NNSquad - Network Neutrality Squad
[ NNSquad ] Re: Comcast's "Evil Bot" Scanning Project (Lauren Weinstein)
I should add, for those who aren't actually on Comcast's network, that Comcast notifies users that it is the source of the DNS ads, and offers an opt-out. In my book, that goes a long way in moving this from being a network neutrality issue towards being a service quality issue. Perhaps a similar strategy would be appropriate for user-notification-via- http-hijacking too? Users could have an account configuration option allowing them to choose between HTTP hijacking, email, a phone call, and possibly other notification protocols. On Sat, Oct 10, 2009 at 05:45:24PM -0700, Peter Eckersley wrote: > David, > > I share your concern about browser hijacking as a form of user notification > and authentication. It's a hack and it tends to break things, including > security. One puts up with it on hotel networks and similar because one has > no choice, but it would be troubling to see it become commonplace on paid > Internet subscriptions. > > To be fair, we should talk about what the altneratives are -- are there better > technical options than browser hijacking? Has anyone tried to define a > network-related notification protocol, possibly as part of DHCP? What would > it look like, and could it be done securely? Do people on this list think > that ISPs should be using email or phone calls instead to inform their users > of important facts like apparent botnet infection? > > On your other point David, I've also had plenty of problems from Comcast's DNS > based advertising. In the past few weeks I've seen legitimate browser > requests to sites including wikipedia.org, openstreatmap.org and > singaporeairlines.com hijacked by it. I suspect that the root problem is in > Comcast's DNS infrastructure (I do have a NAT router as my first-hop DNS, but > it's hard to see how it could be the cause of a DNS query failure *and* get > the advertising server's IP at the same time). Perhaps Jason or someone else > from Comcast could comment? > > PS -- there's a cautionary lesson to be learned from the BareFruit story (see > http://www.wired.com/threatlevel/2008/04/isps-error-page/ ); the > takehome lesson there is that XSS vulnerabilities in these advertising > services can allow remote attackers to steal an ISP's customers' passwords to > arbitrary websites. > > On Fri, Oct 09, 2009 at 09:53:40PM -0400, David P. Reed wrote: > > I don't see where Comcast is being transparent about *how* they do > > this, or giving customers a chance to opt-in or -out. > > > > If I send a lot of email, why does that make me a "bot"? Maybe I > > just send a lot of email. > > > > If the contents of my communications are being "scanned", why is > > that legal? Why does Comcast care? > > > > I might choose (if it were explained to me what was happening and > > what the risks are to my privacy or being accused of a crime or > > hauled off as a "suspected child pornographer" because I sent > > pictures of my naked child) to have this service, or not. > > > > But to be honest, in most markets, Comcast is the only real choice, > > and imposing their "features" on me might not be what I want, even > > if they "market" it as a *good thing*. If there were serious > > competition (multiple providers, and no special "franchise" deals > > with local governments that block new competitors, perhaps customers > > would have a choice. However, most do not have other choice for > > highspeed Internet, except Hobson's: "take that or nothing at all"). > > > > I'm really not impressed by these moves by Comcast. Livingood > > already sent out an email saying that they redirect DNS service to a > > service that sends certain names to hosts that do not have those > > names registered, but which will respond with advertising-only > > websites. > > > > This is not the way the Internet is designed to work. > > > > Comcast supposedly cleaned up its act. Now it's backsliding - > > forcing secret and invasive services on customers. On day one, > > they will "love it" (especially in the Comcast-authored press > > release). > > > > [ I am personally willing to give Comcast the benefit of the > > doubt for the moment on this project and see where it leads. > > It could potentially be useful, but it would also be easy for > > Comcast to overplay its hand. > > > > A number of possible issues: > > > > - How intrusive will monitoring be? Will packet payloads be scanned? > > If so, this likely is immediately a serious privacy problem. > > > > - How often will their scanning operations trigger firewall > > or other protective alerts that users already have > > installed? > > > > - False positives? Non-evil bots and other innocent > > applications falsely categorized as evil bots? > > > > - Legit e-mail sending daemons categorized as spam senders? > > > > Notifications: The implication is that they plan a browser pop > > up. That may mean interfering directly with the TCP/IP > > stream. True, this shouldn't happen frequently to any given > > user for such security notices, but once Comcast has such a > > capability (if that is indeed their methodology) the > > inclination to use it for other less critical purposes as well > > could be strong. > > > > I think the success of this project will depend largely on how > > transparent Comcast is about exactly what they're doing and > > how they react to any problems that their system may cause. > > If Comcast takes a "We can't tell you exactly what we're doing > > because that would reveal too much to the bad guys" approach > > then we potentially could have a significant dilemma on our > > hands. > > > > -- Lauren Weinstein > > NNSquad Moderator ] > > -- > Peter Eckersley pde@eff.org > Staff Technologist Tel +1 415 436 9333 x131 > Electronic Frontier Foundation Fax +1 415 436 9993 -- Peter Eckersley pde@eff.org Staff Technologist Tel +1 415 436 9333 x131 Electronic Frontier Foundation Fax +1 415 436 9993