
Knocking Infected PCs Off the Internet

Posted by samzenpus
from the and-stay-out dept.
nk497 writes "Malware could block your access to the internet – but in some cases by those on the right side of the security fence, who are deploying tactics such as blocked ports, letters in the mail and PCs quarantined from the net to combat the most damaging threats. The DNS Changer clean up saw some PCs prevented from accessing the web. Should such tactics be used more often to prevent malware from spreading — or is that taking security a step too far?"
  • by Howitzer86 (964585) on Monday September 03, 2012 @02:57PM (#41215307)

    My local university does this. It's actually a pretty good idea if it's done right. Of course, the other side of the reality is that in addition to knocking infected computers off of the internet, my university also knocks off computers suspected of internet piracy. If you torrent anything on campus, even a legitimate download, you have to go to the Computing Services office to explain yourself and get it back online.

    Our internet service providers are often our media providers. Comcast, AT&T, Time Warner, etc, are all interested in the idea of controlling your access to things like that, and if they're given free rein to scan your computer and knock it off the internet - they will certainly look for evidence of torrenting as well.

    • by Forty Two Tenfold (1134125) on Monday September 03, 2012 @03:07PM (#41215373)
      I used to do this in my dormitory some 7 years ago. My iptables-triggered scripts added the infected PCs to the squid ACL whose members' every web request was redirected to an information page that explained what happened and what to do. Well, some idiots claimed that I infected their machines on purpose to cut them off from the internet. You just can't fix the users, no matter how hard you try. The only solution I see is a mandatory license to use the electronics, akin to a driver's license. Believe it or not, the idiot user is not only a nuisance but a danger to others.
      • by shentino (1139071)

        You cannot stop spam without also stopping free speech, since both use the same methods to get their payload delivered. And at its heart, spam is just speech you don't want to hear, much like dissent is speech the government doesn't want to hear.

        There is no way for a computer to reliably distinguish the two, and the only people who can are also biased and have a vested interest in their own agenda.

        • by dreamchaser (49529) on Monday September 03, 2012 @09:30PM (#41218393) Homepage Journal

          You cannot stop spam without also stopping free speech, since both use the same methods to get their payload delivered. And at its heart, spam is just speech you don't want to hear, much like dissent is speech the government doesn't want to hear.

          There is no way for a computer to reliably distinguish the two, and the only people who can are also biased and have a vested interest in their own agenda.

          Bullshit. When spam is served up by compromising users' PCs and running a botnet, which is how most spam is sent, it has nothing to do with free speech. Want to send 1000 emails a day manually from your own PC? That's free speech.

          As for locking people out, I agree wholeheartedly. By now even mainstream media has run story after story that should open people's eyes to safe computing practices. If you get infected you should be cut off until you fix the problem.

          • by Culture20 (968837)

            You cannot stop spam without also stopping free speech, since both use the same methods to get their payload delivered. There is no way for a computer to reliably distinguish the two, and the only people who can are also biased and have a vested interest in their own agenda.

            Bullshit. When spam is served up by compromising users' PCs and running a botnet, which is how most spam is sent, it has nothing to do with free speech. Want to send 1000 emails a day manually from your own PC? That's free speech.

            And if you want to send 1,000,000 emails a day via script from your own PCs/hosted servers/etc, that's free speech too. And you might actually have 1,000,000 willing recipients of those emails. But network monitoring tools will still flag your machine.

          • by shentino (1139071)

            And just how do you expect to distinguish the two cases without peeking at the user's hard drive?

        • by vidarlo (134906)

          You cannot stop spam without also stopping free speech, since both use the same methods to get their payload delivered. And at its heart, spam is just speech you don't want to hear, much like dissent is speech the government doesn't want to hear.

          Yes, there is a difference. Free speech is legal, but breaking into the New York Times printing shop to print your opinion is illegal. Paying them for it is legal. Using other people's computers for sending spam without consent is illegal. Using your ISP's paid pipe for

      • by icebike (68054) *

        I used to do this in my dormitory some 7 years ago. My iptables-triggered scripts added the infected PCs to the squid ACL whose members' every web request was redirected to information page that explained what happened and what to do.

        Wait, you OWNED the router in your dorm? or did you merely Pwon it?

      • by bdwoolman (561635)

        The only solution I see is a mandatory license to use the electronics, akin to a driver's license. Believe it or not, the idiot user is not only a nuisance but a danger to others.

        I have often pondered the idea of an internet license. I reject it on philosophical grounds, especially since it would require that at some level one would be forced to forgo anonymity. But one would think it to be a great temptation to the US authorities at the state and federal level. Not to mention more-repressive governments elsewhere. You need a radio license. And a driver's license. And, depending on the state, a gun license. Then there is the hunting license, the fishing license, etc. An internet

      • While I sympathize... I can't agree to this. If you start relying on the government to hand out and enforce licenses to use basic technology - you're going to have bad people work around it, and the people affected negatively will be the ones who try to do the right thing. It's like DRM.
    • by girlintraining (1395911) on Monday September 03, 2012 @03:27PM (#41215507)

      My local university does this. It's actually a pretty good idea if it's done right. Of course, the other side of the reality is that in addition to knocking infected computers off of the internet,

      The problem is that detecting infected computers invariably requires some level of privacy intrusion, and possibly committing numerous felonies to probe the machine. That's why only large organizations do this; because they own all the machines and can dictate that policy. It's entirely another matter when the system isn't owned by you, and that's what's under discussion.

      The internet was designed to allow free and unfettered communication between any and all nodes. On the internet, every IP address was a peer to every other. But then corporations came, and they started walling things off, messing up the protocols, and trying to convert the internet to an asymmetrical content distribution network to push their wares. And then the government came in and offered protection to that corruption of the network. Then other countries joined with the same pattern of uptake; and now countries are starting wars or engaging in war-like acts with each other, all to answer the question: Who will control the internet?

      Given that, the question of whether you should be able to attack and offline other nodes on the network, for whatever reason, comes down to whether you believe you should have the same rights on the network as groups, organizations, corporations, and governments. The internet itself doesn't care which side you take -- you're just another peer, and all the ideologies now warring over control of it are heaped on top of it.

      If you're an old school hacker, the answer is obvious. If you're a 20-something, you probably accept intellectual property, and the idea that the internet can be owned (as a collective entity, as membership to, not as individual components).

      As an old-schooler, I will only say this: The Native Americans believed land couldn't be owned. It's a fine ideal. But the other guys had guns, and it didn't matter who was right, only who was left.

      • by khasim (1285) <brandioch.conner@gmail.com> on Monday September 03, 2012 @03:32PM (#41215543)

        The problem is that detecting infected computers invariably requires some level of privacy intrusion, and possibly committing numerous felonies to probe the machine.

        That depends upon what the infection is.

        In many cases, the infection is a worm that attempts to connect to other machines on known ports with known connection strings. This is how network-based Intrusion Detection Systems (IDS) work.

        • by rew (6140)

          A botnet is a nuisance because it DOES annoying things.

          If the botnet is instructed to send spam, you can detect computers sending "too much" email. If the botnet is instructed to DDoS a certain host, you can detect it sending the malicious requests.

          If a host in a botnet is a "sleeper", it doesn't matter much if you firewall it off. But the hosts doing the malicious, detectable stuff should be firewalled off.

          The problem is that if a botnet consists of 2 million computers, and the spammer wants to send off 2

      • by amorsen (7485) <benny+slashdot@amorsen.dk> on Monday September 03, 2012 @03:39PM (#41215581)

        The problem is that detecting infected computers invariably requires some level of privacy intrusion, and possibly committing numerous felonies to probe the machine.

        In many cases it doesn't. Sometimes it just requires noticing that one customer is responsible for 30% of all traffic flows in a particular core router. You can call that privacy intrusion, but in most of Europe doing flow monitoring is mandated by law, so you might as well run statistics.

        And yes, the ISP I work for has in a few cases blocked customer traffic from infected machines. It is a medium-sized ISP, so that can be done without angering the infected customers. It can be difficult to get hold of the right people at the customer, and the large ISPs probably only have billing contacts for most customers.

        • by DarkOx (621550)

          It's all a matter of degree as to whether it's a privacy violation. I think there are some bright lines though.

          If all you're doing is statistics on traffic flows and ports used, that is OK. It's just like the real world: when you send mail from your house you expect the postal carrier will know who the addressee is, but you would not expect them to know anything about the content of a sealed envelope.

          Certainly if you make any attempt to break into an encrypted flow, you have crossed the privacy line. I would say on

      • by FaxeTheCat (1394763) on Monday September 03, 2012 @04:14PM (#41215837)

        The problem is that detecting infected computers invariably requires some level of privacy intrusion, and possibly committing numerous felonies to probe the machine. That's why only large organizations do this; because they own all the machines and can dictate that policy. It's entirely another matter when the system isn't owned by you, and that's what's under discussion.

        The company I work for blocks computers with certain malware off the network, and also blocks computers running torrents (after which you get a polite visit from the IT department). It does this ONLY through network traffic analysis. Viruses/malware need to create network traffic to spread. Also many of them contact a "home" server. There is a rootkit out now which is only detectable through network analysis. No intrusion on the PC. Just looking at network packets.

      • Not necessarily. For example, you could discover a lot of malware that tries to spread because it has outbound traffic to addresses that are not in your routing table. You could also detect traffic to known botnet command nodes, rogue DNS servers, etc.

        Sure, there is also malware you can't detect, but even for some of these you can get trustworthy data, and if not you just don't do anything.
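The purely network-side checks raised in this subthread (amorsen's "one customer owns a disproportionate share of flows", rew's "too much email", khasim's known ports, and the unrouted-destination and rogue-DNS points above) can be expressed as one screening pass over flow records. This is an added example, not code from any commenter or ISP; the thresholds, prefixes, rogue-server address and flow records are all constructed.

```python
"""Screen flow records for hosts that look infected, using only flow metadata.

Added example (not from the thread). Each check mirrors a claim made in the
discussion: share of all flows, outbound SMTP volume, destinations in
address space the ISP has no route for, and contact with known rogue servers.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed: prefixes the ISP actually has routes for (documentation ranges).
ROUTED_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]
# Constructed placeholder for a known rogue DNS / C2 address (DNSChanger-style).
ROGUE_SERVERS = {"198.51.100.53"}


def build_sample_flows():
    """Constructed flow records: (src, dst, dst_port)."""
    flows = []
    # 192.0.2.10: ordinary HTTPS browsing, should not be flagged
    flows += [("192.0.2.10", "203.0.113.80", 443)] * 3
    # 192.0.2.20: outbound SMTP to a dozen different mail servers (spam bot pattern)
    flows += [("192.0.2.20", f"203.0.113.{n}", 25) for n in range(100, 112)]
    # 192.0.2.30: SMB probes into 240.0.0.0/4, which is reserved and never routed
    flows += [("192.0.2.30", f"240.0.0.{n}", 445) for n in range(1, 6)]
    # 192.0.2.40: resolver traffic to the constructed rogue DNS address
    flows += [("192.0.2.40", "198.51.100.53", 53)] * 2
    return flows


def screen(flows, routed=ROUTED_PREFIXES, rogue=ROGUE_SERVERS,
           share_limit=0.30, smtp_limit=10, unrouted_limit=3):
    """Return {src: [reasons]} for every source that trips at least one check.

    Only the 5-tuple-level metadata is used: no payload, no host access.
    """
    routed_nets = [ip_network(p) for p in routed]
    total = len(flows)
    per_src = Counter(src for src, _, _ in flows)
    smtp = Counter(src for src, _, port in flows if port == 25)
    unrouted = Counter(src for src, dst, _ in flows
                       if not any(ip_address(dst) in net for net in routed_nets))
    rogue_hits = defaultdict(set)
    for src, dst, _ in flows:
        if dst in rogue:
            rogue_hits[src].add(dst)

    reasons = defaultdict(list)
    # amorsen: one customer responsible for a large fraction of all flows
    for src, n in per_src.items():
        share = n / total
        if share > share_limit:
            reasons[src].append(f"{share:.0%} of all flows")
    # rew: a host sending "too much" email
    for src, n in smtp.items():
        if n > smtp_limit:
            reasons[src].append(f"{n} outbound SMTP connections")
    # unrouted destinations: spreading malware probing address space with no route
    for src, n in unrouted.items():
        if n >= unrouted_limit:
            reasons[src].append(f"{n} flows to unrouted address space")
    # known rogue DNS / command nodes
    for src, dsts in rogue_hits.items():
        reasons[src].append("contacted known rogue server(s): " + ", ".join(sorted(dsts)))
    return dict(reasons)


if __name__ == "__main__":
    for host, why in sorted(screen(build_sample_flows()).items()):
        print(host, "->", "; ".join(why))
```

Flagging a host here is a candidate for notification or quarantine, not proof of infection; the 30% and SMTP thresholds in particular will also catch the legitimate listserv or mail relay pla mentions further down, which is why a human contact step belongs after this output.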

      • by shentino (1139071)

        Detecting an infected computer requires a judgement call that cannot be taken away from the blatant conflict of interest possible with those who could enforce it.

        • Re: (Score:3, Insightful)

          by icebike (68054) *

          What?

          That makes no sense, even at the level of basic English sentence structure, let alone in the real world.

      • The Native Americans believed land couldn't be owned. It's a fine ideal. But the other guys had guns, and it didn't matter who was right, only who was left.

        That's a pretty compelling case for accepting the idea of intellectual property. If the good guys don't assert ownership and control then the bad guys certainly will. The thing is, not everyone agrees on who the good guys are...

      • It does give pause for thought. I was reading about how you guys had meetups where you traded software and designs in the old days. The people were like Wozniak, they didn't have an interest in making money, only doing something cool and having fun. As nice as that is, and being the 20-something that I am, I totally understand where Bill Gates was coming from when he appealed to that crowd to stop pirating software.

        It should have probably ended there. A bit of a reminder so that people know that they wer

    • by Anonymous Coward

      I do tech support for one of the ISPs you mentioned, and you know what one of the first comments we hear most often from infected customers is? 'Why didn't you stop this from happening?' Everyone wants us to protect them from the bad, but do it in a way that they can continue to be reckless. We don't currently block infected machines, but if we see bot-like activity we email them.

      As to the torrenting, we will work with a customer to port forward their router, even if it's to get their torrent client working.

    • by hairyfeet (841228)

      The problem with this is that your ISP, not any kind of neutral authority, gets to decide what is "infected" and what isn't. I had to finally threaten to sue to get my money back from a local WISP because they kept screaming "U r teh infected!" and turning me off, so finally I marched down there, threw my Xandros business laptop on the table and said "okay smartass, show me this infection" and what did they do? Try to install Norton on Linux! Basically to them anyone who didn't match the usage pattern of you

      • by DarkOx (621550)

        My suggestion: Clean the system again, preferably a fresh install. Flash the router with its latest firmware (downloaded from another location); this way if its image has been compromised it should get overwritten. Configure the router (before you put it back online) to drop any traffic OUTBOUND that is not 80 or 443. Sounds like this person only really used the web. If it's possible, log all the outbound connections; you might stand up another box to host the log server. That box could be any old PC but

      • by Nethead (1563)

        Just a guess but maybe coming in via IPv6?

      • Years ago a friend ran into the "gnat's ass" virus. It embedded itself into everything: executables, the MBR, even the BIOS. Wiping the machine didn't dislodge it. If your client got infected by a variant, he's got problems. At the time, my buddy had to boot and run Norton from a rescue disk with the /force option on, and even then had to re-start it 7 times before it finally got that crap out of his BIOS. You may have to swap the motherboard and HDs to get a grip against this monster. Don't forget to check

      • by Culture20 (968837)

        So I did the usual recommendations, change passwords, scan PC

        Wrong order, and not specific enough regarding the scanning. Don't change passwords on a suspect machine; keyloggers make changing passwords pointless. Don't malware/AV scan from a suspect machine (or from anything but a known-good machine), because rootkits make local AV scanners pointless while the infected OS is running. It's often best to back up, then nuke the OS. Never reinstall from an HDD-based "restore". It could be infected too. If scanning is warranted (too much work to rebuild the system), ta

    • by xenobyte (446878)

      My local university does this. It's actually a pretty good idea if it's done right. Of course, the other side of the reality is that in addition to knocking infected computers off of the Internet, my university also knocks off computers suspected of Internet piracy. If you torrent anything on campus, even a legitimate download, you have to go to the Computing Services office to explain yourself and get it back online.

      So if you do nothing wrong but happen to use a protocol they don't like, they still cut you off? - This means that you're presumed guilty until proved otherwise, and that is morally and ethically wrong.

      This is certainly a violation of your civil rights but can be legal when kept within a university campus whose network can be considered private. As long as they don't prevent you from having a personal network connection in parallel with the one offered by the university, I'd say it's legal.

    • They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety.

      Read that. Then memorize it. Then never forget. Please. Thanks.

  • by Anonymous Coward on Monday September 03, 2012 @02:58PM (#41215313)

    because it will drop the IE part in the browser statistics to zero... :-)

  • by fustakrakich (1673220) on Monday September 03, 2012 @02:59PM (#41215319) Journal

    This will be abused. Life is too short to list how and why. Let's just say that people will be knocked off (up?) for expressing something "offensive". Feel free to define that as you wish. The authorities and fanbois will.

    • by pla (258480) on Monday September 03, 2012 @03:41PM (#41215599) Journal
      This will be abused.

      No kidding, it stuns me that anyone would even consider allowing this as a precedent.

      Two major problems, as I see it:

      First, how do you know my PC doesn't mean to send out thousands of emails an hour? That may come from an infection; I could work as a (semi-legitimate) spammer; or perhaps it just means I run a large listserv. How do you know that I don't mean to port-scan thousands of IPs per hour? That could come from an infection; I could work as a researcher collecting vulnerability statistics; or I might work as a consultant paid to do penetration testing for dozens of companies on an ongoing basis. Opting for a "solution" that would also block legitimate activity counts as a great big "no-no".

      Second, who gets to define "malware"? The major ISPs in the US would love to have even the thinnest possible excuse to outright ban P2P traffic; for an example, look at what happened to NNTP - Once considered a "must-have" ISP service, as soon as Cuomo gave them an out (on the basis of a mere 88 out of 80k groups), they all ditched their USENET servers ASAP. And aside from the opportunity to ban legitimate but undesirable traffic, try explaining to Grandma that the "coupon program" she keeps reinstalling can and will use her machine like a Colombian prostitute. Some people will choose to use spyware, even knowing that fact, for whatever service it provides them; should the ISPs have the right to tell an adult what they can and can't do online?

      All that said, I would still like to see it made legal to hunt down and painfully kill malware authors and spammers. Fix the problem at the source, not the destination.

      • All that said, I would still like to see it made legal to hunt down and painfully kill malware authors and spammers. Fix the problem at the source, not the destination.

        I'm sure everyone would be queuing for flights to ex russian states!

      • by FaxeTheCat (1394763) on Monday September 03, 2012 @04:18PM (#41215865)

        First, how do you know my PC doesn't mean to send out thousands of emails an hour? That may come from an infection; I could work as a (semi-legitimate) spammer; or perhaps it just means I run a large listserv. How do you know that I don't mean to port-scan thousands of IPs per hour? That could come from an infection; I could work as a researcher collecting vulnerability statistics; or I might work as a consultant paid to do penetration testing for dozens of companies on an ongoing basis. Opting for a "solution" that would also block legitimate activity counts as a great big "no-no".

        Actually, my terms of service forbid most of what you describe. Want to do that? Get a business subscription.

      • by rossjudson (97786)

        All of the activities you mention are fine if not conducted anonymously. It's anonymity that's the problem. Given that, it makes sense to block certain anonymous behaviors. Want to not get blocked? Sign a key with a valid chain demonstrating you're willing to attach your name and/or company to your actions.

      • should the ISPs have the right to tell an adult what they can and can't do online?

        That depends on whether the adult is causing others online harm.

        If you were a security researcher doing unsolicited penetration testing, throwing little stones at the wall of a building to see if one might break through a weak spot (like an open window... or accidentally smashing a window), you should expect to be sued by the owner of the building for any damage you cause and to be charged with willful damage.

    • by dropadrop (1057046) on Monday September 03, 2012 @03:55PM (#41215699)

      This will be abused. Life is too short to list how and why. Let's just say that people will be knocked off (up?) for expressing something "offensive". Feel free to define that as you wish. The authorities and fanbois will.

      Well, the current situation is definitely abused... Now the question of course is what kind of a solution is used to treat the problem, but personally I'd like to be notified if I had a contagious disease that I did not know about and could be harmful for me too.

      Here's how one ISP handled it: http://www.net-security.org/article.php?id=1703 [net-security.org]

    • Re: (Score:2, Interesting)

      The problem is that allowing infected machines to remain connected also has the potential to be abused. Governments are already releasing malware onto the Internet to further their political aims, and they are able to do so because machines that have malware running are not being denied access.

      The problem is that we took a network designed by and for people who all trust each other, and allowed a bunch of untrustworthy, greedy, and politically ambitious people to run wild with it. I would like to say w
  • by TWX (665546) on Monday September 03, 2012 @03:01PM (#41215333)
    ...the ISP provides the only outbound connections as solutions to the problem, or only blocks those methods by which that particular detected malware spreads. Additionally the system must assume clean and only cut off for a limited time and automatically assume clean again. Without those protections the system would be ripe for abuse including using the claim of malware to restrict groups.

    In short, I don't think that it'll work. If it would, we wouldn't have a malware problem in the first place.

    Can someone explain how software developers aren't at least partially legally responsible for their faulty software allowing maliciousness to spread through them in the first place?
    • It's a Turing Oracle problem. There's no way to know all the things a system can do without testing every possible situation.

      It's impossible to make a bugproof program of any real use, or any nontrivial complexity.

      • by Hizonner (38491)

        The cases that prove that program property X is undecidable and program property Y is superexponential to determine are almost universally pathological ones that nobody would want to do anyway. When they're not, they can often be worked around.

        You CAN prove useful things about large classes of bugs in programs. No, you can't prove those things about every program you can run on a Turing machine, but that's irrelevant, and clinging to it causes serious defeatism that sets back the field. You don't have to be

        • by Hizonner (38491)

          Oh, yeah, and to take it back to the topic, the question of whether some random black box computer is infected with something is also undecidable. And, worse, impractical to even make a good guess at.

  • by Revotron (1115029) on Monday September 03, 2012 @03:04PM (#41215349)
    ...In other unrelated news, when I had tuberculosis all the restaurants in my area kicked me out when they found me coughing on their salad bars. How dare they stifle my freedoms! Police state!
  • ... with the "Your idea won't work because ..." checklist?

    • by gmhowell (26755)

      Here you go [craphound.com]. Fill it out yourself:

      Your post advocates a

      ( ) technical ( ) legislative ( ) market-based ( ) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      ( ) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able t

  • by someones (2687911) on Monday September 03, 2012 @03:15PM (#41215421)

    Why publicly introduce censorship, if you can call it "computer infected by malware"?
    'nuff said.

    • by Nidi62 (1525137)
      So is quarantining people infected with Ebola infringing on their free speech then?
      • by amorsen (7485)

        So is quarantining people infected with Ebola infringing on their free speech then?

        Of course it is, assuming they don't get to communicate (most are probably too busy trying not to die though).

        Sometimes infringing on free speech is necessary. The question is simply where the line is.

      • So is quarantining people infected with Ebola infringing on their free speech then?

        It is when you claim they have Ebola just to shut them up.

    • Wouldn't it be great if nobody who criticized the government could send their message to anyone who is not already a dissident? Let's write a worm that checks what people are writing, then hides from them the fact that only fellow dissidents are seeing their emails/usenet posts/facebook feeds!
  • The proper way (Score:5, Interesting)

    by Teun (17872) on Monday September 03, 2012 @03:17PM (#41215427) Homepage
    I think it is only proper for ISPs to limit spreading of viruses or engagement in things like phishing.

    My ISP xs4all.nl, one of the most reputable when it comes to internet freedom, will shut a subscriber's net access down when there is good indication of infection.
    The way they do it is smart, you get a mail on your administrative account and you are diverted to a message explaining why you can only access the net via the ISP's own proxy.
    The last is to give you a chance to get on-line help or updates.
    Once you can convince the helpdesk you have cleaned up your computer(s) they'll switch you back on.
    The helpdesk is also very helpful to the clueless on how to clean up their computer.

    • by Yaa 101 (664725)

      They are my ISP too, and I had the same thing happen.

      Their helpdesk is the only non-scripted helpdesk at a Dutch ISP; they take the time it takes to solve the problem, instead of playing hide and seek while blaming their customers like most other companies do.

  • by SuperKendall (25149) on Monday September 03, 2012 @03:18PM (#41215433)

    The thing is, a malware infected system that is attacking other systems is broken - just usually in a way the user of that system does not notice.

    But broken it is, and all blocking/damaging the system does is make it apparent to the user of that system that it is broken, so that they can fix it (or buy a new system).

    It's yet another reason why backups are very important...

  • If it's possible to detect with a relatively high degree of certainty that a given customer's account is being used by a machine that's infected then I very much support turning them off and giving them a phone call/email/letter. But that's (potentially) a big if.
  • by DarkOx (621550) on Monday September 03, 2012 @03:28PM (#41215517) Journal

    The DNS Changer clean up saw some PCs prevented from accessing the web.

    No, the malware would have done that after the fraudulent DNS servers got shut down. DNS Changer is a case where COMPROMISED SYSTEMS WERE ACTIVELY KEPT ON THE NETWORK; what should have been done is those machines should have been allowed to fail to resolve hosts after the fake DNS servers were shut down. That would have had them fixed literally months sooner.

    • Bingo. I really don't get the logic behind allowing the users of the infected machines to remain oblivious to the problem for so long (up to several years). Where there's one infection, there's likely to be more (especially given that DNSChanger also blocked anti-virus updates). Treating the symptom instead of the root cause is rarely a good idea.
  • by Yaa 101 (664725) on Monday September 03, 2012 @03:28PM (#41215519) Journal

    My ISP, xs4all blocks my connection automatically when trojans or other malware starts to make outbound connections.
    I know this as I am responsible for several people on this connection, one of them connected a laptop which triggered this.

    When this happens all my ports are closed at the ISP and I get a notice to connect to their proxy server so that I can download protective means.
    When I solve the issue I get a checkup and after that all goes well, the ports are reconnected.
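Several posts describe the enforcement side of this: Forty Two Tenfold's squid ACL that redirects quarantined hosts to an information page, DarkOx's "drop everything outbound except 80/443", TWX's requirement that a cut-off expire automatically, and xs4all's closing all ports while leaving the ISP proxy reachable for updates. The policy below ties those together as one walled-garden decision function; it is an added example, not xs4all's or any commenter's code, and the addresses, allowlist and quarantine period are constructed.

```python
"""Walled-garden quarantine policy with automatic expiry.

Added example (not from the thread). A quarantined host keeps only what it
needs to get help (ISP information page, proxy/update mirror); web requests
are redirected to the information page, everything else is dropped, and the
quarantine lapses by itself so a false positive cannot become a permanent ban.
"""
import time
from dataclasses import dataclass, field

INFO_PAGE = "198.51.100.10"                       # constructed: "you are quarantined" page
HELP_ALLOWLIST = {"198.51.100.10", "198.51.100.20"}  # constructed: info page, update proxy
QUARANTINE_SECONDS = 7 * 24 * 3600                # constructed: one week, then assume clean


@dataclass
class Quarantine:
    """host -> (expires_at, reason). Time is passed explicitly so it is testable."""
    entries: dict = field(default_factory=dict)

    def add(self, host, reason, now=None, ttl=QUARANTINE_SECONDS):
        now = time.time() if now is None else now
        self.entries[host] = (now + ttl, reason)

    def release(self, host):
        """Helpdesk confirmed the clean-up: switch the customer back on."""
        self.entries.pop(host, None)

    def is_quarantined(self, host, now=None):
        now = time.time() if now is None else now
        entry = self.entries.get(host)
        if entry is None:
            return False
        if now >= entry[0]:
            self.release(host)  # TWX's point: expire and assume clean again
            return False
        return True

    def decide(self, host, dst, dport, now=None):
        """Return the action for one connection attempt: ALLOW, REDIRECT:<ip>, or DROP."""
        if not self.is_quarantined(host, now):
            return "ALLOW"
        if dst in HELP_ALLOWLIST:
            return "ALLOW"                        # xs4all-style: help and updates stay reachable
        if dport in (80, 443):
            return f"REDIRECT:{INFO_PAGE}"        # squid-ACL-style: explain what happened
        return "DROP"                             # everything else, e.g. SMTP from a spam bot


if __name__ == "__main__":
    q = Quarantine()
    q.add("192.0.2.20", "outbound SMTP flood", now=0)
    for dst, port in [("203.0.113.80", 443), ("203.0.113.100", 25), ("198.51.100.20", 443)]:
        print(dst, port, "->", q.decide("192.0.2.20", dst, port, now=0))
```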

  • Hell no. (Score:4, Insightful)

    by PopeRatzo (965947) on Monday September 03, 2012 @03:32PM (#41215545) Homepage Journal

    Let's not bullshit around here. The idea of kicking people off the Internet because of "malware" is about the opposite of security.

    We've already had the RIAA and MPAA try to portray any copied media as malware. There are hacks that will allow you to play your legitimately purchased game without having to have the disk in the drive that are seen as malware by the major antivirus software.

    How many times over the years have you had to tell your antivirus software to ignore a false positive? What if you'd been thrown off the Internet every time that happened? How long before the big content providers start using this approach to create an ad hoc "two strikes" policy? Or "one strike"?

    Now how about if Comcast decides that if your system is kicked off the Internet for having "malware" that they won't let you use your broadband connection until they are allowed to scan your system remotely?

    Anything that smacks of this kind of centralized, or even potentially centralized control is bad news. Even if it's not centralized now, you know it will be if Comcast (and others) have their way.

    Look, just provide broadband to my house. I'll protect myself and you protect yourself. Unfortunately, the days of just getting "plain old broadband" to your house and then being left alone seem to be dwindling. More and more our use of the Internet is being monitored, tracked. How long before we're knocked off if we don't allow ads in our browsers? Maybe they'll declare ad-block to be "malware".

    • by shentino (1139071)

      Which is rather ironic when you remember the BMG rootkit scandal.

  • by Truekaiser (724672) on Monday September 03, 2012 @03:36PM (#41215565)

    Who defines what is malware if this happens?
    I have no doubt that if the ISP in question is also a media company, programs that access the internet and belong to their competitors 'might' occasionally be flagged as malware.
    I can also see that alternative OSes could theoretically be flagged as such.

    But above 'all', how could they determine if malware is installed simply from the ISP side, without requiring special programs on their customers' PCs to access their services?

  • responsibility (Score:4, Interesting)

    by tverbeek (457094) on Monday September 03, 2012 @03:39PM (#41215583) Homepage

    Back in olden days, this went without saying. If your system was infected with a worm and you didn't take prompt action to clean it up, you were disconnected from the net. Likewise with other conduct unbecoming of a host on the internet, like forging Usenet cancels or sending spam. After all, access to the Internet was a privilege, not a right. A college with net access was expected to police its users, the university or cooperative that provided the college with access was expected to police them, and so on. There was a chain of responsibility all the way from the end-user to the backbone. That all changed over the course of the 1990s, as the Internet was opened to anyone with an adequate checking account, and the proliferation of commercial ISPs made it trivially easy for a cracker to move from one account to another, so the threat of being banished from the net lost its teeth.

  • Dumb pipe (Score:4, Insightful)

    by Oceanplexian (807998) on Monday September 03, 2012 @03:40PM (#41215593) Homepage
    It really depends on where the "knocking off" happens. If the FBI knocks off some bot's C&C network, then it's fair game. If an ISP were to start blocking ports, addresses, etc., for "spam" reasons, it's the start of a slippery slope. I've always been against sender-side spam mitigation for this exact reason.

    Yes, spam/bots are annoying as hell, but it's not the ISP's responsibility. Anything less threatens the very nature of the Internet as an open platform.
  • many blocked users will just buy another computer and get infected again. Education is really the key to fixing this, but I have no idea how we could realistically educate everyone (requiring a license to use the internet is not realistic).
    • by shentino (1139071)

      Simple.

      Treat spam as spam no matter who is sending it.

      If you get credible complaints, shut the user's access down, period.

      Users who are willfully blind to computer security are aiding and abetting.

      • Well that works great when the idiots live alone, work alone etc. ... but when people have to share a network with idiots, it doesn't quite work out.

        What if someone takes an infected computer to Starbucks - no one can get internet access at Starbucks anymore? What if a person takes computer security very seriously but their mother/father/wife/etc. just doesn't understand? What if, in a work situation where people take their work laptops home with them, someone manages to get infected over the weekend and
  • Some of the responses I'm seeing so far from other Slashdotters are amazing given the support towards Net Neutrality. You do not get to determine what is "malicious" from your point of view and decide whether to keep it on or off the Internet. It gets sent out, period.

    - If my home ISP, workplace, campus connection, etc. has in writing via a TOS they can quarantine me from the rest of the internet for being contagious, I'm good with that.
    - If said home ISP, workplace, campus connection, etc. suddenly decide

  • by LourensV (856614) on Monday September 03, 2012 @03:53PM (#41215685)

    We don't let people drive unsafe cars on the roads, or connect non-FCC certified equipment to the telephone network, or fly uninspected airplanes over other people's rooftops, so why should we let infected computers onto the Internet?

    If it's clearly infected, you quarantine it and make sure all that can be accessed from that machine is instructions on how to remove the infection, updates for virus scanners, etc. Basic common sense.

  • I once accidentally connected an unprotected, unpatched Windows machine to the internet--it was a test machine that was not supposed to ever be connected to the wider network. I got an email from my ISP complaining about it and informing me that they'd cut off its access. The only anger I felt was at myself for having screwed up. My ISP did the right thing, isolating the damage from my mistake to within my own network.

  • by WaffleMonster (969671) on Monday September 03, 2012 @03:54PM (#41215695)

    Yes, for all cases like DNS Changer the best thing to do is take any C&C systems offline and make no attempt to mitigate any side effects. LEA caused countless thousands to go on about their daily activities with compromised systems and not know about it. Shutting off the damn C&C would have immediately caused these people to realize they were hacked or hire someone to determine the same. Instead, continuing to run the DNS service hid this fact, potentially unnecessarily endangering people with compromised systems.

    Now if the question is should you deliberately disconnect someone from the Internet if you don't like or suspect the packets they are sending, the answer is hell no.
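The point of the post above is that a substitute resolver hid the infection from its victims. An owner or ISP could instead check for it directly, as in this added example, which is not code from the original thread: it parses resolv.conf-style text and reports any configured nameserver that falls inside the address ranges the FBI's DNSChanger notice listed for the rogue resolvers. The ranges are reproduced from memory of that notice and should be verified against the current reference before use; the sample resolv.conf is constructed for the example.

```python
"""Check configured DNS resolvers against the rogue DNSChanger ranges."""
import ipaddress
import re

# Address ranges of the rogue DNSChanger resolvers, as listed in the FBI's
# DNSChanger notice. Verify against the current reference before relying on it.
DNSCHANGER_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",
    "67.210.0.0/20",
    "93.188.160.0/21",
    "77.67.83.0/24",
    "213.109.64.0/20",
    "64.28.176.0/20",
)]

# resolv.conf lines look like "nameserver 1.2.3.4"; comments and other
# directives (search, options) are ignored.
NAMESERVER_RE = re.compile(r"^\s*nameserver\s+(\S+)")


def parse_resolvers(resolv_conf_text):
    """Return the resolver addresses listed in resolv.conf-style text, in order."""
    resolvers = []
    for line in resolv_conf_text.splitlines():
        match = NAMESERVER_RE.match(line)
        if match:
            resolvers.append(match.group(1))
    return resolvers


def rogue_resolvers(resolvers, ranges=DNSCHANGER_RANGES):
    """Return (resolver, matching_range) for each resolver inside a rogue range.

    Entries that are not valid IP addresses are skipped rather than reported,
    so a malformed line cannot masquerade as a clean result.
    """
    found = []
    for resolver in resolvers:
        try:
            ip = ipaddress.ip_address(resolver)
        except ValueError:
            continue
        for net in ranges:
            if ip in net:
                found.append((resolver, str(net)))
                break
    return found


def check_resolv_conf(resolv_conf_text):
    """Convenience wrapper: parse the text and return the rogue hits."""
    return rogue_resolvers(parse_resolvers(resolv_conf_text))


# Constructed sample: a resolv.conf as a DNSChanger victim might have had it,
# with one rogue resolver listed ahead of a legitimate public one.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.lan
nameserver 85.255.112.36
nameserver 8.8.8.8
"""

if __name__ == "__main__":
    hits = check_resolv_conf(SAMPLE_RESOLV_CONF)
    if hits:
        for resolver, net in hits:
            print(f"ROGUE resolver {resolver} (in {net})")
    else:
        print("no DNSChanger resolvers configured")
```

On a live system, feed it the contents of /etc/resolv.conf (or the resolver list from your OS's equivalent). Because the rogue resolver answers queries normally, this check is the only thing that distinguishes a victim from a clean host from the victim's own point of view; a replacement resolver run by law enforcement removes even that signal.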

  • what about false positives? Norton and McAfee had issues with that.

    Now think of how bad it can be if, say, Windows-based systems got flagged and kicked off.

    • It is not as though you will be shot in the head if malware is detected. You call up your ISP and ask to know what happened, they explain, and then you tell them that you were running some application that is not actually malware, and you should get reconnected, at least in theory. In practice, things are probably going to be a bit different, but again, this is not permanent.
      • That is, if you get stuck with the call center script readers, who may just say "reload your OS", or maybe even say "delete the app called Windows Explorer" (talking about the system one), as they may just need the name of the flagged app; or they may say "as part of your ISP account you get Norton Security Suite for free, so install that and run a scan", even when, say, Microsoft Security Essentials is way better.

  • Stupid (Score:4, Interesting)

    by KalvinB (205500) on Monday September 03, 2012 @04:46PM (#41216081) Homepage

    My ISP cut off my internet connection after accusing me of spamming while providing no evidence that I was. I blocked port 25 at my router but that wasn't good enough for them. Since I couldn't connect to the internet I couldn't install any sort of anti-malware software. And once I did, I found it wasn't infected with anything. And I never got anything from my ISP showing what was going on.

    They wanted to have a tech come in and check things out and have third party validation that my computers were clean. I told them the only tech coming in my house would be a competing ISP. And they could pound sand if they thought I was going to pay someone to inspect my computer which I need running and on-line to do my job of web development.

    All without any actual documentation to show what they were accusing me of. They didn't even contact me before shutting off my internet to see if we could do a quick fix if needed. It's a good thing their competitor is Century Link (previously known as Qwest).

    The only reason I got quick resolution is because they had a local office I went to and started in on them there. Their phone support kept trying to pass me off and just refused to do anything. They had customers hearing about how they just shut off my internet connection for no reason and with no warning so that was a bit of motivation for them to stop being morons.

    I really hate that Qwest is the only competitor. I unblocked port 25 recently and if they give me grief again I'm done since there's no other option. Turns out, sites in progress have various email features that need to be checked.

  • So other than Windows Defender Offline, what live CDs are available that can be updated without downloading a full disc EVERY TIME?

    (bonus if you can load the payload onto flash media for systems without a ROM drive and Double Bonus if a single copy can do both 32 and 64 bit)

    Why did AV publishers stop doing live install CDs?

    • by Guppy (12314)

      Why did AV publishers stop doing live install CDs?

      They realized it was cutting into the recurring subscription fees for installed AV packages, which are a major source of their revenue (this includes most free AV companies also, as they try to up-sell you on premium subscriptions). Microsoft is an exception, since their AV business mainly serves as a method of defending their core OS business.

  • What they should be doing is random monitoring of packets looking for malware coming across. Once they locate one of the systems as having malware, they could simply give the PC a local address and re-direct all output to a master system that will then notify the system on HTTP request that it is infected.
    By taking such an action, they simply bump off infected systems until they clean it up, or call the ISP's help desk and prove that it is NOT malware.

    By the same token, if an ISP notices that a system is
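The quarantine scheme sketched in the post above (and the xs4all walled garden and "quarantine it and allow only removal instructions" posts earlier in the thread) comes down to two pieces: a detector that decides a host is infected, and a policy that lets that host reach only remediation resources and a notice page. The following is an added example, not code from any poster or ISP, modelling both in Python; the portal address, remediation proxy range, resolver, sinkhole range, SMTP fan-out threshold and the flow records are all constructed assumptions. In practice the policy would be enforced in the ISP's access router or firewall rather than in Python, and HTTPS cannot be redirected to a notice page without a certificate warning, so the policy drops it instead.

```python
"""Walled-garden quarantine: flow-based detection plus a per-connection policy.

All addresses and thresholds below are assumptions for this example.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

PORTAL_IP = "192.0.2.10"                 # serves the "you are quarantined" notice
RESOLVER_IP = "192.0.2.53"               # ISP resolver; DNS must keep working
REMEDIATION_ALLOWLIST = (                # reachable while quarantined
    ip_network("192.0.2.10/32"),         # the notice portal itself
    ip_network("198.51.100.0/24"),       # ISP proxy for AV/OS update downloads
)
SINKHOLES = (ip_network("203.0.113.0/24"),)  # assumed known-C&C / sinkhole range
SMTP_FANOUT_LIMIT = 20                   # distinct SMTP peers before we call it spam


def _in_any(addr, networks):
    ip = ip_address(addr)
    return any(ip in net for net in networks)


def detect_infected(flows):
    """flows: iterable of (src, dst, dport). Returns {src: reason}.

    Two signals only: a connection into a sinkhole/C&C range, or an SMTP
    fan-out typical of a spam bot. Both are explainable to the customer.
    """
    smtp_peers = defaultdict(set)
    infected = {}
    for src, dst, dport in flows:
        if _in_any(dst, SINKHOLES):
            infected.setdefault(src, f"contacted known C&C address {dst}")
        if dport == 25:
            smtp_peers[src].add(dst)
    for src, peers in smtp_peers.items():
        if len(peers) >= SMTP_FANOUT_LIMIT:
            infected.setdefault(src, f"SMTP to {len(peers)} distinct hosts")
    return infected


class Quarantine:
    """Tracks quarantined hosts and decides what each new connection may do."""

    def __init__(self):
        self.hosts = {}  # src address -> reason, shown on the notice page

    def add(self, host, reason):
        self.hosts[host] = reason

    def release(self, host):
        """Called after the clean-up checkup; the host gets its ports back."""
        self.hosts.pop(host, None)

    def decide(self, src, dst, dport):
        """Return (verdict, detail) where verdict is ALLOW, REDIRECT or DROP."""
        if src not in self.hosts:
            return ("ALLOW", "not quarantined")
        if dst == RESOLVER_IP and dport == 53:
            return ("ALLOW", "DNS to ISP resolver")
        if _in_any(dst, REMEDIATION_ALLOWLIST):
            return ("ALLOW", "remediation allowlist")
        if dport == 80:
            return ("REDIRECT", PORTAL_IP)   # plain HTTP can be steered to the notice
        return ("DROP", self.hosts[src])     # HTTPS and everything else: no redirect possible


def notice_response(host, reason):
    """The HTTP response the portal returns to a redirected quarantined host."""
    body = (f"Host {host} has been quarantined: {reason}.\n"
            f"Update your OS and antivirus via the remediation proxy, then contact support.\n")
    return ("HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


# Constructed sample flows: a spam burst, a C&C beacon, and a clean host.
SAMPLE_FLOWS = [("10.0.0.5", f"198.18.0.{i}", 25) for i in range(1, 26)]
SAMPLE_FLOWS += [("10.0.0.7", "203.0.113.9", 443),
                 ("10.0.0.9", "192.0.2.80", 443),
                 ("10.0.0.9", "192.0.2.53", 53)]

if __name__ == "__main__":
    q = Quarantine()
    for host, reason in detect_infected(SAMPLE_FLOWS).items():
        q.add(host, reason)
        print(f"quarantined {host}: {reason}")
    print(q.decide("10.0.0.5", "192.0.2.80", 80))
```

The ordering in `decide` matters: the allowlist is checked before the HTTP redirect so that the update proxy is reachable on port 80, and DNS is allowed only to the ISP's own resolver so a bot cannot tunnel out through an arbitrary one. `release` is the checkup step from the xs4all post; without it the scheme is a disconnection, not a quarantine.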
  • How long until someone snail-mail spams entire communities with install media for a supposedly mandatory security software package purportedly from the Internet provider who has the dominant market share? Seems like faking a mandatory install security software CD/DVD would be a wonderful way to root unsuspecting sheeple with whatever flavor of malware a blackhat desired.
  • I can see the re-tweets now:

    "Your computer is infected and internet access has been disabled. Click Here[www.malware-infection.site] to restore."
