AT&T Bans 3G P2P Users, But Hasn't Booted Any Yet [Broadband Reports]
As a follow-up to yesterday's news that AT&T has announced that subscribers to their wireless network will be dropped as customers if they use peer-to-peer applications on that network, I noticed that Broadband Reports wrote about the announcement. What raised my eyebrows was the treatment BBR gave the announcement.
While BBR has been on the forefront, publishing several critical comments about cable operators' network management practices, AT&T gets nearly a free pass from BBR after they announce that P2P protocol use is completely prohibited and users will be banned for any infraction.
With Comcast being hammered for failing to be transparent about their P2P throttling, AT&T has been doing their best to come clean with the FCC about their own practices. That involves the recent announcement that they'd be changing their DSL tiers this fall to eliminate the "up to" marketing tag, and stating they don't throttle P2P users on their DSL network. In a follow up letter this week, AT&T also confirms to the FCC that they prohibit P2P use on their wireless broadband network, and threaten termination for violating this rule. Interestingly, they say they haven't actually banned anyone yet since "the vast majority of our customers abide by their contractual commitments."
I noticed that several commenters on the BBR post are wondering how the FCC would react to AT&T's new policy given the current case against Comcast's network management practices in front of the commission. I wonder too.
In the past month, one of the paramount issues in Internet security has been the revelation of a flaw in the Domain Name System (DNS) that might allow hackers to take control of web sites, faking their identity to grab users' personal information. The DNS is the system that connects the web address you type into your browser to the correct server for that site. It's security is obviously very important to the integrity of Internet use.
The New York Times published a story this morning that details the exploits of the person who discovered the flaw, and his efforts to get network administrators across the Internet to patch their systems to any vulnerability.
What about Insight's network? Some have asked about whether Insight's network is safe from the DNS flaw. Paul Meltzer, Insight's Senior VP for Product Management, has posted this answer in Broadband Reports' Inside Insight forum.
Some of you have expressed concern about DNS vulnerability. Insight is constantly monitoring our system for security vulnerabilities and acting to close them. DNS servers must be accessible by all users, but our continuous efforts to add security began well before this recent concern was raised, with our practice of flushing DNS cache more then the industry average, and work in progress to add additional protection as well as to apply the patch some have written about. Still, at the end of the day, the best protection is continuance vigilance. Insight provides that.
With Security at Risk, a Push to Patch the Web [New York Times]
Insight's DNS Servers [Broadband Reports]
And more news from the Scrabble/Scrabulous controversy on Facebook. Now, even the New York Times is writing stories about the dispute between two Indian software developers (who wrote the Scrabulous application) and Hasbro (which owns the rights to Scrabble). Turns out that the makers of Scrabulous have voluntarily pulled their application from Facebook after being sued by Hasbro for copyright infringement.
According to this article, there is something of a revolt happening among loyal Scrabulous users in response to the decision to pull down the application. Hasbro's own Scrabble Facebook application has been the subject of a malicious attack according to Hasbro. As of the article's writing, neither application was available to Facebook users.
So, for now, no Scrabble or Scrabulous for anyone.
Scrabulous Barred to North American Users [New York Times]
Insight was slow to patch this DNS issue. I don't use Insight DNS servers on any of my Insight connections, but tested out of curiosity. After the details of the issue were inadvertently disclosed early and exploit code was available, it was still at least a few days until Insight had patched the issue.
It does look good now though.
$ dig +short porttest.dns-oarc.net TXT @74.128.1.31
porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"74.128.1.31 is GREAT: 52 queries in 28.9 seconds from 52 ports with std dev 19251"
It could be worse - AT&T had a DNS server cache poisoned from this vulnerability.
http://isc.sans.org/diary.html?storyid=4801
I would guess Insight probably didn't see any such thing. But they still left customers at risk by the slow response on this, it was at least two weeks before the patch was applied. Proactive? Hardly! I understand you have to test these things first, but it doesn't take two weeks to properly test this DNS patch. And yes, I do run significant networks and am well versed in DNS - sorry, can't pull the "never run a network" bit on me. ;)
On the topic of DNS, I have a serious problem with what Insight does with NXDOMAIN queries. For the less technical, this is the cause of the not-found-entry spammy looking pages you get when you mistype a URL. It *should* appear to users the same as it did to me when I first saw it. I assumed the PC I was on, which wasn't mine personally, was infected with spyware. Insight even does this on the several business connections I manage. It's unethical, has privacy concerns (sends all your typos to some company that has a far less than ethical appearance), and there is no legit means of opting out (the "opt out" available is a joke, it doesn't truly opt you out).
I suggest all Insight customers, and any customers of any ISP that does similar things use OpenDNS instead of their ISP's DNS servers. http://www.opendns.com It's free, and also offers some nice additional functionality such as content filtering. For the techies, it won't return NXDOMAIN by default but if you sign up for a free account you can enable it. For me, I can't do my job on my business class Insight connections using their DNS servers because they don't return NXDOMAIN. Part of my job is network security testing, and a number of security tools require NXDOMAIN responses to function properly.
Overall I'm a happy Insight residential and business customer, with service at a number of locations, but am disappointed in both of these areas.
Posted by: Chris Buechler | Wednesday, July 30, 2008 at 11:30 PM