Belkin Routers Route Users to Censorware Ad
The Register has a story today about Belkin routers redirecting their users' network traffic.
To me, this seems like the logical next step after top-level domain name servers piping ads to your browser. Now the routers themselves hijack the traffic they are supposed to, uh, route -- and you'll love where they send you instead. But it's OK because you can opt out. Incidentally, the Crystal Ball Award goes to Seth Finkelstein, who in 2001 quoted John Gilmore's famous aphorism about the internet, and asked "What if censorship is in the router?"
The device is defective. Make product support give you one that works. While you're at it, send hate mail to the marketing team. I bet the support guy will give you the right email addresses...
Better yet, get the addresses and post them here.
What's next? Will the phone you buy occasionally redirect your call to a telemarketer? Will your TV remote automatically switch channels to an infomercial? Maybe your car radio could redirect your listening to a clear channel station every 8 hours. These are business models I need to patent...
Don't forget that Friday is Hawaiian shirt day.
Here's the Usenet thread where this was first discussed. Especially notable are the initial discovery, the response from Belkin and the first response to Belkin. After that it's pretty much the same thing you can expect to see here on /.
<sig>Guvf vf abg n frperg zrffntr
Ok if I buy say a Book from my favorite online bookstore and get it shipped UPS, I'd expect it to arrive as a book right?
But what if every one in 100 times, UPS thinks I might like a corporate logo bumper sticker instead of my book, they throw my book into the eternal void, and give me a UPS bumper sticker instead. I'm supposed to like this?
Bottom line: When I ask a package to get delivered, and for a certain package to be received, I WANT that package, not what they think I want. Whether it's a TCP/IP packet, or a book. I fail to see the difference here.
Bottom line, thanks to Slashdot I'm not buying my routers from Belkin (not that I'm a telecom person, but still I'd be careful if I ever had to).
...in bed
In response to criticism, a Belkin product manager came forward this week to confirm the behaviour was designed into the products as a way to make it easier for consumers to sign up to a free trial of its parental control software.
Also in the news: the American council for airbags has been hitting people randomly in the streets to make it easier to appreciate their products. Thanks!
Seriously, though, I don't 'get' how a company could think this would endear themselves to their customers. If Cisco pulled this shit on its customers and made all their routers randomly direct to their brand-new VPN product I think it'd make people stop using Cisco FAST
Take an old Pentium I and put Smoothwall on it. No more Belkin and Netgear routers you get for $50 at Circuit City.
Is the address it redirects to hardcoded, or can the router get hacked and a new address put in? Now that would be good PR for Belkin, someone hacks the router and redirects all web traffic to some porn site.
I Am My Own Worst Enemy
IHBT...
Bullshit. Slashdot is bombarding me with ads because I'm a cheap bastard and refuse to pay them for the content they provide me. Belkin's got the money I gave them for their router, they don't need to be sending me ads I don't want to see to make more money.
Keyboards that occasionally type "www.belkin.com" when they detect you're typing a URL. (But you know, not more than once every eight hours, so it's OK.)
USB mass-storage devices that randomly delete files and replace them with .jpgs of happy people using Belkin products.
PC Speakers that say "Shop at Belkin!" every couple of minutes.
etc...
With the dizzying array of routers available for purchase, I've often been befuddled by the sheer number of choices that I have when buying new equipment. Which one is better? Why is this router $10 less than this other one when they appear to do the same thing? Which manufacturer should I trust with my data? With razor-thin profit margins, and fierce competition in the IT hardware industry, such choices have become extremely difficult.
It's comforting to know that Belkin has recognized my problem, and has stepped forward in an effort to solve it. They make it so much easier by saying...
"If It's Belkin, You Don't Want It!"(tm)
Thank you Belkin. With your new forward-thinking "Don't Buy Our Stuff" policy, I will be sure to stay on the lookout for other products that you offer, so that they can assist me in making difficult purchasing choices even easier.
Yes, it is a big deal.
First, the original poster on Google said that he got it, unannounced, as part of a router firmware upgrade. No warning or explanation.
