Hello Serge, hello all without Serge,
On Thursday 11 November 2010 08:22:53 Serge Droz wrote:
> On 25 November 2010 SWITCH will launch a new initiative to maintain the high security standards of Swiss websites.
> Let me briefly explain what we will do, as it is relevant to the SWINOG community:
> From different third parties we receive a fairly large number of URLs in the .ch/.li ccTLDs which distribute malware. We're talking about a few hundred URLs per week. In a first step SWITCH verifies that this claim is true. If the site is indeed distributing malware, we will contact the domain holder and technical contact by e-mail and ask them to remove the problem within one working day.
This is a difficult task and I see many problems.
First of all, you have to know what is malware and what is not. This decision sounds simple, but if you go into the details you see that lawyers have a lot of work with such cases.
The other thing is that you are responsible for domains, which is a logical thing. A domain is not a dedicated computer with internet connectivity. DNS can do round robin, for example, and DNS can change every hour, every day. Somebody who manages a domain is in reality not the same person who manages computers.
You get into trouble if you ignore all these facts. DNS is NOT a 1:1 mapping to IP addresses. This view is oversimplified.
And you also have cases where it is not very easy to know who is responsible on a single server. Imagine you have a file hoster - do you want to kill this business?
> If they fail to do so, we will delete the name server delegation from the zone file [1]. We report this to MELANI, as required by law [2]. The domain holder will be informed about this.
So if a big company with slow decisions maybe(!) has a malware problem (remember the difficulty of deciding what is malware), you kill the whole Swiss traffic after one day?
Do you know that if you have a malware problem, it's not always easy to solve?
Great DoS opportunity against companies. If you don't give me money, I attack your systems, which you can't clean within a day, and I call SWITCH immediately. Bye bye business.
Do you know that it is one thing to distribute malware and another thing to have vulnerable software asking for an exploit?
What you suggest is not a solution for anything. Distributing malware works perfectly without domains. And distributing malware works perfectly without the whole Swiss internet.
And I'm sure that your reaction is much slower than the tons of bots which attack thousands of computers per second. You change nothing related to malware.
I have to make it clear: as somebody who knows IT security very well, I will avoid Swiss domains in the future if this happens. I don't support systems with so many flaws.
Yes, I support fighting malware, but I don't agree that the problem is the people who support downloading malware. The overall problem is the stupid patch management on many platforms.
And if you want to change something, you should support people with patch management and maybe the use of rating systems against browser exploits. This would be a constructive way to change things instead of trying to be repressive against domain holders. Remember, being a domain holder doesn't mean that this person is responsible for any system. They don't even have to know each other.
Regards, Oli