Comcast Warns Customers Suspected of Bot Infection
eldavojohn writes "Comcast is pushing a new program nationwide that warns customers if they might have a bot infection. It puts a semitransparent overlay on the top of the website you're viewing, warning you that you may have a bot installed if the provider detects botnet traffic from your residence. Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."
Re:Mixed feelings (Score:2, Informative)
FTFA:
Douglas said the bot intelligence is coming from Damballa, an Atlanta-based security company that monitors botnet activity and identifies botnet control networks. If Damballa spots a Comcast Internet address that is phoning home to one of these botnet command centers, Comcast’s system flags that customer’s address for a service notice.
Re:Mixed feelings (Score:5, Informative)
That's a good point, but the screenshot [krebsonsecurity.com] does look pretty reasonable. It could have been done a lot worse, but it looks like they're at least acknowledging the trust issue.
That being said, it's not difficult to figure out which ISP a certain IP belongs to and for someone to forge these things.
Re:Wait, what? (Score:5, Informative)
They do send an e-mail, at first. If the traffic continues unabated, they redirect port 80 traffic (only) through a proxy which adds the notice to the server response (the web page you request). It doesn't break or tamper with anything else.
Personally, I don't see a problem with this, since, if you're allowing botnet traffic, you're already abusing the TOS (with or without your knowledge -- and after the notice, certainly ignorance isn't an excuse), and as such you're not really entitled to "unbroken" service, or any service at all for that matter. I think providing this notice is a good compromise.
Rather than making a separate post, I also want to address one of the points in TFS: "Of course, if you have multiple machines running behind a router or modem then you're going to have a difficult time pinning down which machine might have the infection."
This is rather missing the point -- realistically, if any machine inside your network has been compromised, you should assume that the entire network has been compromised, and you should be inspecting/sanitizing/protecting all of the machines accordingly. You should likewise assume that all of your online accounts have been compromised, change your passwords from a trusted location, and check for any unauthorized activity.
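The detection and notice flow described in the article excerpt (C2 address list from a feed, flag the customer address) and in the comment above (e-mail first, then a port-80-only proxy notice) as a small worked model. This is added example code, not Comcast's, Damballa's or the commenter's; the flow-record format, the C2 addresses and the customer addresses are all constructed for the example.

```python
"""Toy model of the ISP-side logic: a flow to a known botnet C2 address flags
the customer address; the first hit triggers an e-mail, continued traffic
escalates to the port-80 HTML notice overlay. All data here is constructed."""
from dataclasses import dataclass

# Constructed indicator set, standing in for the C2 feed the article mentions.
C2_ADDRESSES = {"203.0.113.7", "198.51.100.250"}


@dataclass
class CustomerState:
    hits: int = 0
    notified_by_email: bool = False
    proxy_notice: bool = False


def parse_flow(line):
    """Constructed record format: '<timestamp> <src_ip> <dst_ip> <dst_port>'."""
    ts, src, dst, port = line.split()
    return ts, src, dst, int(port)


def evaluate_flows(lines, state=None):
    """Return (actions, state). Actions are (customer_ip, action) in order.
    A real deployment would use a grace window before escalating; this model
    escalates on the next C2 hit after the e-mail to keep the logic visible."""
    state = state if state is not None else {}
    actions = []
    for line in lines:
        _ts, src, dst, _port = parse_flow(line)
        if dst not in C2_ADDRESSES:
            continue  # ordinary traffic: never flagged, never inspected
        cs = state.setdefault(src, CustomerState())
        cs.hits += 1
        if not cs.notified_by_email:
            cs.notified_by_email = True
            actions.append((src, "email"))
        elif not cs.proxy_notice:
            cs.proxy_notice = True
            actions.append((src, "proxy-notice"))
    return actions, state


def should_inject_notice(state, customer_ip, dst_port, content_type):
    """The proxy rewrites only port-80 HTML responses for flagged customers;
    every other connection passes through untouched."""
    cs = state.get(customer_ip)
    return bool(cs and cs.proxy_notice and dst_port == 80
                and content_type.lower().startswith("text/html"))


# Constructed flow records: 192.0.2.10 beacons twice, 192.0.2.20 is clean.
SAMPLE_FLOWS = [
    "2010-10-04T10:00:00 192.0.2.10 203.0.113.7 6667",
    "2010-10-04T10:00:05 192.0.2.20 198.51.100.10 80",
    "2010-10-04T10:30:00 192.0.2.10 203.0.113.7 6667",
    "2010-10-04T11:00:00 192.0.2.10 198.51.100.250 443",
]
```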
Re:Wait, what? (Score:3, Informative)
I didn't say they don't deserve service, I said they don't have a right to it. What people deserve is only rarely related to what they get. Moreover, their presence on the network is necessarily degrading the experience for everyone else who's being responsible with their activity. Do responsible users *deserve* to be inundated with attacks from the machines of people who, for whatever reason, aren't "advanced user interested in computers and all things technical?" What if we were discussing dogs instead of computers? Would the behavior of their animals be justified by ignorance, incompetence, or apathy?
As I said I think an adequate balance is struck in this case -- there's no disruption of service, *especially* as far as the non-technical user is concerned, and as for erring on the side of caution (false positives) if you think that's a mistake, then I hope you're not an admin.
Re:Mixed feelings (Score:3, Informative)
This is no different than the telephone company "inspecting" the line for a 2600Hz tone when the phone was placed off hook. A lot can be done without looking at the content of the data.