
Knocking Infected PCs Off the Internet

samzenpus posted about a year and a half ago | from the and-stay-out dept.

Security 206

nk497 writes "Malware could block your access to the internet – but in some cases by those on the right side of the security fence, who are deploying tactics such as blocked ports, letters in the mail and PCs quarantined from the net to combat the most damaging threats. The DNS Changer clean up saw some PCs prevented from accessing the web. Should such tactics be used more often to prevent malware from spreading — or is that taking security a step too far?"


Profit! (-1)

Anonymous Coward | about a year and a half ago | (#41215263)

I personally think it's great. More business for the IT people. :)

Not just infected PCs... (5, Insightful)

Howitzer86 (964585) | about a year and a half ago | (#41215307)

My local university does this. It's actually a pretty good idea if it's done right. Of course, the other side of the reality is that in addition to knocking infected computers off of the internet, my university also knocks off computers suspected of internet piracy. If you torrent anything on campus, even a legitimate download, you have to go to the Computing Services office to explain yourself and get it back online.

Our internet service providers are often our media providers. Comcast, AT&T, Time Warner, etc, are all interested in the idea of controlling your access to things like that, and if they're given free range to scan your computer and knock them off the internet - they will certainly look for evidence of torrenting as well.

Re:Not just infected PCs... (5, Interesting)

Forty Two Tenfold (1134125) | about a year and a half ago | (#41215373)

I used to do this in my dormitory some 7 years ago. My iptables-triggered scripts added the infected PCs to the squid ACL whose members' every web request was redirected to an information page that explained what happened and what to do. Well, some idiots claimed that I infected their machines on purpose to cut them from the internet. You just can't fix the users, no matter how hard you try. The only solution I see is a mandatory license to use the electronics akin to a driver's license. Believe it or not, the idiot user is not only a nuisance but a danger to others.

Re:Not just infected PCs... (-1, Flamebait)

Anonymous Coward | about a year and a half ago | (#41215501)

So when you let your idiot boyfriend use your computer while you're in the shower washing his jissom out of your asshole, and he manages to infect your computer clicking on unscrupulous-looking ads on gay porn websites, does that mean your license to use a PC should be revoked? In my opinion it should, because you sound like a bitch.

-- Ethanol-fueled

Re:Not just infected PCs... (-1)

Anonymous Coward | about a year and a half ago | (#41215635)

So when you let your idiot boyfriend use your computer while you're in the shower washing his jissom out of your asshole, and he manages to infect your computer clicking on unscrupulous-looking ads on gay porn websites, does that mean your license to use a PC should be revoked? In my opinion it should, because you sound like a bitch.

-- Ethanol-fueled

I agree with this.

I am not Ethanol-fueled and I am not trolling. Everything said is true.

Re:Not just infected PCs... (-1)

Anonymous Coward | about a year and a half ago | (#41215821)

Welcome back! We missed you. Have a mod point. +1 insightful.

Re:Not just infected PCs... (2)

Golddess (1361003) | about a year and a half ago | (#41216027)

I don't know how I feel about a license to use a PC, but lets convert this into a car analogy.

So when you let your idiot boyfriend use your car, and he manages to crash the car into another vehicle, does that mean your license to use a car should be revoked?

Depends. Does the BF have a driver's license? If so, then no. But if he did not, and you knew this, and lent your car to him anyway... it seems reasonable for you to share in the blame.

Cars (1)

Anonymous Coward | about a year and a half ago | (#41216131)

In Denmark, if you drive without a valid license, the third time the car can be confiscated and scrapped/sold.
No matter if you own the car or not, as it is illegal to lend your car to someone without a license.

Re:Not just infected PCs... (2)

shentino (1139071) | about a year and a half ago | (#41216077)

You cannot stop spam without also stopping free speech, since both use the same methods to get their payload delivered. And at its heart, spam is just speech you don't want to hear, much like dissent is speech the government doesn't want to hear.

There is no way for a computer to reliably distinguish the two, and the only people who can are also biased and have a vested interest in their own agenda.

Re:Not just infected PCs... (1)

icebike (68054) | about a year and a half ago | (#41216139)

I used to do this in my dormitory some 7 years ago. My iptables-triggered scripts added the infected PCs to the squid ACL whose members' every web request was redirected to an information page that explained what happened and what to do.

Wait, you OWNED the router in your dorm? or did you merely Pwon it?

Re:Not just infected PCs... (5, Insightful)

girlintraining (1395911) | about a year and a half ago | (#41215507)

My local university does this. It's actually a pretty good idea if it's done right. Of course, the other side of the reality is that in addition to knocking infected computers off of the internet,

The problem is that detecting infected computers invariably requires some level of privacy intrusion, and possibly committing numerous felonies to probe the machine. That's why only large organizations do this; because they own all the machines and can dictate that policy. It's entirely another matter when the system isn't owned by you, and that's what's under discussion.

The internet was designed to allow free and unfettered communication between any and all nodes. On the internet, every IP address was a peer to every other. But then corporations came, and they started walling things off, messing up the protocols, and trying to convert the internet to an asymmetrical content distribution network to push their wares. And then the government came in and offered protection to that corruption of the network. Then other countries joined with the same pattern of uptake; and now countries are starting wars or engaging in war-like acts with each other, all to answer the question: Who will control the internet?

Given that, the question of whether you should be able to attack and offline other nodes on the network, for whatever reason, comes down to whether you believe you should have the same rights on the network as groups, organizations, corporations, and governments. The internet itself doesn't care which side you take -- you're just another peer, and all the ideologies now warring over control of it are heaped on top of it.

If you're an old school hacker, the answer is obvious. If you're a 20-something, you probably accept intellectual property, and the idea that the internet can be owned (as a collective entity, as membership to, not as individual components).

As an old-schooler, I will only say this: The Native Americans believed land couldn't be owned. It's a fine ideal. But the other guys had guns, and it didn't matter who was right, only who was left.

That depends upon the infection. (4, Informative)

khasim (1285) | about a year and a half ago | (#41215543)

The problem is that detecting infected computers invariably requires some level of privacy intrusion, and possibly committing numerous felonies to probe the machine.

That depends upon what the infection is.

In many cases, the infection is a worm that attempts to connect to other machines on known ports with known connection strings. This is how network-based Intrusion Detection Systems (IDS) work.

Re:Not just infected PCs... (5, Informative)

amorsen (7485) | about a year and a half ago | (#41215581)

The problem is that detecting infected computers invariably requires some level of privacy intrusion, and possibly committing numerous felonies to probe the machine.

In many cases it doesn't. Sometimes it just requires noticing that one customer is responsible for 30% of all traffic flows in a particular core router. You can call that privacy intrusion, but in most of Europe doing flow monitoring is mandated by law, so you might as well run statistics.

And yes, the ISP I work for has in a few cases blocked customer traffic from infected machines. It is a medium-sized ISP, so that can be done without angering the infected customers. It can be difficult to get hold of the right people at the customer, and the large ISP's probably only have billing contacts for most customers.

Re:Not just infected PCs... (5, Informative)

FaxeTheCat (1394763) | about a year and a half ago | (#41215837)

The problem is that detecting infected computers invariably requires some level of privacy intrusion, and possibly committing numerous felonies to probe the machine. That's why only large organizations do this; because they own all the machines and can dictate that policy. It's entirely another matter when the system isn't owned by you, and that's what's under discussion.

The company I work for block computers with certain malware off the network, and also block computers running torrents (after which you get a polite visit from the IT department) . It does this ONLY through network traffic analysis. Viruses/malware need to create network traffic to spread. Also many of them contact a "home" server. There is a rootkit out now which is only detectable through network analysis. No intrusion on the PC. Just looking at network packages.

Re:Not just infected PCs... (1)

dropadrop (1057046) | about a year and a half ago | (#41215843)

Not necessarily, for example you could discover a lot of malware that tries to spread because they have outbound traffic to addresses that are not in your routing table. You could also detect traffic to known botnet command nodes, rogue DNS servers etc.

Sure there is also malware you can't detect, but even for some of these you can get trustworthy data, and if not you just don't do anything.

Re:Not just infected PCs... (1)

shentino (1139071) | about a year and a half ago | (#41216083)

Detecting an infected computer requires a judgement call that cannot be taken away from the blatant conflict of interest possible with those who could enforce it.

Re:Not just infected PCs... (2, Insightful)

icebike (68054) | about a year and a half ago | (#41216167)

What?

That makes no sense, even at the level of basic English sentence structure, let alone in the real world.

Re:Not just infected PCs... (2)

Anonymous Coward | about a year and a half ago | (#41215873)

I do tech support for one of the ISP's you mentioned, and you know what one of the first comments we hear most often from infected customers is? 'Why didn't you stop this from happening?' Everyone wants us to protect them from the bad, but do it in a way that they can continue to be reckless. We don't currently block infected machines, but if we see bot-like activity we email them.

As to the torrenting, we will work with a customer to port forward their router, even if it's to get their torrent client working. The torrent client has a legitimate use and we have no desire / legal reason to prevent it. This question comes up every so often, and each time we're told 'we are not the internet police. If the customer is downloading copyrighted material it's not our concern until someone shows up with a subpoena.'

Microsoft will object to this (5, Funny)

Anonymous Coward | about a year and a half ago | (#41215313)

because it will drop the IE part in the browser statistics to zero... :-)

It should be more than obvious (4, Insightful)

fustakrakich (1673220) | about a year and a half ago | (#41215319)

This will be abused. Life is too short to list how and why. Let's just say that people will be knocked off (up?) for expressing something "offensive". Feel free to define that as you wish. The authorities and fanbois will.

Re:It should be more than obvious (4, Insightful)

pla (258480) | about a year and a half ago | (#41215599)

This will be abused.

No kidding, it stuns me that anyone would even consider allowing this as a precedent.

Two major problems, as I see it:

First, how do you know my PC doesn't mean to send out thousands of emails an hour? That may come from an infection; I could work as a (semi-legitimate) spammer; or perhaps it just means I run a large listserv. How do you know that I don't mean to port-scan thousands of IPs per hour? That could come from an infection; I could work as a researcher collecting vulnerability statistics; or I might work as a consultant paid to do penetration testing for dozens of companies on an ongoing basis. Opting for a "solution" that would also block legitimate activity counts as a great big "no-no".

Second, who gets to define "malware"? The major ISPs in the US would love to have even the thinnest possible excuse to outright ban P2P traffic; for an example, look at what happened to NNTP - once considered a "must-have" ISP service, as soon as Cuomo gave them an out (on the basis of a mere 88 out of 80k groups), they all ditched their USENET servers ASAP. And aside from the opportunity to ban legitimate but undesirable traffic, try explaining to Grandma that the "coupon program" she keeps reinstalling can and will use her machine like a Colombian prostitute. Some people will choose to use spyware, even knowing that fact, for whatever service it provides them; should the ISPs have the right to tell an adult what they can and can't do online?


All that said, I would still like to see it made legal to hunt down and painfully kill malware authors and spammers. Fix the problem at the source, not the destination.

Re:It should be more than obvious (0)

Anonymous Coward | about a year and a half ago | (#41215781)

try explaining to Grandma that the "coupon program" she keeps reinstalling can and will use her machine like a Colombian prostitute.

Thanks! I took your advice, and she paid a lot more attention this time. The costume really helped.

Re:It should be more than obvious (0)

Anonymous Coward | about a year and a half ago | (#41215827)

Fix the problem at the source, not the destination.

With today's malware, the destination becomes the source.

Re:It should be more than obvious (1)

dropadrop (1057046) | about a year and a half ago | (#41215855)

All that said, I would still like to see it made legal to hunt down and painfully kill malware authors and spammers. Fix the problem at the source, not the destination.

I'm sure everyone would be queuing for flights to ex russian states!

Re:It should be more than obvious (5, Informative)

FaxeTheCat (1394763) | about a year and a half ago | (#41215865)

First, how do you know my PC doesn't mean to send out thousands of emails an hour? That may come from an infection; I could work as a (semi-legitimate) spammer; or perhaps it just means I run a large listserv. How do you know that I don't mean to port-scan thousands of IPs per hour? That could come from an infection; I could work as a researcher collecting vulnerability statistics; or I might work as a consultant paid to do penetration testing for dozens of companies on an ongoing basis. Opting for a "solution" that would also block legitimate activity counts as a great big "no-no".

Actually, my terms of service forbid most of what you describe. Want to do that? Get a business subscription.

Re:It should be more than obvious (0)

Anonymous Coward | about a year and a half ago | (#41215889)

Your ToS doesn't mean shit if laws say it's invalid. *If* they did, anyway. And I hope they would.

Re:It should be more than obvious (1)

fast turtle (1118037) | about a year and a half ago | (#41216053)

except for the fact that the TOS is referenced in any and all residential contracts as being the determining factor, along with the ability of the ISP to update at any time, and your continual use of said service is approval of the new updates/restrictions. Although I live in California where an EULA is not a valid contract, it has been ruled by the courts that a TOS can be and is a valid part of a consumer contract.

Re:It should be more than obvious (0)

Anonymous Coward | about a year and a half ago | (#41216127)

That assumes that they are going to try to detect which PCs are infected rather early in the process. I'd be happy with a way for me to complain that I was receiving spam from IP w.x.y.z and tell whoever manages that IP to fix it. The short term fix could be removing the node from the internet. The longer term fix would be cleaning the infected PC (or adjusting the mailing list in some cases). Note that this does not involve guessing the purpose. It would be based on complaints from the target.

Re:It should be more than obvious (3, Informative)

dropadrop (1057046) | about a year and a half ago | (#41215699)

This will be abused. Life is too short to list how and why. Let's just say that people will be knocked off (up?) for expressing something "offensive". Feel free to define that as you wish. The authorities and fanbois will.

Well, the current situation is definitely abused... Now the question of course is what kind of a solution is used to treat the problem, but personally I'd like to be notified if I had a contagious disease that I did not know about and could be harmful for me too.

Here's how one ISP handled it: http://www.net-security.org/article.php?id=1703 [net-security.org]

Re:It should be more than obvious (0)

Anonymous Coward | about a year and a half ago | (#41216011)

The answer is to continue to harden the targets. Not to shut the pipes or throttle anyone.

We need to focus on hardening network access -- make it immune to DNS attacks, make sure that what is coming in the port is what's expected and nothing else (there ought to be a layer that does this... "I want a text string, a-z only, 100 chars or less, force zero termination"... that sort of thing).

Languages need hardened, bounds-and-error checked input mechanisms, and we need to use them.

Regulating the pipes is a bad idea. Doing things to other people's machines is a bad idea. Invading other people's privacy is a bad idea.

Re:It should be more than obvious (1, Interesting)

betterunixthanunix (980855) | about a year and a half ago | (#41215815)

The problem is that allowing infected machines to remain connected also has the potential to be abused. Governments are already releasing malware onto the Internet to further their political aims, and they are able to do so because machines that have malware running are not being denied access.

The problem is that we took a network designed by and for people who all trust each other, and allowed a bunch of untrustworthy, greedy, and politically ambitious people to run wild with it. I would like to say we need a new approach, but the people in control now seem to think that "security" means "making sure dinosaur business tactics remain profitable," so any effort to retool the network would easily be hijacked by the people whose abuse we wish to stop.

Re:It should be more than obvious (0)

Anonymous Coward | about a year and a half ago | (#41215931)

There's either this or people will have to be held responsible for the actions of their systems. You and me would probably prefer the latter, but the vast majority would stop using computers if they had to bear the risk of being liable.

I should also note that ISPs enforcing proper behavior was the norm before the internet went mainstream. You could lose access if you flooded other systems with packets or spam mail. Entire ISPs that didn't police their clients ended up "banned from the internet". Look up Internet Death Penalty.

Up until a point (0)

Anonymous Coward | about a year and a half ago | (#41215321)

It is a perfect scenario when it comes to security - but at some point, so many machines will be offline that this kind of thing would affect the numbers of audiences in several services. So many people would be offline and so many companies would lose money that they will opt for solutions to circumvent this. By the end of the day, it would be ineffective.

Re:Up until a point (1)

Howitzer86 (964585) | about a year and a half ago | (#41215407)

People react. All it would take is for it to be done just enough that everyone knows at least one person who was kicked off the internet for an illegal download. When that point is reached, the fear of having their connection interrupted would be enough to keep the rest of the population in line.

Re:Up until a point (1)

Anonymous Coward | about a year and a half ago | (#41215483)

.... When that point is reached, the fear of having their connection interrupted would be enough to keep the rest of the population in line.

So terrorism is okay if we let the corporations do it?

Re:Up until a point (0)

Anonymous Coward | about a year and a half ago | (#41215849)

I don't think the pro-quarantine people are thinking this through. They don't seem to realize that the scope of the action could be expanded to include sources of malware. The malware on users' PCs had to come from somewhere, and if users are going to be thrown off the internet for having infected machines, there's going to be a great cry for also shutting down the sources of infection, i.e., infected servers, or servers which host infected files. It makes no sense to only go after the end user if you still have servers on the internet hosting malware. By doing so, you're getting into some Grade A Drug War-like stupidity. You can bet that companies' and ISP's support for this kind of initiative will dry up in a hurry when their bottom lines are impacted.

This could work if... (2)

TWX (665546) | about a year and a half ago | (#41215333)

...the ISP provides the only outbound connections as solutions to the problem, or only blocks those methods by which that particular detected malware spreads. Additionally the system must assume clean and only cut off for a limited time and automatically assume clean again. Without those protections the system would be ripe for abuse including using the claim of malware to restrict groups.

In short, I don't think that it'll work. If it would, we wouldn't have a malware problem in the first place.

Can someone explain how software developers aren't at least partially legally responsible for their faulty software allowing maliciousness to spread through them in the first place?

Re:This could work if... (1)

ldobehardcore (1738858) | about a year and a half ago | (#41215439)

It's a Turing Oracle problem. There's no way to know all the things a system can do without testing every possible situation.

It's impossible to make a bugproof program of any real use, or any nontrivial complexity.

Re:This could work if... (1)

Hizonner (38491) | about a year and a half ago | (#41215883)

The cases that prove that program property X is undecidable and program property Y is superexponential to determine are almost universally pathological ones that nobody would want to do anyway. When they're not, they can often be worked around.

You CAN prove useful things about large classes of bugs in programs. No, you can't prove those things about every program you can run on a Turing machine, but that's irrelevant, and clinging to it causes serious defeatism that sets back the field. You don't have to be able to prove every arbitrary program; you just have to be able to construct a program you can prove.

If anything, the hard part is formulating what you want to prove. There will always be holes in that, but that doesn't mean it's not worth doing what you can.

Re:This could work if... (1)

Hizonner (38491) | about a year and a half ago | (#41215921)

Oh, yeah, and to take it back to the topic, the question of whether some random black box computer is infected with something is also undecidable. And, worse, impractical to even make a good guess at.

Re:This could work if... (0)

Anonymous Coward | about a year and a half ago | (#41215467)

You can answer that question yourself, when you manage to write the world's first bug-free non-trivial program. :P

I think it's taking it a step too far... (4, Insightful)

Revotron (1115029) | about a year and a half ago | (#41215349)

...In other unrelated news, when I had tuberculosis all the restaurants in my area kicked me out when they found me coughing on their salad bars. How dare they stifle my freedoms! Police state!

I don't know about a food worker deciding ... (1)

Anonymous Coward | about a year and a half ago | (#41215655)

On topic, if my machine was infected, I wouldn't have a problem being booted off the 'Net because it probably means that my security software didn't catch it. And it also means that if I'm kicked off, then any malware couldn't be uploading my critical information - like logins to my banks. Then I can go and fix the problem if I can.

Re:I think it's taking it a step too far... (1)

Attila the Bun (952109) | about a year and a half ago | (#41215711)

...In other unrelated news, when I had tuberculosis all the restaurants in my area kicked me out

The trouble is that (following your analogy) the hospitals are inside the restaurants.

Re:I think it's taking it a step too far... (1)

Anonymous Coward | about a year and a half ago | (#41216179)

Not hospitals, just restaurant employees trained to recognize public health threats.

Too slow and costly (0)

Anonymous Coward | about a year and a half ago | (#41215381)

Active scanning of all those packets would just introduce more latency. It also boils down to who is going to pay and who should?

ISPs would have more support costs which means increased cost for all customers.

End-users could probably be reasonably expected to pay a repair shop to clean their machine if they don't know how.

It boils down to money.

Herd Immunity (1)

joelwhitehouse (2571813) | about a year and a half ago | (#41215387)

If a security suite detects a virus and doesn't quarantine that computer, it is only putting all the other computers on the network at risk. If quarantining upon detection happened to the majority of networked computers, then there would be "herd immunity" protection for computers both with and without antivirus protection.

Re:Herd Immunity and blocking ports (4, Informative)

davecb (6526) | about a year and a half ago | (#41215659)

[I commented on part of this below, but wasn't logged in...] Blocking infected PCs is a new problem for computer science to debate, but it's very similar to long-solved "public health" problems in the world where viruses are composed of atoms, so we can borrow some of the cures from there. This is also a good way to keep from looking stupid in front of the courts!

People who are being spammed by your PC can legitimately use the minimum force necessary to stop the harm, not including shooting it or you. This is the starting point in law: a harmed individual, who has some limited rights to respond in self-defense.

If your PC is trying to infect theirs, they can tell the local board of health, and have you asked to quarantine yourself until the disease is cured. In this case, the board of health is the ISP, and they're asking you every time you try to send spam/viruses. They're allowed to wear a surgical mask while asking, as well, in this case over their port 25. They're not allowed to put you in an impervious plastic bag to stop you from breathing: that's not minimum force.

If you or your PC resists being quarantined, they can apply to the courts for an order to have the PC locked up and treated against its will. That's a real court, with real judges and court orders, not an ISP. In that case you can argue against it, but you'd better have a legally valid reason, not "you can't do that to me". And if necessary you can object, and argue it out before a judge.

--dave
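davecb's "minimum force" rule (mask over port 25, not a plastic bag over the whole customer) and TWX's conditions earlier in the thread (only block the methods by which the detected malware spreads, cut off for a limited time, and automatically assume clean again) describe a quarantine policy precise enough to write down. The following is an added example, not code from any commenter or ISP: the mapping from detected behaviour to the ports it is stopped on, the behaviour names, and the 24-hour default TTL are all this example's own assumptions, and the clock is supplied by the caller so the logic can be exercised without waiting.

```python
"""Scoped, self-expiring quarantine policy (added example, not from the thread)."""
from dataclasses import dataclass

# Narrowest block that stops the harm for each detected behaviour.
# The behaviour names are this example's own; the ports are the standard ones
# for SMTP, SMB/NetBIOS and DNS.
SCOPED_BLOCKS = {
    "spam": {("tcp", 25)},
    "smb_worm": {("tcp", 445), ("tcp", 139)},
    "rogue_dns": {("udp", 53), ("tcp", 53)},
}


@dataclass
class Quarantine:
    blocked_ports: set        # set of (proto, port) pairs actually blocked
    expires_at: int           # seconds on the caller-supplied clock
    reason: str               # the behaviour that triggered it


class QuarantinePolicy:
    """Tracks per-customer port-scoped blocks that lapse on their own."""

    def __init__(self, ttl_seconds=24 * 3600):
        self.ttl = ttl_seconds
        self.active = {}  # customer -> Quarantine

    def quarantine(self, customer, behaviour, now):
        """Block only the ports the behaviour needs; refuse anything unscoped."""
        ports = SCOPED_BLOCKS.get(behaviour)
        if ports is None:
            # No narrow block defined: refusing is safer than a full cutoff.
            raise ValueError(f"no scoped block for {behaviour!r}; refusing to cut off")
        current = self.active.get(customer)
        if current is not None and current.expires_at > now:
            # Repeat detection: widen the block only as far as needed, restart the clock.
            current.blocked_ports |= ports
            current.expires_at = now + self.ttl
            current.reason = behaviour
        else:
            self.active[customer] = Quarantine(set(ports), now + self.ttl, behaviour)
        return self.active[customer]

    def is_blocked(self, customer, proto, port, now):
        """Everything not explicitly blocked, and everything after expiry, passes."""
        q = self.active.get(customer)
        if q is None or q.expires_at <= now:
            return False
        return (proto, port) in q.blocked_ports

    def expire(self, now):
        """Drop lapsed quarantines: the customer is assumed clean again."""
        lapsed = sorted(c for c, q in self.active.items() if q.expires_at <= now)
        for customer in lapsed:
            del self.active[customer]
        return lapsed

    def release(self, customer):
        """Early manual release, e.g. after the helpdesk confirms a clean-up."""
        return self.active.pop(customer, None) is not None


if __name__ == "__main__":
    policy = QuarantinePolicy(ttl_seconds=3600)
    policy.quarantine("10.0.0.5", "spam", now=0)
    print("port 25 blocked:", policy.is_blocked("10.0.0.5", "tcp", 25, now=10))
    print("port 443 blocked:", policy.is_blocked("10.0.0.5", "tcp", 443, now=10))
    print("expired at t=3600:", policy.expire(now=3600))
```

The design choice worth noting is the `ValueError`: a detection for which no narrow block has been defined is not silently escalated to a full disconnect, because that is exactly the "plastic bag" davecb rules out and the abuse path TWX warns about. Web access stays open throughout, which is what lets the customer reach an explanatory page or download updates while quarantined.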

Why introduce censorship, if you can call it (3, Insightful)

someones (2687911) | about a year and a half ago | (#41215421)

Why publicly introduce censorship, if you can call it "computer infected by malware".
'nuff said.

Re:Why introduce censorship, if you can call it (1)

Nidi62 (1525137) | about a year and a half ago | (#41215473)

So is quarantining people infected with Ebola infringing on their free speech then?

Re:Why introduce censorship, if you can call it (2)

amorsen (7485) | about a year and a half ago | (#41215633)

So is quarantining people infected with Ebola infringing on their free speech then?

Of course it is, assuming they don't get to communicate (most are probably too busy trying not to die though).

Sometimes infringing on free speech is necessary. The question is simply where the line is.

Re:Why introduce censorship, if you can call it (1)

Anonymous Coward | about a year and a half ago | (#41215705)

That's a real sucky analogy. How 'bout a car one: All motor vehicles which don't meet minimum emissions standards shall be banned from driving on any public roadways. To enforce this, LEO's will have the ability to perform instant emissions check of any vehicle on a public roadway which, if found to be in violation, shall be towed at the owner's expense to a garage where the vehicle will undergo repairs (again at the owner's expense) until the vehicle comes into compliance with the law. If the vehicle cannot be brought into compliance it shall be destroyed. Pollution, global warming, air quality problems fixed! That's surely not free speech infringement, is it? I mean, nobody's stopping the owner from complaining about it!

Re:Why introduce censorship, if you can call it (1)

WaffleMonster (969671) | about a year and a half ago | (#41215723)

So is quarantining people infected with Ebola infringing on their free speech then?

It is when you claim they have Ebola just to shut them up.

Re:Why introduce censorship, if you can call it (0)

Anonymous Coward | about a year and a half ago | (#41215779)

I saw WaffleMonster cough! I SAW IT!

Why introduce censorship, if you can infect... (1)

betterunixthanunix (980855) | about a year and a half ago | (#41215853)

Wouldn't it be great if nobody who criticized the government could send their message to anyone who is not already a dissident? Let's write a worm that checks what people are writing, then hides from them the fact that only fellow dissidents are seeing their emails/usenet posts/facebook feeds!

The proper way (4, Interesting)

Teun (17872) | about a year and a half ago | (#41215427)

I think it is only proper for ISP's to limit spreading of viruses or engagement in things like phishing.

My ISP xs4all.nl, one of the most reputable when it comes to internet freedom, will shut a subscriber's net access down when there is good indication of infection.
The way they do it is smart, you get a mail on your administrative account and you are diverted to a message explaining why you can only access the net via the ISP's own proxy.
The last is to give you a chance to get on-line help or updates.
Once you can convince the helpdesk you have cleaned up your computer(s) they'll switch you back on.
The helpdesk is also very helpful to the clueless on how to clean up their computer.

Re:The proper way (1)

Yaa 101 (664725) | about a year and a half ago | (#41215541)

They are my ISP too, and I had the same thing happen.

Their helpdesk is the only non-scripted helpdesk with a Dutch ISP; they take the time it takes to solve the problem, instead of playing hide and seek while blaming their customers like most other companies do.

Re:The proper way (0)

Anonymous Coward | about a year and a half ago | (#41215571)

This is ridiculous, unless it's optional. I'd switch ISP immediately if they pulled something like this.
What goes on on my PC is none of their business.

Re:The proper way (1)

FyRE666 (263011) | about a year and a half ago | (#41215641)

Well sure, but if you went out on the streets handing out hardcore pornographic photos to everyone you met, all day long, every day, wouldn't you expect repercussions? If your PC is an infected piece of crap, spewing junk all over the internet, your ISP should unplug you. In fact, I'm sure they'd be very happy with you switching to another ISP so your problem disappears off with you!

Re:The proper way (0)

Anonymous Coward | about a year and a half ago | (#41215967)

This is ridiculous, unless it's optional. I'd switch ISP immediately if they pulled something like this.
What goes on on my PC is none of their business.

And what goes on on the ISP's network is their business.

Yes, should be blocked or attacked (3, Insightful)

SuperKendall (25149) | about a year and a half ago | (#41215433)

The thing is, a malware infected system that is attacking other systems is broken - just usually in a way the user of that system does not notice.

But broken it is, and all blocking/damaging the system does is make it apparent to the user of that system that it is broken, so that they can fix it (or buy a new system).

It's yet another reason why backups are very important...

well... (1)

buddyglass (925859) | about a year and a half ago | (#41215437)

If it's possible to detect with a relatively high degree of certainty that a given customer's account is being used by a machine that's infected then I very much support turning them off and giving them a phone call/email/letter. But that's (potentially) a big if.

And how will they fix the infection then?? (0)

Anonymous Coward | about a year and a half ago | (#41215449)

If they had working anti-malware software on their boxes, this wouldn't have happened in the first place.
So obviously, they have to download it somewhere. (Obviously with another non-infected boot medium.)

How will they do that, if you cut their access? (Oh, and how do you know it's infected anyway? DPI on a port told you? Well, why don't you just block such connections then??)

This is really stupid. A half-assed "solution" for lazy people. But hey, lazy, dumb and ignorant are the new efficient, intelligent, cool! So who am I to know better, with my... *facts*?

Re:And how will they fix the infection then?? (2)

Teun (17872) | about a year and a half ago | (#41215605)

No, it's not stupid; the ISP should give limited access via their proxy so you have a chance to download updates etc.

Re:And how will they fix the infection then?? (2)

Todd Knarr (15451) | about a year and a half ago | (#41215611)

For DNSChanger, you can easily spot an infection by the fact that it's making DNS queries to a known set of DNS servers owned by the malware authors. Spotting that kind of traffic accurately is trivial. For a lot of other malware once the command-and-control network is identified it's easy to spot infections by their attempts to connect to the C&C servers (an uninfected computer wouldn't have any reason to be trying that). So no need for DPI or anything, a simple Perl script parsing the firewall logs will hand you a neat list of subscriber computers grouped by the pieces of malware they're infected with. I have almost the same script running on my firewall, except it's checking inbound traffic and showing me all access attempts grouped by the service they tried to access.

As for how they're going to fix it without access, they won't. For DNSChanger for instance, given the amount of coverage it got and how long the news was out there, anyone who hadn't fixed it by the time the servers were shut down wasn't going to fix it ever. When you've got people that oblivious, the only way to get their attention is to make the net stop working. At that point they suddenly get real attentive. And since they've proven they're either unable or unwilling to fix their own computers (if they weren't, they'd've done something before now), it's probably better if they're forced to take it to someone who can clean it up.
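
The log-grouping approach described in the comment above, as an added example in Python rather than Perl (this is not the poster's script): it walks iptables-style LOG lines, matches outbound destinations against a table of known C&C / rogue DNS servers, and lists subscriber sources per malware family. The indicator ranges, the "ExampleBot" family name and the log lines are constructed placeholders (RFC 5737 documentation addresses), not real indicators.

```python
"""Group subscriber hosts by the malware whose C&C / rogue DNS servers they
contact, using nothing but firewall log lines (no DPI needed).

Added example, not the commenter's own script. Indicator addresses, the
ExampleBot family and the sample log are constructed placeholders."""
import ipaddress
import re
from collections import defaultdict

# Constructed indicator table: malware family -> list of
# (server network, protocol, destination port) an infected host contacts.
INDICATORS = {
    "DNSChanger": [("192.0.2.0/28", "UDP", 53)],     # placeholder rogue DNS range
    "ExampleBot": [("203.0.113.7/32", "TCP", 8080)],  # hypothetical C&C host
}

# iptables LOG format; only the fields the grouping needs are captured.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)

# Pre-parse the networks once so classify() stays cheap per log line.
_TABLE = [
    (ipaddress.ip_network(net), proto, port, family)
    for family, rules in INDICATORS.items()
    for net, proto, port in rules
]


def classify(dst, proto, dpt):
    """Return the family whose (network, proto, port) matches, else None."""
    addr = ipaddress.ip_address(dst)
    for net, want_proto, want_port, family in _TABLE:
        if addr in net and proto == want_proto and dpt == want_port:
            return family
    return None


def group_infected(lines, min_hits=1):
    """Map family -> sorted subscriber source IPs seen contacting its servers.

    min_hits lets an operator ignore one-off contacts (a single stray probe)
    and report only hosts that keep coming back, which is what a real
    infection looks like in the logs."""
    counts = defaultdict(lambda: defaultdict(int))  # family -> src -> hits
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        family = classify(m["dst"], m["proto"], int(m["dpt"]))
        if family:
            counts[family][m["src"]] += 1
    report = {}
    for family, per_src in counts.items():
        ips = [src for src, n in per_src.items() if n >= min_hits]
        if ips:
            report[family] = sorted(ips, key=ipaddress.ip_address)
    return report


# Constructed sample log: two repeat offenders, one single contact, and two
# lines that must NOT match (a legitimate resolver, and the right host on
# the wrong port).
SAMPLE_LOG = [
    "Sep  4 10:01:02 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.21 DST=192.0.2.3 LEN=60 PROTO=UDP SPT=51234 DPT=53",
    "Sep  4 10:01:09 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.21 DST=192.0.2.5 LEN=60 PROTO=UDP SPT=51240 DPT=53",
    "Sep  4 10:02:00 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.7.8 DST=203.0.113.7 LEN=52 PROTO=TCP SPT=40210 DPT=8080",
    "Sep  4 10:02:31 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.7.8 DST=203.0.113.7 LEN=52 PROTO=TCP SPT=40211 DPT=8080",
    "Sep  4 10:03:15 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.9.2 DST=198.51.100.10 LEN=60 PROTO=UDP SPT=55000 DPT=53",
    "Sep  4 10:04:00 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.9.2 DST=203.0.113.7 LEN=52 PROTO=TCP SPT=40300 DPT=80",
    "Sep  4 10:05:00 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.3.3 DST=192.0.2.9 LEN=60 PROTO=UDP SPT=50000 DPT=53",
]

if __name__ == "__main__":
    for family, ips in group_infected(SAMPLE_LOG, min_hits=2).items():
        print(f"{family}: {', '.join(ips)}")
```

Feeding real logs means replacing the placeholder table with the indicators your feed actually publishes and the regex with your firewall's log format.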

Already the case (0)

Anonymous Coward | about a year and a half ago | (#41215463)

They don't need to boot you off the internet, they just need to firewall all ports except TCP 80 and http-redirect all your browser requests to a 'you're infected' page with links to freeware virus scanners for download and a help phone number.

Not PC's, ports! (0)

Anonymous Coward | about a year and a half ago | (#41215493)

If a PC is infected with, for example, a spam generator, then it's arguably subject to being prevented from sending spam. No more than that, mind you! Cutting off all access because Bill doesn't do security well is cruel and unusual punishment (:-))

To make it past the scrutiny of the courts, we should pattern our response to infected PCs on the existing laws about assault and public health:

  • people who are being spammed by your PC can legitimately use the minimum force necessary to stop the harm, not including shooting it or you!
  • if your PC is trying to infect theirs, they can tell the local board of health, and have it quarantined until the disease is cured
  • if your PC resists being quarantined, they can apply to the courts for an order to have the PC locked up and treated against its will

If we apply this to ports, a PC could have port 25 blocked with a "599 You have a spam virus, call us at (416) 555-1212 for more information"
Similarly if the virus was one which tries to spread via connections to port 22, you might find you can't use ssh/scp/sftp outbound from your system.

The latter poses a notification problem: it's not easy to capture ssh setup sequences and send a message to the user.

It might be hard to complain about being blocked from spamming, but if you aren't informed you have a virus, you can't stop spamming, and can legitimately complain about being blocked "secretly". It might be necessary to use a scheme to redirect http to a notification page before letting it go elsewhere, somewhat like hotels do. In any case, the person doing the blocking would need to make a serious, good-faith effort to notify the person who's being blocked.

Blocking is a new problem for computer science to debate, but it's very similar to long-solved "public health" problems in the world where viruses are composed of atoms, so we can borrow some of the cures from there.

--dave

Are we kidding? (1)

Anonymous Coward | about a year and a half ago | (#41215503)

Of course it's taking it too far!

A random remote PC should not affect you in any meaningful way. If it does, we have bigger problems to solve first.

Also: define 'infected'. This is just asking for trouble.

Re:Are we kidding? (1)

betterunixthanunix (980855) | about a year and a half ago | (#41216057)

If it does, we have bigger problems to solve first.

Newsflash: We have big problems when it comes to Internet security. The network was designed by and for people who all trust each other, and it is being used by people who are not trustworthy.

DNS changer (2)

DarkOx (621550) | about a year and a half ago | (#41215517)

The DNS Changer clean up saw some PCs prevented from accessing the web.

No, the malware would have done that after the fraudulent DNS servers got shut down. DNS Changer is a case where COMPROMISED SYSTEMS WERE ACTIVELY KEPT ON THE NETWORK; what should have been done is those machines should have been allowed to fail to resolve hosts after the fake DNS servers were shut down. That would have had them fixed literally months sooner.

Already done... (2)

Yaa 101 (664725) | about a year and a half ago | (#41215519)

My ISP, xs4all, blocks my connection automatically when trojans or other malware start to make outbound connections.
I know this as I am responsible for several people on this connection; one of them connected a laptop which triggered this.

When this happens all my ports are closed at the ISP and I get a notice to connect to their proxy server so that I can download protective means.
When I solve the issue I get a checkup and after that all goes well; the ports are reconnected.

Re:Already done... (0)

Anonymous Coward | about a year and a half ago | (#41215751)

Once upon a time (3-4 years ago) I used an open access point (at that time it was illegal to use others' APs without explicit consent) to try to ssh to my home machine. Since it was illegal I tried to use Tor to cover my tracks, resulting in xs4all "disconnecting" the subscriber; suddenly nothing works and any http request would result in the warning you mentioned. Soon after, the AP was "secured" with WEP. This time I "broke the encryption" and just started Tor again to get them locked out for a second time; not too long after that the AP was secured with WPA.

WoW Raiding Philosophy (0)

Anonymous Coward | about a year and a half ago | (#41215533)

Your 14.99USD a month means you can play how you want. The other 24 raiders' 359.76USD says know how to play your role or gtfo. (Or something along those lines.)

Non-Warcraft version: Yeah, you pay for your Internet access (probably), but when you start interfering with other people's access (at the very least)... Yeah, you can kiss your access goodbye until you clean the infection. Go ask some neighborhood kid if you need help doing that.

Re:WoW Raiding Philosophy (0)

Anonymous Coward | about a year and a half ago | (#41215683)

Go ask some neighborhood kid if you need help doing that.

Most kids are not technology savvy; the most they know is how to use an iPhone.

You'd be best looking for some kid who has glasses and acne, I'm sure he could help you.

Hell no. (3, Insightful)

PopeRatzo (965947) | about a year and a half ago | (#41215545)

Let's not bullshit around here. The idea of kicking people off the Internet because of "malware" is about the opposite of security.

We've already had the RIAA and MPAA try to portray any copied media as malware. There are hacks that will allow you to play your legitimately purchased game without having to have the disk in the drive that are seen as malware by the major antivirus software.

How many times over the years have you had to tell your antivirus software to ignore a false positive? What if you'd been thrown off the Internet every time that happened? How long before the big content providers start using this approach to create an ad hoc "two strikes" policy? Or "one strike"?

Now how about if Comcast decides that if your system is kicked off the Internet for having "malware" that they won't let you use your broadband connection until they are allowed to scan your system remotely?

Anything that smacks of this kind of centralized, or even potentially centralized control is bad news. Even if it's not centralized now, you know it will be if Comcast (and others) have their way.

Look, just provide broadband to my house. I'll protect myself and you protect yourself. Unfortunately, the days of just getting "plain old broadband" to your house and then being left alone seem to be dwindling. More and more our use of the Internet is being monitored, tracked. How long before we're knocked off if we don't allow ads in our browsers? Maybe they'll declare ad-block to be "malware".

Re:Hell no. (0)

Anonymous Coward | about a year and a half ago | (#41215913)

I have never had to tell antivirus software to ignore a false positive. Maybe something really is wrong with your computer.

Re:Hell no. (0)

Anonymous Coward | about a year and a half ago | (#41215995)

You beat me to it. Well played, Sir.

the question will become. (4, Insightful)

Truekaiser (724672) | about a year and a half ago | (#41215565)

Who defines what is malware if this happens?
I have no doubt that if the ISP in question is also a media company, programs that access the internet and belong to their competitors 'might' occasionally be flagged as malware.
I can also see that alternative OSes could theoretically be flagged as such.

But above 'all', how could they determine if malware is installed simply from the ISP side and without requiring special programs on their customers' PCs to access their services?

responsibility (3, Interesting)

tverbeek (457094) | about a year and a half ago | (#41215583)

Back in olden days, this went without saying. If your system was infected with a worm and you didn't take prompt action to clean it up, you were disconnected from the net. Likewise with other conduct unbecoming of a host on the internet, like forging Usenet cancels or sending spam. After all, access to the Internet was a privilege, not a right. A college with net access was expected to police its users, the university or cooperative that provided the college with access was expected to police them, and so on. There was a chain of responsibility all the way from the end-user to the backbone. That all changed over the course of the 1990s, as the Internet was opened to anyone with an adequate checking account, and the proliferation of commercial ISPs made it trivially easy for a cracker to move from one account to another, so the threat of being banished from the net lost its teeth.

Dumb pipe (3, Insightful)

Oceanplexian (807998) | about a year and a half ago | (#41215593)

It really depends on where the "knocking off" happens. If the FBI knocks off some bot's C&C network, then it's fair game. If an ISP were to start blocking ports, addresses, etc, for "spam" reasons, it's the start of a slippery slope. I've always been against sender-side spam mitigation for this exact reason.

Yes, spam/bots are annoying as hell, but it's not the ISP's responsibility. Anything less threatens the very nature of the Internet as an open platform.

I feel this is pointless because (1)

s0nicfreak (615390) | about a year and a half ago | (#41215653)

many blocked users will just buy another computer and get infected again. Education is really the key to fixing this, but I have no idea how we could realistically educate everyone (requiring a license to use the internet is not realistic).

Windows is safe on the net PERIOD (1)

Anonymous Coward | about a year and a half ago | (#41215671)

I use Internet Explorer 6, and make damn sure not to run Windows Update, and reinstall XP every year with SP2 on all my family's computers. My copy is a real fast one from filemonsterswarez.ru so I do not worry about malware. I don't run a router or any other crap that can slow down my computer. My Clean PC says everything is OK so I don't worry. When some asshole threatens to limit my access to the net by blocking all my computers from accessing the web I get really pissed!

Depends on the Terms of Service (2)

perlith (1133671) | about a year and a half ago | (#41215673)

Some of the responses I'm seeing so far from other Slashdotters are amazing given the support towards Net Neutrality. You do not get to determine what is "malicious" from your point of view and decide whether to keep it on or off the Internet. It gets sent out, period.

- If my home ISP, workplace, campus connection, etc. has in writing via a TOS they can quarantine me from the rest of the internet for being contagious, I'm good with that.
- If said home ISP, workplace, campus connection, etc. suddenly decides to cut my connection without my consent and without the TOS stating they can do so, then I have problems with that. That changes the TOS by which I chose to interact with the other party originally.
- Give me advance notice, and I can choose to continue using that service or not for Internet connection.

Case in point: I no longer frequent Panera Bread for food+Internet access given certain locations limit how long (usually 30 min) you can use their WiFi during peak periods. They did give notice of their change in TOS in writing prior to my using their WiFi. I will continue to eat at Panera Bread if I don't need internet access ... that didn't change. I will not eat there if I need internet access ... that did change.

It depends on the Terms of Service. Not much more discussion to be had.

Public infrastructure (4, Insightful)

LourensV (856614) | about a year and a half ago | (#41215685)

We don't let people drive unsafe cars on the roads, or connect non-FCC certified equipment to the telephone network, or fly uninspected airplanes over other people's rooftops, so why should we let infected computers onto the Internet?

If it's clearly infected, you quarantine it and make sure all that can be accessed from that machine is instructions on how to remove the infection, updates for virus scanners, etc. Basic common sense.

Absolutely! (1)

sribe (304414) | about a year and a half ago | (#41215687)

I once accidentally connected an unprotected, unpatched Windows machine to the internet--it was a test machine that was not supposed to ever be connected to the wider network. I got an email from my ISP complaining about it and informing me that they'd cut off its access. The only anger I felt was at myself for having screwed up. My ISP did the right thing, isolating the damage from my mistake to within my own network.

This gets really scary (0)

Anonymous Coward | about a year and a half ago | (#41215689)

when you think about treacherous computing and remote attestation...

Just say no..I mean yes. (3, Insightful)

WaffleMonster (969671) | about a year and a half ago | (#41215695)

Yes, for all cases like DNS Changer the best thing to do is take any C&C systems offline and make no attempt to mitigate any side effects. LEA caused countless thousands to go on about their daily activities with compromised systems and not know about it. Shutting off the damn C&C would have immediately caused these people to realize they were hacked or hire someone to determine the same. Instead, continuing to run the DNS service hid this fact, potentially unnecessarily endangering people with compromised systems.

Now if the question is should you deliberately disconnect someone from the Internet if you don't like or suspect the packets they are sending, the answer is hell no.

what about false positives? norton and McAfee had (1)

Joe_Dragon (2206452) | about a year and a half ago | (#41215721)

what about false positives? Norton and McAfee had issues with that.

Now think of how bad it can be if say windows based systems got flagged and kicked off.

Re:what about false positives? norton and McAfee h (1)

betterunixthanunix (980855) | about a year and a half ago | (#41216107)

It is not as though you will be shot in the head if malware is detected. You call up your ISP and ask to know what happened, they explain, and then you tell them that you were running some application that is not actually malware, and you should get reconnected, at least in theory. In practice, things are probably going to be a bit different, but again, this is not permanent.

Re:what about false positives? norton and McAfee h (1)

Joe_Dragon (2206452) | about a year and a half ago | (#41216171)

That is, if you get stuck with the call center script readers, who may just say reload your OS, or maybe even say delete the app called Windows Explorer (talking about the system one), as they may just need the name of the flagged app, or even say that as part of your ISP account you get Norton Security Suite for free, so install that and run a scan, even when, say, Microsoft Security Essentials is way better.

Re:what about false positives? norton and McAfee h (0)

Anonymous Coward | about a year and a half ago | (#41216195)

This sounds like it will work exactly as well as DMCA counternotices.

not too far. call your isp (0)

Anonymous Coward | about a year and a half ago | (#41215773)

Anyone who needs a service and can't access it? Call your helpdesk. If you know you need a port, or domain name, or IP accessible to you? Call them. If you are connecting to a specific port 50 times a day that isn't a specified normal type of service... one phone call can make it open up. But millions of zombies on a huge botnet are a problem... to everyone. More spam, more network traffic, etc. Cut all known access with a 100% failsafe by email or phone call of the alleged victim. Net neutrality in some technical definitions aside, people can access all free speech, all content, etc... it just takes a phone call if they mimic infected machines.

Kicking off users Active Directory (1)

zorac80 (1528939) | about a year and a half ago | (#41215897)

One problem in large environments is PCs trying to write infected files to shares. I found that one way to address this is to flag the users writing the files. Some antivirus solutions will give you the account name trying to write the infected file to the server and even send an email to an admin. A group can be created in AD for these infected users. A GPO can be pushed out for "deny network logon" to the group. The users can be removed from the group when their PCs are marked clean. It might take some time for the user's group membership to update.

This is already being done (0)

Anonymous Coward | about a year and a half ago | (#41215951)

q-net ( http://www.quarantainenet.nl/ - Dutch ) has been doing this for some years now, but in a user-friendly way. They deploy honeypots which find hosts that are actively trying to infect other hosts and put them in a separate quarantined subnet. If a user's computer is in this net, any http request is routed to a webpage explaining that his/her computer is infected and what to do about it. Some domains are still working, namely those needed to fix it, e.g. microsoft.com or antivirus software suppliers. All other webpages are redirected to the help page.

This software is something that your provider or company installs to help protect the whole network. I don't think this needs to be inherently evil, but you do need to provide options for users for self-help and options to remove themselves from the quarantine once they have fixed the problem. Using honeypots or other non-intrusive detection mechanisms also prevents any privacy problems.

PS. I'm not an employee of quarantainenet, but I know most of them :)

Stupid (3, Interesting)

KalvinB (205500) | about a year and a half ago | (#41216081)

My ISP cut off my internet connection after accusing me of spamming while providing no evidence that I was. I blocked port 25 at my router but that wasn't good enough for them. Since I couldn't connect to the internet I couldn't install any sort of anti-malware software. And once I did, I found it wasn't infected with anything. And I never got anything from my ISP showing what was going on.

They wanted to have a tech come in and check things out and have third party validation that my computers were clean. I told them the only tech coming in my house would be a competing ISP. And they could pound sand if they thought I was going to pay someone to inspect my computer which I need running and on-line to do my job of web development.

All without any actual documentation to show what they were accusing me of. They didn't even contact me before shutting off my internet to see if we could do a quick fix if needed. It's a good thing their competitor is Century Link (previously known as Qwest).

The only reason I got quick resolution is because they had a local office I went to and started in on them there. Their phone support kept trying to pass me off and just refused to do anything. They had customers hearing about how they just shut off my internet connection for no reason and with no warning so that was a bit of motivation for them to stop being morons.

I really hate that Qwest is the only competitor. I unblocked port 25 recently and if they give me grief again I'm done since there's no other option. Turns out, sites in progress have various email features that need to be checked.

LiveCD Anti[Redated]ware for free?? (1)

RobertLTux (260313) | about a year and a half ago | (#41216149)

So other than Windows Defender Offline, what LiveCDs are available that can be updated without downloading a full disc EVERY TIME??

(bonus if you can load the payload onto flash media for systems without a ROM drive and Double Bonus if a single copy can do both 32 and 64 bit)

Why did AV publishers stop doing live install CDs??

Depends on how malware is defined and detected (0)

Anonymous Coward | about a year and a half ago | (#41216157)

While I think kicking infected computers off-line is a good idea, it does raise serious questions as to how malware is defined and detected. For example, I once talked with an ISP rep, years ago, who said their company was trying to cut down on malware. To get on-line they required their customers to install their anti-virus and protection software. I guess the software would report home with its status and that would cause the ISP to allow/block the computer. The kicker was the software was Windows-only, meaning users of OS X, Linux, etc. were out of luck.

I guess what I'm getting at is, removing legitimately infected machines from the network may be good, but I'm not sure I would trust any ISP to know what is really malware, what is an unknown and what is simply high (and legitimate) network use.
