Slashdot Mirror
Belkin Routers Route Users to Censorware Ad
The Register has a story today about
Belkin routers redirecting their users' network traffic.
To me, this seems like the logical next step after top-level domain name servers piping ads to your browser. Now the routers themselves hijack the traffic they are supposed to, uh, route -- and you'll love where they send you instead. But it's OK because you can opt out. Incidentally, the Crystal Ball Award goes to Seth Finkelstein, who in 2001 quoted John Gilmore's famous aphorism about the internet, and asked "What if censorship is in the router?"
The device is defective. Make product support give you one that works. While you're at it, send hate mail to the marketing team. I bet the support guy will give you the right email addresses...
Better yet, get the addresses and post them here.
What's next? Will the phone you buy occasionaly redirect your call to a telemarketer? Will your TV remote automatically switch channels to an infomercial? Maybe your car radio could redirect your listening to a clear channel station every
8 hours. These are business models I need to patent...
Don't forget that Friday is Hawaiian shirt day.
Here's the usenet thread where this was first discussed. Especially noteable are the initial discovery, the response from Belkin and the first response to Belkin. After that it it's pretty much the same thing you can expect to see here on /.
<sig>Guvf vf abg n frperg zrffntr
Ok if I buy say a Book from my favorite online bookstore and get it shipped UPS, I'd expect it to arrive as a book right?
But what if every one in 100 times, UPS thinks I might like a corporate logo bumper sticker instead of my book, they throw my book into the eternal void, and give me a UPS bumper sticker instead. I'm supposed to like this?
Bottom line: When I ask a package to get delivered, and for a certain package to be received, I WANT that package, not what they think I want. Whether it's a TCP/IP packet, or a book. I fail to see the difference here.
Bottom line, thanks to Slashdot I'm not buying my routers from Belkin (not that I'm a telecom person, but still I'd be careful if I ever had to).
...in bed
In response criticism, a Belkin product manager came forward this week to confirm the behaviour was designed into the products as a way to make it easier for consumers to sign up to a free trial of its parental control software.
Also in the news: the American council for airbags has been hitting people randomly in the streets to make it easier to appreciate their products. Thanks!
Seriously, though, I don't 'get' how a company could think this would endear themselves to their customers. If Cisco pulled this shit on its customers and made all their routers randomly direct to their brand-new VPN product I think it'd make people stop using Cisco FAST
Take an old Pentium I and put Smoothwall on it. No more Belkin and Netgear routers you get for $50 at Circuty City.
Is the address it redirects to hardcoded, or can the router get hacked and a new address put in? Now that would be good PR for Belkin, someone hacks the router and redirects all web traffic to some porn site.
I Am My Own Worst Enemy
Well, guess I won't be using any Belkin routers.
From the article:
"In response criticism, a Belkin product manager came forward this week to confirm the behaviour was designed into the products as a way to make it easier for consumers to sign up to a free trial of its parental control software."
Soooo.. it's spam, then. What a way of putting it mildly.
Should read:
"In response criticism, a Belkin lackey admitted a confirmation this week that the router will hijack an HTML request in order to advertise their product, for your convenience!"
IHBT...
Bullshit. Slashdot is bombarding me with ads because I'm a cheap bastard and refuse to pay them for the content they provide me. Belkin's got the money I gave them for their router, they don't need to be sending me ads I don't want to see to make more money.
Keyboards that occasionally type "www.belkin.com" when they detect you're typing a URL. (But you know, not more than once every eight hours, so it's OK.)
.jpgs of happy people using Belkin products.
USB mass-storage devices that randomly delete files and replace them with
PC Speakers that say "Shop at Belkin!" every couple of minutes.
etc...
With the dizzying array of routers available for purchase, I've often been befuddled by the sheer number of choices that I have when buying new equipment. Which one is better? Why is this router $10 less than this other one when they appear to do the same thing? Which manufacturer should I trust with my data? With razon thin profit margins, and fierce competition in the IT hardware industry, such choices have become extremely difficult.
It's comforting to to know that Belkin has recognized my problem, and has stepped forward in an effort to solve it. They make it so much easier by saying...
