Safe Computing Practices (aka How Not To Get Viruses, Hacks,


IMajorSmall
Posts: 108

Post#31 » Wed Jan 21, 2009 5:00 pm

That's an interesting thought with the ISP traffic. But would that require the user to set up rules or white-list certain things? Windows tried that, and thus far it's been relatively unpopular.

As for value-added services, I think that would be very possible. Working in a hospital, I see it from that perspective - A decentralized health-care network could be created, and a doctor/nurse/authorized health-care worker could use the patient's ID to verify their identity, and then use their own ID along with the patient's ID to pull all the information the health-care network has on them. This way it controls access two ways--you get the right information on the right patient quickly and easily, and at the same time, it prevents any random person from getting that same information.

With a standardized, state-issued and verified secure ID, the possibilities are almost endless. Too bad even just a simple state ID card raises people's security concerns. Some people don't realize that most of their information isn't as secret as they think it is.
Lealla
Class Leader
Posts: 3797

Post#32 » Wed Jan 21, 2009 5:27 pm

Not a white list as you'd think of it, more like this:

Your ISP routes all traffic coming out of your computer (more specifically, your connection), and it knows your IP address and also any email accounts you've established with their mail server. All IP packets are tagged with the sending as well as the receiving IP address, and all SMTP traffic contains headers identifying the sender of the email (the "From" address).

If your ISP detects outgoing packets whose sender IP doesn't match the IP in the routing table, they get black holed and disappear. If the quantity of bad packets exceeds an established threshold, it triggers an email to your registered account. If it continues to occur, it locks your access so that any attempt to open an Internet address redirects to a page telling you that an infection was detected and giving instructions to reactivate your account. This process would be human-supervised.

Email is trickier. Most bots these days use their own built-in SMTP handler. So, the ISP's goal is to read the headers of all outgoing SMTP packets. If the From address is missing or does not match an email address registered to the ISP account, it is flagged as suspicious. The behavior at that point would depend on a number of factors, possibly including screening the email through a spam filter to see if it triggers a match, or if it contains suspicious attachments, etc - basically the same process ISPs use to filter incoming mail. A sufficient accumulation of matches triggers a human alert that can ultimately lock down the account in the same manner as above.

A similar process could be applied to web servers hosted by the ISP user, or if the user is running a private mail host. Many users do run their own hosts/websites, but the ISP could require them to whitelist by submitting an electronic application, basically saying, "Yes, this is my private web server and not a bot." Ideally, this process would require authentication so a bot couldn't simply spoof it.

This would work for two reasons: first, the average non-technical user doesn't host their own websites or mail servers, so there's no reason for them to ever run afoul of the policy unless they get infected. Second, those users who are savvy enough to roll their own servers should be aware of and able to intelligently comply with their ISP's policy.

Webmail complicates this somewhat, unfortunately, and has indeed become increasingly used by hackers for this very reason: some ISPs are getting canny about restricting bot-generated outgoing mail.
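A toy model of the ISP-side scheme described in the post above, added here as an example and not code from the forum or any real ISP. It drops outgoing packets whose source address is not the one assigned to the connection, escalates per account (warn, then lock) once the count of dropped packets crosses a threshold, and flags outgoing mail whose From header is missing or not registered to the account. The account table, the two thresholds and the sample packets and messages are all constructed for the demo; a real deployment would derive them from the ISP's routing and subscriber data.

```python
"""Model of an ISP egress filter: source-IP spoof check with threshold
escalation, plus an outgoing-mail From-header check (constructed example)."""
import email
import email.utils
from collections import Counter

# Assumed thresholds; the post leaves the real numbers open.
WARN_THRESHOLD = 3   # dropped packets before the account gets a warning email
LOCK_THRESHOLD = 6   # dropped packets before access is redirected to a notice page

# Constructed subscriber table: assigned IP and mailboxes registered per account.
ACCOUNTS = {
    "acct-1": {"ip": "203.0.113.10", "mail": {"alice@isp.example"}},
    "acct-2": {"ip": "203.0.113.11", "mail": {"bob@isp.example"}},
}


def account_state(dropped_count):
    """Map a per-account dropped-packet count to the escalation state."""
    if dropped_count >= LOCK_THRESHOLD:
        return "locked"
    if dropped_count >= WARN_THRESHOLD:
        return "warned"
    return "ok"


def filter_packets(packets):
    """packets: iterable of (account_id, source_ip, dest_ip).
    Returns (forwarded packets, dropped-per-account Counter, state per account)."""
    forwarded, dropped = [], Counter()
    for acct, src, dst in packets:
        if src == ACCOUNTS[acct]["ip"]:
            forwarded.append((acct, src, dst))
        else:
            dropped[acct] += 1   # source does not match the assigned IP: black-hole it
    state = {acct: account_state(dropped[acct]) for acct in ACCOUNTS}
    return forwarded, dropped, state


def smtp_from_is_registered(acct, raw_message):
    """True only if the message's From header carries an address registered
    to the account; a missing or foreign From address is suspicious."""
    msg = email.message_from_string(raw_message)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return bool(addr) and addr.lower() in ACCOUNTS[acct]["mail"]


if __name__ == "__main__":
    sample = [("acct-1", "203.0.113.10", "198.51.100.1")] * 2 \
           + [("acct-1", "192.0.2.99", "198.51.100.1")] * 6     # spoofed source
    print(filter_packets(sample)[2])   # acct-1 locked, acct-2 ok
```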

IMajorSmall
Posts: 108

Post#33 » Wed Jan 21, 2009 6:56 pm

Interesting indeed. I don't think it should fall onto the ISP to do this, however. I think the filter should be applied on a more local level - in each network or computer's firewall.

That way, the ISP doesn't incur the overhead, and the spam is stopped before it even gets out of its network. A problem with this, however, is it puts it on the network administrators to keep the protection intact for the better of the greater intertubes, but at least it gives them more of an ability to handle it internally.

Imagine this scenario: An intern at Blizzard plugs in a laptop in the server room and starts checking out porn at 4am. He gets infected. Blizzard gets an email saying that they have a problem, and if they don't fix it, the ISP will. What happens if Blizzard can't find the source of the problem, because it's an unregistered laptop? Or what if they've just released a patch that completely broke PvP and every dev and network tech they have is scrambling to find solutions, and doesn't have time to respond to the email?

You get ~11.5 million pissed off people is what you get, and probably lots of lost revenue. At least if the filter is in a firewall, blizz can opt to continue dumping the packets before they go out and investigate it when they free up the time and resources.

Now, I know that example is pretty out there, but I'm just illustrating a point with it. There's no real reason it can't be implemented in both places, but like I said, I'm not in favor of allowing ISPs to install filters.
Lealla
Class Leader
Posts: 3797

Post#34 » Wed Jan 21, 2009 7:54 pm

Obviously, the threshold would increase depending on the standard traffic from an ISP. And it would be given plenty of warning to redress the issue. I don't think that enforcing the policy on a local computer would work, because it would be too easy to compromise.

But the threat of losing Internet access completely is the only thing I can think of that's sufficiently harsh to get people to clean up their systems. That or criminal/civil penalties...