RE: Comcast man-in-the-middle attack

From: Thomas J. Arseneault (arsenat_private)
Date: Fri Feb 08 2002 - 18:53:58 PST


    My $.02 worth, someone with more ISP savvy than I might want to comment if I
    get too lost.
    
    If Comcast is like my Cable company (ATT, used to be @home) they have an
    Acceptable Use Policy (AUP) that states that you can't run a web server from
    your home on their network (probably due to the bandwidth issue mentioned
    below) and if I recall properly ISPs were hit rather hard with CodeRed and
    other nasties.
    
    So beyond the evil issues raised by Hoover I can see at least two valid
    reasons for monitoring HTTP traffic: 1) Compliance with the AUP, which
    relates to the "..service quality control checks." exception in "US Code
    TITLE 18, PART I, CHAPTER 119, Sec. 2511. (2) (a) (i)" and 2) To scan for
    malicious code in the HTTP requests, which would again relate to the
    exception. I don't see #2 as likely, just possible.
    
    My philosophy: "Never attribute to malice what can be adequately explained by
    stupidity". There are many more stupid people in the world than evil ones,
    or at least people who sometimes act stupidly. Maybe not the best philosophy
    for a security guy but I'll stand by it. So the fact that this/these
    device(s) does not do something correctly may just be misconfiguration.
    
    Again just my $.02 worth and if I'm wrong many, many people will point it
    out.
    
    **********************************************
    Tom Arseneault
    System Admin.
    Certainty Solutions, formerly Global Networking and Computing (GNAC).
    "Certainty in an Uncertain World"
    arsenat_private
    http://web.corp.rwc.crtsol.com
    **********************************************
    
    > -----Original Message-----
    > From: jon schatz [mailto:jonat_private]
    > Sent: Friday, February 08, 2002 2:20 PM
    > To: J Edgar Hoover
    > Cc: vuln-devat_private
    > Subject: Re: Comcast man-in-the-middle attack
    >
    >
    > On Fri, 2002-02-08 at 13:27, J Edgar Hoover wrote:
    > > > This is standard behavior for a transparent web proxy. Nothing new here.
    > > > These have been around for a while, and Inktomi is not the only company
    > > > to deploy one. Hell, you can do this with squid and ipchains:
    > > >
    > > > http://www.linuxpowered.com/archive/mini/TransparentProxy.html#toc5
    > >
    > > Whether the device is performing correctly is not the question. The
    > > question is whether the device is appropriate at all in this context.
    >
    > It certainly is. Comcast (like all ISPs) sells a lot more bandwidth than
    > they actually have. Without some type of caching system, their network
    > performance would suffer greatly.
    >
    > > > Once again, standard behavior for a proxy request. Most (if not all)
    > > > proxies are dependent on a partial HTTP/1.1 implementation, and without
    > > > the host header, all would be lost...
    > >
    > > It may be "standard behavior", but it is incorrect behavior. If I send a
    > > packet to my office, I expect it to go to my office, not comcast's.
    >
    > But you're not sending just any packet. You're sending an HTTP request.
    > We dealt with this issue at my previous employer, and non-HTTP requests
    > on port 80 were just passed through without any interference.
    >
    > > They log the requested URL, and the response. They log it to a network
    > > storage device, that is simultaneously accessed by datamining software.
    > > This gets passwords, contents of webmail, web bbs posts, news you read,
    > > etc.. What part of this is *not* snooping?
    >
    > Does their privacy statement or EULA state this? If so, find a new
    > provider. If not, why would you assume that it's happening?
    >
    > > Incidentally, the IP of one of the machines I used to test the evil proxy
    > > this week is now blocked. This isn't speculation, they've already started
    > > censoring.
    >
    > I truly don't buy it. No offense, but your level of paranoia seems to
    > match your email handle. I mean, if they really wanted to track all
    > network data, why not just run tcpdump on a machine somewhere near their
    > outside POP? That would be a lot easier (and less expensive) than buying
    > some proprietary Inktomi software.
    >
    > --
    > jonat_private || www.divisionbyzero.com
    > gpg key: www.divisionbyzero.com/pubkey.asc
    > think i have a virus?: www.divisionbyzero.com/pgp.html
    > "You are in a twisty little maze of Sendmail rules, all confusing."
    >
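As an added example (not part of this thread and not any poster's code), the following Python checks a captured HTTP response for the headers a conforming proxy or Squid-style cache adds (Via, X-Cache, Age), which is the simplest way to tell whether an intermediary on port 80 handled a given reply; both sample responses are constructed and the cache hostname is a placeholder.

```python
from typing import Dict, List, Tuple

# Headers a conforming HTTP/1.1 proxy (Via, RFC 2616 s.14.45) or a Squid-style
# cache adds; a direct connection to an origin that is not itself fronted by a
# proxy should show none of them.
PROXY_HEADERS = ("via", "x-cache", "x-cache-lookup", "x-squid-error", "proxy-agent")


def parse_response(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Return (status line, header map); names lower-cased, repeats kept as a list."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a malformed header line instead of aborting
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def proxy_indicators(raw: bytes) -> List[str]:
    """List the header evidence that an intermediary touched this response."""
    _status, headers = parse_response(raw)
    reasons = [f"{n}: {v}" for n in PROXY_HEADERS for v in headers.get(n, [])]
    # Age is only ever set by a cache (RFC 2616 s.14.6), never by an origin.
    if "age" in headers:
        reasons.append(f"age: {headers['age'][0]} (object served from a cache)")
    return reasons


def looks_proxied(raw: bytes) -> bool:
    return bool(proxy_indicators(raw))


# Constructed sample responses (not real captures): the origin's direct reply,
# then the same object relayed by a Squid cache, which appends Via and X-Cache
# and reports the cached copy's Age. cache1.example.net is a placeholder.
DIRECT = (b"HTTP/1.1 200 OK\r\nServer: Apache/1.3.22\r\n"
          b"Content-Type: text/html\r\nContent-Length: 5\r\n\r\nhello")
PROXIED = (b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.22\r\n"
           b"Content-Type: text/html\r\nContent-Length: 5\r\n"
           b"Age: 120\r\nVia: 1.0 cache1.example.net (squid/2.4)\r\n"
           b"X-Cache: HIT from cache1.example.net\r\n\r\nhello")

if __name__ == "__main__":
    for label, resp in (("direct", DIRECT), ("proxied", PROXIED)):
        print(label, proxy_indicators(resp))
```

A transparent proxy is free to strip these headers, so their absence proves nothing; their presence on a fetch of a server you control, which you know adds none of them, is the evidence worth acting on.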
    



    This archive was generated by hypermail 2b30 : Fri Feb 08 2002 - 21:19:41 PST