« Qwest: Good connection, horrible ISP | Main | 200 Things »

October 13, 2004

Qwest Redux

Because I'm still pissed off about yesterday's email from Qwest, let's review how exactly this came to pass.

1. Admittedly clueless user installs Norton Internet Security, a program which is, shall we say, alarmist at the least (Symantec couldn't make money if all their programs suggested everything was fine).
2. Admittedly clueless user reviews his NIS logs, finding IPs.
3. Admittedly clueless user admits he's clueless and puts the list of IPs -- and only a list of IPs -- into an e-mail to Qwest's abuse department. No timestamps, no datestamps, no information on what they did. Just a list of IPs. And a statement of what day these supposedly came from. "I can only assume it's bad," clueless user says in his message. [Yes, son, your report is awful, but those IPs showing up isn't necessarily bad.]
4. Apparently Qwest's network operations people also "can only assume it's bad" and don't have a clue about basic network administration or customer service, as they review it and freak out.
5. Qwest does not review their own DHCP records -- or doesn't keep any -- which would have immediately exonerated my account, as I didn't have a lease on that IP at the time. Qwest's IPs have fairly standard 90 minute leases.
6. Qwest sends me an email, including the email address, full name, and current IP of the person who reported the "abuse."

Now let's touch on why exactly so much of this is wrong.

Clueless User
Blindly following the word of a clueless customer is bad juju, folks. He even admits in his email that he doesn't have a clue. Why, then, do you break out the jackbooted thugs at the drop of a hat? What am I to do if I, like him, are a clueless user? How do I refute your claims, with which comes the threat of you canning my account the next time someone baselessly reports me as abusing the service and you don't so much as verify it?

Useless logs
Or rather, lack of logs. He didn't forward a firewall log of any sort -- there are no time or date stamps, no note of what port was attempted, or how many attempts were made. Simply "these were some IPs in my log." Qwest somehow turned this in to "MS RPC DCOM exploit," though I'm not entirely sure how. That's one hell of a logical leap from "no facts" to "RPC/DCOM." Most serious ISPs would laugh at you if you couldn't provide exact date and time stamps in addition to solid, factual information on what those IPs were doing.

Hell, those IPs could have shown up for any number of reasons. Maybe he was on a filesharing network. Or had File and Print Sharing turned on for his Internet NIC. Or he was on IRC, or instant messaging, or posted a link to files hosted on his computer... This would be how the internet works. A machine with one IP contacts a machine at another, for any one of a variety of reasons. If your firewall for any reason doesn't think this is right, it stops it and logs it. "Blocked" doesn't mean "attack."

No Logs or No Research
Qwest obviously didn't perform any research before throwing out their warning emails. This leads me to one of two possibilities: they don't log, or they don't care. If the latter, shame on them. If the former, shame on them. Let's assume for a moment they do log, however: they'd have right under their noses that fact that my machine hasn't had a lease for that IP in months. Per Qwest's own description, their IPs are dynamically assigned. Not to mention there's nothing stopping you from manually entering another, unused IP.

If you can't prove beyond a shadow of a doubt that I was indeed using that IP, you shouldn't accuse me. It's the basis of our legal system, not to mention common sense. Additionally, assuming their logic of "firewall log" to "RPC/DCOM holes" is correct, many of those attacks use forged source IPs, which means it sure as hell may not have come from me.

Equivalent logical leap and action: You're foaming at the mouth. Therefore you must have rabies. You don't know how you got rabies, therefore you must have been bitten by the neighbor's dog. Therefore, you go shoot the dog while your neighbor's at work. (Nevermind the Alka Seltzer tab in your mouth.)

Customer Hostile
Being customer-hostile does not earn you brand loyalty. I could just as soon find another ISP. I could go to satellite, or cable, or possibly find another DSL provider.

Bad business. Not that anyone has cared about good business since Qwest swallowed up USWest whole.

Violated Their Privacy Policy
According to Qwest's privacy policy, they'll never release your information to a third party -- including fun stuff like your full name.

What's in my mailbox? The reporting customer's full name, e-mail address, and IP address (which includes... Dun! Dun! Dun! his location).

Good job protecting that customer information there, folks! It makes me proud to know you're living up to your corporate goals. Were I the reporter, I could almost certainly sue you for breach, but alas, I'm only the person the charges were levied against.

The Bottom Line
I can't knock Qwest for the speed of the connection, although they could certainly increase it. Their customer service and network administration skills, however, are sorely lacking. In fact, they're the worst I've seen through five ISPs.

PSInet was pretty awful, and nobody at Earthlink could ever answer a question, but neither company ran around like a headless chicken, accusing and threatening their customers willy-nilly. This is certainly the end of my recommending Qwest's Choice Online VDSL to people who can't get ADSL. I simply can't in good conscience recommend this to people who can't effectively defend themselves from Qwest's bogus, completely clueless claims.

Posted by Colin at October 13, 2004 10:21 AM

Trackback Pings

TrackBack URL for this entry:
http://blog.tigre-tech.net/mt/mt-tb.cgi/191

Comments

Post a comment




Remember Me?

(you may use HTML tags for style)