NNSquad - Network Neutrality Squad
[ NNSquad ] Re: Comcast's "Evil Bot" Scanning Project (Lauren Weinstein)
I like the option of notification by digitally-signed email or something
verifiable. I am less sure I like the popup idea. Setting aside the
privacy issues of DPI (which are severe), I think it would be very useful
to have some idea whether your computer is sending out stuff on its own
(if this could possibly be determined). Sometimes bad behavior is hard to
detect except by another observer.

vint

   [ The notification problem is a tough nut to crack, *especially*
     to systems that are already compromised. ISPs may not have an
     e-mail address for users that will ever be monitored by the
     subscriber (many users never activate any of the ISP-provided
     mailbox options, only using the ISP for connectivity). VPN or
     non-browser users wouldn't likely see pop-ups. The phone number
     on file with the ISP could lead nowhere or to voicemail at the
     accounts payable office. It's not even clear how to track
     changes in contact information that would relate to this problem.

     Authenticating warnings is another issue, as has already been
     noted. Trying to inject ISP messages into 3rd party, existing
     Web streams via DPI strikes me as problematic from a number of
     angles.

     In fact, what of systems that run unattended most or all of the
     time? Who is ever going to see a pop-up or other system-based
     notification in such cases?

     Of course, shutting down the Internet service would certainly
     get the user's attention eventually, but what of important
     operations that could be disrupted in the process? And how
     confusing would it be for a user to reach someone at a big ISP's
     call center -- sometimes far, far away at the end of a poor
     quality VoIP connection, to explain what's going on and how to
     get going again?

     A fine mess.

       -- Lauren Weinstein
          NNSquad Moderator ]

 - - -

On Oct 11, 2009, at 2:45 AM, Rahul Tongia wrote:

