On Sat, Oct 10, 2009 at 12:05:24PM -0400, Jon Kibler wrote:
> A *much* smarter move on Comcast's part would be to simply null route any
> suspected infected computer until it is cleaned up.

Absolutely. Infected systems should be walled off *in toto* (not in part, as some on NANOG have recently suggested, not grasping the true nature of the problem) until they're fixed.

> Yes, that would put a
> greater load on Comcast's support staff, but maybe they could do it smarter --
> like limit access to only the Comcast and legit AV vendor's web sites. Not a
> 100% cure, but I would think it would create less problems than pop-ups that get
> ignored and spawn rogue pop-ups that create even more malware infection.

I'm with this as far as it goes. (And I certainly agree that sending pop-ups is off-the-scale idiotic.)

But...the first improvement I'd make to this would be to gain agreement from those AV vendors to host mirrors of their sites inside my own walled garden so that no external traffic at all is permitted. Surely an entity with the enormous financial resources of Comcast could make this happen, and surely it would be in the interest of AV vendors to collaborate.

The second would be to dispense with this approach entirely: too many people, in fact, I'd say *most* people, labor under the delusion that it's possible to boot a known-infected system off known-infected media and get the desired outcome. But Comcast won't even attempt this, because the accompanying support costs would cut into their massive profits.

Let us also not forget that Comcast is *finally* taking this first, bumbling, feeble step most of a decade after the problem was very well-known among the clueful portions of the community. Any competent organization would have acted within days, at most, even if that action was being scripted on-the-fly. (Compare/contrast with the speed and efficiency of the response to 11/2-3/1988.)

---Rsk

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.