Brian Krebs reported yesterday that Comcast will be implementing its bot detection feature nationwide. Comcast will apparently put an overlay on websites when visited from an IP that exhibits signs of bot activity. I don’t claim to be a security expert, but I think I’ve been in the business long enough to say “that’s really stupid.”
While I agree with Comcast’s efforts to fight bot infestations, they are going about it in exactly the wrong way. Running man-in-the-middle code is unacceptable, regardless of the intent. If the code is inserted into anything other than HTTP traffic, it will almost certainly break things, and I imagine that certain kinds of HTTP applications will break, too (specifically automated retrieval/parsing of sites). Additionally, it opens up another attack vector if Comcast itself suffers a breach.
Perhaps the worst part of this plan, though, is the impact it has on user education. For most users, nuance is not appropriate. Despite repeated warnings about the illegitimacy of “Your computer is infected!” pop-ups, people still click on them. Now suddenly there’s the Comcast nag with a link to download anti-malware tools. Comcast seems to assume that users can handle the nuance. My own experience suggests otherwise.
Unlike the authors of some of the comments on the post, I’m not concerned that Comcast can determine when a host (well, a customer’s connection, which may have several hosts behind the router) is operating as part of a botnet. While they could be inspecting the contents of the packets, it’s more likely that they’re just using the routing information and other already-visible data. There are some hosts and traffic patterns that are generally indicative of bot activity, but not conclusively so. That’s how the network security group at my employer works, in fact: they determine that a host is displaying suspicious behavior, and notify the local admins to investigate. Sometimes, it’s a false alarm, which is another cause for concern. If users get the Comcast “you’re a bot!” warning, act on it, and it turns out to be false, will they take it seriously again?
I don’t have an answer for Comcast. They’re trying to do a great thing by combating botnets (not altruistically, of course, but helping their network helps their customers too, so who’s to complain?), but the current method of informing affected users is a really bad idea.
You’re right it’s kinda teaching your users to get scammed.
I just signed up to your blogs rss feed. Will you post more on this subject?
I have met the enemy and have lost. I have three boxes on my system one win 7 and to xp the xp have an app.called Steady state after finding this banner on the ie of all the boxes i have used the steady state to return to the default image. Still getting the banner i called comcast to ask is this a comcast thing or a phishing trip. The best i could get out of them after three hours was that 1) i could pay to ask my question of a tech or 2) my account was NOT flagged as an abuse account.
Loaded windows defender system run a scan and now the system won’t boot … thank you comcast for nothing.
But i would like to thank you sir for saving me from building all three machines now i only have to image the one and wait until enough user complain to comcast for them to remove it. There are no “bots” on my computers
I, too, received this notice from Comcast about a “possible” bot on my system. Interestingly enough, when I ran my Avira anti-virus, it did indeed pick up an ad-ware and sent it to quarantine—it was the notice from Comcast, which had embedded itself into my computer’s hard drive. How is this not invasive? And I don’t remember giving them permission to download something on my computer without permission. Is that even legal?
My understanding was that Comcast was doing this on the fly, not by forcibly installing software on user machines. If they are truly doing that, I can’t imagine how it could be legal.
Awesome post.Thanks Again. Really Great.
I am dealing with this currently. My computer is a mess. Is it s coincidence that the comcast tech worked in my driveway yesterday?
Now they want to sell me $19.99 a month plan! I just want to have my virus protector actually work.
I’m sorry maybe I missed something. How is this “possibly” legal? We’re already paying for comcast and they want to use “tactical scares” to get us to pay for “better” internet by removing a “possible” bot? How many people have bought into this and lost money over nothing but an annoying pop up? It seems very “con artist”-y. I’m not sure I understand the “good” that’s come of it by people running what they thought to be “unnecessary” scans and DID find threats on their PC but I hate to break it to them but…you’re supposed to run scans on your computer regularly anyway. Maybe I’m just lacking in appreciation or something but I do not like their in your face method and their scam-like ways.
With these safe equipments, do we still need to be worried about.
If your concept includes a baked goods profit center, your menu should be visited as the
seasons change. With another brutal winter more odds on that against this winter,
ice grips for shoes must surely be considered essential prevention against personal
injury.
Very Nice Site. Thanks for spending your time and energy in writing such a informative article.