Slashdot Mirror
Hotel Connectivity Provider SuperClick Tracks You
saccade.com writes "During my last hotel stay, I thought it was a pretty strange that it took two browser re-directs before the hotel's Wi-Fi would show me the web page I browsed to. Picasa developer Michael Herf noticed the same the thing and dug a little deeper. He discovered: '...their page does some tracking of each new page you visit in your browser, outside what a normal proxy (which would have access to all your cookies and other information it shouldn't have, anyway) would do. This "adlog" hit appears to also track a "hotel ID" and some other data that identifies you more directly. Notably, I've observed these guys tracking HTTPS URLs, and of course you can't track those through a proxy.' Herf notes the Internet service provider, SuperClick, advertises that it 'allows hoteliers and conference center managers to leverage the investment they have made in their IP infrastructure to create advertising revenue, deliver targeted marketing and brand messages to guests and users on their network...'" Herf was on his honeymoon when he did this sleuthing. Now that's dedication.
But it involved chocolate sauce, melted wax, and soft restraints. What is this 'Herf' person thinking, signing onto his laptop while on honeymoon? Go get laid you nerd!
I want to delete my account but Slashdot doesn't allow it.
If you've got the resources to run an SSH server at home, use Putty with a dynamic proxy and point your browser and IM clients to it via SOCKS5.
I wouldn't trust any network like that... even if the service itself isn't watching what you're doing, do you trust the other people on that network aren't?
Its easy to surf or do other network apps safely on questionable networks. At least among the Slashdot crowd its easy... but I've educated even my parents on doing that when using public or hotel internet and gave them an SSH account to use at my house.
that nowadays all his actions are watched and recorded. I live in the UK, which, I believe, has the highest ratio of CCTV cameras per head of population in the world. To me it's no surprise that when I log in at the Marriot I'm watched. Fortunately the first thing I do is establish a VPN tunnel to my company's network where I'm being watched by the CIO.
...)
Further than that, welcome to the modern world, cue the cliches (1984, quis custodiet,
init 11 - for when you need that edge.
You mean to tell me that Slashdotters, some of the most paranoid people on the planet, didn't just automatically assume hotels did crap like this on their networks to make extra money? Are people here that damned naive? The story that would be news would be a hotel that does *not* do this.
Any time I use a network that isn't my own, be it a hotel, restaurant, or even the public library, I just automatically assume that someone who wants to remain unknown is taking an active interest in what I'm doing. Otherwise, why would any of these places provide free networking in the first place. They aren't doing it out of the goodness of their heart and so they can sleep warm and cuddly at night. They're doing it because they've found other ways to make a buck off of it.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
He's on his honeymoon, but looks like he was lucky enough to marry another geek, so its all good
Or just use OpenVPN. I use this on my laptop. Set it as the default route, use the internal DNS and your good to go. I also use an internal proxy server. So when I'm at a coffee shop or hotel doing some work, the only thing they get to see is encrypted traffic to port 1194 (udp).
Over that connection I can do anything. Instant messaging, email, SSH, http, ftp, BitTorrent, etc.
"It ain't a war against drugs.it's a war against personal freedom" --Bill Hicks
.... for years. That's why I've begun to use a remote access product called the MobiKEY. It is a USB token that creates an SSL tunnel with 2 factor authentication (some sort of PKI based scheme) to your home/work computer. The company that makes this has a managed service called MobiNET that helps to broker the connection so that even Joe Sixpack can connect anywhere there is a net connection. Also, since it's SSL, I don't have to change my firewall settings.
By using this product, nobody can snoop on my activities and I can do what I have to do in complete confidence. Problem solved.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
Are theese guys based in Soviet Russia by any chance ?
Wanna fight ? Bend over, stick your head up your ass, and fight for air.
"What? This security dialog box is warning me that this certificate is unsigned! Better click 'ok' so I can see my bank account anyways."
Slow Down, Cowboy! It's been 60 minutes since you last successfully posted a comment.
I won't try to claim there is no evil in this instance...
However there are some providers that do the same type of thing with the genuine interest in helping the guest.
