Hotel Connectivity Provider SuperClick Tracks You
saccade.com writes "During my last hotel stay, I thought it was pretty strange that it took two browser re-directs before the hotel's Wi-Fi would show me the web page I browsed to. Picasa developer Michael Herf noticed the same thing and dug a little deeper. He discovered: '...their page does some tracking of each new page you visit in your browser, outside what a normal proxy (which would have access to all your cookies and other information it shouldn't have, anyway) would do. This "adlog" hit appears to also track a "hotel ID" and some other data that identifies you more directly. Notably, I've observed these guys tracking HTTPS URLs, and of course you can't track those through a proxy.' Herf notes the Internet service provider, SuperClick, advertises that it 'allows hoteliers and conference center managers to leverage the investment they have made in their IP infrastructure to create advertising revenue, deliver targeted marketing and brand messages to guests and users on their network...'" Herf was on his honeymoon when he did this sleuthing. Now that's dedication.
But it involved chocolate sauce, melted wax, and soft restraints. What is this 'Herf' person thinking, signing onto his laptop while on honeymoon? Go get laid you nerd!
I want to delete my account but Slashdot doesn't allow it.
Well, I was going to make a snide remark about how they spent their honeymoon, but I really like Picasa, so I refrained.
However, I remember this happening the last time I stayed in a hotel (a Hilton Garden). At least I kept getting redirected. I am more than a little miffed that hotels are charging me *and* spying on me.
Next time I will use the VPN.
A true nerd would consummate his marriage while surfing on the internet and maybe writing some code while he was at it.
If you've got the resources to run an SSH server at home, use Putty with a dynamic proxy and point your browser and IM clients to it via SOCKS5.
I wouldn't trust any network like that... even if the service itself isn't watching what you're doing, do you trust the other people on that network aren't?
It's easy to surf or do other network apps safely on questionable networks. At least among the Slashdot crowd it's easy... but I've educated even my parents on doing that when using public or hotel internet and gave them an SSH account to use at my house.
that nowadays all his actions are watched and recorded. I live in the UK, which, I believe, has the highest ratio of CCTV cameras per head of population in the world. To me it's no surprise that when I log in at the Marriott I'm watched. Fortunately the first thing I do is establish a VPN tunnel to my company's network where I'm being watched by the CIO.
Further than that, welcome to the modern world, cue the cliches (1984, quis custodiet, ...)
init 11 - for when you need that edge.
...which is why I only get online using my corporate VPN, and never visited any sites that required a login (banking, blog, yadda yadda).
Of course that's assuming the VPN is secure enough... I'm sure there's a way around everything. Hell, just connecting to the WiFi and checking your email can give anyone your password if they have half a brain.
You mean to tell me that Slashdotters, some of the most paranoid people on the planet, didn't just automatically assume hotels did crap like this on their networks to make extra money? Are people here that damned naive? The story that would be news would be a hotel that does *not* do this.
Any time I use a network that isn't my own, be it a hotel, restaurant, or even the public library, I just automatically assume that someone who wants to remain unknown is taking an active interest in what I'm doing. Otherwise, why would any of these places provide free networking in the first place. They aren't doing it out of the goodness of their heart and so they can sleep warm and cuddly at night. They're doing it because they've found other ways to make a buck off of it.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
It's not dedication, just means he's not particularly enthusiastic about his honeymoon.
"Just a fox, a whisper."
Herf was on his honeymoon when he did this sleuthing. Now that's dedication.
Come on. This is slashdot. More like "Herf was taking a break from a month-long WoW session in his parents' basement when he did the sleuthing."
Like we'd buy that someone here even *knew* a girl, much less got married or went on a honeymoon!
He's on his honeymoon, but looks like he was lucky enough to marry another geek, so it's all good
I believe the word you were looking for was `sad`.
How do they do that? From what I understood all that a man in the middle could see was the host ip address as everything else is authenticated/encrypted. Or else you would get a security warning upon visiting the page.
---- aut viam inveniam aut faciam
In Soviet Russia, You track Hotel Connectivity Provider SuperClick!
Am I the only one who read "Hotel Connectivity Provider SuperChick Tracks You". I thought "why on earth would a CCM rock band be working for a hotel?"
Man is the lowest-cost, 150-pound, nonlinear, all-purpose computer system which can be mass-produced by unskilled labor.
In Corporate America, hotel tracks you!
...
1. Install wifi network
2. track wifi users' net traffic
3.
4. Profit!
Zhrodague.net - I do projects and stuff too.
Superclick already has the backing of major Hotel chains, so it already has recognition in the marketplace (hotel owners). That is not going to change. They would also be very competitive for the services they provide and, given what has been found, it is not unreasonable to think that they are cheaper because they sell off the information they gather to marketing companies.
I cannot see this kind of tracking coming to an end until either the mainstream media make a story out of it, or someone sues the Hotel chain for breaching their privacy (or both).
I noticed some hotels intercept SMTP traffic after a client complained he couldn't send email through our mail server while he was on the road. The hotel's service provider was trying to masquerade as our mail server and attempting to intercept the mail delivery. When I tested it I sent a test message through the mail server that was representing itself as our mail server and received the message 12 hours later. Interesting that it took that long to deliver the message and surprising that they would try to intercept messages and authentication information in this fashion. If I remember correctly, this was the Hilton in Chicago. I can't remember the name of the organization that was providing the service for the hotel.
"Herf was on his honeymoon when he did this
A sure sign of trouble. Even a caveman wouldn't do that.
or run this as a cgi script on a webserver http://www.jmarshall.com/tools/cgiproxy/ not that 'anon' but better and no adverts either. No website should be without one and we have it running too
They're intercepting all of the SMTP traffic outbound ostensibly to prevent spammers from renting a room for the night and using their "high-speed" access to cover their tracks. Since my SMTP server can use the alternate authenticated (and SSL encrypted) ports, they're not dinking with my email right at the moment- either way. Their little mail proxy engine is like an open relay and gets rejected by other mailservers if they've got those sorts of countermeasures on. I'd sent some emails to my friends and wife back home to my personal domain- got a bounce that didn't make any sense- it was coming from ME, through what claimed to be a symantec based mailserver. I promptly changed access methods and have had no issues since- I'm not going through their garbage for anything but the web- soon, I probably won't even be doing that much.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Or just use OpenVPN. I use this on my laptop. Set it as the default route, use the internal DNS and you're good to go. I also use an internal proxy server. So when I'm at a coffee shop or hotel doing some work, the only thing they get to see is encrypted traffic to port 1194 (udp).
Over that connection I can do anything. Instant messaging, email, SSH, http, ftp, BitTorrent, etc.
"It ain't a war against drugs.it's a war against personal freedom" --Bill Hicks
.... for years. That's why I've begun to use a remote access product called the MobiKEY. It is a USB token that creates an SSL tunnel with 2 factor authentication (some sort of PKI based scheme) to your home/work computer. The company that makes this has a managed service called MobiNET that helps to broker the connection so that even Joe Sixpack can connect anywhere there is a net connection. Also, since it's SSL, I don't have to change my firewall settings.
By using this product, nobody can snoop on my activities and I can do what I have to do in complete confidence. Problem solved.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
Collectively and out loud: "Oh yea...VPN, that's what we should be using..."
Learn to set it up in your home and stop whining about people who track you, unless your cable company is tracking you....
Are these guys based in Soviet Russia by any chance ?
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
"What? This security dialog box is warning me that this certificate is unsigned! Better click 'ok' so I can see my bank account anyways."
Slow Down, Cowboy! It's been 60 minutes since you last successfully posted a comment.
On his honeymoon?
wow, that's a relationship with a good start.
The only reason that spam is alive right now is because of its horribly low cost: it costs nothing, basically, to send junk mail through the internet. That nothing would be increased by about $70 a day for a hotel room with high-speed internet.
Ninjas and pirates. How piquant.
In Soviet Russia, even the hotels are watching you...
"Notably, I've observed these guys tracking HTTPS URLs, and of course you can't track those through a proxy."
I wouldn't be so sure about that...
http://www.bluecoat.de/solutions/performance/secure_apps.html
"The solution starts with Blue Coat's patented proxy technology, a core part of all Blue Coat SG appliances. Because a proxy is an active device (i.e., it terminates traffic), it acts as both the server to the client, and the client to the server. Thus, within an SSL session, Blue Coat SG appliances terminate the encrypted connection, inspect the traffic and apply all appropriate MACH5 acceleration techniques to its content, then re-encrypt the traffic and send it its destination. "
>>Notably, I've observed these guys tracking HTTPS URLs, and of course you can't track those through a proxy.
Um, yes, you can. It is possible with today's hardware.
Here are a few;
http://www.esafe.com/eSafe/traffic_solutions.asp
Another;
http://www.scmagazine.com/us/products/productdetails/94de9e89-b7a1-6d6f-9479-84b866a2ffab/webwasher-1000-csm-appliance/
http://www.cyberguard.com/products/webwasher/webwasher_products/csm_appliance/index.html?lang=de_EN
"WW1000 has the ability to scan encrypted SSL"
The days of HTTPS being valuable are long gone. We can look inside this traffic realtime. I monitor & block traffic to HTTPS sites myself..
I use FreeNX to go back to my home desktop through a ssh tunnel. I use the local desktop only if I want some multimedia -- I'll start streaming a radio station, then pull up my home desktop, etc.
FreeNX is fast enough to make this viable.
You get a lot of advantages from doing it this way. There's the privacy angle, which is a big thing. But you also get your main desktop -- the one with all of your stuff on it.
And you don't need a really fast laptop. Once it's fast enough to run FreeNX, you're ok. I use a thinkpad I bought on ebay for $200. It's not just cheap, it's from the era when laptops ran cool enough to actually hold on your lap.
I will speak from mine: I have no doubt. Nerds are actually very attractive to certain women. They like the reliability and equality. Many have been seriously burned being arm candy for jocks & preps.
You might be on to something there...
iSKUNK!
I find it somewhat strange/funny that the majority of hotels having these systems in place seem to be the "expensive" ones. Marriott, Hilton, etc..
From my experience (a few different positions) in the hotel industry, the less expensive hotels (Econolodge, Travelodge, Red Roof, etc..) typically don't have these tracking systems. The downside is that their networks are usually less secure, because many don't have any sort of authentication outside of a WEP/WPA key. The tracking systems aren't found at these hotels because of the high setup costs (usually in the $1,000-3,000 range) and fees. It's not cost effective for the rates charged at these places, so they often end up with some sort of homebrew solution (kind of like the one I set up at a place -- used WRT54Gs authenticating to a FreeRADIUS server) which is less expensive to set up, and ends up being less expensive in the long run by only having to pay for a separate Cable/DSL connection. As previously stated, the downside here is security most of the time.
It really turns into a pick your poison-type situation. Regardless, I'd go along with the VPN/SSH Tunnel mentality. You never know what that front desk worker is doing downstairs in their free time.. *grin*
But that reasoning is flawed. You see, all it takes is recruiting one of numerous zombie-net spammers to do your dirty work. No way you're going to get caught. If you go at it from a Hotel room, you're possibly going to get caught.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
What is this 'Herf' person thinking, signing onto his laptop while on honeymoon?
Well, maybe he was logging onto Picasa to do some uploading...?
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
As a former employee of a hotel service provider, we would certainly store MAC addresses indefinitely, proxy (and occasionally read) outgoing email (and deny SMTP service for the flimsiest of pretexts), and best of all, t2 support would often tail the squid logs in search of the best pr0n. If the company had been in any way organised you can bet we'd have been selling (aggregate only! honest!) data to the first bidder.
And don't even get me started on the plan to introduce targeted ads direct to the browser on *every page*. What? you think we used squid for performance?
Dynamic Proxy with OpenSSH:
ssh -C -D NNNN user@host
where NNNN is a port on the local machine. Just set up your network applications to use localhost:NNNN as a SOCKS5 proxy.
If you are paranoid, make sure DNS lookups are done via the proxy too.
To do that in Firefox, go to about:config in the location bar and make sure that this is set:
network.proxy.socks_remote_dns = true
Is anyone else reminded of the Babylon 5 episode "Day of the Dead"? Where Garibaldi rigs, in his quarters, a comm channel for Lochley while there's a hot female Marine on his bed waiting for him? IIRC, the marine said something like, "It's a good thing we didn't hook up back then; I would have killed you inside two months."
But, seriously, one time I was trying to install some packages on my Gentoo laptop at a hotel, and the downloaded files were coming up corrupt. Turns out that when Gentoo went to fetch the files with wget via http, the hotel would occasionally intercept the connection and respond with a page that was just a graphic that said "You are being connected...", with a <meta> tag that reloaded the page in two seconds. Wget, treating the data as binary, just figured it was a partial download and then went to hit the next mirror to get the rest of the file, so in the end, I had files with the right file size, but the first 400 bytes or so were corrupt.
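The failure described in the comment above, modelled as an added example (it is not part of the original post and is not wget or Gentoo code): a resumed download keeps an intercepted HTML page as the file's first bytes, so the size check passes and only a digest comparison catches it. The payload, the portal page and the helper names are constructed for illustration, and the expected size and SHA-256 are assumed to come from a source the local network cannot alter.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    OK = "ok"
    SIZE_MISMATCH = "size mismatch"
    HTML_SPLICE = "HTML page spliced into file"
    DIGEST_MISMATCH = "digest mismatch"


# Byte patterns that indicate a web page where binary data was expected.
HTML_MARKERS = (b"<html", b"<!doctype html", b"<meta http-equiv")


def starts_with_html(data: bytes, window: int = 512) -> bool:
    """True if the first bytes look like a web page rather than the payload."""
    head = data[:window].lower()
    return any(marker in head for marker in HTML_MARKERS)


def resume_from_mirror(partial: bytes, mirror_copy: bytes) -> bytes:
    """Model of a resumed download: keep what is already on disk and fetch
    only the remaining byte range from the next mirror."""
    return partial + mirror_copy[len(partial):]


def verify_download(data: bytes, expected_size: int, expected_sha256: str) -> Verdict:
    """Check size first, then the digest; on a digest failure, say whether
    the cause looks like an intercepted HTML response."""
    if len(data) != expected_size:
        return Verdict.SIZE_MISMATCH
    if hashlib.sha256(data).hexdigest() == expected_sha256:
        return Verdict.OK
    return Verdict.HTML_SPLICE if starts_with_html(data) else Verdict.DIGEST_MISMATCH


# Constructed sample data: a 4096-byte "package" and a 400-byte portal page.
GENUINE = bytes((i * 31 + 7) % 256 for i in range(4096))
GENUINE_SHA256 = hashlib.sha256(GENUINE).hexdigest()
PORTAL_PAGE = (
    b'<html><head><meta http-equiv="refresh" content="2"></head>'
    b'<body><img src="connecting.gif" alt="You are being connected..."></body></html>'
).ljust(400)

# The first request was intercepted; the "rest" came from a real mirror.
SPLICED = resume_from_mirror(PORTAL_PAGE, GENUINE)

if __name__ == "__main__":
    print("same size as genuine file:", len(SPLICED) == len(GENUINE))
    print("genuine:", verify_download(GENUINE, len(GENUINE), GENUINE_SHA256).value)
    print("spliced:", verify_download(SPLICED, len(GENUINE), GENUINE_SHA256).value)
```

The digest is only as trustworthy as the channel it arrived over, so it should not be fetched over the same plain-HTTP connection as the file.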
I work for a certain hotel company, I'm the person who you get when you call to make a reservation. If you have any kind of identifying profile or number, then your activity is being tracked. Whether you stayed on business or pleasure, who your companion was, what floor you like, how many beds, on what occasion you decided to stay at the hotel...any information I can gather about you, I am paid to gather. We use an integrated soft phone that is linked with our reservations system. I know what number you are calling from. If you have stayed with us before, chances are you have a profile, and I have your address, credit card number, and possibly how many kids you have. The hotels want your business so badly, they want to REALLY get to know you, and have your favorite flower on the bed when you come in, or if you know the concierge well enough, your favorite escort. So if you want to keep your personal info "secret", don't earn points towards that free stay, and don't get a profile number. We get paid extra for making these profiles, so watch out for people just making you one, without your expressed consent. It happens all of the time. I watch it happen every day. I'm looking for a new job.
Hotel Connectivity Provider SuperClick Tracks You!
Oh, wait...
So say we all
In light of this information, it is obviously the duty of every red-blooded geek to fight back by stealing free porn from any hotel which uses this system.
That's my solution as well. I've looked into OpenVPN, but it looks quite complicated to set up in comparison. Of course most browsers do not route their DNS queries through SOCKS despite the fact that SOCKS5 can do that. So the hotel's DNS server can still get an idea of where you're going.
Need a Python, C++, Unix, Linux develop
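What "DNS via the proxy" means on the wire, as an added example that is not part of either post (it relates to the network.proxy.socks_remote_dns comment and to the comment just above about browsers not sending DNS through SOCKS): a SOCKS5 CONNECT request carries either a hostname, which the proxy resolves, or an address the client already resolved on the local network. The code follows RFC 1928; the function names are hypothetical, and bank.example and 192.0.2.10 are constructed placeholders.

```python
import ipaddress
import struct
from typing import Optional

VER, CMD_CONNECT = 0x05, 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect(host: str, port: int, resolved_ip: Optional[str] = None) -> bytes:
    """SOCKS5 CONNECT request (RFC 1928, section 4).

    resolved_ip=None -> send the hostname; the proxy resolves it (remote DNS).
    resolved_ip set  -> the client already looked the name up on the local
                        network and sends only the address (local DNS).
    """
    if resolved_ip is None:
        name = host.encode("ascii")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        ip = ipaddress.ip_address(resolved_ip)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect(data: bytes) -> dict:
    """Parse a CONNECT request and report which side resolved the name."""
    if len(data) < 5 or data[0] != VER or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp, body = data[3], data[4:]
    if atyp == ATYP_DOMAIN:
        n, body = body[0], body[1:]  # one length byte, then the name
        resolver = "proxy"
    elif atyp in (ATYP_IPV4, ATYP_IPV6):
        n = 4 if atyp == ATYP_IPV4 else 16
        resolver = "client"
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    if len(body) != n + 2:  # address bytes plus a 2-byte port
        raise ValueError("truncated or oversized request")
    raw, (port,) = body[:n], struct.unpack("!H", body[n:])
    dest = raw.decode("ascii") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(raw))
    return {"dest": dest, "port": port, "resolved_by": resolver}


def locally_resolved(requests):
    """Destinations whose DNS lookup happened before the proxy saw them,
    that is, outside the tunnel."""
    return [r["dest"] for r in map(parse_connect, requests) if r["resolved_by"] == "client"]


# Constructed sample: the same visit with remote DNS on and off.
REMOTE_DNS = build_connect("bank.example", 443)
LOCAL_DNS = build_connect("bank.example", 443, resolved_ip="192.0.2.10")

if __name__ == "__main__":
    for req in (REMOTE_DNS, LOCAL_DNS):
        print(req.hex(" "), parse_connect(req))
    print("resolved outside the tunnel:", locally_resolved([REMOTE_DNS, LOCAL_DNS]))
```

A request that arrives at the proxy with a bare IP address means the name lookup went to whatever resolver the local network handed out, so the hotel's DNS server saw the hostname even though the connection itself was tunnelled.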
Since male reproduction is more variable than female, women are torn between aggressive and nurturing males. Sometimes riskily resolved by cuckoldry. The assumption is that other women's daughters won't find nurturing sons as attractive. Probably an equilibrium thing: too many aggressors don't help enough but there are large rewards if there are too few. A predator-prey cycle.
"Sperm Wars" [Robin Baker] begins to scratch the surface (if you can tolerate the lurid examples). But evolution is not about kids. It's about grandkids and beyond.
This was my worry in all the activity to provide municipal wireless around the country.
Our tax dollars are going to build out networks that are going to be used, in this fashion, to track our activities - probably as a revenue source, by selling our personal information to advertisers (or worse).
And then, the whole shebang will be sold to a monopolist for pennies on the dollar by crooked politicians.
Other than that, I think municipal wireless is a great idea. . .
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
Just wondering here, wouldn't you also need to run Privoxy or something similar (an HTTP proxy) on the remote server?
My thought would be that you'd need to have a remote server (say at home, on your broadband connection), hopefully with a dyndns name, running sshd and Privoxy. Then from your laptop, you'd establish an SSH tunnel that would go from port 80 on the local machine, over the SSH pipe, and exit into Privoxy's input port on the server. Then it would go through Privoxy, to the web, and return the same way.
This avoids having to actually set up a SOCKS5 proxy that accepts external connections; you can set Privoxy to accept only connections from the localhost, and do the local-remote machine connections via SSH. Although it's probably more complicated than just a proxy, it seems like setup would be easier.
I think this would be possible to set up, even on a Windows machine.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Note that OpenVPN can be set up to use a TCP connection instead of a UDP connection, and it uses SSL. No need for weird things like GRE that might not make it through.
You could always put OpenVPN on a port other than 1194 if you think you might run into port blocking, too.
Oh, no! You have walked into the slavering fangs of a lurking grue!
Quantcast pays them for the data, which offsets the cost of the connection. In turn, Quantcast gets usage data for people that are in the "can afford to stay at hotels" demographic. (I've always thought this was an immoral practice.) See: Quantcast FAQ: How do you collect your data?
Maybe he married a geek/nerd from the opposite sex and they just checked things out together... In that case: better than sex. :)
Many legit sites don't bother to get "real" certificates from Verisign or wherever. I'm forever clicking "yes" already.
As others have noted, it's good to proxy. And it's wise to assume the worst about hotel networks; no, any foreign network; no, any network; no, any communications medium. Probably even your own thoughts.
Problem solved.
Shouldn't be trusting another person's network in the first place.
---- Booth was a patriot ----
For the last 3 years I have worked for another pay to use wireless service. I won't say the name but we supply most of the wireless service in Hiltons, Radissons and Embassy Suites in the United States.
Thankfully it sounds like they are not even trying to lie about what is happening, and are saying they are trying to push advertisements to their wireless users so I don't need to explain why they wouldn't be using a proxy.
After a user authenticates at a location there is no need for any of this redirecting per page every time a user tries going to a different site. Any good wireless gateway (and many bad ones) simply track each user using a session assigned to their MAC address on the gateway. Nothing needs to be done to track service usage as long as they are active.
The only reason (and I don't know why they haven't been using this as the excuse) is to be able to claim monitoring illegal web usage such as kiddy porn or illegal music downloads. We had a few places claim they needed to be able to track this, but we dropped them instead of willingly tracking users for a b.s. reason.
This is just another case where a company that is charging for a service is trying to make even more money doing secretive and underhanded business practices.
TruePunk | Games
He's correct.
With the first link, the chain is forged.
IT experts should put together criteria that measure objectively how well a given business protects customer privacy (or doesn't). Turn that into a workable auditing process with star ratings (1-5 stars) or Gold, Silver, Bronze certificates and businesses will have an actual incentive to "prove" that they take their customer privacy seriously.
Where I surf and what pages I look at and various other tidbits about my personal preferences and habits are valuable commodities. Companies wouldn't be pursuing that information so aggressively if it didn't have any value. So if a hotel wants to offer me free internet service in exchange for letting them see where I go and serve ads to me, sure I might consider it. To take that information without informing me and offering some sort of consideration is just shady if not outright thievery. Charging me for the privilege of helping fill their coffers is insult added to injury. It's crap like this that makes me seriously consider going to law school. I'd love to try a case like this based on the idea that it's stealing and not privacy invasion.
We are programmed to receive.
You can check out anytime you like,
But you can never leave!
I wish I could mod that up, but since you replied to me, I can't.
I didn't know about that setting, and that's excellent information. Hope others mod you up.
Depending on the hotel, the terms of service can claim all sorts of crazy things. Whether these are enforceable or not is another matter (IANAL). I usually anticipate that they reserve the right to log just about anything, but the worst I've seen was from a hotel in San Francisco. The service there (which wasn't even free at the time - 2003), claimed that anything you uploaded through the service you provided a perpetual, royalty-free license for them to do whatever they want with it. This would mean that on a business level, this would make this hotel service have the ability to redistribute any work you transmit over the internet, which is absurd. Now, I've often seen terms like this for specific websites (like forums), or claims that you are providing the ISP with the right to route your traffic as needed (which is probably legally implicit in your using an ISP).
When it comes to where you've been and what you've transmitted, I assume that many places log everything. If you don't like it, that's what VPNs are for. However, claiming a perpetual license to anything you transmit is just insane.
"The universe seems neither benign nor hostile, merely indifferent." --Carl Sagan
You might want to check your VPN (unless you set it up, of course). I know that mine doesn't actually encrypt and tunnel traffic that's not destined for my company's servers.
E.g., everything going to $COMPANY gets pushed through to the VPN interface, but everything else just goes to eth0/wlan0. So when I'm sitting in Starbucks on the wifi, my corporate email would be encrypted but my personal mail wouldn't. (And for the record I'm not bitching here; I think this is a fine setup and I don't think that my company has any reason to tunnel all the traffic, and I don't really want them to.)
It's pretty easy to tell what's happening: start up your VPN and ping a computer in your home LAN (or something else that's nearby in the network). Then disable it and repeat the ping. If the pingtime drops substantially, then it was being tunneled; if it doesn't change then it's not. Alternately you can also just ping a server in your home LAN and then one on your corporate network, if the home server's ping is the corporate one's, then you're not tunneling, while if it's the same or longer than it is.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
if the home server's ping is much less than the corporate one's
Should have used preview...Slashdot ate my "much less than" sign.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Just relakks!
/happy customer...
I think his wife would disagree.
Or rather, that's not dedication *wink*.
Me lost me cookie at the disco.
If anyone in Australia notices this, check the terms & conditions of use and the hotel's privacy agreement. You may be able to take legal action against the hotel.
;-)
Or ask them for your money back
That author hasn't even read the sites she's criticizing (which teach men to be confident.. do you really want to be with a woman who's attracted to guys without confidence??)
Be nice, be a jerk, be a jock, be a nerd, be shy, be outgoing, whatever, just be CONFIDENT, and LEAD most of the time, and you'll have tons of success with women. Pretty simple.
(Here, have a complimentary question mark: ? )
Erm, OTTOMH: they provide it to encourage people to visit? Works perfectly well for complimentary soap, coffee, maps, condiments, magazines, question marks, and all the other things such places provide. They may not be making 'a buck' from all those things directly, but you can bet the increase in customer numbers is improving the bottom line to some extent. (Otherwise, as you say, they wouldn't do them.) But that's no reason to infer snooping on your traffic.
(No reason not to, either, of course! But you'll need some other argument for that.)
Ceterum censeo subscriptionem esse delendam.
http://www.mysecureisp.com/ is a good one.