Are ISPs Responsible For Cleaning Up After You?

We'd all love to get less spam. To receive less spam we must clean up infected computers, but who is going to do it? Apparently, many people believe the ISP is responsible. Taking it to extremes, the FBI recently published, then retracted, a recommendation to call your ISP, because, "They can help you determine if your computer has been infected, and what steps to take to restore it." A public outcry on a well-known network operator's list prompted the eventual removal of this recommendation. The remaining article is simply part of a botnet awareness campaign.
We've been shown two things with this tidbit from the FBI. First, they don't have a clue how to combat the problem. Second, the FBI, like many other people, is quick to recommend that a user's ISP is responsible for helping end-users clean their systems. The truly laughable point is that an ISP should be responsible, in any way, for supporting their customers. Sure, they have a stake in helping their customer set up their computer such that it functions properly for Internet access, but that is the extent of their interests; as it should be. An ISP sells a vehicle to the Internet. What a customer does while using these services should not be of concern to the ISP. A few exceptions to the rule exist, such as a customer interrupting service for others. For the most part, however, an ISP should simply be a channel.

The frustrations people feel when using Internet services are a direct result of the ISP trying to protect itself, and in some cases even trying to protect their users. Blocked ports are the best example of a standard practice that results in high frustration levels for users.

The real cause of botnet infestations, where the responsibility should lie, is Microsoft. Some people actually argue that this is not true, but Microsoft does not. At great expense to their bottom line, Microsoft offers free technical support to all Windows users who have virus issues. Really! Give them a call at 1-866-PC-SAFETY. Some companies will charge up to $300 for cleaning up viruses, and when Dell sells $400 computers that are quite usable for most people, that's just silly.

The blame isn't 100% attributable to Microsoft, but it's close. Botnet controllers (the server that clients contact) often run on Unix machines. And you thought Unix or Linux was secure? The fact of the matter is that just because a bot server is running doesn't mean the entire system is compromised, unlike Windows.
Most often someone has installed a horribly written PHP application which has allowed a remote attacker to run a script on the server. Not to minimize the problem, but simply killing the script renders the infestation neutered. Linux administrators who allow users to host their own websites constantly deal with this problem, which is not unlike a Windows user downloading random applications from the Internet. It is actually quite the same, just on a much smaller scale, if you ignore the fact that the Windows installation is completely compromised. External-facing applications, i.e. botnet software, still run in both cases.

Zombie computers are responsible for most spam, and nobody wants to be responsible for the problem. Microsoft will assist users in cleaning up, but most users don't even know they're infected. Their ISP knows they're infected, but couldn't help even if they wanted to.

Let's say that an ISP's monitoring software detected botnet activity on a home user's computer. Said ISP has two options: turn off the Internet access for that user in an effort to help clean the 'net, or notify the user and tell them to clean up. The former option isn't good for business, and the latter is useless. A user will either ignore the notice, or require help. Therefore, the ISP opts for none of the above. Simply talking to a user on the phone for 30 minutes means that most ISPs won't make any money off that person for the next two to six months (estimated, but with real figures in mind).

In an ideal world, an ISP would be able to redistribute Microsoft patches. Imagine if the ISP could quarantine an infected user, and present them with a webpage that explains what's wrong. "Dear $USER, you're infected. Please click here, here, and here, then install the software you've just downloaded. When complete, click 'here' and your Internet access will be restored." That would be wonderful, but there's a slight problem.
Microsoft will not allow ISPs to distribute Windows patches the way that universities can. If an ISP wants to allow only certain trusted websites from the quarantine, such as their own, and perhaps Windows Update, they're still stuck. Microsoft uses content providers to serve up Windows patches, and it's impossible to tell where a user will be downloading a patch from. So ISPs who wish to help their users are really stuck.

ISPs aren't entirely without fault, however. They provide Internet service, which by most measures is "as safe as possible" while still allowing productivity, but they do forget one important aspect. What if a customer needs to reinstall Windows? The critical period between the time they've finished installing and the time all Microsoft patches are installed is plenty of time to get infected. Users without NAT are wide open. Many ISPs are shipping NAT-enabled modem/router equipment, but dialup customers, of which there are a shocking number, have no protection.

Hopefully the FBI made a mistake in their original press release. The PR department likely didn't consult with the brains, we hope. Kudos for acknowledging the problem, FBI. The real solution is to distribute Microsoft's free support number for virus issues: 1-866-PC-SAFETY. If enough people call and overwhelm 1-866-PC-SAFETY, perhaps the source of the problem will begin turning things around. Vista is a great step forward, but huge security problems still exist, enough that 1-866-PC-SAFETY should be overrun with callers. 1-866-PC-SAFETY.