Apr 21 2008

Profits more important than security

Published by at 6:09 am under Malware,Security Advisories

No one should be surprised that profits are more important to an ISP than the security of their customers. They are a business and the same rules apply to them that apply to any business: if they’re not profitable, they don’t stay in business for long. I don’t approve of the practice, but I am not even slightly surprised to hear that Earthlink is redirecting non-existent domain names to their own search pages in the hope of a small profit. And I’m even less surprised to find that it’s Dan Kaminsky who’s reporting the issue; it is a DNS issue after all. (Side note: IOActive’s web site appears to be down while I’m writing this; I wonder if they’re experiencing heavy traffic or if something else is going on)

The problem with Earthlink and their partner, Barefruit, is that they had a weakness in their code that allowed their servers to be used in a JavaScript attack. They’d been doing this redirection since 2006 and no one had commented on it. But Dan, being the King of DNS Misuse, found the vulnerability and reported it. The worst part of this is the fact that Earthlink is just one of many ISP’s that are providing their customers with this “service”.

The only reason an ISP is going to stop this practice is because the negative publicity outweighs the potential profit. Even though the profits are minuscule, they can make the difference between staying in business or not. More likely, they make the difference between someone in corporate making their numbers and getting a bonus or not. This isn’t a new practice nor is it without it’s own controversy, but as long as there’s a profit to be made by it, non-existent domain name redirection will continue.

Update: IoActive site appears to be back up, don’t know what the issue was. Maybe my ISP was redirecting me to a 404 error?

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

One response so far

One Response to “Profits more important than security”

  1. Benon 21 Apr 2008 at 7:40 am

    Businesses (in the US) aren’t properly incentivized to protect their customers. They have incentive to protect themselves and the data sensitive to their operations (what I call “functional” and “proprietary” data), but they currently have no reason to protect their customers or their customers’ data (what I call “personal/private” data). For ISPs, who are often in a monopoly, or very small oligarchy, this problem is even worse. When you have to choose between cable and telephone, neither of which have a history of caring what the customers think because they lack real competition, then nothing like this is surprising in the least (as you point out).

    I’m afraid that the only solution to this problem will be legislative action, and we all know how good the government is at legislating technology issues. 😉 I blogged about this about a month ago here:

%d bloggers like this: