Slashdot Mirror


Covert BT Phorm Trial Report Leaked

stavros-59 writes "An internal BT report on the BT secret trials of Phorm (aka 121Media) Deep Packet Inspection has been revealed on Wikileaks today. The leaked document shows that during the covert trial a possible 18 million page requests were intercepted and injected with JavaScript and about 128 thousand charity ads were substituted with the Phorm Ad Network advertisements purchased by advertisers specifically for the covert trial period. Several ISPs are known to be using, or planning to use, DPI as a means of serving advertising directly through Layer 7 interception at ISP level in the USA and Europe. NebuAd claim they are using DPI to enable their advertising to reach 10% of USA internet users." CT: nodpi has updated their page with a note that says that the charity ads were "purchased and not hijacked"- read there to see what the latest is.


  1. Ouch by mrbluze · · Score: 4, Interesting

    That's a big leak and a big privacy breach, but can this realistically lead to legal action against BT?

    --
    Do it yourself, because no one else will do it yourself. [beta blockade 10-17 Feb]
    1. Re:Ouch by siddesu · · Score: 5, Interesting

      not sure what the situation in the UK is, but in Japan some mobile phone operators have been doing this for a while with some phones. since probably half of the internet usage here happens over phones, it doesn't look like a small market.

      to make it even worse, my current provider not only injects ads while I browse, they also supply the advertiser with a unique ID, which I can't easily turn off. since the image is inserted on the server i also assume the phone is sending referer headers, so the advertiser can collect your browsing history (and, that being a phone, your URL session cookies too) for good measure.

      when i complained, i was told to go away, because there was no such thing as "personal" information being disclosed to the advertiser. to me such arrogance calls for more encryption as a kind hint to the ISPs to go and do the job i'm paying em for.

      unless, of course, that option is also defeated by the copyright cretins and the gubbermint, working hard together to prevent child pr0n and terrorists.

      in which case, thicker tinfoil will also be necessary.

  2. Re:Advertisement Injection by Rhys · · Score: 5, Interesting

    If you're paying for metered bandwidth, why are you accepting ads in the first place? AdBlock+ solves that problem very quickly.

    Past that, maybe we can start seeing more "regular" traffic served over https -- DPI or not, it looks like garbage unless you can break the encryption. If someone comes up with a way to do that, there are a lot more serious problems to worry about than ad injection.

    --
    Slashdot Patriotism: We Support our Dupes!
  3. Re:Um, Replacing Charity Ads? by zwei2stein · · Score: 5, Interesting

    It's actually a good thing they did this.

    Great way to influence public opinion against them and convince even usually non-caring people that something evil was going on.

    Now if only major news picked this up and made a big deal out of it...

    --
    -- Technology for the sake of technology is as pathetic as eschewing technology because it's technology.
  4. Misrepresentation by Rob+T+Firefly · · Score: 5, Interesting

    There's another issue. Say I post a banner for Charity X on my site, with a note saying "I support these guys with all my heart and soul, and I urge my readers to do all they can for this cause." You go to my site, but your ISP swaps said charity banner for an ad for personal ads or punching the monkey for a ringtone or some other damn thing, making it appear to you as though I'm imploring you to purchase something I would never willingly endorse.

    The ISP is then responsible for using my image to endorse their product to my readership, without my permission. Do I have recourse against them for perpetrating such a fraud? IANAL, etc.

  5. Possible temporary fixes.... by postbigbang · · Score: 4, Interesting

    1) write a checksum to a page; if it doesn't match (or another hashing method doesn't match) warn the user that the page has been intercepted and corrupted; the code might not be too tough

    2) Use page receipts to vet page authentication

    3) litigate, especially for copyright violation as the page has been misused by an intermediary for a purpose not intended by the page's author

    4) other solutions that someone will think of; stop the page vandals NOW!

    --
    ---- Teach Peace. It's Cheaper Than War.
  6. Loss of Common Carrier Exemption? by OmniGeek · · Score: 3, Interesting

    It occurs to me that, at least in the US, an ISP that does ad injection *may* be losing its common-carrier status by changing the information that they convey from a Web site to the subscriber.

    Consider that the data is being edited on-the-fly based on its content -- i.e., whether or not it's a banner ad. I think a good case could be made that this violates the conditions for a common carrier.

    Question is, does this have any legally useful consequences in trying to prevent ISPs from doing it?

    --

    "My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
  7. Re:Advertisement Injection by Nursie · · Score: 3, Interesting

    I like that idea actually.

    A sort of "You probably shouldn't trust me that much, but at least nobody's eavesdropping or screwing with the datastream" setting.

  8. Re:Advertisement Injection by Albanach · · Score: 3, Interesting

    A possible solution would be opportunistic encryption. It would allow some sites to serve encrypted traffic without changing anything at the apache/squid end of things. No change is needed at the browser level either, and caches can still be used.

    There's still a cpu overhead, but at least we don't lose all the other methods needed to keep http traffic flowing quickly.

  9. Term and conditions by TheP4st · · Score: 3, Interesting
    Excerpt from chapter 4, titled Terms and Conditions, of the document:

    Also consideration must be given to the opt-out procedure enabling the user to circumvent the system. The latter issue regarding opt-out could not be specifically trialed since BTRT conducted this test as a stealth trial.
    The system does provide an opt-out mechanism and this was laboratory tested and verified. However the method of opt-out requires consideration, since it involves the dropping of a web-cookie on the user's machine to indicate an opt-out preference, which if wiped by the user means they will be opted back in.

    The solution would of course be to make it an opt-in instead of opt-out. Most users would of course not opt in without seeing a clear benefit for doing so. One obvious benefit would be that those that opt in receive a discount on their internet connection. Simple and fair.
    --
    "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
  10. Re:I love it--use SSL for everything by TheGratefulNet · · Score: 3, Interesting

    SSL fixes nothing. the user is still stupid.

    I interviewed at a company (a few years ago) that had designed a hardware 'appliance' that intercepts SSL web comms and fools the user into accepting a fake cert that looks VERY VERY much like the real thing. he clicks 'ok' and whammo - he FEELS safe but his link is now MITM attacked and compromised. and he didn't even know it.

    technically, SSL didn't break but the middle box (cough cough) did some very evil things and asked both ends to talk to it, instead. essentially.

    how many people really scrutinize the MESS OF TEXT that comes up in those cert popups? even experts tend to say 'yeah yeah, OK' and click it away.

    moral: assume your company is using one of these boxes and go from there. over time, more and more companies WILL be snooping on their employees or users using these 'SSL feel good' faker boxes.

    be advised.

    --
    "It is now safe to switch off your computer."
  11. Legal Threats by AlexanderHanff · · Score: 3, Interesting

    Well, firstly I am glad to see that the document has forked such a debate here on Slashdot and I thank you all for that (it is long overdue). As a result of some of my comments regarding the report, I am now facing legal threats from Phorm and BT. Alexander Hanff