Second, Belkin sells a product that is supposed to route Internet traffic, including HTTP. At certain, random points, it does not do that. Instead it sends out an advertisement to a user who has made a valid HTTP request. If Sony started selling a CD player that played a commercial for Coke once every 8 hours, would that be "no big deal"?
I'm not spending another cent on Belkin gear until they reverse the upgrade and pledge not to do it again. Otherwise, simple gear like routers will become spam engines.
Yes. Because routers route, period. And when they route, they're supposed to route correctly. Opt-out is bullshit, because it's saying "our product ships broken, until you unbreak it."
This is a defective product. It doesn't route IP packets correctly. Return it for repair, replacement, or [preferably] refund.
Boy did they blow this one. If they had stuck to something simple like your very first HTTP transaction brought up a configuration/advert screen only once, then there wouldn't even be a story.
What if I had bought this for an isolated network? Would it hang up for an appreciable amount of time trying to contact belkin.com?
no it won't. this is slashdot.
sulli
RTFJ.
One day, Belkin's router project manager Eric Deming was sitting around thinking, "How can we get $5,000,000 worth of bad publicity for free, and sink the company in an afternoon?"
Then he had an idea: "That's it! We'll abuse the trust of our customers, and get a story on Slashdot!"
Consider that a user is in the midst of filling out a long string of forms. After hitting the submit button, the next HTTP request directs them to this AD instead of the intended web form. Their form chain is broken, and there is potential data loss, as the customer has to start the forms over again. This is a VERY bad precedent to set. If it was the very first page served by the router, that could be different... the first time I turned on my home router it directed me to a welcome and setup page... which is quite different.
just my $2/100
After an 18-hour operation, a router was removed from a Belkin representative's rectum. When asked how the hardware device got there, all the man could say was "No. More. Spam. I. Promise...."
During the operation, the heart monitor seemed to have contracted a strange glitch; every 100th heartbeat a message about "Herbal Penis Enlargements" would pop up, blocking the stats.
Belkin belongs on fuckedcompany.
I agree that if I'd bought one of those things and it started redirecting my traffic, I'd consider it defective and demand my money back. Belkin's really moronic to think that this won't backfire on them and result in an expensive class-action lawsuit. Maybe they can defuse a lawsuit by offering refunds to anyone who's upset at the feature, but I'm guessing they're too sold on their own flawed logic to understand that what they did is not going to be seen as anything other than making the product do something its owners didn't ask it to do, and that Belkin didn't tell them it would do.
I can smell the class-action attorneys lining up now.
It's the difference between opt-out and opt-in. If Belkin's routers shipped with this "feature" disabled, who in their right mind would turn it on?
[grabs crotch] Remedy this!
Snip.
"So Mr. Stevens, you are saying that you ordered an Extra Value Meal, and the cashier instead hauled off and punched you in the face."
"That's right."
"And so you are charging the cashier with assault."
"That's right."
"All right. Mr. Defense lawyer, what do you have to say to that?"
"Mr. Stevens: Did you specifically ask my client NOT to punch you in the face?"
"Huh?"
"What did you tell him exactly?"
"Um.. I told him, I would like a number three meal and a Dr. Pepper."
"I see, and that was all?"
"Um, yes."
"Not that you wanted a number three meal, a Dr. Pepper, and to not be punched in the face?"
"Uh.. no, just the #3 and the Dr. Pepper."
"Your honor. How can my client be expected to be held responsible for this when Mr. Stevens was unclear about what he wanted? Had he configured his order correctly, my client would not have punched him in the face. So why is my client the one to blame? What do you think Mr. Stevens expected to have happened?"
"Hmm, excellent point. Case dismissed."
I found this quote from Eric Deming in response to the original newsgroup posting quite interesting...
[quote]
By the way, this procedure (disabling the nagware in the router web-config) might have to be done if your router is behind a firewall. Reason: filter.belkin.com sends a response to the Router to set the flag. [/quote]
So Belkin deliberately left a configuration on the router to be modifiable by someone without proper authorization (the owner of the router or the network admin)? Absolute genius. Destroy your company's reputation 100% in one easy step: the backdoor(s) will piss off the geeks, and the nagware-advertising will piss off Joe Sixpack.