This is NOT uncommon; this is all about providing transparent network services. There are systems already out there (STSN, et.al.) that don't even require you to use DHCP.. If your IP is static, it handles the masquerading needed to make it work without your intervention, same for DNS and Mail.
Take for instance your mom and pop traveler, they are setup for cable broadband, their ISP comes to their home and hard wires the DNS and SMTP settings, and sometimes the IP. Mom and Pop go on vacation and bring their laptop, yes Virginia some non-geeks/non-business people own laptops. What settings do they need to know how to change in order to get online? At a minimum their IP is hopefully DHCP but I'll say that is not always the case, and also DNS which would be set by DHCP unless their IP or DNS settings are hard coded. In this case, the system would see the system using an IP that isn't part of the hotel network and wasn't assigned by the server, so it will do what is needed to make that IP work. Same thing goes for DNS, it will route all DNS requests to its internal DNS server, and sometimes ISP's don't allow public access from the outside.
As far as SMTP is concerned, would you be surprised that in this age of rampant spam that Mom and Pops ISP refuse connections from outside their network? Also in a growing trend, the ISP the hotel uses wants some assurances that the public access isn't allowing mass spamming. In this case the hotel(or their network provider) routes all SMTP traffic to one server on their network which queues it and sends it out. They could be doing spam checks or simply a queue threshold/throttle to limit the damage Mom and Pops zombified laptop can do.
That last point is also my last point, from the Hotel/ISP point of view you're using a computer that is not controlled by the person who owns the network. Most companies do not allow unsecured systems on their network, in a hotel, that is the idea... so measures must be taken to not only have the network adapt to the user but also to protect the host from their guests.
Honey. I thought you said you were getting me pearls and rubies?
Intron: the portion of DNA which expresses nothing useful.
What is this 'Herf' person thinking, signing onto his laptop while on honeymoon?
Well, maybe he was logging onto Picasa to do some uploading...?
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
As a former employee of a hotel service provider, we would certainly store MAC addresses indefinitely, proxy (and occasionally read) outgoing email (and deny SMTP service for the flimsiest of pretexts), and best of all, t2 support would often tail the squid logs in search of the best pr0n. If the company had been in any way organised you can bet we'd have been selling (aggregate only! honest!) data to the first bidder.
And don't even get me started on the plan to introduce targetted ads direct to the browser on *every page*. What? you think we used squid for performance?
Dynamic Proxy with OpenSSH:
ssh -C -D NNNN @
where NNNN is a port on the local machine. Just setup your network applications to using localhost:NNNN as a socks5 Proxy.
If you are paranoid, make sure DNS lookups are done via the proxy too.
To do that in Firefox. go to about:config in the location bar and make sure that this is set
network.proxy.socks_remote_dns = true
I work for a certain hotel company, I'm the person who you get when you call to make a reservation. If you have any kind of identifying profile or number, then you're activity is being tracked. Whether you stayed on business or pleasure, who you're companion was, what floor you like, how many beds, on what occasion you decided to stay at the hotel...any information i can gather about you, i am paid to gather. We use an integrated soft phone that is linked with our reservations system. I know what number you are calling from. If you have stayed with us before, chances are you have a profile, and i have your address, credit card number, and possibly how many kids you have. The hotels want your business so badly, they want to REALLY get to know you, and have your favorite flower on the bed when you come in, or if you know the concierge well enough, your favorite escort. So if you want to keep you're personal info "secret", don't earn points towards that free stay, and don't get a profile number. We get paid extra for making these profiles, so watch out for people just making you one, without your expressed consent. It happens all of the time. i watch it happen everyday. I'm looking for a new job.
Hotel Connectivity Provider SuperClick Tracks You!
Oh, wait...
So say we all
Note that OpenVPN can be set up to use a TCP connection instead of a UDP connection, and it uses SSL. No need for weird things like GRE that might not make it through.
You could always put OpenVPN on a port other than 1194 if you think you might run into port blocking, too.
Oh, no! You have walked into the slavering fangs of a lurking grue!
You call that a python?