"If It's Belkin, You Don't Want It!"(tm)
Thank you Belkin. With your new forward-thinking "Don't Buy Our Stuff" policy, I will be sure to stay on the lookout for other products that you offer, so that they can assist me in making difficult purchasing choices even easier.
Yes, it is a big deal.
First, the original poster on Google said that he got it, unannounced, as part of a router firmware upgrade. No warning or explanation.
Second, Belkin sells a product that is supposed to route Internet traffic, including HTTP. At certain, random points, it does not do that. Instead it sends out an advertisement to a user who has made a valid HTTP request. If Sony started selling a CD player that played a commercial for Coke once every 8 hours, would that be "no big deal"?
I'm not spending another cent on Belkin gear until they reverse the upgrade and pledge not to do it again. Otherwise, simple gear like routers will become spam engines.
This is your typical "Tech vs. Non-Tech" argument. The manufacturer did something to appeal to Non-Techs, and it offended many Techs. Hmm.. wonder if the whole Windows vs Linux thing falls into this category...
... well, when you first buy your car, at some point it will drive itself to McDonalds, unless you tell it "no thanks". Oh and it might randomly do this in the future unless you turn the feature off. Regardless of wether you like McDonalds or not, we had added the feature out of popular demand...
I just wish Belkin would offer firmwares/hardware *without* the "feature". Any hijacking of routed packets is wrong. Sort of like saying
FLR
Emergency rescue team takes a patient to hospital. The patient is in critical state. Suddenly the driver pulls over and exclaims: "We're at the bar that is owned by our hospital manager. Would you like a hamburger?" "For god's sake, I'm dying! Do I look like I wanted a hamburger?!" "Okay, as you wish, but remember, that are best hamburgers in town!" and the driver resumes his way to hospital...
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
Yes. Because routers route, period. And when they route, they're supposed to route correctly. Opt-out is bullshit, because it's saying "our product ships broken, until you unbreak it."
This is a defective product. It doesn't route IP packets correctly. Return it for repair, replacement, or [preferrably] refund.
Boy did they blow this one. If they had stuck to something simple like your very first HTTP transaction brought up a configuration/advert screen only once, then there wouldn't even be a story.
What if I had bought this for an isolated network? Would it hang up for an appreciable amount of time trying to contact belkin.com?
no it won't. this is slashdot.
sulli
RTFJ.
One day, Belkin's router project manager Eric Deming was sitting around thinking, "How can we get $5,000,000 worth of bad publicity for free, and sink the company in an afternoon?"
Then he had an idea: "That's it! We'll abuse the trust of our customers, and get a story on Slashdot!
Consider that a user is in the midst of filling out a long string of forms. After hitting the submit button, the next HTTP request directs them to this AD instead of the intended web form. Their form chain is broken, and there is potential data loss, as the customer has to start the forms over again. This is a VERY bad precedent to set. If it was the very first page served by the router, that could be different... the first time I tunred on my home router it directed me to a welcome and setup page... which is quite different.
just my $2/100
"Uh. . . Clem" was the answer given by a character on a Firesign Theatre record We're all Bozos on this Bus, circa 1970, when asked by a computer for his name.
After a 18 hour operation, a router was removed from a belkin representative's rectum. When asked how the hardware device got there, all the man could say was "No. More. Spam. I. Promise...."
During the operation, the heart monitor seemed to have contracted a strange glitch; every 100th heartbeat a message about "Herbal Penis Enlargements" would pop up, blocking the stats"
Belkin belongs on fuckedcompany.
I agree that if I'd bought one of those things and it started redirecting my traffic, I'd consider it defective and demand my money back. Belkin's really moronic to think that this won't backfire on them and result in an expensive class-action lawsuit. Maybe they can defuse a lawsuit by offering refunds to anyone who's upset at the feature, but I'm guessing they're too sold on their own flawed logic to understand that what they did is not going to be seen as anything other than making the product do something its owners didn't ask it to do, and that Belkin didn't tell them it would do.
I can smell the class-action attorneys lining up now.
It's the difference between opt-out and opt-in. If Belkin's routers shipped with this "feature" disabled, who in their right mind would turn it on?
[grabs crotch] Remedy this!
Snip.
