
Comcast heading the right direction on cybersecurity

9 October 2009

Comcast has announced that it will begin testing a new monitoring system, called Comcast Constant Guard, that looks for botnet activity on its network.  Infected customers will get a “service notice”: a message that pops up in the subscriber’s web browser telling them they are infected, along with resources (mostly preventative advice) to help clean the computer.

This is a great public service to the health of the Internet, and it illustrates why the often misunderstood and maligned technology called Deep Packet Inspection (DPI) is so essential to the Internet.  There are tens of thousands of attacks a day on the Internet, most of which come from hundreds of thousands of hijacked personal computers on broadband connections.  These botnets are used to take down critical infrastructure on the Internet, and they are one of the largest threats to cybersecurity.  So far, the fight against botnets has been a losing battle, because there will always be a certain percentage of computers that fall victim to spyware and malware infection, and each owner is left to notice and fix the problem alone.  With a centralized solution that scans the entire network, we finally have a chance to make a serious dent in the problem.

Comcast is actually not the first ISP to try something like this.  (UPDATE – CNET’s Elinor Mills reports that Qwest has also been doing this for 2 years, and they go as far as restricting web access until the customer is clean.)  In 2002, when I had SBC (since merged into AT&T) DSL service, I found out the hard way when I ran some security auditing tests against the servers I was charged with protecting.  As far as the network Intrusion Detection System (IDS) was concerned, the security auditing traffic was indistinguishable from actual attack traffic, and I was placed under quarantine.  This meant that I had no access to the Internet, which means that had I actually been infected with something, I would instantly have been prevented from infecting other computers on the Internet.  This sounded great until we stop to consider the ramifications for the broadband provider.

Even a computer-savvy user has a very low chance of cleaning a spyware infection, let alone the typical user.  Even the CEO of Microsoft found out how difficult this was when he was forced to turn the problem over to his co-president and a team of Microsoft engineers to fix an infected computer.  In most situations, short of a complete reinstall of the computer’s operating system and applications, there is no easy way to clean an infected computer.  It took Microsoft’s resident super genius Mark Russinovich to come up with an advanced malware cleaning method.  For the typical home user, it means paying a technician for at least two hours of labor, which doesn’t even include the hours needed to back up and recover the data.  So what does the average user do?  They simply decide that it is easier to live with the infection, even if their computer operates at 1/10th the speed.

But what happens when the ISP steps in and cuts off broadband service?  The infected customer at least had Internet access before, even if it was a degraded experience, and now their ISP is going to punish them too?  It didn’t matter to them that they were a danger to the rest of the world, because the costs of the infection aren’t fully internalized: the harm lands on everyone else.  What happens to the health of the Internet isn’t their problem; the fact that they now can’t access the Internet is their problem, which in turn becomes the ISP’s problem in the form of a very angry customer service call.  That might explain why the system seems to have been discontinued.

Comcast is taking a less extreme approach by merely warning customers rather than cutting them off until the computer is fixed.  While cutting off infected computers is the right thing to do to minimize the threat to the rest of the Internet, it is not the pragmatic thing to do unless every ISP did the same thing, which would force users to comply.  The question then becomes: what happens if the customer simply blocks the popup messages because they can’t figure out how to clean the infection and don’t want to pay someone to do it?  And what happens if malicious websites imitate the Comcast popup notification to scam more customers?  A browser popup carries nothing that proves it came from the ISP, so a fake “you are infected” page is indistinguishable from the real notice to most users.  These aren’t simple questions to answer, and it’s going to take a lot of smart people from a broad range of industries working together to come up with a solution.

Ultimately, we might need a standardized out-of-band notification mechanism (I propose a system here) that doesn’t rely on the web browser and can only be triggered by authorized entities, and it will require much better remote management tools to allow computers to get fixed by remote technicians.  For the time being, Comcast has taken a huge step in the right direction for the Internet’s wellbeing.
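The “can only be triggered by authorized entities” property of the out-of-band channel proposed above, and the spoofed-popup problem raised earlier, come down to one thing: the subscriber’s side must be able to check that a notice really came from the ISP. The following is an added example, not code from the original post and not how Comcast’s or Qwest’s systems work. It assumes a hypothetical notice format, an Ed25519 key pair whose public half is pinned into a subscriber-side agent at provisioning time, a freshness window, and a per-notice nonce to stop replay of a captured notice:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Notice is the out-of-band infection notice an ISP pushes to a subscriber-side
// agent (hypothetical format for this example). It never travels through a web page.
type Notice struct {
	SubscriberID string
	IssuedAt     int64  // Unix seconds; bounds the window in which the notice is valid
	Nonce        uint64 // unique per notice, so a captured notice cannot be replayed
	Body         string // human-readable text shown to the subscriber
}

// encode is the canonical byte string that gets signed. Strings are length-prefixed
// so that moving bytes between fields changes the encoding and breaks the signature.
func (n Notice) encode() []byte {
	var buf []byte
	u32, u64 := make([]byte, 4), make([]byte, 8)
	putStr := func(s string) {
		binary.BigEndian.PutUint32(u32, uint32(len(s)))
		buf = append(append(buf, u32...), s...)
	}
	putStr(n.SubscriberID)
	binary.BigEndian.PutUint64(u64, uint64(n.IssuedAt))
	buf = append(buf, u64...)
	binary.BigEndian.PutUint64(u64, n.Nonce)
	buf = append(buf, u64...)
	putStr(n.Body)
	return buf
}

// NewKeyPair generates an Ed25519 key pair: the ISP keeps the private half and the
// public half is pinned into each subscriber's agent when the service is provisioned.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignNotice is the ISP side: only a holder of the private key can produce this.
func SignNotice(priv ed25519.PrivateKey, n Notice) []byte {
	return ed25519.Sign(priv, n.encode())
}

// Agent is the subscriber side. It accepts a notice only if it verifies under the
// pinned ISP key, is addressed to this subscriber, is fresh, and has not been seen.
type Agent struct {
	ispPub     ed25519.PublicKey
	subscriber string
	maxAge     time.Duration
	seen       map[uint64]bool
}

var (
	ErrBadSignature    = errors.New("signature does not verify under the pinned ISP key")
	ErrWrongSubscriber = errors.New("notice is addressed to a different subscriber")
	ErrStale           = errors.New("notice is outside the freshness window")
	ErrReplay          = errors.New("notice nonce was already accepted")
)

func NewAgent(ispPub ed25519.PublicKey, subscriber string, maxAge time.Duration) *Agent {
	return &Agent{ispPub: ispPub, subscriber: subscriber, maxAge: maxAge, seen: map[uint64]bool{}}
}

// Accept checks the signature before anything else, so unauthenticated input can
// never influence the agent's state (the set of accepted nonces).
func (a *Agent) Accept(n Notice, sig []byte, now time.Time) error {
	if !ed25519.Verify(a.ispPub, n.encode(), sig) {
		return ErrBadSignature
	}
	if n.SubscriberID != a.subscriber {
		return ErrWrongSubscriber
	}
	age := now.Sub(time.Unix(n.IssuedAt, 0))
	if age < 0 {
		age = -age
	}
	if age > a.maxAge {
		return ErrStale
	}
	if a.seen[n.Nonce] {
		return ErrReplay
	}
	a.seen[n.Nonce] = true
	return nil
}

func main() {
	ispPub, ispPriv := NewKeyPair()
	_, scammerPriv := NewKeyPair() // a third party with its own key, standing in for a spoofing website
	now := time.Now()
	agent := NewAgent(ispPub, "subscriber-1234", 10*time.Minute)

	// Constructed sample notice, not real ISP text.
	genuine := Notice{SubscriberID: "subscriber-1234", IssuedAt: now.Unix(), Nonce: 1,
		Body: "Bot activity was observed from your connection; see your account page for cleanup steps."}
	sig := SignNotice(ispPriv, genuine)
	fmt.Println("genuine notice:   ", agent.Accept(genuine, sig, now)) // <nil>
	fmt.Println("replayed notice:  ", agent.Accept(genuine, sig, now)) // nonce already accepted

	fake := genuine
	fake.Nonce, fake.Body = 2, "Your PC is infected! Call 555-0100 now to have it removed."
	fmt.Println("scammer's notice: ", agent.Accept(fake, SignNotice(scammerPriv, fake), now))
}
```

The scammer’s page can copy the look of the notice exactly, but without the ISP’s private key it cannot produce a signature the agent will accept, and a genuine notice it captured is rejected on replay. Two caveats: the signature proves origin, not that the customer will act on it, so the remediation problem in the post stands; and an agent running on an already-compromised machine can be silenced by the malware, which is one more argument for also surfacing the same notice through a channel the infected computer does not control, such as the subscriber’s account page.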