ISPs turn blind eye to million-machine malware monster

Several weeks ago, security researcher Lawrence Baldwin dispatched an urgent email to abuse handlers at OptimumOnline, the broadband provider owned by Cablevision, warning that one of its customers stood to lose more than $60,000 to cyber crooks. "He's got a keylogger on his system . . . below is a log of the miscreant …

COMMENTS

  1. Ian

    I find it funny...

    That companies like Tipex and Comcast actively try to disrupt bit torrent traffic for the sake of their precious oversold bandwidth and yet do not bother mindless fools with malware infested computers.

    You'd think they'd be able to traffic shape people who send over x amounts of e-mails a day.

  2. Steven Hewittt

    Neutrality?

    How come ISPs can't AFFORD to let us use 4OD, iPlayer and the like due to the P2P traffic - yet they can't be bothered / afford to filter malware?

    They seem to be able to afford to throttle the traffic on my BitTorrent traffic - why not use ITM devices (Cisco, FortiGate, Foundry) at the carrier level to screen nasties?

    They'd save a fortune on traffic at the central pipe (which they pay BT per GBit of anyway).

  3. Anonymous Coward

    is it ISP or OS fault ?

    This old argument - why should it be blamed on the ISP if the people who make the operating system have issues in writing a proper operating system.

    The real issue is Windows, not your ISP. These worms that propagate around the net - from my firewall logs, most of it is designed to hit Windows ports and Windows services that have been badly written from day 1.

    And since 90% of the planet uses Windows, well, serves you all right.

    Stay clean of keyloggers, spyware and trojans: run Linux!

    I sometimes hear "oh, if Linux was the main OS the worms would be written for Linux". Well, considering Linux is already open source and that contribution is made globally rather than privately, I doubt, even if there were worms written to the same extent as for Windows, that they would last as long or systems remain as vulnerable.

    The reality is there are fundamental issues with Windows as it is closed source - when you install a brand new install you are completely open to all these attacks; you need to get online to get hold of fix packs, but whilst you're doing this how do you protect yourself from getting done?

    Linux network install has got around this by doing a latest install of the latest applications.

    Windows has a long, long way to go; they're focusing on piracy. I think they should focus on good code writing and once they can create an OS that is completely hack-proof then go around asking people for money!

    Cheek of Microshite

  4. Anonymous Coward

    Re: is it ISP or OS fault ?

    At least the Windows keyboard has a full set of punctuation keys.

  5. Anonymous Coward

    RE: is it ISP or OS fault?

    Is that why the Linux Kernel is free then, because it isn't completely hack proof? :)

    All software has bugs, that is an inevitable fact of life, be it OSS or Closed Source, commercial or free, it all has bugs.

    I'm not defending Windows BTW, I do think it has a really dodgy permissions system, which is where a lot of the problems stem from, but then again if Linux had been in active use on as many desktops as Windows has for as long, we'd see a lot more Linux related issues as well - Just because you might need to enter the root password to do something stupid, it doesn't mean the user wouldn't do it. Time will prove that with UAC and Vista.

  6. Ralph B

    Let the customer inform themselves?

    Nice that a researcher can identify n% of PCs as being spambots. Nice that they inform the ISPs even if the ISPs don't respond. But do they provide some mechanism whereby the ISP's customer can inform themselves if they might have the spambot running? Like a website they could connect to, that informs them if their IP address has been seen sending thousands of spams? That would be useful, wouldn't it?

  7. David Willis

    ISPs play a part

    So far 99% of illegal activity has been caused by criminals. These people use limitations in national legislation to make money.

    The only response so far has been by many countries increasing their local legislation to ban such activities. Great if the guy cracking your system is German and the German government lock him up. Not so great if he is Russian or Chinese, as the German government have no control.

    So if national legislation doesn't work what about international legislation?

    Great idea, lets ban all bad activity.

    Ok, bad news: 1% of illegal activity is government inspired. Either through the direct creation of government sponsored bodies (Chinese Army) or through covert support of criminal groups (Russia). This 1% is increasing.

    So here is a scary thought. All the good countries have banned people doing bad things. The hackers we used to employ to protect our networks are now in prison and their tools have been banned (Hi to everybody in Germany!). Who is going to stop the wave of future attacks from individuals/countries who have a different opinion as to the responsibilities of an internet citizen?

    Should national governments be allowed to monitor all traffic and tell us what we can and can't do? Or would we prefer our ISP to help us when things start going pear-shaped?

    The national government idea could work, but would you really want the nanny state extended into the internet? (I'd love to see the network equivalent of a Gatso camera and love to hear the explanation.) Would you TRUST these people?

    The ISP idea WOULD work. Charge a little extra for the net connectivity, a code of conduct, and a decent customer service team. The model is out there, let's make use of it.

    ISPs must play their part before the entire net grinds to a halt.

  8. David Eddleman

    Wrong name there, buddy.

    Not "Cheek of Microshite". It should be "Crock of Shit". Because hearing you yammer on about "omg Linux!!!1one" shows that you're a faceless and ignorant *nix fanboy who knows absolutely sod-all about Windows save what the earpieces you so desperately cling to tell you. If you'll skip back to the letters of about 2 or 3 weeks ago, you'll see a comment that I made came true -- the iPhone was attacked by malware en masse simply due to the fact that it's a popular device -- just like how Windows is attacked because it's a popular OS.

    When you're ready to remove your anonymity and realize that this is a news site, not your local 4chan /moron/ section, you can reply in a coherent manner. Erstwhile, I'll be notifying the GNAA that one of their own has escaped and they need to claim them.

    Anyways.

    Similar situation. I had to deal with a machine that was constantly flooding my network with virii-laden e-mails. This was back in 2003/4 or so, when Sobig and Swen were in power. The ISP? Charter. Total number of communications needed to get the infected machine pulled so my network wouldn't get hammered with e-mails every (literally) 5 minutes? About ten, including several phone calls to the NOC.

    I do feel sorry for those poor sods. I just hope that ISPs will realize, before it's too late, that having a successful abuse and security department will help them in the long run.

  10. Simon Greenwood

    re: is it ISP or OS fault ?

    As long as people are dim enough to randomly click on links and *then* download 'authentication software', which is how Storm propagates, then there will be viruses. Storm uses some clever social engineering to distribute itself, by sending a link disguised as a notification of an e-card or something else along those lines. Once you click on the link you are invited to download 'authentication software' which is the payload itself, which then installs a web server and mail server and glub knows what else on your system.

    If anything is the fault of Windows, it's its ubiquity. As far as most people are concerned, Windows is what computers run, in the same way as IE is the Internet. While Windows XP comes with a firewall and most OEM PCs get Norton Internet Security and/or AntiVirus (which are, quite frankly, rubbish), there is no education about data security as most PC sellers are box shifters who don't care about what happens when the PC leaves the shop, unless they can make some easy money removing viruses, pop-ups and other malware that people often install themselves (I once found some software on a machine that purported to be anti-spam software, and while it did work to some extent, also installed a plugin in IE that served pop-up ads independently of the sites it ran on - way to go). The first thing that new PC users should be taught these days is to be careful, not how to sell Bazooka Joe comics on eBay.

  12. Anonymous Coward

    Re Re ? OS or ISP ?

    [quote]At least the Windows keyboard has a full set of punctuation keys.[/quote]

    FYI, sadly, due to the 90% factor I am currently using Windows at work for that last post,

    hence your comment is invalid; the punctuation errors were user and not OS.

  13. Anonymous Coward

    Cox are right

    Just sandbox the infected machines. Don't bother about helping them to fix it either - what is being sold is an internet connection, not a PC support contract.

    If all ISPs did that then people would have no choice but to learn/pay someone local to fix the problem.

    There are two problems with that however :

    1) People (in the UK anyway) won't pay sensible money for PC support/maintenance/training. They'll pay upwards of £35/hour for some barely literate chav to work on their car, but rarely will they pay more than £15/hour for someone to fix their PC;

    2) All ISPs won't do it. Comcast/Roadrunner and really just about every other US ISP don't see the logic/don't give a toss. UK ISPs are pretty much the same too - there's a few exceptions, but they ARE exceptions. Metronet (as was) had decent staff and AAISP probably still do but I can't think of any others who do more than pay lipservice to security issues.

    So yes it IS the ISPs problem as ultimately it's their bandwidth being stolen and them being blacklisted.

    However, being an "ISP" doesn't necessarily mean you have a clue what you're doing - just ask (for eg) Plusnet ;-)

  14. Steve Groom

    It's not just the ISPs

    Recently one of my servers was hacked as a phishing site gathering account information of Bank of America clients. I was contacted by my ISP with a take down notice and promptly removed the offending phishing site. I then tried to contact Bank of America in order to let them know the names of the victims that were recorded in my server logs.

    Three attempts to call BoA customer service via the phone number listed on their website, several minutes of going round the automated response system, and I eventually got hold of someone who would not help me as I was not a customer; finally he gave me an email address that has never replied.

    BoA customers, you should be nervous about the safeguards that are in place.

    SG

  15. Marcus Bointon

    Blocking port 25 not a good idea

    By blocking port 25, ISPs effectively nullify one of the few decent tools that is available for combating spam - SPF. If SPF records have to be extended to include the very ISPs that are spam sources, then they are rendered useless. Anyone with any sense is using SPF with -all set and fetching their email over POP or IMAP with SSL and authentication only from their permitted servers anyway.

    There's also the possibility of password exposure - because ISPs may transparently redirect SMTP connections to their own servers rather than blocking them, they will get failed logins to what users think are their own servers (if they don't use properly signed SSL certs), which exposes their passwords - it's effectively a man-in-the-middle attack by the ISP.
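Added example, not from the comment thread or any poster: a minimal SPF check illustrating the point above about "-all" records. It implements only the ip4 mechanism and the all mechanism with its qualifier; the domain policy, the ISP customer block and the sender addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed policies for a hypothetical sending domain. STRICT lists only the
# domain's own mail hosts; WEAK is what the comment warns about: an ISP's
# whole customer block added so that users behind port-25 redirection still pass.
STRICT_RECORD = "v=spf1 ip4:203.0.113.10 ip4:203.0.113.20/31 -all"
WEAK_RECORD = "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/22 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (result-if-matched, mechanism, argument) terms.

    Only ip4 and all are supported; anything else raises so that a policy
    this checker cannot evaluate is never silently treated as passing.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech not in ("ip4", "all"):
            raise ValueError("unsupported mechanism: " + mech)
        parsed.append((QUALIFIERS[qualifier], mech, arg))
    return parsed


def check_spf(record, sender_ip):
    """Evaluate sender_ip against record; the first matching term wins.

    Returns 'pass', 'fail', 'softfail' or 'neutral'; 'none' if no term matched.
    """
    ip = ipaddress.ip_address(sender_ip)
    for result, mech, arg in parse_spf(record):
        if mech == "all":
            return result
        # A bare address is treated as a /32 network.
        if ip in ipaddress.ip_network(arg, strict=False):
            return result
    return "none"


def compare_policies(sender_ip):
    """Show how the same sender fares under the strict and the weakened policy."""
    return {"strict": check_spf(STRICT_RECORD, sender_ip),
            "weak": check_spf(WEAK_RECORD, sender_ip)}


if __name__ == "__main__":
    # A constructed spambot inside the ISP block: rejected by STRICT, passed by WEAK.
    print(compare_policies("198.51.100.77"))
```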

  16. Steven Hewittt

    RE: is it ISP or OS fault ?

    Um, it's irrelevant - if I'm a complete twat and run a malicious application on any OS with the right access rights then my machine is compromised.

    Human nature will ensure that we will always have malware - it was in existence long before Windows was popular.

    Remember, malware/badware/viruses etc. are just applications. Small programs that people are often unaware of and don't know what their real payload is.

    All it takes is two clicks - regardless of the platform.

  17. Remy Redert

    OS security

    I'm fairly certain that you'll find a good number of security bugs in Linux; for one, no program with more than 10 lines can be bug free from the start, and a program the size of an OS will never be bug free.

    However, there is most certainly a major difference between Open Source software, where everyone can look at the source code, report bugs and even fix them themselves if they're suitably decent at coding. In Windows, you often can't even see what's causing a problem in the first place, let alone figure out exactly why you're having a problem.

    Then there's the kernel, the so called foundations, of the OS. In Vista, there are many things sitting in the kernel, like the DRM and tilt bits, which can easily be the target of an attack and which, if successfully attacked, can easily cripple a machine. No such parts exist in the Linux kernel, and access to the kernel is much more restricted in Linux to further reduce these risks.

    Then of course there's the permission system, which in Linux means that almost all malware that you do manage to contract (it will after all be pretty much inevitable that you get your machine infected with malware at one point once Linux becomes a popular OS) will end up running on user privileges and as such will be an easy target to any anti-malware program, which would be running at an admin or kernel level.

    Personally I'm in favour of a mandatory exam before a person is allowed to have administrator access to a computer. If you can't make the test, you're only allowed to use a computer that is administrated by someone who could, or a dumb terminal being administrated automatically by the ISP itself.

  18. Jason Clery

    comments

    "They'll pay upwards of £35/hour for some barely literate chav to work on their car, but rarely will they pay more than £15/hour for someone to fix their PC;"

    factor in the cost of a garage, cost of equipment, etc for a mechanic and you can see the cost. Check the price of Snap-On tools vs Homebase Basics.

    "Blocking port 25"

    great, people who have their own email servers get screwed then.

  19. simon croft

    Business opportunity ?

    As others have said - ISPs are existing on threadbare margins. This is their own fault as they have just been competing on price which has driven down levels of customer service across the board.

    Surely there is a market for a full service ISP that will 'hold the hands of users' and talk numpties through problems. Watch out for malware and spam and give a protected environment.

    - I'm sure someone will tell me they already exist; if they do they are not very good at publicity. There may be a high level of ignorance out there but there is also a good deal of concern about online fraud which could be translated into willingness to pay a bit more for a service that had antivirus, anti-spam and alert services. There is a considerable market for AV - with £30 annual fees so the money=concern is there.

    How about a layered offering:

    Gold - for granny: fully filtered, high security setting, 0870 helpline.

    Silver - family : good kiddie protection, medium but with exe blocking etc

    Bronze - for DIY experts like El Reg readers - alerts and feedback from the ISP in case of infestation only.

  20. Anonymous Coward

    Flip Side of the Fence

    Well, ISPs' hands are tied. There are good pieces of kit that can tackle this sort of thing.. 1) installing something like the Juniper SDX.. They log in to the "internet" only to be sent to a redirect page saying your machine's been infected and sort it out.. You have automated scripts going through the abuse mailboxes that suspend the user and the suspension (usually in LDAP) is read for the user's profile which in turn triggers the SDX to apply a set profile to the user which redirects them to a local site that allows them to download appropriate software to clean their machines..

    Or locking down mail systems to only allow a client to send 5 emails every minute and if they exceed this to block them off for half an hour..

    The problem is the customers will then call and complain.. How many cheapskate businesses rely on cheap home broadband connections to run their business from and NAPT 1 public IP to 100 RFC 1918 connections? That's the biggest problem, people abuse mail systems verging on being spammers legitly and others are spam bots.. Targeting the spam bots without pissing off the rest of the customer base is a bit hard. Ultimately the customer pays money for the business and doesn't give a rat's ass as they want what they paid for.. New rules try to be enforced by the lowly sysadmins to tackle the problems and management scream no no no.

    For ISPs to tackle the issues they require management with a set of balls and a ruleset defined by all ISPs that is strict enough to let the customers know that no matter where you jump to, expect the same thing.. You abuse the system either knowingly or unknowingly, you are gonna get locked out of that particular service..

    Basically you need an international body.. NOT GOVERNMENT, because as soon as government steps in they introduce a new bullshit tax and make the situation worse.. that writes a standard for the acceptable amount of emails that a customer is entitled to send etc etc.. All ISPs then adhere to this set standard and problem solved.. Of course exceptions can be added to the mail systems or alternately if it is a business they can set up their own MTA..

    This would solve 99% of the problems.. It's still a lot of work at the end of it and it costs money.. A lot of money..

    The other half of the problem is Windows and inept users.. Yes social engineering plays a part; let's face it, if all computers had a predefined security mechanism like SELinux then we wouldn't have the plague of trojans/worms/viruses that we do have.. Even if the user does the wrong thing the system wouldn't allow it to run.. If the system is told that it should never act like a mail server well then you wouldn't have spam bots because the system would itself be able to block the shit code from opening up a port and spamming crap out even if the user was conned into installing said crap code.

    If the user is savvy enough to know what a mail server is then they can by all means allow for the port etc. to be opened up on the local machine.. If they don't know squat then the system should self-regulate around the idiot.. Something Microsoft in all its time has never managed to get right.. great marketing... shit software...

    The problem is getting something like SELinux into a usable state for everyone. It has come a long way but still has a long way to go..

    What malware are you specifically talking about for the iPhone btw? Do you mean this?

    http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1265178,00.html

    because that's what I have found so far and that's a PoC (proof of concept).
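Added example, not from the comment thread or any poster: the outbound submission limit described in the post above (5 messages per minute per client; exceed it and the client is blocked for half an hour), run offline over a constructed submission log. The client addresses and timestamps are made up; only the numbers come from the comment.

```python
from collections import defaultdict, deque

LIMIT = 5          # messages allowed per window (from the comment)
WINDOW = 60        # seconds: "every minute"
BLOCK_FOR = 1800   # seconds: "block them off for half an hour"


class SubmissionLimiter:
    """Sliding-window per-client limit on SMTP submissions."""

    def __init__(self, limit=LIMIT, window=WINDOW, block_for=BLOCK_FOR):
        self.limit, self.window, self.block_for = limit, window, block_for
        self.recent = defaultdict(deque)   # client -> timestamps of accepted messages
        self.blocked_until = {}            # client -> time at which the block expires

    def submit(self, client, now):
        """Return 'accept', 'reject' (still inside a block) or 'block' (limit just exceeded)."""
        if self.blocked_until.get(client, 0) > now:
            return "reject"
        window = self.recent[client]
        while window and now - window[0] >= self.window:
            window.popleft()               # forget messages older than the window
        if len(window) >= self.limit:
            # The 6th message inside a minute trips the block; earlier
            # accepted messages are forgotten so the count restarts afterwards.
            self.blocked_until[client] = now + self.block_for
            window.clear()
            return "block"
        window.append(now)
        return "accept"


# Constructed log: (seconds since start, client address). 10.0.0.7 behaves
# like a spambot; 10.0.0.8 sends at a normal rate and must never be touched.
SAMPLE_LOG = [
    (0, "10.0.0.7"), (5, "10.0.0.7"), (6, "10.0.0.8"), (10, "10.0.0.7"),
    (12, "10.0.0.7"), (20, "10.0.0.7"), (25, "10.0.0.7"), (30, "10.0.0.7"),
    (700, "10.0.0.8"), (1700, "10.0.0.7"), (1900, "10.0.0.7"),
]


def run(log):
    """Replay a submission log and return (time, client, decision) for each entry."""
    limiter = SubmissionLimiter()
    return [(t, client, limiter.submit(client, t)) for t, client in log]


if __name__ == "__main__":
    for entry in run(SAMPLE_LOG):
        print(entry)
```

The replay shows the bot blocked at its sixth message within the minute, rejected until the half hour is up, then accepted again, while the normal client is never affected.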

  21. John

    Another side..

    Bad communication works both ways. I work for a hosting provider and sometimes deal with abuse issues. Getting a follow up to questions is next to impossible. Half of the notifications sent out are automatic and you can't ask for more information or anything, for that matter. Although the case mentioned can not be defended, give some ISPs a chance to help.

  22. Anonymous Coward

    is it OS or ISP?

    FYI David Eddleman

    Not "Cheek of Microshite". It should be "Crock of Shit". Because hearing you yammer on about "omg Linux!!!1one" shows that you're a faceless and ignorant *nix fanboy who knows absolutely sod-all about Windows save what the earpieces you so desperately cling to tell you

    I use both, thanks very much: Windows at work and Linux at home.

    I am forced to use Windows at work and if I had the choice would wipe it clean.

    Faceless nix fanboy? Knows sod all about Windows?

    Dude, why are you commenting about users whom you know nothing about?

    I have used Windows from when it first came out as MSDOS and watched its servers, i.e. NT (blue screens of death), trying to serve up IIS, which had issues such as 200 max sites per server; compared to Apache it looked like a baby's toy with its constant fall-overs and patching. YUK YUK YUK

    Anyways, we are talking here about desktops.

    I know this much:

    If I build a fresh Windows system and connect it to broadband and leave it on without even opening a browser, I can be targeted and compromised.

    I know if I also install a Linux machine with no firewall, no anti-virus, no anti-spyware and connect online, nothing will happen.

    The reality is if you want to run Windows you have to pay for virus checkers, pay for firewalls (unless you want cheap ones that don't work or pop up YOUR TRIAL has ended lol), anti-spyware and much more to slow your nice new PC right down to dog's speed so you have the privilege of using Windows.

    And once you have all this you then have to run daily scans and clear out all the new trojans. I used to spend 30 mins+ a night doing this, hence why I gave up with it.

    It's pants and you know it; the only reason why you're supporting Windows is cos you don't know any better, that's for sure, very clear.

    Furthermore:

    https://sourceforge.net/projects/bastille-mon

    That's what I wrote; I ain't anonymous and I ain't faceless.

    That's pro-active monitoring on your server firewall running on LINUX. Try doing that on Windows lol without needing to install Perl compilers and running a firewall that is free and easy to manipulate on Windows.

    Story is over

  23. Svein Skogen

    ISPs consider handling abuse "bad for sales".

    I used to work at one of the larger national ISPs in Norway. Among my jobs, was handling abuse for that ISP.

    This led to me being the most hated person among the sales department, and to all the KAMs (Key Account Managers) hating my very person. Why? Because when you start blocking infected customers from creating more havoc, they don't _WANT_ to fix their shite, so they call their KAM and say "reconnect me or I'm switching ISP".

    Thus, when they downsized, and the sales people laid all their weight on the management, the first two persons to be downsized were the company's security officer, and then me. Needless to say, I sincerely wish that companies getting infected by a worm would sue the ISP of the origination of the infection for the price of cleaning up, since the ISP _NOT_ handling abuse is guilty of neglect as well.

    Regards, Svein Skogen

  24. Chris Miller

    Just block spoofed packets

    The DSLAM (or analogous device if you're not using ADSL) 'knows' the IP address of each connection. Any IP packets arriving from these end-points with a non-matching source address should just be dropped. While this wouldn't prevent DDoS or spam, at least we'd have a decent chance of identifying where they'd come from.

    Or am I missing something?
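Added example, not from the comment thread or any poster: the per-port source-address check proposed above (this is the ingress filtering described in BCP 38), applied to constructed port bindings and packets. The port names, addresses and IPv6 prefix are assumptions; it goes slightly beyond the comment by letting a port be bound to a prefix rather than a single address and by counting drops per port, which is the figure that identifies where spoofed traffic came from.

```python
import ipaddress
from collections import Counter

# Constructed bindings: the address or prefix assigned to each subscriber port.
# A bare address is treated as a /32 (or /128) network.
PORT_BINDINGS = {
    "dslam1/port7": ["203.0.113.7"],
    "dslam1/port8": ["203.0.113.8", "2001:db8:8::/48"],
}

# Constructed packets arriving from subscribers: (ingress port, source address).
SAMPLE_PACKETS = [
    ("dslam1/port7", "203.0.113.7"),       # genuine
    ("dslam1/port7", "198.51.100.250"),    # spoofed: never assigned to this port
    ("dslam1/port8", "2001:db8:8::1"),     # genuine, inside the bound IPv6 prefix
    ("dslam1/port8", "203.0.113.7"),       # spoofed: a neighbour's address
    ("dslam1/port9", "203.0.113.9"),       # unknown port: nothing bound, so drop
]


def build_filter(bindings):
    """Turn the string bindings into ip_network objects once, at load time."""
    return {port: [ipaddress.ip_network(p, strict=False) for p in prefixes]
            for port, prefixes in bindings.items()}


def source_allowed(filt, port, source):
    """True only if the source address lies inside a prefix bound to that port.

    An address of the wrong IP version never matches, and a port with no
    binding allows nothing (fail closed).
    """
    ip = ipaddress.ip_address(source)
    return any(ip in net for net in filt.get(port, []))


def filter_packets(bindings, packets):
    """Return (forwarded, dropped); dropped keeps the port so the subscriber is identifiable."""
    filt = build_filter(bindings)
    forwarded, dropped = [], []
    for port, source in packets:
        (forwarded if source_allowed(filt, port, source) else dropped).append((port, source))
    return forwarded, dropped


def drops_per_port(dropped):
    """Count spoof drops by ingress port: what an abuse desk would act on."""
    return Counter(port for port, _ in dropped)


if __name__ == "__main__":
    fwd, drp = filter_packets(PORT_BINDINGS, SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("drops per port:", dict(drops_per_port(drp)))
```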

  25. vahid

    Not flaming, pointing out the obvious here

    David Eddleman, I don't mean to start a flame war but FYI again:

    When you had Sobig and Swen (I presume Unix spyware)

    had you hardened your Linux servers or were you running all ports and running as a server?

    You heard of lsof? backtrack what app is using what port? Does Windows have these nice utilities?

    Furthermore, did you try SELinux? Is there an equivalent on Windows? Ahh yes, the new Windows which will be MSDOS lol hahahhahahaha

    Also Mr Eddleman and whoever else thinks it's to do with popularity:

    Let's take a step back, let's look at an application:

    IIS vs Apache

    I know Apache is more used according to Netcraft and yet most issues and site hacks are done on IIS even though Apache is open source? (How does that rule apply here then???)

    Reality is you all make assumptions since "oh, Windows gets attacked cos most people use it" - absolute rubbish; Windows gets hacked cos Microsoft produces absolute rubbish that they try to sell to you on a yearly basis, and if you don't buy it, "oh, we don't support the old version".

    This is why they get hacked: it's their campaign of making money and their campaign to get the last pennies out of poorer people like the Indians and Chinese etc etc.. same goes for iPhones etc.

    It's the hate they make for themselves.

  26. Anonymous Coward

    MOT for PCs...

    Yousef Syed wrote: "I think it is time that all numpties out there with PC/Macs should have it mandated that their PCs pass a regular safety test before they are permitted on to the Internet - ISPs should demand to see their valid certificates before allowing them online."

    While your intentions are commendable, remember that for this to work, *you* would have to take *your* PCs in for it too. Even if you're running Fedora Core on your electric toothbrush, if you want to take it online then you'll need that certificate. Do you want to give a third party root access to your system, looking through your hard drive, stored emails, connection logs etc?

    User education is the way forward. But it wouldn't hurt for the ISPs to take a bit more responsibility and take action against the malware-related traffic sliming its way through their pipes.

  27. Chris

    Story is over...

    "The reality is if you want to run Windows you have to pay for virus checkers, pay for firewalls (unless you want cheap ones that don't work or pop up YOUR TRIAL has ended lol), anti-spyware and much more to slow your nice new PC right down to dog's speed so you have the privilege of using Windows."

    The only paid-for security software I use is on the PC I use at work, where I have no say in the matter. On any box I have control over, free tools (combined with basic user security awareness) have been more than sufficient to keep them malware-free for more years than I can recall. And since each of the free tools does exactly what it needs to and no more, rather than trying to be an all encompassing one-stop security system wrapped up in a cosy front-end like the home user versions of the commercial stuff, their resource requirements are practically nil.

    "And once you have all this you then have to run daily scans and clear out all the new trojans. I used to spend 30 mins+ a night doing this, hence why I gave up with it"

    What were you doing wrong? If I have to spend 30 minutes a *month* cleaning the 4 XP boxes at home, I consider it unusual. Malware removal is made so much easier if you don't allow it to infect your systems in the first place...

  28. Rick Taylor

    As an aside...

    Has anyone ever considered attempting to subvert a botnet... It could be entertaining to use the infected machines to make an assault back onto other infected machines, effectively using the already compromised network to 'clean' itself.

    I'm not sure of the legality of such an action, but it might be interesting nonetheless...

  29. Andy

    Port 25 blocking does work

    Proxad/Free.fr used to be as much of a spam source as Wanadoo-doo in France, until it started blocking random SMTP traffic. I'm a customer, and I run my own mail server. I am very happy that they blocked port 25. How come? Because I can configure the terminal equipment (the "freebox") to open the port. By default it's closed, and the vast majority of users will never need to open it. End of problem.

    -A.

  30. Brett Leach

    re ISP or OS.

    In my experience it's the idiot on the end of the line as often as not. I can point to several computers I've "fixed", for friends and family, and despite words of warning delivered with mono-syllabic simplicity, almost invariably I'm back in a week to clean up exactly the same infection.

    About the third time I formatted his C drive without attempting any sort of data recovery, my brother finally woke up to the fact that I was heartily sick of cleaning up after his perusal of various dodgy websites. He stopped asking for my help. He did not change his browsing habits.

    There is no protecting some people from their own suicidal stupidity. Why the F*** should we attempt to?

    Far too many people today think the rest of the world should clean up after them. This part of the world is sick of it. Come to me in ignorance, fair enough, but be prepared to learn. Come back because you refused to learn, and I will quite cheerfully send the only extant copy of your doctoral thesis into oblivion.

  31. Matt Jordan

    Car analogies...

    The problem with the 2 car/pc analogies in the comments are...

    Very few people die from their home PC crashing...

  32. Chris Wood

    Quarantining users seems like a good idea

    Seems like some other UK ISPs are going down the quarantine route using a hardware solution:

    http://www.streamshield.com/

  33. Ian Michael Gumby

    The article is spot on, but there are some issues....

    ISPs are not inclined to build up an abuse desk because it's not a money maker. It's a cost center. Unless they are forced to do something, they won't.

    It is possible to issue a UDP, and a credible threat of a UDP (Usenet Death Penalty - a process of all packets being dropped by their peers, essentially cutting them off from the rest of the net) is probably the best way to get their attention.

    Besides getting their attention, there's an issue that the author raises that should not be a concern of the ISP.

    If a customer's machine is so badly infected, then it shouldn't be the responsibility of the ISP, but that of the user to clean their own machines. After all, it's their property.

    In these cases, the consumer can always call upon a "Geek Squad" or some other "local" resource to help.

    If you want to blame the OS, you can. However, there are probably enough Linux and Mac boxes on the net that could be the next malware targets. Remember the Morris Worm? Even 10 years later, some of the exploits he had used were still not closed...

    What you really need to do is to charge the bot herders with a terrorist act. You can bet that might put a dent in their activity...

  34. Brian Miller

    Error is between keyboard and chair

    Hmm, the user doesn't install a quality virus scanner and browses to questionable sites. And the ISP is to blame?

    I think that proactive filtering is an excellent idea. Filter until the user complains, then open up the ports.

  35. John A Blackley

    Fun comments

    Y'know, I knew this would be a fun article to read the comments on.

    "It's all the fault of the users - numpties, (insert any other insulting, I'm-so-superior-to-the-average-user word here.)"

    "It's all the fault of the operating system. No it isn't. Yes it is. etc., etc., etc.,"

    "It's all the fault of the ISP. Profit-driven swine/poor, marginal, barely-surviving entrepreneurs."

    Internet access is a utility - like electricity, water or gas. In the early days of the electric companies, I imagine those people with insufficient knowledge who wired their own houses - and subsequently died horrible, flaming deaths - were called the time's equivalent of 'numpty' by some. I also imagine that others blamed the electric companies. Certainly, some came out against the demon electricity itself.

    Eventually, such problems were addressed by standardisation and regulation. Ultimately, the same will happen to the utility that is internet access (to the delight of some, the dismay of others). Until it happens, friends, try to be prudent and not get burned too badly.

  36. Alex Hawdon

    IIS vs Apache (digression.... whatever...)

    We digress, but I like this argument. The stats here are ripe for (IMHO) misinterpretation to support agendas, usually those of the *nix fanboy...

    The vast majority of websites are built by unskilled people working with resold packaged services running on faceless server farms. The fact that Apache is free software and runs on free operating systems means that it is well suited as a webserver for this business model (software costs do not scale with capacity in the same way that licensed software does) and, more importantly, is more likely to be administered by technical professionals that know how to properly configure and secure their servers.

    IIS, on the other hand, is marketed as a good choice for everyone else. Due to its ease of use it's more likely to be used by non-tech businesses with less skilled IT staff and as such it's more likely to be left with an insecure configuration.

    Viewed this way we can see that the disparities between attack success rates on IIS and Apache are more a result of marketing and economics than other factors. There are many companies who have successfully implemented complex, high-volume websites running on IIS and complementary proprietary back-end languages and do so pretty securely. The fact that these are rarer than their F/OSS counterparts is more complicated than some simplistic 'Microsoft/Closed-source is rubbish' arguments would suggest...

    And in case you're wondering, my home network consists of 3 Linux boxes, which work very nicely - for the most part! I accept that neither Linux nor Windows is going to be problem-free but I can generally solve problems encountered on Linux a little faster than I can on Windows, though I'm confident I, or anyone else competent enough, could happily run a spam-free Windows network if necessary.

  37. Anonymous Coward

    How are ISPs not profitable????

    Ok, Cox has 3.5 million subscribers.

    Let's not concentrate on cable TV etc, let's just talk internet.

    They get about $50 per month for their internet. That's $175,000,000 (175 million USD) per month. Um, I could run a full-fledged space program on that. I think Cox can afford to lay some cable now and then.

    If they claim they are losing money, they are lying.

  38. Andre Thenot

    Smart ISPs vs. dumb pipes

    Many people, myself included, like to see the ISP as a "dumb pipe" for bits. We want a basic connection in full-IP to the internet and could care less about any extra services.

    I'd venture to say that this is exactly how the ISPs hate to be seen, for it makes them a commodity on the same level as a water or power company. Instead, they try to come up with some "added value" so they can be seen as delivering a service.

    The problem is when they try to argue both sides at once: in the dumb pipe scenario, they are not responsible for anything but pushing packets through the wire. If they choose to play the "service" card, then maybe they could look into assuming some kind of responsibilities.

  39. Joe

    Auto-redirect

    If I try to connect to a pay-for-WiFi network in a hotel, whatever my browser tries to load it gets redirected to the hotel's sign-up page for access.

    Most innocent (i.e. non-techy) users fire up their browser to get straight to the web, even to check their email (most of my friends find it strange that I don't use Hotmail or a web interface to check my email!)

    So if someone's PC is suspected of harbouring viruses, why can't the ISP direct them to a page letting them know about this? Giving them details of AV software? Telling them that access will be restricted until they call a certain number and enter a code saying it's clean?

    Surely that's not beyond modern science?

  40. Morely Dotes

    @ Marcus Bointon

    "By blocking port 25, ISPs effectively nullify one of the few decent tools that is available for combating spam - SPF. "

    Bollocks. SPF does *NOTHING* at the user's machine. There's no legitimate reason to allow unauthenticated outbound connections on Port 25 from end-user computers. If they have a legitimate need to connect to a different ISP's outbound mail server, then they are probably competent to use a different port (587 is provided for that purpose, and we also provide another "high" port for our customers who are firewalled in - as they should be).

    On the other hand, if ISPs were held legally responsible for distribution of malware and spam from their networks, to the tune of, say, $10,000 per day per machine that continued to send such traffic 24 hours after their abuse desk was notified (or an attempt was made to notify them - Verizon, for one, has a habit of rejecting abuse reports which contain the very spam I have tried to report), then I suspect they would *find* the resources they need to fight the problem effectively.

    As long as it's cheaper for the ISPs to ignore the problem, the biggest offenders will continue to offend.

  41. Morely Dotes

    @ Steven Hewitt

    "All it takes is two clicks - regardless of the platform."

    Wrong, Steven. On Linux (1), BSD and Mac OS X, it requires a password to install a software package. Granted, a moron with root could still do it - but he couldn't do it *without knowing he installed something*. That's more than "two clicks."

    On Windows, as it comes "out of the box," *everyone* is root, and anyone can install anything simply by following a Web link. ActiveX (the most-common attack vector) is *designed* to do that - it's almost as if Microsoft's software engineers sat down at a design meeting and asked, "how can we most effectively ensure that all PCs running our software will be vulnerable to hijacking without the user realizing it's happened?"

    (1) - I specifically exempt Lindows/Linspire from the Linux camp - it was designed to be a free competitor to Windows, and as such, it's done an admirable job reproducing the vulnerabilities inherent in the Windows design.

  42. Keith T

    The law of liability on this must be changed

    "To be fair, legal liability and economic realities sometimes make it hard for ISPs to respond to the threat in a meaningful way."

    It is economic suicide for an ISP to voluntarily help a customer when there is no reason to.

    1. The law must be changed to make ISPs legally liable for damages resulting from their failure to take action once advised of the existence of a problem.

    2. ISPs should start competing on security. Most retail customers are know-nothing customers: they have no knowledge of internet security, and they don't want to learn anything about internet security. They are prepared to pay a premium to have someone else (e.g. their ISP) do it for them.

    As for whether it is the OS or the ISP, ISPs are not compelled to network systems -- it is their option to or not to.

    Therefore, even if there is a problem with the OS (be it Windows or Mac or Unix or z/OS), it is the ISP that is taking money in return for connecting the machine to the internet, therefore it is still the ISP that is responsible (once the ISP is notified of a problem) when an infected retail customer is causing a problem for other customers.

    The problem is that the internet is anarchy -- almost totally lawless. The internet has been in production use for gaming, music sharing, commerce, education, medical, and life-safety applications for years now, and the rules of the internet still do not provide the basic security levels required for any one of those legitimate uses.

  43. Keith T

    large number of hacked Linux and Unix boxes

    So Morely, how do you account for the large number of hacked Linux and Unix boxes out there -- many of which are professionally administered machines?

    The answer is simply that there are more ways to hack into a Linux machine than you are aware of.

    Sad to say, those who are saying there is no such thing as a truly secure full-function multi-purpose operating system are correct. Complex software is inherently insecure. External measures, technical and legal, are necessary to secure it.

  44. g e

    Ohh.... stuff

    At home we each have a PC plus I have a server under the stairs. All machines are Windows except the server, as I'd never connect a Windows box directly to the internet. The ADSL uses a router, not a modem. My machine and the other 1/2's machine are directly NAT'd to the net through the router; the kids' PCs are routed through the Linux box, which forces them to go through a Squid proxy, denying any URLs I don't want them to access. The Linux box destroys any open network connections from the kids' machines at 9pm every night and Squid rejects new connections from 9pm to 9am except weekends.

    We run Thunderbird and Firefox (IE and Lookout Express are banned), every 'doze machine runs Zone Alarm and no machine trusts any other machine other than the Linux server. Other than these restrictions everyone has free rein on the LAN/Intarweb to do what they want. In 7 years I've only ever found one virus, which was unable to propagate due to the zero trust rule. I destroyed that virus with the (imho) great Trend Micro free online checker (housecall.trendmicro.com).

    I find it ironic to the point of fraud that MS distribute an antivirus program for their own OS, never mind how useless it actually is. I've known McAfee installations to miss 80% of viruses on various machines that were later diagnosed to have dozens of nasties on them.

    Ban ADSL modems, make everything go through a router that drops all incoming connections and restricts outbound to the more common ports like http, pop3, imap, ftp, etc as the default config. If you understand how to manage a router then you probably know what ports you need open.

    "Windows is what computers run, in the same way as IE is the Internet." If you believe the w3schools stats only about 56% of people use IE6 or IE7 with Firefox now being just over 1/3rd of browsers in use (about the same as IE6). Windows is what most USERS run, there's a lot of servers out there sat on the internet that don't run windows, most of those that are compromised are because numpties install e.g. BBS software with well known vulns in them.

    Agree completely that ISPs taking some form of action against malware traffic would greatly reduce their bandwidth bills; there must be some 'implementation' cost in doing it that stops them.

  45. g e

    P.S.

    ... oh, and why would I never connect a Windows machine directly to the internet?

    Simply because the one time when we decided to test the claim that you have 15 minutes (we were taking bets around the 3-5 minute time) to secure a windows box with patch downloads before it's pwnd, the laptop we routed a direct net connection to having just installed a fresh copy of XP on survived thirty SECONDS before magically rebooting and coming back up under someone else's control...

    God knows how you're supposed to patch windows if you have an ADSL modem instead of a router.

  46. Peter Simpson

    I don't buy the liability argument

    Have you seen Comcast's conditions of service document? They've written it so they can do pretty much anything they want to you. All you need to do is to look at people complaining about the "one strike and you're out" top-secret bandwidth limit.

    So, if Comcast is crying "liability" as a reason for not addressing zombies, they're pulling your leg.

  47. Anonymous Coward

    @any expert

    >> I know if I also install a linux machine with no firewall no anti virus no anti spyware and connect online nothing will happen

    Presumably ellipsis for "nothing bad will happen".

    So is it a sandbox to run Linux virtualized on Windo$e and only connect from Linux?

  48. BitTwister

    @Remy Redert

    > I'm fairly certain that you'll find a good number of security bugs in Linux, for one no program with more than 10 lines can be bug free from the start and a program the size of an OS will never be bug free.

    Huh. One of those silly axioms which is all the more ridiculous for being quoted at all. 10 lines of *what*, for one thing. I've written several large programs and I can assure you that they are/were totally bug free and did exactly what they were designed to do. Nothing more, nothing less.

    But a 'bug' isn't necessarily a security issue in any OS, although it is interesting to compare and contrast those potential security issues which pop up occasionally in Linux and the way in which they might be exploited - with those which pop up in Windows and the ease with which they are exploited. It's simplistic to just say 'there are security issues' without taking into account the details.

    > Then ofcourse there's the permission system, which in linux means that almost all malware that you do manage to contract, it will after all be pretty much inevitable that you get your machine infected with malware

    What Linux malware? Go on, find some. Linux uses the same security model as Unixen - go on, find some for that while you're looking. Shouldn't be too hard because it's very popular and in one form or another, has been around since 1970-odd.

    > once Linux becomes a popular OS, will end up running on user privileges and as such will be an easy target to any anti-malware program, which would be running at an admin or kernel level.

    This tired old "if Linux was popular" chestnut is nonsense. All you're basically saying is that if everyone drove a Ferrari there would be more occurrences of <some common problem found on cheap run-abouts> - on the basis that both are cars. What you miss for each car/OS is the different design and quality of workmanship and that one was built from the ground up with high-quality mechanics/security designed in from day one.

    You seem to have a rather mixed idea of user privileges. In order for anything to run with root privileges, one must first become root to be able to do anything destructive to the OS or a running process - and in order to become root, you must first gain access to the OS. That's *considerably* difficult to achieve - even allowing for the odd security issue cropping up.

    > Personally I'm in favour of a mandatory exam before a person is allowed to have administrator access to a computer.

    I'd much rather see the OS manufacturer being properly dealt with for continuing to market such an insecure mess. Why *should* users have to be careful with attachments, or get paranoid about some websites, or dance around ensuring virus libraries are up to date?

  49. Anonymous Coward

    Who has the say?

    Who gets to say what should be filtered or not.

    I support disconnecting infected computers from the internet. If they have a problem, they'll have to call up and find out what happened.

    Much better than having your internet access monitored and filtered just because some people shouldn't own a computer to begin with.

  50. Adam White

    RE: Blocking port 25 not a good idea

    Not sure what you're trying to say there, Marcus. SPF uses DNS, not SMTP. If you're concerned about the effect blocking SMTP will have on people who really do want to run a mail server from home, these people should be able to negotiate such a provision with their ISP. Allowing SMTP to and from home connections should be the exception, not the rule.

  51. Craig Small

    Port 25 blocking can work

    My ISP blocks port 25 outbound and it works rather well. I run my own mailserver but forward all outbound mail to the ISP's server.

    Alternatively, if I wanted to, I could go to the ISP's toolbox page and remove the filtering. It's on by default, but you can remove it if you want.

    This means that for, say, 90% of users it just works, and it protects the Internet from some overtaken PC. The ISP also tracks the outbound email and if it thinks you are sending spam will warn you, either on a website or as part of the download counter on your desktop.

    It seems like a pretty easy and sensible approach to me. The great majority of the ISP's customers wouldn't even know it was there, until they got infected and the little user thing pops up and says "hey you have a problem".
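The two posts above (Adam White's point that SPF is evaluated from DNS at the receiving end, and Craig Small's setup of forwarding outbound mail through the ISP's server) can be shown together with a small offline SPF evaluator. This is an added example, not code from either commenter; the domains, IP addresses and SPF records are constructed stand-ins for real DNS data.

```python
"""Offline SPF check for the ip4/ip6/include/all subset of RFC 7208.

The receiving mail server looks up the sender domain's SPF record in DNS
and compares it against the IP address that connected to it. Nothing the
sending machine does on port 25 changes this; what matters is whether the
connecting IP is one the domain has authorised. The records below are
constructed for this example, not real DNS data.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> SPF record.
FAKE_DNS_TXT = {
    # The domain's own mail range, plus the ISP's relay via include:.
    "example.net": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 "
                   "include:relay.example.net -all",
    # The ISP's outbound relay (the smarthost a home MTA forwards through).
    "relay.example.net": "v=spf1 ip4:203.0.113.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's SPF TXT record, or None if it has none."""
    record = dns.get(domain)
    if record and record.lower().startswith("v=spf1"):
        return record
    return None


def check_spf(client_ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate the domain's SPF record against the connecting client_ip.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    """
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms per check
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # Only a 'pass' from the included domain counts as a match;
            # the full RFC error handling is omitted to keep this short.
            if check_spf(client_ip, arg, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        # Other mechanisms (a, mx, exists, ...) are treated as no-match here.
    return "neutral"


def receiver_decision(client_ip, mail_from_domain, dns=FAKE_DNS_TXT):
    """What a receiving MX would do with the message, based on SPF only."""
    result = check_spf(client_ip, mail_from_domain, dns)
    if result == "fail":
        return "reject"
    if result == "softfail":
        return "accept-and-flag"
    return "accept"


if __name__ == "__main__":
    # A compromised home PC on a consumer address sending directly on port 25
    # while claiming to be example.net: the record does not authorise it.
    print(check_spf("192.0.2.55", "example.net"))        # fail
    # The same home user's own MTA forwarding through the ISP relay: the
    # connecting IP is the relay, which example.net includes, so it passes.
    print(check_spf("203.0.113.10", "example.net"))      # pass
    print(receiver_decision("192.0.2.55", "example.net"))  # reject
```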

  52. chris

    personal responsibility

    I have a hard time with putting this on the ISPs; I pay for a pipe, not a security service. If your computer is part of this criminal 'Bot-net', then call your security provider, such as Norton, McAfee, AVG etc.

    We as a society need to be more tech savvy; our survival depends on it. And I for one don't think that it is someone else's job to do it for me, and if it becomes someone else's job they need to get paid for it.

    As for the 'one of the world's largest supercomputers, not owned by a large corporation or government' part, why not? In America we have the right to bear arms; here we have a weapon, not really owned by anyone, propagated by our collective computer ignorance.

    If you really want to stop the bot nets/grayware, educate Gramma, not point fingers.

  53. Anonymous Coward

    @BitTwister

    Slapper. Been around since 2002 and there are still plenty of Linux webservers infected with this....

    Lots of people don't update their desktops/servers... any server, regardless of OS is very vulnerable if the security fixes don't get applied and as there are frightening amounts of people that do not regularly update their *nix servers I'm not convinced about the argument that the OS is at fault.

    Poor sysadmins can open up any multipurpose OS quite easily.

    It's perfectly possible to lock down Windows, and perfectly possible to lock down *nix. Personally I'm not as good on Windows as I am on Linux and some UNIXes, but that doesn't mean it's not possible to achieve. I have seen some very secure Windows installs in my time....

  54. Anonymous Coward

    Last thing

    >I have seen some very secure Windows installs in my time....

    Yep, so have I - but you know what, using mmc, messing with security templates etc. etc., this is not what Microsoft expects of basic home users, surely? They should have some tutorial on first install to allow you to choose what type of install you want.

    Whereas on a Linux install, a basic build will be good enough.

    >So Morely, how do you account for the large number of hacked Linux and Unix boxes out there -- many of which are professionally administered machines?

    >The answer is simply there are more ways to hack into a linux machine that you are aware of.

    Are you talking about servers or desktops here ?

    If we are talking about servers, then are you taking into account the same number of Windows servers in comparison? I promise you I've seen a lot of Windows servers compromised too, by people who don't know how to fine tune either Unix or Windows.

    If we are talking about desktops, well, the truth is I've been running a Linux desktop for the last 5 years solid and I've never come across a pop-up or a trojan or spyware.

    I think the whole topic was 'ISPs turn blind eye to million-machine malware' - which means computers infected with trojans and spyware from simply visiting a site, not being hacked by professionals.

  55. James Anderson

    It's a Public Health Issue

    It is pointless to argue who is responsible for the current malware epidemic.

    Yes, it may be lax OS providers or it may be uncaring ISPs or it may be dumb users.

    However, this is like arguing who/what is responsible for a Cholera epidemic.

    The discipline of Public Health can trace its origin to the day the good doctor John Snow removed the handle from the water pump in Broad Street, and put an end to a Cholera epidemic.

    Some similar action is needed to put an end to the BotNet plague and ISPs are best placed to do it. If they won't do it willingly then they should be given some incentives to do so. All it needs is for a key logging victim to sue their ISP for negligence.

  56. Rune Moberg

    Please educate me about why Linux is so great

    I just don't get it.

    The problem is identical.

    How do you keep the system safe from the ignorant user?

    - Well, take away his admin privs.

    But how then will he install apps?

    - Let him install to his home dir ($home)

    But he isn't the only user of the system...

    - oh, create a common directory for all apps (/usr/bin)

    Other users should not have write permission to the app folder

    - make...uhm... make that directory only writable for admins

    but you just took away his admin rights -- the guy is no longer root

    - kernel panic! kernel panic! Abandon ship!

    --

    Rune (I'll just stick with Windows -- I've used WinNT and its descendants since 1993 and never been infected -- except Adobe keeps sticking things in my notification tray which I suspect they would do under other OSes as well)

  57. Patrick Ernst

    @Morely Dotes

    > (1) - I specifically exempt Lindows/Linspire from the Linux camp - it was designed to be a free competitor to Windows, and as such, it's done an admirable job reproducing the vulnerabilities inherent in the Windows design.

    I've been using Linspire since 2002. This is a rhubarb which is reiterated by people who haven't bothered to do their homework. Specifically the issue was Lindows ran as root user from installation without prompting to create a non-root user. That was v3 and prior. WINE was installed by default to run windows apps. This was discontinued. v4x prompted for a user create. v5x and later defaulted to non-root user. v6 is based on Ubuntu 7.04 code base.

    I think you have to disclose what vulnerabilities you are referring to. Default to an Admin (root) account? Yesterday's news (and well debated on the Linspire forums). The ability, like Windows, to simply run an executable by clicking on it? It never happened in Lindows nor in Linspire. Standard POSIX permissions still applied. Nothing was executable by default. Lindows and later came with the firewall on by default. In one notable experiment, Linspire was used with other OSes in a honeypot experiment.

    http://www.usatoday.com/money/industries/technology/2004-11-29-honeypot_x.htm

    Bad manners do not pay.

  58. Anonymous Coward

    * Sigh *

    Almost predictable. The OS wars continue. Ah well, never mind. It's not as if I need to pick a side, given that I run Linux and Windows off the same connection at home and Unix and Windows at work.

    Guess what? Most of my Internet usage goes via RISC OS! So nyah to the lot of ya!

  59. max allan

    Re : Please educate me about why Linux is so great

    Hi Rune,

    You wrote :

    How do you keep the system safe from the ignorant user?

    - Well, take away his admin privs.

    But how then will he install apps?

    - Let him install to his home dir ($home)

    But he isn't the only user of the system...

    - oh, create a common directory for all apps (/usr/bin)

    NO, NO, NO!

    Why can't other users run the app from his home directory? You don't need to write to an app's directory to run it.

    This is what makes Unix different from Windows (well one of the things) : A better separation between data and application.

    Data should live in your home directory, you get to choose whether to share it or not.

    System applications should live in system directories (/usr /opt ...).

    If you have a user application it can be installed and run from a user's home directory without needing any write permissions to the OS. So any other user can guarantee his OS is still safe and secure. If a user is abusive, delete him and all his files, your OS is still fine.

    Of course if you start running apps from other people's home dirs then you run the risk of them changing the code to be malicious, so you should only run code from people you trust. (Like you can trust the OS or 'system' applications).

    There really is no need for a user to have unrestricted 'root' access to their Unix box if it's properly set up.

    Even admin tasks can be done with a sudo command or setuid program.

    A lot of so called "security holes" in Unix are because people just don't understand the implications of what they've done. (like adding . to root's path, running bash as root .....)

    Note Linux is not the only Unix-like OS. Even for PC hardware there is Linux, BSD and Solaris. If you get into big iron there is AIX, HP-UX, Solaris and more.

    Max

  60. Rune Moberg

    Re : Please educate me about why Linux is so great

    Max:

    "This is what makes Unix different from Windows (well one of the things) : A better separation between data and application."

    Not really. Few Windows apps store settings in their own directory. One of the main requirements for getting certified ("Designed for Vista") is that your app must not do this. (note the AppData folder under %userprofile%)

    If a user installs apps under his/her home directory, then that user must modify the permissions on his own home directory to allow others to share the joy. (Incidentally, I've never seen a Unix installation where I can say: "I own this file, but I want Linda to be able to read it too" -- I have to mess with group ownership and such.) Such an approach invites several installed instances of the same application spread across your system's drives.

    The situation isn't really that different. If anything, the situation is actually worse than Windows. (unless permissioning is now more advanced than it used to be with Unices of yore)

    The real problem is that there are more apps available for Windows. The complexity is worse. And of course, more users. (including easy-to-fool users who will gladly "su -" at the drop of a hat if suggested to do so by an anonymous e-mail)

  61. BitTwister

    @Anonymous Coward

    > Slapper. Been around since 2002 and there are still plenty of Linux webserver infected with this....

    That's an SSL vulnerability, not a Linux vulnerability. Splitting hairs? Not at all: SSL isn't part of the Linux OS and isn't required to run Linux. Slapper is also specific to i386 machines and makes an assumption about the location of 'sh'.

    Given that it first appeared in 2002 you can bet your bottom dollar that SSL was fixed within days and vulnerable versions of SSL haven't been available since.

    Can you point me at something which accurately quantifies "Plenty of Linux webservers"? Symantec just has it as "Number of infections: more than 1,000" (along with "Removal: Easy", "Threat Containment: Easy", and "Damage Level: Low") - but with no date. For all this says there could be zero infections today. The details are a little old too: Ubuntu "Feisty" runs 0.9.8c and a what, 4-year old(?) SUSE 9.3 installation runs 0.9.7e so neither is vulnerable to Slapper "out the box".

    > any server, regardless of OS is very vulnerable if the security fixes don't get applied

    ITYM any *Windows* OS not sheltered behind a good firewall/crap filter is very vulnerable. I regularly trap several spam mails per day, either containing malicious code designed to take advantage of some vulnerability or other, or links pointing to the same thing on a website but I'm really not bothered by this: they're all Windows-related binaries. And even if, one day, they become Linux-related binaries I'm still going to have to 'get out and push' to allow them to work. It's already easy to mail a one-line noddy script which, with the right permissions and making a few assumptions, would delete every file on the system without comment - but the recipient would really need to work on it (and know the root password) before it was able to delete any files. There is not and there never will be a means of executing anything arriving inside a mail body, for very obvious reasons.

    Linux *might* be occasionally vulnerable to *potential* exploits within a narrow range of supplied applications: not that that's any reason to avoid keeping things ship-shape & updated - but it's still an entirely different ball-game to that other OS.

  62. Sabahattin Gucukoglu

    Port 25

    What we need is port 25 blocking by default by the ISPs as their own exception to otherwise perfect pipe provisioning, with the clear option to turn this off (quick call to customer services, could even be automated using a ringback to the customer's number taken from records). In any event, the filtering, together with ingress filtering, should be done where it's going to make the most sense, at the ISP's sprawl.

    BTW: yes, I'll be the first to turn off that block as I run my own MTA and with good reason. I paid for network access, which means I get to choose how I route my email and DNS. If I want to do that myself, then so be it - for those admins who disagree, you're just encouraging another subtle form of net discrimination (read: treating your customers as shit, and second-rate shit at that).

    Cheers,

    Sabahattin

  63. Anonymous Coward

    I know the answer.

    It's Microsnot's fault. All they need to do is stop distributing the "Malicious software removal tool" through boring old Windows Update as a "Critical security update" and distribute it via popup ads on popular websites masquerading as a stock-trading utility from a Bank of America subsidiary in Lagos that can make you $100,000 quickly and reduce your mortgage while giving you a bigger penis.

    Then it might appeal to its target audience.

    TeeCee

  64. Rune Moberg

    attack by mail

    "There is not and there never will be a means of executing anything arriving inside a mail body, for very obvious reasons."

    I once received an e-mail containing detailed steps on how to unzip its contents, rename the executable (it didn't have an .exe extension -- for obvious reasons) and run the thing. Asking the user to perform su - and chmod a+x as well? That could happen. And that will catch some people as long as the executable is named "keiranude" or similar.

    Don't confuse "number of steps" with "security".