"So Mr. Stevens, you are saying that you ordered an Extra Value Meal, and the cashier instead hauled off and punched you in the face."
"That's right."
"And so you are charging the cashier with assault."
"That's right."
"All right. Mr. Defense lawyer, what do you have to say to that?"
"Mr. Stevens: Did you specifically ask my client NOT to punch you in the face?"
"Huh?"
"What did you tell him exactly?"
"Um.. I told him, I would like a number three meal and a Dr. Pepper."
"I see, and that was all?"
"Um, yes."
"Not that you wanted a number three meal, a Dr. Pepper, and to not be punched in the face?"
"Uh.. no, just the #3 and the Dr. Pepper."
"Your honor. How can my client be expected to be held responsible for this when Mr. Stevens was unclear about what he wanted? Had he configured his order correctly, my client would not have punched him in the face. So why is my client the one to blame? What do think Mr. Stevens expected to have happened?"
"Hmm, excellent point. Case dismissed."
I found this quote from Eric Deming in response to the original newsgroup posting quite interesting...
[quote]
By the way, this procedure (disabling the nagware in the router web-config) might have to be done if your router is behind a firewall. Reason: filter.belkin.com sends a response to the Router to set the flag. [/quote]
So Belkin deliberately left a configuration on the router to be modifiable by someone without proper authorization (the owner of the router or the network admin)? Absolute genius. Destroy your company's reputation 100% in one easy step: the backdoor(s) will piss of the geeks, and the nagware-advertising will piss off Joe Sixpack.
"Jesus saves, but everyone else in a 10 foot radius takes full damage from the fireball."
Belkin (verb) - To serreptitiously alter a product in such a fashion that legitimate use is hijacked to the benefit of the manufacturer or associated beneficiaries, usually in a crass self-promoting fashion.
It's a decent start at a definition. One could say "I installed this topdesk thing which totally belkined my browser". Let's make their name synonymous with bad behavior.
I've finally had it: until slashdot gets article moderation, I am not coming back.
It's a ROUTER. By design, it's supposed to deliver traffic to it's intended destination, to the best of it's ability, 100% of the time. Not route a request to some other place- that's not it's design (well, in the case of Belkin's routers, unlike everyone else's, that is...).
Unlike popups, etc., this is redirecting randomly selected packets going to port 80 (and probably the HTTPS port as well...) to thier server. Take a wild guess how many different things that just broke (SOAP, XML RPC, etc.). Like someone said, I hope nothing mission critical for you is on the inside of this stupid router- because it's BROKEN by design (And "configuring" the Router doesn't include turning frigging adverts off, either...).
It's got to be one of the stupidest things I've heard of in a long time done for the sake of marketing.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
I have one of these gems and it redirects the three PCs going through it about once every two weeks. Incidentally, I have clicked the opt out href probably 5 times and each time it gives me an error message saying my request did not go through then I keep getting the redirects.
I was incensed enough about this that I read all the usenet posts in NANAE about it.
In the post by the Belkin employee he notes that clicking the opt out link won't wotk if you're behind a firewall, because the response won't get through your firewall and back to the router. To turn this off, you'll have to go to the local http page hosted by the router, and opt out there. (And I'm not sure even that would work for me; my firewall is set to block localhost (127.0.0.1) to localhsot connections too, unless I've explcitly allowed them for specific applications.)
Also, the Belkin employee proudly states that the hijacking occurs once every eight hours, so if you're only seeing it every two weeks, it may mean that applications other than your browser that make requests to port 80 (http downloaders such as emusic's, rss readers, various applications auto-updating or calling wget, perl scripts, python scripts -- all of these things on my system might make http requests) may be failing silently.
If you see one hijack in your browser every two weeks, that means there are 41 (3 * 14 - 1) http requests in those two weeks being hijacked that are not browser traffic. Given that silent failure, who knows what's been lost, corrupted, or delayed on your computers.
Naturally, I'll never purchase a Belkin product again, unless Belkin certifies that whoever thought this up, and whoever approved it, have been fired.
Selling me a product, claiming it does something, and then making it intentionally fail, in order to sell me another product? Then you'll never sell me anything again.
Opinions on the Twiddler2 hand-held keyboard?
