Malaysian ISP Jaring to scan users following abuse
By Julian Matthews
Wednesday, September 01 1999

KUALA LUMPUR--Local Internet service provider Jaring will scan its users while they are online to curb the high volume of abuse of foreign chat networks.

The scanning was announced in a notice sent via email to its 200,000 subscribers Tuesday.

"Connection to any equipment which exposes our network to abuse may be terminated without notice and follow-up action will be taken against the owner of the related account. We will not hesitate to suspend or terminate any account which has been found to be abused," warned the notice.

The suggested scanning has alarmed some members of the local Internet community who question whether such action infringes on their privacy.

"How can we be assured that the scanning will be confined to just checking insecure ports and not go one step further?" asks Internet consultant Dinesh Nair.

Dinesh suggests the scanning may be open to abuse by the ISP staff if left unchecked. "I welcome the ISP informing us first prior to the scanning, but they should provide more details of the type of software they will use and what ports they plan to scan, " he said.

Dinesh drew parallels to an incident in neighboring Singapore in April when ISP SingNet was forced to apologize to its 200,000 subscribers for scanning without prior notice.

He said local ISPs should not scan subscribers who explicitly object to the scan. "Unauthorized port scanning is generally accepted as a hostile action by the Internet community," he said.

Jaring's scanning comes in the wake of a blanket ban by Undernet.org of the .my domain two weeks ago for "intolerable" abuse by Malaysian users which was draining the resources of the popular Internet Relay Chat (IRC) network.

The .my domain was branded as "the most abusive in the world"for persistent denial of service attacks, flooding of chat rooms with multiple messages and running of unauthorized robot programs by its users.

The Undernet.org lifted the ban for Jaring users after the ISP promised to put in place a more effective abuse management policy.

"We feel it is necessary to implement drastic measures to protect the innocent users as well as the integrity of our network," said Mohamed Awang-Lah, the vice president of Mimos Berhad, which operates Jaring, in defence of the action.

Mohamed downplayed the privacy issue and suggested the scanning was like "just like knocking a door to check if it is locked or not".

"There is normally one unique IP address assigned to each equipment attached to the Internet. However, there are many doors known as 'ports' attached to each IP address. There are well-known doors such as port 25 for SMTP mail, 23 for Telnet, 21 for FTP. There are also many 'unpublished' or hidden doors. When you knock on some of these doors, we will know if it's protected or not.

"We are not interested to enter the door ourselves but some unscrupulous people might. So before they do, we will give a warning first to the owner," he said.

Mohamed assured subscribers that the ISP would not access their email and private information while they are online. "If a user launches an attack from a PC, we have the means to detect and confirm it without ever entering the machine. We then have to get the cooperation from the owner to shutdown the machine. If we fail, we will block all traffic from the machine until remedial action is taken," he explained.

Mohamed said the scanning would also not be limited to chat abusers alone but aimed at misconfigured equipment which might be targets for unauthorized users.

Misconfigured or misused equipment using the Wingate modem-sharing solution and Socks 5 proxy servers were identified by the Undernet.org as possible sources for the abuse.

The Jaring notice advised subcribers using applications such as Wingate and popular IRC applications such as mIRC and Pirch to configure them securely to prevent abuse by unauthorized users.

Jaring has prepared online guidelines on how to set up such applications correctly.

Mohamed said the ISP reserves the right to do the scanning "whenever necessary" and disconnect errant subscribers "without notice".

"It will depend on the severity of the case. Our first option will be to contact the account holder. However, if that cannot be done and the abuse activity is considered damaging, we reserve the right to disconnect without notice. Sometimes, our act of disconnection will save the account holder from further embarrassment or damaging effects," he said.

Mohamed did not discount the possibility that the police could be informed on specific cases.

Meanwhile, TMnet administrators contacted by CNET Asia said it was maintaining "active contact" with the Undernet.org to resolve the chat abuse issue. The global ban on subscribers of TMnet--the only other local ISP--has been enforced since Aug 15.

TMnet has over 350,000 subscribers, while the total user base in Malaysia is estimated to be about 1.5 million.

Emilia Mustafa, assistant manager of brand and communication at Telekom Multimedia, which operates TMnet, said the ISP was also pursuing the matter together with the Malaysian authorities in preparing a "Code of Practice for the Internet" which will cover both consumers and ISPs in Malaysia.

Last week, the Undernet.org rejected an offer by TMnet to host a local Undernet server as a means to resolve the abuse issue because it failed to meet the network's minimum bandwidth requirements. It also said this was the seventh rejection of a TMnet application.

The Undernet.org said it would not lift the ban of TMnet users from its 41-server global network until the ISP was fully committed to putting in place an effective abuse management policy.