"Jesus saves, but everyone else in a 10 foot radius takes full damage from the fireball."
Belkin (verb) - To surreptitiously alter a product in such a fashion that legitimate use is hijacked to the benefit of the manufacturer or associated beneficiaries, usually in a crass self-promoting fashion.
It's a decent start at a definition. One could say "I installed this topdesk thing which totally belkined my browser". Let's make their name synonymous with bad behavior.
I've finally had it: until slashdot gets article moderation, I am not coming back.
It's a ROUTER. By design, it's supposed to deliver traffic to its intended destination, to the best of its ability, 100% of the time. Not route a request to some other place- that's not its design (well, in the case of Belkin's routers, unlike everyone else's, that is...).
Unlike popups, etc., this is redirecting randomly selected packets going to port 80 (and probably the HTTPS port as well...) to their server. Take a wild guess how many different things that just broke (SOAP, XML RPC, etc.). Like someone said, I hope nothing mission critical for you is on the inside of this stupid router- because it's BROKEN by design (And "configuring" the Router doesn't include turning frigging adverts off, either...).
It's got to be one of the stupidest things I've heard of in a long time done for the sake of marketing.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
It's annoying enough to know that when you're sitting at a computer using a browser to surf the Web, a couple requests a day will get hijacked to the spam site.
But what about automated HTTP requests? You might be running some script to wget the latest greatest kernel source and instead it downloads a piece of spam. The hijacked HTTP request might come in the middle of a Gentoo build, or as you mirror a Web site and have a page replaced with an advertisement. You could be tunneling some other protocol over HTTP, and then who knows what this would do.
Very stupid and annoying of Belkin. If they wanted to make their parental control thing so easy to use, just include a CD that says "Put this CD into any computer on your network to enable parental control on your new Belkin router!" Newbies can figure that out. I don't want my own router launching some kind of spoofing attack on me three times a day just so I can view more spam.
"Belkin support, how can I help you?"
"My router every once in a while replaces my URL with one for Belkin parental controls."
"That's correct."
"But I just spent half an hour filling out the web form, and it doesn't cache, so I have to do it all again."
"You can turn off parental controls by clicking on 'No thanks!'"
"So this is intentional?"
"Yes sir, it's a service to you, provided at no extra cost. It also comes with a free 6 month trial."
"But a router is supposed to ROUTE."
"It can do that, if you change the configuration."
"So, it comes intentionally misconfigured to fail once every eight hours?"
"It's not failing, it's offering a service."
"So it's spamming me."
"It's not spam."
"Why not?"
"Because we're offering you a service you might not know about."
"So it's intentionally misconfigured to send me spam on something I didn't request any information for, dropping my URL and information in the process?"
"Well, yes."
"You should really just kill yourself."
"You're right. Goodbye."
*BANG*
"Dang, should have told him to kill the marketing department first. Well, I can always call back..."
=Blue(23)
LITTLE GIRL: But which cookie will you eat FIRST? C. MONSTER: Me think you have misconception of cookie-eating process.
Sleazy tactics like this aren't going to end. There's only one solution. We need to sit around and think up every sleazy, disgusting, wrong, and dishonorable tactic someone could use to pervert the internet and its standards to make a buck. We take that list, and patent it.
Good afternoon.
My name is [name deleted], and I work as IT department manager for a medium sized company in [place deleted]. I write to you in light of the recent unveiling that Belkin are knowingly shipping routers that show commercials to the end users by hijacking HTTP connections.
I am not sure if the product manager, Eric Deming, who designed the product to not work as expected did so understanding the full consequences if - or, rather, when - this information would become public. The one reason Belkin's name has been held in high regard at the company I work for is because of dependability. When it turns out that Belkin is actively designing products to not work dependably, but instead display advertising at the user; that reputation of dependability... well... there's not much left of it. And, as you are aware, for every one of Belkin's products, there is a competing product.
