I'd go further than that. The analogy is flawed in many ways, but the
> > 2 most salient are:
> >
> > - Roadworthiness is not an implicit part of owning a car (at least not
> > one that's driven on public roads). It's an explicit requirement of
> > operating a vehicle mandated by law. No such corresponding thing
> > exists for computers, and given the current state of technology I
> > believe it would impossible to define and enforce.
> > - Roadworthiness is the ability of the vehicle to perform when
> > operated lawfully, and says nothing about the ability of the vehicle
> > to perform when under attack or used as a weapon. Up to date security
> > measures on a computer do not provide anywhere near as much confidence
> > about the protection from compromise as a roadworthiness certificate
> > does for mechanical reliability of a car.
>
> This is more like, you have been pulled over for bald tires. There
> are obvious signs that you are infected and you are being pulled
> off the net for everyone else's safety.
>
> > I'll torture the analogy a bit further though: imagine losing your
> > licence because your car was stolen and used in an armed robbery.
> > Flawed again, but I couldn't help myself. I hate analogies and
> > torturing them gives me pleasure. ;)
>
> And is pointless in this case because you are not being told you
> can't use any computers. You are just being told you can't use
> particular computers until you get them fixed.
>
> > I do agree with Damien that a service provider that does not have
> > explicit T&Cs dealing with this scenario may well end up in trouble,
> > and a provider that does have these T&Cs will have a significant
> > customer service issues that will generate immense cost to the
> > business, to say nothing of the reputational impact.
>
> You do it well you will get a positive reputation.
>
> > I don't agree that we're talking about a short term support cost spike
> > either. Users will be repeatedly compromised, quarantined and calling
> > in for support.
>
> > Quarantine is painful for the customer and the provider, and does not
> > deliver sufficient long term benefit to the user, the provider or the
> > Internet at large to balance the cost, at least in my opinion.
>
> Tell that to those that are suffering DDoS and other attacks from
> compromised machines.
>
> > If
> > there were cheap, reliable and easily deployable measures a user could
> > take to secure their computers in the long term I would probably think
> > differently. Until then, I'm happy with mucking about with DNS to take
> > a chunk out of the problem (Disclosure: I used to lead the group that
> > designed all the stuff in the BigPond network that Barrie's been
> > talking about, including the Interpol filtering).
>
> This will always be a catchup game but if you get the systems
> upgraded to have the latest fixes you reduce the number of machines
> that can get infected and be used to attack others before the C&C
> machines are discovered.
>
> > What percentage of these machines are infected via known and fixed
> > vulnerabilities, and what percentage by yet-to-be-fixed vulnerabilities?
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ***@isc.org
>
Damien Gardner Jnr
2012-06-18 20:59:29 UTC
Permalink
Oh, and I should have pointed out earlier.. This 'quarantining' will
still need to allow the customer to still use things like remote
desktop, TeamViewer, LogMeIn, etc to contact their regular remote support..

I don't know about the others here, but my parents' first point of tech
support is usually myself, not one of the 'hundreds' of local computer
stores (I've tried getting them to go to the local computer store
first.. But that just resulted in every issue becoming a reinstall of
windows. And was completely useless..). I can only imagine the hell my
mother would let loose on the poor fellow on the Bigpond helpdesk (and
about 5 minutes later, her local MP, who does take her calls..) who
tried to tell her 'Sorry, you have a virus, we have disconnected you
from the internet until you fix it. No, we can't let you have enough
internet access for your son to fix it remotely'.

For that matter, same would go for quite a few of our remote-support
customers as well - except then you're not dealing with a pensioner on a
rampage, you're dealing with a business owner screaming 'loss of
income!'. Or does this quarantining still allow the customer to
send/receive emails etc?

Don't get me wrong, I appreciate the idea of trying to help customers,
and reduce the amount of infections, etc - it just seems like it's going
to cause more problems than it's worth..?

--DG

On 18/06/2012 9:51 PM, Roland Chan wrote:
>
> I think you have to quarantine the entire connection, at least until
> v6 becomes the default and you get to look behind the gateway.
>
> I'd like to talk about regular servicing meaning that tread problems
> are predictable, whereas infection is not, but I think that analogy
> has finally shuffled off to rhetorical device heaven.
>
> We could ask an AV Vendor to provide useful stats on AV efficacy but I
> suspect it might undermine their marketing. In the last year I've
> seen a nonrepresentative sample of people get done while their
> security subscriptions are valid. (Hi mum!)
>
> Sorry for the top replies. Anything else is too hard on a phone.
>
> On Jun 18, 2012 8:27 AM, "Mark Andrews" <***@isc.org> wrote:
>
>
> In message
> <CALxh8x88V+KmZYayyNETKuwy977MFQcP=TqYz-rsaXRJKZuv=***@mail.gmail.com>,
> Roland Chan writes:
> > I'd go further than that. The analogy is flawed in many ways,
> but the
> > 2 most salient are:
> >
> > - Roadworthiness is not an implicit part of owning a car (at
> least not
> > one that's driven on public roads). It's an explicit requirement of
> > operating a vehicle mandated by law. No such corresponding thing
> > exists for computers, and given the current state of technology I
> > believe it would impossible to define and enforce.
> > - Roadworthiness is the ability of the vehicle to perform when
> > operated lawfully, and says nothing about the ability of the vehicle
> > to perform when under attack or used as a weapon. Up to date
> security
> > measures on a computer do not provide anywhere near as much
> confidence
> > about the protection from compromise as a roadworthiness certificate
> > does for mechanical reliability of a car.
>
> This is more like, you have been pulled over for bald tires. There
> are obvious signs that you are infected and you are being pulled
> off the net for everyone else's safety.
>
> > I'll torture the analogy a bit further though: imagine losing your
> > licence because your car was stolen and used in an armed robbery.
> > Flawed again, but I couldn't help myself. I hate analogies and
> > torturing them gives me pleasure. ;)
>
> And is pointless in this case because you are not being told you
> can't use any computers. You are just being told you can't use
> particular computers until you get them fixed.
>
> > I do agree with Damien that a service provider that does not have
> > explicit T&Cs dealing with this scenario may well end up in trouble,
> > and a provider that does have these T&Cs will have a significant
> > customer service issues that will generate immense cost to the
> > business, to say nothing of the reputational impact.
>
> You do it well you will get a positive reputation.
>
> > I don't agree that we're talking about a short term support cost
> spike
> > either. Users will be repeatedly compromised, quarantined and
> calling
> > in for support.
>
> > Quarantine is painful for the customer and the provider, and
> does not
> > deliver sufficient long term benefit to the user, the provider
> or the
> > Internet at large to balance the cost, at least in my opinion.
>
> Tell that to those that are suffering DDoS and other attacks from
> compromised machines.
>
> > If
> > there were cheap, reliable and easily deployable measures a user
> could
> > take to secure their computers in the long term I would probably
> think
> > differently. Until then, I'm happy with mucking about with DNS
> to take
> > a chunk out of the problem (Disclosure: I used to lead the group
> that
> > designed all the stuff in the BigPond network that Barrie's been
> > talking about, including the Interpol filtering).
>
> This will always be a catchup game but if you get the systems
> upgraded to have the latest fixes you reduce the number of machines
> that can get infected and be used to attack others before the C&C
> machines are discovered.
>
> > What percentage of these machines are infected via known and fixed
> > vulnerabilities, and what percentage by yet-to-be-fixed
> > vulnerabilities?
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ***@isc.org
>


--
Damien Gardner Jnr
VK2TDG. Dip EE. GradIEAust
***@rendrag.net - http://www.rendrag.net/
--
We rode on the winds of the rising storm,
We ran to the sounds of thunder.
We danced among the lightning bolts,
and tore the world asunder
Noel Butler
2012-06-18 23:11:07 UTC
Permalink
On Tue, 2012-06-19 at 06:59 +1000, Damien Gardner Jnr wrote:

> Oh, and I should have pointed out earlier.. This 'quarantining' will
> still need to allow the customer to still use things like remote
> desktop, TeamViewer, LogMeIn, etc to contact their regular remote
> support..
>


Pfft, why is it always the ISP's problem that the end user has a virus? I've
suspended many services cold "until you fix your system" over the last
decade; this includes all types from all walks of life. I only ever
recall one person demanding his service back, as I had no right to cut
him off; guess what, he stayed cut off until he got his act together.
99.999% of people were appreciative of the action, which was always
preceded by a warning email.


> For that matter, same would go for quite a few of our remote-support
> customers as well - except then you're not dealing with a pensioner on
> a rampage, you're dealing with a business owner screaming 'loss of
> income!'. Or does this quarantining still allow the customer to
> send/receive emails etc?
>


An ISP's first and foremost responsibility is to its network and service
integrity. People who spend more time bitching about you suspending
their service rather than getting off their useless arse and fixing up
the problem they introduced to themselves are not worth bothering with.
A suspension is a suspension: we did it, I think Exetel still does it,
and there are likely others out there that do it.
Eric Pinkerton
2012-06-19 00:54:40 UTC
Permalink
>An ISP's first and foremost responsibility is to its network and service integrity. People who spend more time bitching about you suspending their service rather than getting off their useless arse and fixing up the problem they introduced to themselves are not worth bothering with.

LOL, This network was awesome before some idiot put customers on it!

And to think, us geeks are still getting unfairly labelled as socially awkward!

;-) E
David Hooton
2012-06-19 01:42:33 UTC
Permalink
On 19/06/2012, at 6:59 AM, Damien Gardner Jnr wrote:

> Oh, and I should have pointed out earlier.. This 'quarantining' will still need to allow the customer to still use things like remote desktop, TeamViewer, LogMeIn, etc to contact their regular remote support..

There are "spook" style appliances starting to rear their heads in the enterprise world that can "restore" quarantined PCs back to a "compliant" state. This is obviously not something that the Aussie ISP market is ready for yet, but I would hazard a guess that something like that could become a product vendors will be tapping on our doors to flog in the not too distant future to offer customers as a managed service.

Again, as I said earlier, the key to any "value added network behaviour" is communication: the customer has to be aware you're doing it and be willing to participate. All the RFCs, utopian tech concepts and best practices in the world don't matter much if they aren't serving a legitimate customer requirement. Let's face it, in this market we are more often than not spending the majority of our time helping the market catch up with what they actually need; the ways we do this ARE important, but let's not rule out legitimate options just because they lack technical purity.

Cheers

Dave
Narelle
2012-06-19 08:10:27 UTC
Permalink
On Sat, Jun 16, 2012 at 12:25 PM, Roland Chan <***@chan.id.au> wrote:
> The problem with that approach is the potential for a customer to be
> permanently stuck in quarantine because they lack the knowledge to clean
> their computer.
>
> I don't think that is an acceptable outcome, at least not while they're
> paying for service.

And in this era you have people now completely reliant on the internet
for access to banking, Centrelink and their emergency telephone
services.

This isn't an acceptable outcome for users at all.

We have to have an overall quality improvement approach to user side,
services side and hardware.

The only case I can see it being remotely acceptable is where the user
was propagating a mightily virulent strain of the online ebola
equivalent. Rabid stuxnet anyone?

The fact is, however, that even the malware writers now see the latter
as being counterproductive.


--


Narelle Clark
***@isoc-au.org.au
Mark Andrews
2012-06-20 01:40:50 UTC
Permalink
In message <CACRMD1FpMAfNA25KaEEYd80epDZ56k+JwMTh_h-H05PvsB56-***@mail.gmail.com>, Narelle writes:
> On Sat, Jun 16, 2012 at 12:25 PM, Roland Chan <***@chan.id.au> wrote:
> > The problem with that approach is the potential for a customer to be
> > permanently stuck in quarantine because they lack the knowledge to clean
> > their computer.
> >
> > I don't think that is an acceptable outcome, at least not while they're
> > paying for service.
>
> And in this era you have people now completely reliant on the internet
> for access to banking, Centrelink and their emergency telephone
> services.
>
> This isn't an acceptable outcome for users at all.
>
> We have to have an overall quality improvement approach to user side,
> services side and hardware.
>
> The only case I can see it being remotely acceptable is where the user
> was propagating a mightily virulent strain of the online ebola
> equivalent. Rabid stuxnet anyone?
>
> The fact is, however, that even the malware writers now see the latter
> as being counterproductive.

Telephone service can be and is separated today from the rest of
the IP traffic. Often it is a completely different IP address with
different QoS tagging. The only thing in common is the physical
equipment. You plug the phone jack on the modem into the internal
house telephone wiring / wireless phone hub. That jack is often
designed to continue working for a while on power outage. The LAN
jack isn't, as the modem goes into power saving mode.

When I suggested this earlier in the thread, users got the ability
to clear the quarantine with grace periods to enable them to fix
the problems themselves.

As for access to banking the machine that is compromised is likely
to be the same machine being used to do the banking.

As for Centrelink there are alternatives to using the home internet.

> --
>
>
> Narelle Clark
> ***@isoc-au.org.au
> _______________________________________________
> AusNOG mailing list
> ***@lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ***@isc.org
Damien Gardner Jnr
2012-06-20 01:57:58 UTC
Permalink
On 20/06/2012 11:40 AM, Mark Andrews wrote:
> As for Centrelink there are alternatives to using the home internet.
>
The scary thing is, unless you want to brave the local library (and can
find someone to talk you through doing it), they're very quickly pushing
everyone to have the internet at home..

My mother was telling me last week how they had to help their 90yo
neighbour set up a gmail account, and then sign up for Centrelink online
services, because the *only* way to claim the new carbon rebate for
pensioners (where they get $x/year back for running a CPAP, electric
wheelchair, etc), is via the Centrelink website - and it's not from a
section available via the computers that you can use *at* Centrelink?!
That rather blew me away as stupidity in the extreme..?

Cheers,

DG

--
Damien Gardner Jnr
VK2TDG. Dip EE. GradIEAust
***@rendrag.net - http://www.rendrag.net/
--
We rode on the winds of the rising storm,
We ran to the sounds of thunder.
We danced among the lightning bolts,
and tore the world asunder
Mark Andrews
2012-06-20 02:08:39 UTC
Permalink
In message <***@rendrag.net>, Damien Gardner Jnr writes:
> On 20/06/2012 11:40 AM, Mark Andrews wrote:
> > As for Centrelink there are alternatives to using the home internet.
>
> The scary thing is, unless you want to brave the local library (and can
> find someone to talk you through doing it), they're very quickly pushing
> everyone to have the internet at home..
>
> My mother was telling me last week how they had to help their 90yo
> neighbour set up a gmail account, and then sign up for Centrelink online
> services, because the *only* way to claim the new carbon rebate for
> pensioners (where they get $x/year back for running a CPAP, electric
> wheelchair, etc), is via the Centrelink website - and it's not from a
> section available via the computers that you can use *at* Centrelink?!
> That rather blew me away as stupidity in the extreme..?

Did you report it to Centrelink staff? Did the staff do the update
from their computers?

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ***@isc.org
Damien Gardner Jnr
2012-06-20 02:20:11 UTC
Permalink
On 20/06/2012 12:08 PM, Mark Andrews wrote:
> Did you report it to Centrelink staff? Did the staff do the update
> from their computers?

I didn't do anything, but mum tells me she went into Centrelink to
complain about her neighbour effectively being denied the new rebate,
and was told no, you cannot apply for the rebate at a Centrelink
shopfront, not even from their computers - seemed rather daft to me :(

--
Damien Gardner Jnr
VK2TDG. Dip EE. GradIEAust
***@rendrag.net - http://www.rendrag.net/
--
We rode on the winds of the rising storm,
We ran to the sounds of thunder.
We danced among the lightning bolts,
and tore the world asunder
Mark Andrews
2012-06-20 02:27:52 UTC
Permalink
In message <***@rendrag.net>, Damien Gardner Jnr writes:
> On 20/06/2012 12:08 PM, Mark Andrews wrote:
> > Did you report it to Centrelink staff? Did the staff do the update
> > from their computers?
>
> I didn't do anything, but mum tells me she went into Centrelink to
> complain about her neighbour effectively being denied the new rebate,
> and was told no, you cannot apply for the rebate at a Centrelink
> shopfront, not even from their computers - seemed rather daft to me :(

I suspect there is some ombudsman she could complain to. Situations
like this are ridiculous.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ***@isc.org
Mark Andrews
2012-06-15 02:26:25 UTC
Permalink
If you can identify C&C domain lookups you can quarantine the site
with self release, with progressively longer hold times for repeat
offenders. Add a grace period or restricted access to the net to
allow for self cleanup.

If you are a C&C researcher, computer repair shop, etc. you need
to get yourself onto an exclusion list.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ***@isc.org
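The policy sketched in the post above (quarantine on C&C lookups, self release after a hold that grows per repeat, a grace period for self cleanup, and an exclusion list), as an added example that is not from the thread or any ISP's system. The C&C names, account names and timings are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample data: placeholder C&C names, not real indicators.
CC_DOMAINS = {"cc-one.invalid", "cc-two.invalid"}
EXCLUSION_LIST = {"research-acct"}       # C&C researchers, repair shops, etc.
GRACE = 24 * 3600                         # seconds allowed for self cleanup
BASE_HOLD = 3600                          # first hold; doubles per strike
MAX_HOLD = 7 * 24 * 3600

@dataclass
class Customer:
    state: str = "clean"                  # clean | grace | quarantined
    strikes: int = 0                      # incidents counted against account
    flagged_at: int = 0                   # start of the current grace period
    last_seen: int = 0                    # last C&C lookup observed
    hold_until: int = 0                   # earliest time self release works

class QuarantinePolicy:
    def __init__(self):
        self.customers = {}

    @staticmethod
    def hold_for(strikes):
        # Hold before self release is allowed, growing with repeat offences.
        return min(BASE_HOLD * 2 ** (strikes - 1), MAX_HOLD)

    def observe(self, account, qname, now):
        """Feed one resolver event (account, queried name, epoch seconds)."""
        c = self.customers.setdefault(account, Customer())
        if account in EXCLUSION_LIST or qname.lower().rstrip(".") not in CC_DOMAINS:
            return c.state
        if c.state == "quarantined":
            return c.state
        if c.state == "grace" and now - c.last_seen >= GRACE:
            c.state = "clean"             # quiet for a full grace period: cleaned up
        if c.state == "clean":
            c.state, c.flagged_at, c.strikes = "grace", now, c.strikes + 1
        elif now - c.flagged_at >= GRACE:
            # still talking to C&C after the grace period: enforce quarantine
            c.state, c.hold_until = "quarantined", now + self.hold_for(c.strikes)
        c.last_seen = now
        return c.state

    def self_release(self, account, now):
        """Customer-initiated release, refused until the hold has elapsed."""
        c = self.customers.get(account)
        if c is None or c.state != "quarantined" or now < c.hold_until:
            return False
        c.state = "clean"
        return True
```

A real deployment would drive `observe` from resolver query logs and expose `self_release` through the quarantine landing page; lookups from the excluded account never change its state.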