Slashdot Mirror

← Back to Stories (view on slashdot.org)

Covert BT Phorm Trial Report Leaked

Posted by CmdrTaco on from the look-at-what-someone-found dept.

stavros-59 writes "An internal BT report on the BT secret trials of Phorm (aka 121Media) Deep Packet Inspection has been revealed on Wikileaks today. The leaked document shows that during the covert trial a possible 18 million page requests were intercepted and injected with JavaScript and about 128 thousand charity ads were substituted with the Phorm Ad Network advertisements purchased by advertisers specifically for the covert trial period. Several ISPs are known to be using, or planning to use, DPI as a means of serving advertising directly through Layer 7 interception at ISP level in the USA and Europe. NebuAd claim they are using DPI to enable their advertising to reach 10% of USA internet users." CT: nodpi has updated their page with a note that says that the charity ads were "purchased and not hijacked"- read there to see what the latest is.

8 of 292 comments (clear)

  1. For the uninitiated by Anonymous Coward · · Score: 4, Informative

    BT stands for "British Telecom," Something they failed to mention, except in TFA

    I hate it when people use too many arbitrary abbrivations. Let's start actually typing out names to set a context, then let people abbrivate in comments...

  2. Re:Ouch by KnightMB · · Score: 5, Informative

    That's a big leak and a big privacy breach, but can this realistically lead to legal action against BT? Whether it does or not, someone has already taken the initiative to setup a page to generate fake web pages (or real ones) to pollute the data they collect. So if you can't get them out legally, you can make the data they collect useless, which hits them in the pocketbook and might be more effective than legal countermeasures. You'll find the site here: http://wanip.org/anti-nebuad/ in which every browser becomes a data-mining polluter when it's run. Get enough those on a suspect ISP and watch the CEO's have a heart attack from the "pollution attack".
  3. Re:Ouch by Janos421 · · Score: 5, Informative

    The browsed pages do not exist, so you never download pictures or js files. It's very easy for an ISP to filter these requests, they can filter the HTTP response code.
    Two FF exntensions generate fake queries on search segines to pollute the collected data (at search engine level, but it also pollute ISP data). SquiggleSR and TrackMeNot. Notice that the former also clicks on non-sponsored results and may deceive cookie tracking.

  4. Re:Um, Replacing Charity Ads? by fhage · · Score: 3, Informative

    TFA says BT purchased the ads they replaced. The Charities got free advertisements if they were not replaced.

  5. Re:Loss of Common Carrier Exemption? by Red+Flayer · · Score: 5, Informative

    It occurs to me that, at least in the US, an ISP that does ad injection *may* be losing its common-carrier status by changing the information that they convey from a Web site to the subscriber.
    Newsflash: ISPs do not have common carrier status.

    This means that whatever safeguards you associate with common carriers, are not enforceable wrt ISPs. A lot of the big ISPs are very happy with the current situation, since they basically get the benefits of common carriers, without the drawbacks (such as not be allowed to throttle certain users).
    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  6. Re:Advertisement Injection by VC · · Score: 3, Informative

    Actually its a terrible idea. SSL only works because you know that the connection is encrypted between you and the person you're talking to. SSL to an untrusted host is just as bad as no ssl because the man-in-the-middle (which is kind of the definition of an ISP) could easily produce a certificate that says, "hey, I'm what ever page you wanted to look at". And the insert ads.

    --
    Official GOD FAQ.
  7. Re:Advertisement Injection by jonaskoelker · · Score: 4, Informative

    You could do something almost good enough, though, that's done completely on the client side:

    Let's say you're sending index.html. Take a hash of the page, put the hash early on the page.

    In the bottom of the page, insert javascript code that removes the hash value, hashes the page, and compares it to the removed hash. If they mismatch, do an alert("warning: the page has been tampered with since it left Foocorp.com's servers."). The hash function doesn't have to be overly secure; here is actually a good time to write your own bad crypto.

    The ISP would then have a hard time modifying the page, because they would have to generate the hash value of the modified page before seeing the page they want to modify only slightly.

    They could, of course, buffer the whole page (if the server sends it out, or it could spoof your ACKs) and run the javascript on their modified version to compute the hash function. But how are they to know which functions to call? Include an infinite loop and some exploits that you never call yourself if you want to be really disruptive.

  8. Re:And created a copyright violation by mikael · · Score: 4, Informative

    This was discussed in the forum digitalspy.co.uk

    Phorm in the UK

    One business user was updating the website for his home business. He used his home network connection to inspect the appearance of his website. To his surprise, he could not understand why the format of his website was consistently different from what he had intended. Disturbed by this, he reinstalled the OS on all his servers in fear of being rootkitted, rechecked all his security settings, reconfigured his firewall, and performed a packet trace on every connection made. In the end he noticed that various links on his webpages were being changed and that in particular some were coming from dns.sysip.net. Basically, this system redirected any links to adverts back to Phorm servers.

    Customer who was Phormed

    --
    Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads