Major ISPs Injecting Ads, Vulnerabilities Into Web
Rebecca Bug writes "Several Web sites (Wired, eWEEK, The Washington Post) are reporting on Dan Kaminsky's Toorcon discussion of a serious security risk introduced when major ISPs serve ads on error pages. Kaminsky found that the advertising servers are impersonating, via DNS, hostnames within trademarked domains. 'We have determined that these injected servers are, in fact, vulnerable to cross-site scripting attacks. Since these servers are being injected into your trademarked domains, their vulnerability can be used to attack your users and your sites,' Kaminsky said, identifying EarthLink, Verizon and Qwest among the ISPs."
It could get really touchy if they're serving targeted ads. It's one thing if I type my company's name into a Google search and get served competitors' ads, but if an existing or potential customer tries to visit my site, mistypes, and ends up with an ad for the competition, I'd go ballistic. It would seem a pretty open and shut violation of my brand name and good reputation.
I can see doing this for nonexistent domains
I can't. That's exactly what Verisign tried doing a few years ago, and got bitchslapped for because it breaks things. Not every piece of equipment that connects to the Internet and uses the Domain Name System is a Web browser, you know, and many of those systems expect a failed resolution attempt to return the proper error codes. These corporate bastards should be required to honor the basic Internet standards that exist, and which millions upon millions of networked machines depend upon for proper operation. Failure to do so should involve hundreds of millions of dollars in penalties and lost tax breaks, because their arrogance costs everyone else at least that much when they pull stunts like this.
Bloodsucking leeches, all of them. These jerks are just asking for some heavy-handed regulation to be applied to them: if they don't want to be forced into being common carriers, they'd damn well better act responsibly. Contrary to what these idiots may think, the Internet is not a private profit-making engine built exclusively for their use. It's reached the point of being a public utility, as important to our well-being as clean water. Sure, maybe as individuals we can live without our personal Internet connection: the supply chain which provides us with vital goods and services cannot.
The higher the technology, the sharper that two-edged sword.
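Added example (not part of the thread or written by any poster): one way to check whether a resolver returns the proper error code for a name that does not exist, or substitutes an answer as described in the story. The function names, the sample replies and the choice of probing a random label under a zone you control are assumptions made for this sketch.

```python
import secrets
import socket
import struct

NXDOMAIN = 3  # RCODE "name does not exist" (RFC 1035)

def build_probe(zone, txid):
    """Build an A query for a random label that should not exist under zone."""
    name = f"{secrets.token_hex(8)}.{zone}"
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    return name, header + qname + struct.pack("!HH", 1, 1)     # QTYPE=A, QCLASS=IN

def classify_response(packet, txid):
    """Classify a resolver's reply to a probe for a nonexistent name."""
    if len(packet) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID, or QR bit not set
        return "malformed"
    rcode = flags & 0x000F
    if rcode == NXDOMAIN:
        return "honest"        # failed lookup reported as a failure
    if rcode == 0 and ancount > 0:
        return "rewritten"     # an answer was synthesized for a bogus name
    return "inconclusive"      # SERVFAIL, REFUSED, empty NOERROR, ...

def probe(resolver_ip, zone, timeout=3.0):
    """Send one probe over UDP to resolver_ip and classify the reply."""
    txid = secrets.randbits(16)
    _name, query = build_probe(zone, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        try:
            data, _addr = s.recvfrom(4096)
        except socket.timeout:
            return "inconclusive"
    return classify_response(data, txid)

def sample_reply(txid, rcode, ancount):
    """Constructed reply header (QR=1, RD=1, RA=1) for offline checks."""
    return struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, ancount, 0, 0)
```

Run `probe()` several times against the resolver your DHCP lease hands out; a consistent "rewritten" result for random labels means non-browser clients on that network never see NXDOMAIN.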
Actually, the copyright owners of said domain CAN, and SHOULD demand ALL revenues that the ISP derived off of the serving of said ad pages, and any other related income they received as a result of said copyright violations.
I keep saying, this is like the NAFTA and WTO, they can be tools for the masses or for the masters, but so far, only the so-called "masters" have used them. Peons will be peons.
"What luck for rulers that men do not think" - Adolf Hitler
Oops, did I forget to mention?
By hijacking the website, ANY possible damage that is incurred by the person visiting the website, that could not have occurred from said website, can and should be used to hold the injecting ISPs liable for "fraud", "wire fraud", "internet fraud", "conspiracy to commit fraud", "electronic fraud" along with any "accessory to fraud" charges that can be used. It isn't double jeopardy if they are tried for criminal trespass to chattel, though that might take someone with more knowledge of common law copyrights than I have. So hit them for criminal charges, and then sue them for damages.
One big ISP getting put out of business would teach the rest a pretty important lesson. "Stop fucking with Joe, he fucked back without even needing a lawyer. Joe's not very nice to assholes who impersonate him and put his customers at risk."
No way to complain? How about leaving Verizon?
I don't know how it works there (there being USA, and Verizon, specifically), but once I wanted to leave my old Internet Cable Company, they asked me to fill in a list of reasons for leaving.
I'm sure that if enough people leave for the same reason, someone will wake up and notice. And if they don't? Well, it's lost revenue.
Money is the only language companies understand.