[AusNOG] Telstra manipulating DNS to block botnets

David Walker davidianwalker at gmail.com
Tue Jun 19 02:52:37 EST 2012


On 18/06/2012, Roland Chan <roland at chan.id.au> wrote:
> Would anyone like to try that with a real unskilled customer and get back
> to us with the response?

From my unqualified perspective I don't have a problem per se with
blocking/modifying DNS as long as it's under prescribed conditions
(criminal activity) and I think it should be public so we can all
monitor what's going on. Are there any privacy/confidentiality issues
that should preclude publishing lists? Probably not. Would it be less
effective? Probably not. Would a user be able to spot a bogus
re-direct? Yes.
Here's the ISP blacklist for this week ...
As far as TOS goes, probably every service provider in Australia has
some terms relating to criminal activity. I'm not bothered looking but
does it matter a whole lot if that criminal activity comes from
outside the network?
It seems to me that a computer that is compromised in any way is
already involved in criminal activity. Certainly there's a criminal
somewhere who wrote some software.

Here comes my rant so if you're not interested, here's some food for thought:
http://forums.whirlpool.net.au/archive/1829076

As far as host security, that might address some subset of a small
number of issues and as far as I'm concerned, there's some elephants
in the room.
The simple methodologies we provide to consumers aren't enough.
It's not reasonable to expect things will improve regardless how much
more detail we provide about the issues. Short answer, we should
remind users this stuff is complex and recommend they consult
knowledgeable people.
The coal face for the average user and security issues is the computer
store, people who are largely ignorant themselves.

Sadly, pulling some figure out of the air, 99% of the employees at
computer shops in Australia wouldn't know documents like this exist:
http://www.microsoft.com/en-us/download/details.aspx?id=24696
They would never have read one of these:
http://technet.microsoft.com/en-us/security/bulletin/ms12-036
They wouldn't relate to this:
http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
They wouldn't talk about it, read it, never think about searching for
security information.
They don't know what a worm is, what CVE is, how patches work, what
mobile code is, how TCP/IP works, how the DNS works ...
Sad to say but most of them don't know what DNS stands for.

I have minimal experience here but I'm going to say this is probably
true for people who do Apple stuff at the shop level also.

I've never met an employee (or an owner) in a computer store who could
read email headers.

In case it's not obvious, the authoritative point of contact for
computer or information security for the Australian population is as
skilled as your average pimply teenager.
I haven't asked this directly but I'm extremely confident most of them
would struggle to provide an explanation of how malware works yet they
are the domain experts here.
They do three things, install anti-whatever products, "check"
automatic updates, check the firewall. They don't understand the
issues but they can "do" them.
Beyond that it's a matter of conjecture, hearsay, imagination ... and
re-installing Windows.

Apart from not addressing this, it's my opinion industry/gummint is
enabling it by repeating this advice to consumers every chance they
get (install anti-whatever, turn on the firewall, do automatic
updates) without at the same time letting people know how complex this
stuff is and regulating the industry. I agree with Marcus Ranum, you
can't educate users, it's nice if they know stuff but don't count on
it and while the advice they are getting is widely repeated and
followed there's a lot more to it than that.
My oft repeated assessment is that since last century, Windows forums
all over the planet have been bursting to the seams with people who
install anti-whatever and do automatic updates and turn on the
firewall ... and get owned.
Another assessment is seeing a constant stream of people walking into
computer stores who follow the advice and are having issues ...
The prophylactics we're pushing aren't enough on their own and while
we do talk about some other issues (phishing and so on) we also fail
here ... and the users aren't to blame. They're idiots for sure but
that's not something we're ever going to do anything about ... unless
we all work in IT ...

There's no want of information, it's there by the bucketload. People
don't read it and they shouldn't be expected to. It would be nice but
unless they're interested they'll never grok what a rootkit is, they
won't understand a padlock is an indicator not a guarantee, and so on.
If they won't read that at schneier.com they won't read it at ACMA or
wherever.
They do ask questions at their local computer shop though and these
people are ultimately responsible for giving policy advice and locking
down machines.

This is the coal face of where the public meet IT in my understanding,
and in my experience, consumers (and many SOHOs) can and do ask
(sometimes very interesting and pertinent) questions and can listen
very attentively and make choices about what strategies they like.
Sadly though, in my experience finding a correct answer to anything
more than a mundane issue at a computer shop is extremely rare.
For the most part answers are false with some element of danger.

There's no doubt upskilling here will not solve every problem,
security is complex and insecurity unavoidable but I don't think the
lowest common denominator is good enough any more and I can't see it
getting any better unless it's forced on the industry.
I don't have a problem with nerds doing their own stuff but if
somebody runs a business and takes money from the unsuspecting public
I think there should be some minimum standard.
I don't think users should necessarily be protected by their service
provider but they certainly should be protected from unskilled people
selling them security.

I might be alone here but I think we should be addressing this the way
we address other safety issues. Regulation, whatever you want to call
it.

In short, I don't have a problem with the current strategies on their
own but they're not enough on their own and we should take every
opportunity to let consumers know that.
Users are not going to go research the extras on their own. They're
certainly not going to front up and say, you can turn off some of that
mobile code for me or I only ever run these apps, can you whitelist
them for me ...
Users will never have access to anything better until the people they
are face to face with understand the subject matter and start answering
questions appropriately and offering useful advice.

That's a bit broad, broader than malware or botnets or whatever but it
doesn't seem right to me to shift responsibility around from consumers
to providers to education and avoid looking at perhaps the only place
where no doubt many people communicate with another person about these
issues.

Best wishes.