If you word it as you've done above, you make it look like you have a vendetta against Belkin out of spite. You don't need to.
I will be avoiding Belkin products especially those with "intelligence" (such as routers) until it's absolutely clear they will not pull this kind of stunt again. I will be avoiding it for the same reason as most of the people reading this article will, because I demonstrably can't trust Belkin to produce a working one. It doesn't matter if it's a random redirect of port 80, or, say, the box advertising a higher MTU than will work over a PPPoE connection - the fact is it's broken, and it appears to be an incompetent decision that's the source of this.
Belkin needs to demonstrate that this will not happen again, not to reassure everyone they're not really a bunch of utter bastards, but to convince everyone they're not really a bunch of idiots.
You are not alone. This is not normal. None of this is normal.
It's annoying enough to know that when you're sitting at a computer using a browser to surf the Web, a couple requests a day will get hijacked to the spam site.
But what about automated HTTP requests? You might be running some script to wget the latest greatest kernel source and instead it downloads a piece of spam. The hijacked HTTP request might come in the middle of a Gentoo build, or as you mirror a Web site and have a page replaced with an advertisement. You could be tunneling some other protocol over HTTP, and then who knows what this would do.
Very stupid and annoying of Belkin. If they wanted to make their parental control thing so easy to use, just include a CD that says "Put this CD into any computer on your network to enable parental control on your new Belkin router!" Newbies can figure that out. I don't want my own router launching some kind of spoofing attack on me three times a day just so I can view more spam.
"Belkin support, how can I help you?"
"My router every once in a while replaces my URL with one for Belkin parental controls."
"That's correct."
"But I just spent half an hour filling out the web form, and it doesn't cache, so I have to do it all again."
"You can turn off parental controls by clicking on 'No thanks!'"
"So this is intentional?"
"Yes sir, it's a service to you, provided at no extra cost. It also comes with a free 6 month trial."
"But a router is supposed to ROUTE."
"It can do that, if you change the configuration."
"So, it comes intentionally misconfigured to fail once every eight hours?"
"It's not failing, it's offering a service."
"So it's spamming me."
"It's not spam."
"Why not?"
"Because we're offering you a service you might not know about."
"So it's intentionally misconfigured to send me spam on something I didn't request any information for, dropping my URL and information in the process?"
"Well, yes."
"You should really just kill yourself."
"You're right. Goodbye."
*BANG*
"Dang, should of told him to kill the marketting department first. Well, I can always call back..."
=Blue(23)
LITTLE GIRL: But which cookie will you eat FIRST? C. MONSTER: Me think you have misconception of cookie-eating process.
Sleazy tactics like this aren't going to end. Theres only one solution. We need to sit around and think up every sleazy, disgusting, wrong, and dishonorable tactic someone could use to pervert the internet and it's standards to make a buck. We take that list, and patent it.
Here is one [http://www.microsoft.com/hardware/broadbandnetwor king/productdetails.aspx?pid=003]
Oh wait..we hate them too.
Cave, wreck, and deep diver.
We're all part of the public, aren't we?
Contact:
Melody Chalaban,
Public Relations Manager
Belkin Components
501 W. Walnut Street
Compton, CA 90220
melodych@belkin.com
(310) 604-2347 direct
(310) 898-1107 fax
www.belkin.com
(this is (unless you get redirected by your router) publicly available information at www.belkin.com)
Opinions on the Twiddler2 hand-held keyboard?
Good afternoon.
My name is [name deleted], and I work as IT department manager for a medium sized company in [place deleted]. I write to you in light of the recent unveiling that Belkin are knowingly shipping routers that show commercials to the end users by hijacking HTTP connections.
I am not sure if the product manager, Eric Deming, who designed the product to not work as expected did so understanding the full consequences if - or, rather, when - this information would become public. The one reason Belkin's name has been held in high regard at the company I work for is because of dependability. When it turns out that Belkin is actively designing products to not work dependably, but instead display advertising at the user; that reputation of dependability... well... there's not much left of it. And, as you are aware, for every one of Belkin's products, there is a competing product.
