FBI tells the public to call their ISP for help
admin at digibase.ca
Thu Jun 14 20:34:46 UTC 2007
On Thursday 14 June 2007 10:27, michael.dillon at bt.com wrote:
> > Since many Microsoft patches are only legally available via
> > the Internet, and an ISP can not predict which servers
> > Microsoft will use to distribute Microsoft patches, ISPs must
> > enable essentially full Internet access which includes access
> > for most worms.
> Has anybody tried a firewalling solution in which unpatched PCs are only
> able to access a special ISP-operated forwarding nameserver which is
> configured to only reply with A records for a list of known Microsoft
> update sites? And then have this specially patched nameserver also
> trigger the firewall to open up access to the addresses that it returns
> in A records?
> According to Microsoft, their list of "trusted sites" for MS Update is
> *.update.microsoft.com and download.windowsupdate.com. Even if they have
> some sort of CDN (Content Delivery Network) with varying IP addresses
> based on topology or load, this is still predictable enough for a
> software solution to provide a temporary walled garden.
> You don't need to make copies of their patch files. You don't need MS to
> provide an out-of-band list of safe IP addresses. As long as you are
> able to divert a subscriber's traffic through a special firewalled
> garden, an ISP can implement this with no special support from MS. Wrap
> this up with a GUI for your support-desk people to enable/disable the
> traffic diversion and you have a low-cost solution. You can even
> leverage the same technology to deal with botnet infestations although
> you would probably want a separate firewalled garden that allows access
> to a wider range of sites known to be safe, i.e. Google, Yahoo, ISP's
> own pages, etc.
> --Michael Dillon
There's a major problem with this - End-users won't take nicely to being
restricted from going to specific websites, and will more than likely go to
another ISP rather than patch their computer, as they see no benefit in
patching themselves. We see the benefit of the patches; they don't.
Not to single anyone out, but there will more than likely always be a careless
(and/or clueless) ISP who doesn't care if over half their network is wormed;
the customers from the ISPs who are cracking down on infected machines will
simply go over to the ISP who doesn't care, as there would be "less hassle".
What needs to be done is ALL ISPs across the board need to clean up their
networks, thus cornering the lazy end-users into cleaning up their machines.
To be honest: there are too few ISPs that would want to take up the
responsibility of filtering worm'd customers, and as well, the instant an ISP
starts filtering, they may even set themselves up for a lawsuit from a
customer saying "I paid for the service, why aren't I getting it?!"
And regarding Microsoft and their patching licences:
Those patches may be their precious "legal property" but it's their hoarding of
legal rights that's damaging hundreds of thousands of computers. Microsoft is
currently abusing their market share standing and giving insufficient patch
distribution (i.e. offline distribution). Therefore Microsoft should be held
accountable for every computer that becomes infected with worms due to
insufficient patching. To me, it sounds like Microsoft wants the power, but
doesn't want the responsibility that comes with the power of great market
share. It is time Microsoft be forced to take that responsibility.
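The walled-garden resolver described in the quoted post, written out as an added example (it is not code from either poster or from any ISP): a forwarder that answers A queries only for names under the two Microsoft update domains the post names, refuses everything else, and records the returned addresses so the firewall can be opened toward them. The upstream lookup table, the TEST-NET addresses in it, and the firewall rule syntax are constructed placeholders; `WalledGardenResolver`, `is_allowed` and `firewall_rules` are names chosen here, not an existing API.

```python
import ipaddress

# Allowlist taken from the "trusted sites" named in the quoted post:
# any host under update.microsoft.com, plus download.windowsupdate.com.
ALLOWED_SUFFIXES = ("update.microsoft.com",)
ALLOWED_HOSTS = ("download.windowsupdate.com",)

# Constructed stand-in for the upstream recursive resolver (TEST-NET
# addresses, not real Microsoft servers); a deployment would forward the
# query to a real resolver instead of looking it up here.
FAKE_UPSTREAM = {
    "v5.update.microsoft.com": ["192.0.2.10", "192.0.2.11"],
    "download.windowsupdate.com": ["198.51.100.20"],
    "www.example.com": ["203.0.113.5"],
}


def normalize(qname):
    """Lower-case a query name and drop the trailing dot of an FQDN."""
    return qname.rstrip(".").lower()


def is_allowed(qname):
    """True only for names on the allowlist. The '.' joined in front of each
    suffix is what keeps look-alikes such as evilupdate.microsoft.com out."""
    name = normalize(qname)
    if name in ALLOWED_HOSTS:
        return True
    return any(name.endswith("." + suffix) for suffix in ALLOWED_SUFFIXES)


class WalledGardenResolver:
    """Forwarding resolver that answers A queries for allowlisted names,
    refuses everything else, and records the answered addresses so the
    firewall can be opened toward them (the 'trigger' in the post)."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.opened = set()  # addresses the firewall should now permit

    def resolve(self, qname, qtype="A"):
        # The garden hands out A records only; other types and
        # non-allowlisted names are refused outright.
        if qtype != "A" or not is_allowed(qname):
            return ("REFUSED", [])
        addrs = self.upstream.get(normalize(qname))
        if addrs is None:
            return ("NXDOMAIN", [])
        for addr in addrs:
            ipaddress.ip_address(addr)  # validate before it becomes a firewall rule
            self.opened.add(addr)
        return ("NOERROR", list(addrs))

    def firewall_rules(self, subscriber_ip):
        """Rule lines for one subscriber; the syntax is illustrative (a
        constructed placeholder), not that of any particular firewall."""
        return [f"allow {subscriber_ip} -> {addr} tcp/80,443"
                for addr in sorted(self.opened, key=ipaddress.ip_address)]


if __name__ == "__main__":
    garden = WalledGardenResolver(FAKE_UPSTREAM)
    for name in ("v5.update.microsoft.com.", "www.example.com",
                 "evilupdate.microsoft.com"):
        print(name, garden.resolve(name))
    print("\n".join(garden.firewall_rules("10.0.0.7")))
```

Two details matter in practice: the opened rules should expire with the TTL of the answer that created them, and port 53 from gardened subscribers has to be redirected to this resolver rather than merely permitted, otherwise a host with a hard-coded resolver never passes through the allowlist at all. Traffic sent straight to an address that was never answered stays blocked by the garden's default deny.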