NNSquad - Network Neutrality Squad
[ NNSquad ] Re: Comcast's "Evil Bot" Scanning Project (Lauren Weinstein)
I should add, for those who aren't actually on Comcast's network, that Comcast
notifies users that it is the source of the DNS ads, and offers an opt-out.
In my book, that goes a long way in moving this from being a network neutrality
issue towards being a service quality issue.
Perhaps a similar strategy would be appropriate for user-notification-via-
http-hijacking too? Users could have an account configuration option allowing
them to choose between HTTP hijacking, email, a phone call, and possibly other
notification protocols.
On Sat, Oct 10, 2009 at 05:45:24PM -0700, Peter Eckersley wrote:
> David,
>
> I share your concern about browser hijacking as a form of user notification
> and authentication. It's a hack and it tends to break things, including
> security. One puts up with it on hotel networks and similar because one has
> no choice, but it would be troubling to see it become commonplace on paid
> Internet subscriptions.
>
> To be fair, we should talk about what the altneratives are -- are there better
> technical options than browser hijacking? Has anyone tried to define a
> network-related notification protocol, possibly as part of DHCP? What would
> it look like, and could it be done securely? Do people on this list think
> that ISPs should be using email or phone calls instead to inform their users
> of important facts like apparent botnet infection?
>
> On your other point David, I've also had plenty of problems from Comcast's DNS
> based advertising. In the past few weeks I've seen legitimate browser
> requests to sites including wikipedia.org, openstreatmap.org and
> singaporeairlines.com hijacked by it. I suspect that the root problem is in
> Comcast's DNS infrastructure (I do have a NAT router as my first-hop DNS, but
> it's hard to see how it could be the cause of a DNS query failure *and* get
> the advertising server's IP at the same time). Perhaps Jason or someone else
> from Comcast could comment?
>
> PS -- there's a cautionary lesson to be learned from the BareFruit story (see
> http://www.wired.com/threatlevel/2008/04/isps-error-page/ ); the
> takehome lesson there is that XSS vulnerabilities in these advertising
> services can allow remote attackers to steal an ISP's customers' passwords to
> arbitrary websites.
>
> On Fri, Oct 09, 2009 at 09:53:40PM -0400, David P. Reed wrote:
> > I don't see where Comcast is being transparent about *how* they do
> > this, or giving customers a chance to opt-in or -out.
> >
> > If I send a lot of email, why does that make me a "bot"? Maybe I
> > just send a lot of email.
> >
> > If the contents of my communications are being "scanned", why is
> > that legal? Why does Comcast care?
> >
> > I might choose (if it were explained to me what was happening and
> > what the risks are to my privacy or being accused of a crime or
> > hauled off as a "suspected child pornographer" because I sent
> > pictures of my naked child) to have this service, or not.
> >
> > But to be honest, in most markets, Comcast is the only real choice,
> > and imposing their "features" on me might not be what I want, even
> > if they "market" it as a *good thing*. If there were serious
> > competition (multiple providers, and no special "franchise" deals
> > with local governments that block new competitors, perhaps customers
> > would have a choice. However, most do not have other choice for
> > highspeed Internet, except Hobson's: "take that or nothing at all").
> >
> > I'm really not impressed by these moves by Comcast. Livingood
> > already sent out an email saying that they redirect DNS service to a
> > service that sends certain names to hosts that do not have those
> > names registered, but which will respond with advertising-only
> > websites.
> >
> > This is not the way the Internet is designed to work.
> >
> > Comcast supposedly cleaned up its act. Now it's backsliding -
> > forcing secret and invasive services on customers. On day one,
> > they will "love it" (especially in the Comcast-authored press
> > release).
> >
> > [ I am personally willing to give Comcast the benefit of the
> > doubt for the moment on this project and see where it leads.
> > It could potentially be useful, but it would also be easy for
> > Comcast to overplay its hand.
> >
> > A number of possible issues:
> >
> > - How intrusive will monitoring be? Will packet payloads be scanned?
> > If so, this likely is immediately a serious privacy problem.
> >
> > - How often will their scanning operations trigger firewall
> > or other protective alerts that users already have
> > installed?
> >
> > - False positives? Non-evil bots and other innocent
> > applications falsely categorized as evil bots?
> >
> > - Legit e-mail sending daemons categorized as spam senders?
> >
> > Notifications: The implication is that they plan a browser pop
> > up. That may mean interfering directly with the TCP/IP
> > stream. True, this shouldn't happen frequently to any given
> > user for such security notices, but once Comcast has such a
> > capability (if that is indeed their methodology) the
> > inclination to use it for other less critical purposes as well
> > could be strong.
> >
> > I think the success of this project will depend largely on how
> > transparent Comcast is about exactly what they're doing and
> > how they react to any problems that their system may cause.
> > If Comcast takes a "We can't tell you exactly what we're doing
> > because that would reveal too much to the bad guys" approach
> > then we potentially could have a significant dilemma on our
> > hands.
> >
> > -- Lauren Weinstein
> > NNSquad Moderator ]
>
> --
> Peter Eckersley pde@eff.org
> Staff Technologist Tel +1 415 436 9333 x131
> Electronic Frontier Foundation Fax +1 415 436 9993
--
Peter Eckersley pde@eff.org
Staff Technologist Tel +1 415 436 9333 x131
Electronic Frontier Foundation Fax +1 415 436 9993