It becomes much worse. It also turns out that Belkin has the ability to remotely modify the behavior of these routers. When I showed this fact to our network security people, they went ballistic and drove straight off to the local equipment store, only to come back two hours later with a bunch of boxes. 30 minutes later, there was a heap of discarded equipment in a disorderly pile in one corner of the networking room. The discarded items all carried the name "Belkin". I signed the receipt for the new equipment with a look, a sigh, and a nod.
To top it off, it seems that your Mr. Deming who designed this behavior believes that every outbound hijackable connection originates from somebody sitting at a computer and browsing the web. However, more important are the automated connections. What would happen if the backup for our commercial data, which is transmitted regularly over the Internet, instead was pushed to Belkin, due to this behavior? What would happen if virus or operating system upgrade connections were the ones hijacked? Heart defibrillating equipment has been mentioned - what would happen if the heart defibrillation monitor, trying to trigger the impulse with the charging equipment, is instead redirected to a Belkin advertisement? You know, telesurgery exists and does depend on a reliable Internet infrastructure, consisting of such boxes as yours.
This product has been designed to not work, despite charging good money for it. I lack words to describe how shameful this behavior is.
Additionally, if the Belkin corporate culture is one that allows such a technical atrocity to make it to the shelves for one product, then it is obvious it may happen again, or has already happened, for other products. However, rest assured that this company will never again buy another Belkin product as long as I run the IT department.
[signature]
Let me explain what might have happened at Belkin:
Middle Manager: "Hey, Geek-boy. Marketing have come up with a new feature they want in the wireless router."
SWEng: [reading Powerpoint slides] "An ad every eight hours? That's not what a router is for!"
Middle Manager: "I admit it's unusual, but Marketing really wants this, and legal says there's nothing in the law that prevents us from doing this."
SWEng: "You can't be serious. It's an affront to civilized behavior! It's a very bad idea."
Middle Manager: "Do it or you're fired."
At this point, the room becomes very quiet. The engineer thinks very carefully about this ultimatum. The economy is in a shambles, especially the tech sector. There is no shortage of people who would take his job in an instant. And he has a new wife with a child on the way.
Assuming the above scenario, and assuming the engineer capitulated, he has perhaps unwittingly caused the loss of his own job, anyway, once the full force of market backlash hits Belkin's revenue.
I agree that techs should stand up for what they see as ethical behavior, and refuse to perform work that violates it. But not all of them have the same degree of flexibility in enforcing their sense of ethics.
Schwab
Editor, A1-AAA AmeriCaptions
In summary you have bought a "router" that has its internal configuration updated by an external event.
That is, I (or anybody on the inside of my net, not just an administrator) can click on a link delivered from outside my area of control and that link SETS A FLAG IN MY ROUTER....???!
So now I have my router with its optional firewall support watching the data transport and reconfiguring itself in response.
This is such a bad idea it is unspeakable.
What if the first guy to see the web page and who isn't the rightful administrator, accepts?
How long until a nice buffer-overrun attack lets a malicious server reporgram my router?
How much of the CPU in the router is wasted looking at each HTTP request in search of this flag setting?
Belkin is "stealing" cycles and security from their customers.
Not smart.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Belkin hasn't just abused customers' trust and falsely advertised this piece of trash as a router, they have also opened up security holes for no other reason than advertising censorware. This behavior isn't just wrong, it's despicable.
That's it. I'm no longer part of Team Sanity.
Just got this from Eric Deming. Funny, he's working late tonight!
From: Eric Deming [mailto:EricD@belkin.com]
Sent: Friday, November 07, 2003 10:05 PM
Subject: RE: defective router
Please be advised, we are working on this issue. Here is text from our latest posting to NANAE on google. It just went up, so it may not show up for a while.
All,
We at Belkin apologize for the recent trouble our customers have experienced with the wireless router/browser redirect issue. We unintentionally overlooked the effect this feature would have. We never intended to compromise the trust of our customers, and we never intend to do so in the future.
We are taking responsibility for this, and we will be offering firmware fixes early next week. We do not have exact details yet as we are still working on them, and will continue to work on them over the weekend. What we can tell you now is that each Router's firmware that incorporates Parental Control as an option will be changed.
I'll keep posting as things develop. Stay tuned...
