ISPs and the fight against bots

Posted by Maxim Weinstein Tue, 10 Nov 2009 19:19:48 GMT

For the last several months, some of the folks at Comcast have been working on a draft IETF document to inform ISPs about the role they can play in remediating bots on their customers’ computers. This is a tricky challenge: on one hand, ISPs are in a great position to detect bot activity, notify their customers, and potentially even block traffic. On the other hand, customers and net neutrality advocates don’t want ISPs mucking around with customers’ Internet use.

The document attempts to find a balance, encouraging ISPs to notify customers of bots and assist with remediation, while warning about some of the risks of more aggressive involvement (such as "walled gardens," in which users are cut off from most Internet access until they clean up an infection).

I wrote up a set of comments which I shared with the authors and now make available here.

Comcast isn’t just talking about this issue in theory. They recently launched a pilot program in Denver that inserts a warning message into web pages that a customer is trying to view if Comcast has detected bot activity on that customer’s account. It will be interesting to watch how this develops over time. How will customers react to the warnings? Will Comcast customers be tricked by fake warnings designed to look like the real ones? How will customers who learn that their computers are bot-infected go about getting them cleaned up? (Comcast offers some useful tools and information for this, as well as support forums. Will this be enough?)

There’s no question that ISPs have an important role to play in reducing badware on the Internet, and I commend Comcast for taking initiative in this area. It will be interesting to see whether this proves effective and whether the potential side effects can be kept to a minimum.


Comcast Falls Prey To Tricksters

Posted by Maxim Weinstein Fri, 30 May 2008 14:39:29 GMT

Yesterday evening, I was wondering why an e-mail of mine to a friend using Comcast’s e-mail bounced. Then I saw a message on a listserv I use asking if anyone else had experienced difficulty sending e-mail to Comcast addresses. Thirty seconds and one Google search later, I discovered why. Slashdot explains:

Fallen Andy notes that Comcast, one of the largest US ISPs, lost control of its domain name to what appeared to be juvenile social engineers of the old school — i.e. not in it for the money. The intruders got into Comcast’s registrar account at Network Solutions and repointed the domain’s DNS records. A blog entry at SANS points out how trivially easy this can be. Reader ElvenKnight points out an insightful interview up at Wired with the two young guys who perpetrated the hack.

While I’m sure Comcast and its customers are none too happy about this incident, it’s probably a positive for them in the sense that the hackers were tricksters, not serious criminals. Using the same technique, a criminal organization could have delivered malware or collected usernames and passwords (or potentially bank/credit card account information). Hopefully, Comcast, the domain registrars, and other companies will learn from this example and will tighten up their security processes and controls to reduce the risk of more dangerous abuses in the future.