> Perhaps I missed this, but what are the non-networking implications
> of anything found in the due course of applying this system (for
> network good). If they find something in what was scanned that isn't
> a networking issue, do they keep it, re-use it, have the rights to
> share/send/sell it, etc.? What about law-enforcement? Short of a
> direct (individualized, as opposed to blanket) court order, I hope
> they don't hand stuff over?
>
> Rahul
>
> On Sun, Oct 11, 2009 at 6:28 AM, Peter Eckersley <pde@eff.org> wrote:
> I should add, for those who aren't actually on Comcast's network,
> that Comcast notifies users that it is the source of the DNS ads, and
> offers an opt-out. In my book, that goes a long way in moving this
> from being a network neutrality issue towards being a service quality
> issue.
>
> Perhaps a similar strategy would be appropriate for
> user-notification-via-http-hijacking too? Users could have an account
> configuration option allowing them to choose between HTTP hijacking,
> email, a phone call, and possibly other notification protocols.
>
> On Sat, Oct 10, 2009 at 05:45:24PM -0700, Peter Eckersley wrote:
> > David,
> >
> > I share your concern about browser hijacking as a form of user
> > notification and authentication. It's a hack and it tends to break
> > things, including security. One puts up with it on hotel networks
> > and similar because one has no choice, but it would be troubling to
> > see it become commonplace on paid Internet subscriptions.
> >
> > To be fair, we should talk about what the alternatives are -- are
> > there better technical options than browser hijacking? Has anyone
> > tried to define a network-related notification protocol, possibly
> > as part of DHCP? What would it look like, and could it be done
> > securely? Do people on this list think that ISPs should be using
> > email or phone calls instead to inform their users of important
> > facts like apparent botnet infection?
> >
> > On your other point David, I've also had plenty of problems from
> > Comcast's DNS based advertising. In the past few weeks I've seen
> > legitimate browser requests to sites including wikipedia.org,
> > openstreatmap.org and singaporeairlines.com hijacked by it. I
> > suspect that the root problem is in Comcast's DNS infrastructure (I
> > do have a NAT router as my first-hop DNS, but it's hard to see how
> > it could be the cause of a DNS query failure *and* get the
> > advertising server's IP at the same time). Perhaps Jason or someone
> > else from Comcast could comment?
> >
> > PS -- there's a cautionary lesson to be learned from the BareFruit
> > story (see http://www.wired.com/threatlevel/2008/04/isps-error-page/ );
> > the takehome lesson there is that XSS vulnerabilities in these
> > advertising services can allow remote attackers to steal an ISP's
> > customers' passwords to arbitrary websites.
> >
> > On Fri, Oct 09, 2009 at 09:53:40PM -0400, David P. Reed wrote:
> > > I don't see where Comcast is being transparent about *how* they do
> > > this, or giving customers a chance to opt-in or -out.
> > >
> > > If I send a lot of email, why does that make me a "bot"? Maybe I
> > > just send a lot of email.
> > >
> > > If the contents of my communications are being "scanned", why is
> > > that legal? Why does Comcast care?
> > >
> > > I might choose (if it were explained to me what was happening and
> > > what the risks are to my privacy or being accused of a crime or
> > > hauled off as a "suspected child pornographer" because I sent
> > > pictures of my naked child) to have this service, or not.
> > >
> > > But to be honest, in most markets, Comcast is the only real
> > > choice, and imposing their "features" on me might not be what I
> > > want, even if they "market" it as a *good thing*. If there were
> > > serious competition (multiple providers, and no special
> > > "franchise" deals with local governments that block new
> > > competitors, perhaps customers would have a choice. However, most
> > > do not have other choice for highspeed Internet, except Hobson's:
> > > "take that or nothing at all").
> > >
> > > I'm really not impressed by these moves by Comcast. Livingood
> > > already sent out an email saying that they redirect DNS service
> > > to a service that sends certain names to hosts that do not have
> > > those names registered, but which will respond with
> > > advertising-only websites.
> > >
> > > This is not the way the Internet is designed to work.
> > >
> > > Comcast supposedly cleaned up its act. Now it's backsliding -
> > > forcing secret and invasive services on customers. On day one,
> > > they will "love it" (especially in the Comcast-authored press
> > > release).
> > >
> > >    [ I am personally willing to give Comcast the benefit of the
> > >      doubt for the moment on this project and see where it leads.
> > >      It could potentially be useful, but it would also be easy for
> > >      Comcast to overplay its hand.
> > >
> > >      A number of possible issues:
> > >
> > >       - How intrusive will monitoring be? Will packet payloads be
> > >         scanned? If so, this likely is immediately a serious
> > >         privacy problem.
> > >
> > >       - How often will their scanning operations trigger firewall
> > >         or other protective alerts that users already have
> > >         installed?
> > >
> > >       - False positives? Non-evil bots and other innocent
> > >         applications falsely categorized as evil bots?
> > >
> > >       - Legit e-mail sending daemons categorized as spam senders?
> > >
> > >      Notifications: The implication is that they plan a browser
> > >      pop up. That may mean interfering directly with the TCP/IP
> > >      stream. True, this shouldn't happen frequently to any given
> > >      user for such security notices, but once Comcast has such a
> > >      capability (if that is indeed their methodology) the
> > >      inclination to use it for other less critical purposes as well
> > >      could be strong.
> > >
> > >      I think the success of this project will depend largely on
> > >      how transparent Comcast is about exactly what they're doing
> > >      and how they react to any problems that their system may
> > >      cause. If Comcast takes a "We can't tell you exactly what
> > >      we're doing because that would reveal too much to the bad
> > >      guys" approach then we potentially could have a significant
> > >      dilemma on our hands.
> > >
> > >        -- Lauren Weinstein
> > >           NNSquad Moderator ]
> >
> > --
> > Peter Eckersley                            pde@eff.org
> > Staff Technologist                Tel +1 415 436 9333 x131
> > Electronic Frontier Foundation    Fax +1 415 436 9993
>
> --
> Peter Eckersley                            pde@eff.org
> Staff Technologist                Tel +1 415 436 9333 x131
> Electronic Frontier Foundation    Fax +1 415 436 9993
>