The letter makes it clear that Belkin still doesn't get it. The letter isn't an apology, it's an explanation, an excuse for Belkin's reprehensible conduct, and it's full of spin - that's the polite way of saying misinformation, which is the polite way of saying lies.
The letter begins by claiming that "a group of privacy advocates have targeted Belkin Routers". That's not the case at all - a single user posted an explanation of Belkin's router's hijacking, and asked if anyone knew any more about it, in the usenet group news.admin.net-abuse.email. No group was involved, and there was no targeting.
The letter continues with a claim that "[t]he Parental Control registration page is not spam, adware or spyware. It is part of the setup process of the router. It does not "hi-jack" the browser." It is, apparently, part of the set-up process, but that's spam in and of itself: the user hasn't purchased Belkin's "Parental Control", but in the process of installing what he has purchased, the user is forced to sit through an advertisement for another Belkin product, whether or not the user has requested this advertisement. That's the essence of spam.
(And yes, I know that businesses like to claim that unsolicited advertisements are not spam if there is a "pre-existing" relationship with the customer, but that's bunk. Buying a product does not involve an implicit agreement to surrender my time to the manufacturer.)
Even if you're willing to by the argument that installing a product should be made more complicated and time-consuming by subjecting you to advertising, the reason that Belkin's received so much unfavorable publicity is not a one-time ad at install. The problem is the ads repeat indefinitely, every eight hours, until you, the user - Belkin's valued customer - takes some action to make them stop. And this is the same as he sneering spammer who sends you unsolicited email with a "click here to opt out" link. Not only does it steal your time, it steals more of your time before you can make it go away.
The letter goes on to state that "nor does Belkin have the ability to advertise to our customers using our routers as a conduit."
Wait a second, lady. This whole brouhaha started because Belkin continues to use its routers as a conduit to deliver customers to its ad for "Parental Control" every eight hours. If your routers didn't have that ability, we wouldn't all be telling you why we're not going to buy Belkin products anymore. This is a blatant lie, and an insult to the intelligence of anyone reading it. The page the router delivers users to is an ad. It's a solicitation to do additional business with Belkin.
The letter also claims that "[i]f a customer clicks "No Thanks" on the first prompt, the for Parental Control signup will no longer appear." Not entirely true. Belkin Manager Eric Deming admitted in a usenet post (since cowardly cancelled, but mirrored here) that clicking "No Thanks" won't work for users behind firewalls. It also appears that the "No Thanks" gets reset if the router is reset, and anecdotal evidence suggests that the (low) quality of Belkin's routers makes resetting rather more usual than it should be - possibly as often as every 20 minutes.
The letter ends on a surreal note, "[the Belkin advertisement web page] is not a browser pop-up, this means that the Parental Control web page will only be displayed if the user opens the browser". Huh? It's not a br
Opinions on the Twiddler2 hand-held keyboard?
That's my take on it too. They got bitchslapped for implementing a Dumb Idea, and they're now saying, "You're right, that WAS dumb... give us a few days and we'll fix it."
;)
If a company makes a mistake, or even a major blunder, but owns up to it and fixes it, that tells me they really DO care about their customers. This is a far cry from a company that tries to excuse their behaviour and wants US to live with the consequences.
So while I won't buy this *particular* Belkin product, their behaviour is NOT deserving of an across-the-board boycott.
What people also forget in their rush to find "some other product, ANY other product" is that other companies may have implemented naughties that you don't yet KNOW about. So in your haste to punish the erring company, you may well be jumping out of the frying pan and into the fire.
Sometimes I think people who go off the deep end like this should be cast into the outer darkness the first time *they* majorly fuck up. That'd teach 'em a little restraint.
~REZ~ #43301. Who'd fake being me anyway?
Next drop URLs into an almost-invisibly small FRAMEs, and have the main frame show one of those annoying "Site loading" things with a 5 second redirect to the next page of the site, target _TOP(No, there shouldn't be a space between 10 0, it should be 100 -- slashdot doesn't love me)
When the browser hits the "next page", it will trigger some classic windows exploits (for education purposes only, of course)
You could turn off ZoneAlarm and PC-Cillin too if you wanted.
Give a man a fish, he'll eat for a day, but teach a man to phish...