funsec mailing list archives

Re: dumb. Comcast pop-ups


From: Rich Kulawiec <rsk () gsp org>
Date: Sun, 11 Oct 2009 07:42:38 -0400

On Sat, Oct 10, 2009 at 05:59:40PM -0500, Toralv_Dirro () mcafee com wrote:
> And prevent their customers from some activity on the internet that
> may be extremely urgent and important? As much as I would prefer such
> an approach personally, I'm afraid this is not a realistic option in
> the real world.

It is the ONLY acceptable solution.  Anything less is incompetent
and abusive -- which is why Comcast, for a while, was the world's #1
spammer.  I see no reason at all why the entire rest of the Internet
should suffer abuse and attacks at the hands of Comcast's, or anyone
else's, negligently-operated network.

And I'm appalled that *anyone* working in security does not recognize
the basic principle that once a system is known-compromised, it must
be immediately removed from the network.  It's enemy territory as much
as if it were physically hosted at the RBN.  It no longer belongs,
in any real sense, to its putative owner.  Nothing it does can be
trusted.  And it is extraordinarily foolish to believe that it will
carry out any task assigned to it by its putative (former) owner,
from sending a piece of email to accessing a web site to controlling
an external device to making a VOIP call to executing some
anti-malware software package.

This should be burned into the brain of everyone working in security:

        If someone else can run arbitrary code on your computer,
        it's not YOUR computer any more.

And allowing computers known-owned by the enemy to operate on
one's network is off-the-scale stupid.

Now, I'm sorry it's inconvenient for Comcast.  But I didn't build
their network: THEY did.  It is therefore 100% their responsibility
to manage it properly.  If they're not up to that task, then (a) maybe
they shouldn't have built something they can't control and (b) they
should immediately shut down all operations until they can.

That's what responsible people do. [1]  They certainly don't allow their
festering sewer of an operation to carry out seven years of spam runs,
DoS attacks, ssh probes, phishing schemes, etc. against the entire
rest of the Internet because they lack the integrity, the courage and
the wit to stop it.

> And I'm sure they are open to suggestion how to solve this with the
> least negative impact on them and their customers.

First: This Is Not My Problem.  See above and note again that I didn't
build their network: they did.  Why, exactly, should I spend my
valuable time attempting to instruct them in the rudiments of proper
network operational practice?  Shouldn't they have learned these
Network 101 fundamentals *before* they built a huge network?  Moreover,
as someone who has had to spend his time and money dealing with the unceasing
abuse emanating from Comcast, why should I spend MORE time and money
telling my abusers how to make it stop?  That's absurd.

Second: The time to "solve this with the least negative impact" on
everyone, not just their customers, who are insignificant in the big
scheme of things compared to the entire rest of the Internet, was
6-7 years ago.  The proper response from Comcast at that time was
to bring in all available staff (hiring more on-the-fly if necessary)
and work the problem around-the-clock until resolution.  That's what
responsible professionals do.

And third: actually, no, they are not.  Comcast, among others,
is conspicuous by its absence from the forums in which senior people
working in the field figured out what was going on in late 2002/early
2003 and began debating solutions.  Subsequent actions by Comcast,
including their deployment of DNS forgery techniques, strongly indicate
that they are far more interested in maximizing revenue than they are
in behaving as responsible participants in the Internet community.

Had Comcast been paying attention to those with a keen grasp of
the situation 6-7 years ago, it *might* have been possible to address
this problem before it became large enough to present serious
scalability issues.  However, thanks to their own bumbling and ineptness,
it's now a huge problem (and not just at Comcast).  For example, from
July 2003 on the Spam-L list, which of course all minimally-competent
practitioners in the field read, this snapshot of observed spam sources
by month from one monitoring point:

        And by certain ISPs, e.g. Comcast:

              7 Jan
             27 Feb
             32 Mar
           2147 May
           2498 Jun

Anyone looking at that and not immediately grasping that this indicated
alarmingly non-linear growth should not be running a network.  And of
course this is but a tiny snippet out of a lengthy series of discussions
which made it crystal-clear that they had an already-serious and
quickly-growing problem on their hands.  One obvious course of action
available at that time was to request logs from everyone who cared
to contribute them and thereby identify many of the compromised
systems on their network [2], disable all of those systems, and
then effect repairs.

Yes, this would be expensive. This is also Not My Problem: I don't
build networks that I cannot afford to operate properly because I know
that's irresponsible and unprofessional.  Of course, given that Comcast
was busy trying to spend $54B at the same time to buy Disney, I think
we may safely dismiss any feeble protest on their part about costs.

---Rsk

[1] And that's not just talking the talk.  We physically unplugged
our entire campus from the 'net on 11/3/88 in an attempt to prevent
our known-infected operation from becoming a hazard to others.  It
was obviously the right thing to do, and if similar circumstances
presented themselves, it'd be done again.

[2] Certainly not all, as any which were compromised but not spewing
spam wouldn't show up.  But at least this would nail the visible ones,
and in doing so, would diminish the scope of the problem while no doubt
providing further insight into how best to deal with the remainder.
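The triage the post describes (collect contributed abuse logs, count distinct sources in your own address space per month, flag the non-linear growth, and produce the list of hosts to disconnect and repair) as an added example; this is not code from the post or from any ISP, the report format, the 198.51.100.0/24 netblock and the sample lines are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict
# Constructed sample of abuse reports contributed by outside sites
# ("<ISO timestamp> <source IP> <kind>"); not real data.
REPORTS = """\
2003-01-03T02:11:09Z 198.51.100.17 spam
2003-01-19T11:40:00Z 198.51.100.17 spam
2003-01-22T09:05:13Z 203.0.113.8 spam
2003-02-02T13:22:45Z 198.51.100.23 spam
2003-02-14T23:59:01Z 198.51.100.17 ssh-probe
2003-03-04T04:04:04Z 198.51.100.40 spam
2003-03-06T05:00:00Z 198.51.100.41 phishing
2003-03-08T06:00:00Z 198.51.100.42 spam
2003-03-09T07:00:00Z 198.51.100.43 spam
malformed line that should be skipped
"""

OUR_NETBLOCKS = [ipaddress.ip_network("198.51.100.0/24")]  # hypothetical ISP space (assumption)

def parse_reports(text):
    """Yield (YYYY-MM, address) for well-formed lines inside our netblocks."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue                       # ignore junk rather than crash
        try:
            addr = ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        if any(addr in net for net in OUR_NETBLOCKS):
            yield parts[0][:7], addr

def sources_by_month(text):
    """Number of distinct reported hosts in our space, keyed by month."""
    seen = defaultdict(set)
    for month, addr in parse_reports(text):
        seen[month].add(addr)
    return {m: len(s) for m, s in sorted(seen.items())}

def growth_alerts(counts, factor=2.0):
    """Months whose distinct-source count grew >= factor over the prior month."""
    months = sorted(counts)
    return [(cur, counts[cur] / counts[prev])
            for prev, cur in zip(months, months[1:])
            if counts[prev] and counts[cur] / counts[prev] >= factor]

def disable_list(text):
    """Every distinct host in our space named in any report: take offline, repair, then reconnect."""
    return [str(a) for a in sorted({addr for _m, addr in parse_reports(text)})]
```

Hosts that are compromised but not yet reported will not appear, as the post's footnote [2] notes, so the list is a floor, not the whole problem.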
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.