It becomes much worse. It also turns out that Belkin has the ability to remotely modify the behavior of these routers. When I showed this fact to our network security people, they went ballistic and drove straight off to the local equipment store, only to come back two hours later with a bunch of boxes. 30 minutes later, there was a heap of discarded equipment in a disorderly pile in one corner of the networking room. The discarded items all carried the name "Belkin". I signed the receipt for the new equipment with a look, a sigh, and a nod.
To top it off, it seems that your Mr. Deming who designed this behavior believes that every outbound hijackable connection originates from somebody sitting at a computer and browsing the web. However, more important are the automated connections. What would happen if the backup for our commercial data, which is transmitted regularly over the Internet, instead was pushed to Belkin, due to this behavior? What would happen if virus or operating system upgrade connections were the ones hijacked? Heart defibrillating equipment has been mentioned - what would happen if the heart defibrillation monitor, trying to trigger the impulse with the charging equipment, is instead redirected to a Belkin advertisement? You know, telesurgery exists and does depend on a reliable Internet infrastructure, consisting of such boxes as yours.
This product has been designed to not work, despite charging good money for it. I lack words to describe how shameful this behavior is.
Additionally, if the Belkin corporate culture is one that allows such a technical atrocity to make it to the shelves for one product, then it is obvious it may happen again, or has already happened, for other products. However, rest assured that this company will never again buy another Belkin product as long as I run the IT department.
[signature]
Let me explain what might have happened at Belkin:
Middle Manager: "Hey, Geek-boy. Marketing have come up with a new feature they want in the wireless router."
SWEng: [reading Powerpoint slides] "An ad every eight hours? That's not what a router is for!"
Middle Manager: "I admit it's unusual, but Marketing really wants this, and legal says there's nothing in the law that prevents us from doing this."
SWEng: "You can't be serious. It's an affront to civilized behavior! It's a very bad idea."
Middle Manager: "Do it or you're fired."
At this point, the room becomes very quiet. The engineer thinks very carefully about this ultimatum. The economy is in a shambles, especially the tech sector. There is no shortage of people who would take his job in an instant. And he has a new wife with a child on the way.
Assuming the above scenario, and assuming the engineer capitulated, he has perhaps unwittingly caused the loss of his own job, anyway, once the full force of market backlash hits Belkin's revenue.
I agree that techs should stand up for what they see as ethical behavior, and refuse to perform work that violates it. But not all of them have the same degree of flexibility in enforcing their sense of ethics.
Schwab
Editor, A1-AAA AmeriCaptions
In summary you have bought a "router" that has its internal configuration updated by an external event.
That is, I (or anybody on the inside of my net, not just an administrator) can click on a link delivered from outside my area of control and that link SETS A FLAG IN MY ROUTER....???!
So now I have my router with its optional firewall support watching the data transport and reconfiguring itself in response.
This is such a bad idea it is unspeakable.
What if the first guy to see the web page and who isn't the rightful administrator, accepts?
How long until a nice buffer-overrun attack lets a malicious server reprogram my router?
How much of the CPU in the router is wasted looking at each HTTP request in search of this flag setting?
Belkin is "stealing" cycles and security from their customers.
Not smart.
Innocent people shouldn't be forced to pay for inferior software development.
--"Code Complete" Microsoft Press
Just got this from Eric Deming. Funny, he's working late tonight!
From: Eric Deming [mailto:EricD@belkin.com]
Sent: Friday, November 07, 2003 10:05 PM
Subject: RE: defective router
Please be advised, we are working on this issue. Here is text from our latest posting to NANAE on google. It just went up, so it may not show up for a while.
All,
We at Belkin apologize for the recent trouble our customers have experienced with the wireless router/browser redirect issue. We unintentionally overlooked the effect this feature would have. We never intended to compromise the trust of our customers, and we never intend to do so in the future.
We are taking responsibility for this, and we will be offering firmware fixes early next week. We do not have exact details yet as we are still working on them, and will continue to work on them over the weekend. What we can tell you now is that each Router's firmware that incorporates Parental Control as an option will be changed.
I'll keep posting as things develop. Stay tuned...