Slashdot Mirror
Tool Detects "In-Flight" Webpage Alterations
TheWoozle writes "In a follow-up to a recent story about ISPs inserting ads into web pages, the University of Washington security and privacy research group has teamed with the International Computer Science Institute (ICSI) to develop an online tool to help you identify if your ISP is inserting ads or otherwise modifying the web pages you request."
If that isn't desirable, do a patch to Apache that creates a header that holds a hash of the content.
The hash gets calculated once for static content, which is usually the bulk of the traffic, no? So
not too big of a hit.
Browser sees content. Browser sees hash. Browser compares the two...
--
Censored by Technorati and now, Blogger too!
Do we sue the ad folks for inserting ads and stealing content? I mean, in just about any other medium this would wind up in court overnight as copyright and stolen content and so on. But now we have a circumvention tool to detect it...so are we going to get sued under DMCA like nonsense for attempting to circumvent the ad insertion?
The only change I can believe in is what I find in my couch cushions.
ISPs intercepting, altering results from online security tool
The only surefire protection against Microsoft infections is abstinence. - The Onion
We (the authors of the page) will be answering questions in this thread.
Test your net with Netalyzr
What if the ISP is simply putting the web-page in its own frame, and the advertisement in a second frame? Unless you add the ability for web-pages to dictate that they should not be in frames, this one can't really be trapped for like that. The ISP could create its own hash for the served web-page that holds the frames.
Ben Hocking
Need a professional organizer?
No need for thousands of "All good in Kalamazoo" & "Up to date in Kansas City" posts.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
A friend of mine had a similar problem with his webpages. They were on a free host (rolls eyes). I wrote a script for him to store special tags to denote the beginning and the end of his webpage content. After the webpage was loaded, a script erased everything and replaced all the html with his marked content. Ta-da, no ads!
If you want to be stricter, encode your webpage content with base64 to make sure the ads don't intrude your precious content.
My hosting service (the University of Minnesota) sticks a little legal disclaimer (some h5 tags) in a contrasting colot at the bottom of every HTML page it serves for non-official accounts. It's the typical "The University of Minnesota is not responsible for the content...blah blah blah" message.
A certain ISP in Canada delt with this not long ago...
they're not talking about the ISP hosting the web page, they're talkign about your ISP adding ads to random sites that you visit. client-side, not server-side.
It's not the host ISP that's inserting the ads, It's the "Client" ISP, for example Joe Smith buys a computer and buys high speed internet from "ECI" the Evil Cable ISP. Joe Smith visits Bob's Website, Bob, who hates ads never put any on his webpage, and instead makes his money through online sales of his product. Now Joe loads up Bob's webpage to purchase a widget from Bob, and he sees Ads all over Bob's Website. Bob who has GHI (Good Highspeed ISP) visits his website and there's no ads. ECI is putting the Ads on Bob's website. and collecting all the revenue from those ads. Profiting off of Bob's Website.
It seems that everyone is concerned about downstream modification, and is completely ignoring the possibility of upstream modification. What if Sprint started modifying upstream http-posts to start a more viral ad distribution system? Not only would they be able to target their customers, they would also be able to target the customers of anyone who could read the post!
This is the reason that we need to push for network neutrality. When the only choices are between a giant douche which alters content and a turd sandwich which alters content, the customer ends up screwed in the end.
Karma: SELECT `karma` FROM `users` WHERE `userid`=138474;
We've seen a couple cases of NebuAdd, one other that looks interesting, and a fair amount of addblocking/firewall software (eg, ZoneAlarm does some modifications)
We are waiting for the Slashdot and DIGG deluges to pass, however, before we have a more detailed analysis.
Test your net with Netalyzr
These guys actually want as much traffic as they can get to get a good idea of what isps are doing what. Go ahead, click online tool. It's pretty nifty.
If you are about to mod me down, keep in mind that this post was most likely sarcastic.
Years ago on one April Fool's day, I got a list of ad sites (from the usual /etc/hosts files out there), then got the internal DNS server to resolve them to a server that served up the company logo instead (for all possible url paths).
:). Nope I didn't get fired or even reprimanded - plus even better - I was saving company bandwidth (remember this was years ago)... Nobody complained about the lack of ads from ad.doubleclick.net and gang.
FWIW, seemed only one person noticed that the forbes page they loaded somehow had the company logos everywhere
I toyed with the idea of substituting ads with reminders (meeting at 2pm, or "you have been on slashdot for 2 hours!") and other more useful information.
Lastly, I don't think their naive hashing thing checks if you are altering the images - the content may remain unchanged, but linked to contents may change (they aren't checked from what I see), so it doesn't work for my scenario where different ads are substituted for the unaltered URL.
That said, I'm still curious on:
1) How many ISPs would bother modifying traffic from those 7 destinations they are testing.
2) What the various laws around the world say about this.
3) What those laws say about "sponsored internet access" where an ISP gives a cheaper package/plan where the ads are substituted with the ISPs advertisers with the risk of some corrupted info.
4) What those laws say about "streamlined internet access" where an ISP provides a package/plan where ads and other crap are removed (or modified) for their customer.
..why not just use SSL?
I can understand how this wouldn't help with hosting ISPs who insert ads into their own customers' pages, but if you're worried about your readers' ISPs modifying your pages, SSL seems like a no-brainer.
What's the downside? It can't still be CPU, can it? It's 2007 now, and processing power is ridiculously cheap/fast.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Are you pretending to be mentally challenged in order to troll, or do you really not understand even after having it explained to you a little further up the page? It is not the developer's ISP, or the hosting ISP that is doing this! It is the ISP of the people looking at the page. So, you left out a step in your patented eyeball method: signing up for every ISP in existence and loading your page, to see if that particular ISP does it.
- None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
This is a war however which we can make damn difficult by using virus-like mutation techniques, so that every checker looks different: force THEM to solve the AV defender arms race.
As long as the actual API used by the Javascript is common enough that the ad-injectors can't recognize and block our code by keeing in on the API calls rather than the overall Javascript.
The proper solution, adding integrity checking to all HTTP, seems like its not happening.
Test your net with Netalyzr