Some Hotspot Operators Secretly Intercept, Insert Ads In Web Pages

An anonymous reader writes with this excerpt from the NYT's "Bits" column: "Justin Watt, a Web engineer, was browsing the Web in his room at the Courtyard Marriott in Midtown Manhattan this week when he saw something strange. On his personal blog, a mysterious gap was appearing at the top of the page. After some sleuthing, Mr. Watt, who has a background in developing Web advertising tools, realized that the quirk was not confined to his site. The hotel's Internet service was secretly injecting lines of code into every page he visited, code that could allow it to insert ads into any Web page without the knowledge of the site visitor or the page's creator."

Hasn't this been going on for a while?

[readandburn]

I don't think this is news. (Yes, I must be new here.....)

Re:Hasn't this been going on for a while?

Slashdot raged about this more than five years ago.

Looks like NYT has a n00b columnist. Rage!

Re:Hasn't this been going on for a while?

But it's good to give it another look if it's still going on.

Re:Hasn't this been going on for a while?

[urbanriot]

Yea, I was going to post the same, but more as a statement rather than a question, perhaps welcoming the poster to the internet. I'm sure this has been on Slashdot before, probably since there was a Google.

Re:Hasn't this been going on for a while?

Sadly, with a 6 digit id, you're not.

Re:Hasn't this been going on for a while?

[hobarrera]

I've never seen this happen, and I tend to use public hotspots whenever possible (since I only get 2G coverage most of the time). I've used hotspot in hotels, restaurants, subway stations, coffee shops, etc.

without the knowledge of the site visitor

[xaosflux]

Of course this is in no way limited to hotels, even ISP's have been shown to do this. Using Client-Server encryption like SSL should easily bypass that.

Re:without the knowledge of the site visitor

[GamerGirlie]

Of course this is in no way limited to hotels, even ISP's have been shown to do this. Using Client-Server encryption like SSL should easily bypass that.

And that is easily bypassed by the ISP. For example when I try to login to slashdot and it changes from http to https, my ISP serves me their self-signed cert instead of Slashdot's real one. This way they are capable to intercept secure communications too.

Re:without the knowledge of the site visitor

How can I see if my ISP is doing this?

Re:without the knowledge of the site visitor

What if you use an alternative DNS and you do not *change* to https, rather use directly from your first connection to a website?

Re:without the knowledge of the site visitor

[Sir_Sri]

Occasionally ISPs do this legitimately as well. My ISP keeps trying to inject a message into HTTP traffic when we reach 75% of our monthly download limit. This is especially amusing when it injects into steam or the web page previews in opera (and in neither case can you accept it, and move on, so it keeps trying to inject until eventually it hits a web page you're actually viewing).

Re:without the knowledge of the site visitor

[Tsingi]

I can't see this being any better or worse than ISP's hijacking DNS lookups and returning search pages, instead of a fail (Which is what they are supposed to do.)

Re:without the knowledge of the site visitor

Well, then, get a different ISP, damn you!

Sure, if they are evil, your web browser shows a warning "Somebody is being evil!" and you just click OK and move on with your life... then they can do evil things with your connection. And since you continue to do business with them, YOU have just made that look like a winning business strategy, increasing the chance MY isp will do it next. Don't support evil!

Re:without the knowledge of the site visitor

[jonwil]

Care to tell me which ISP carries out such a man-in-the-middle attack on a secure web site so I can permanently blacklist them and any entity even remotely connected to them?

Re:without the knowledge of the site visitor

I hardly find that a legitimate reason. This is what email is for.

Re:without the knowledge of the site visitor

[GamerGirlie]

Using alternative DNS servers doesn't really help as it's not tied to that. The company that provides this man-in-the-middle attack tool for ISP's is Blue Coat Systems, based in California, United States.

Re:without the knowledge of the site visitor

[GamerGirlie]

Changing ISP isn't really an option, every ISP in the country does it (for certain sites, and slashdot is one of them). However, I do route around it by using VPN.

Re:without the knowledge of the site visitor

[lightknight]

Agreed. Still, metered internet connections? You trying to bit torrent with a cellphone connection?

Re:without the knowledge of the site visitor

Could you reveal your ISP too so that people get aware as of who does this kind of stuff?

Re:without the knowledge of the site visitor

[mwvdlee]

Hmmmm, no... intercepting and changing internet packages is evil.

Re:without the knowledge of the site visitor

Indeed, had some site users a couple of years back on a 'free' ISP, the ISP were inserting ads into their forum posts, then filtering the same ads for people on the service so that the people making the posts didn't even know they'd had ads inserted into their forum posts...

Re:without the knowledge of the site visitor

[1u3hr]

My ISP keeps trying to inject a message into HTTP traffic when we reach 75% of our monthly download limit.

Why screw around with that instead of just sending you an email? If you block it and get cut off, no skin off their nose.

Re:without the knowledge of the site visitor

[Kickasso]

"my ISP serves me their self-signed cert instead of Slashdot's real one."

You see a page/popup that says "this certificate is bogus, somebody is fooling around with your connection". From that point on, if you decide to proceed to the site, you are your own worst enemy.

Re:without the knowledge of the site visitor

[SuricouRaven]

There's something of an emerging generational issue. I don't know exactly why, but I've read of a number of studies on the subject - it seems that email just isn't used by the younger internet population. They've abandoned it in favor of social networking and instant messaging, mostly the former.

Re:without the knowledge of the site visitor

[Restil]

My isp gives me a page saying "Your bill is late" when for some reason the automated charge didn't go through. Click ok on that page and I'm back online again... at least for several days when they put up a more permanent message, but it gives me time to figure out what went wrong with the process. However, that's the only
attempt I've seen at hijacking the internet connection by my ISP. Not that they don't suck in a variety of other ways.....

-Restil

Re:without the knowledge of the site visitor

[Restil]

Spam made email an undesirable option for a lot of people when alternatives existed. So if you used to use email, you still do. If you used instant messaging before you used email, you probably never saw the need for it.

-Restil

Re:without the knowledge of the site visitor

[Khyber]

"Changing ISP isn't really an option, every ISP in the country does it "

Citation needed. I've had no inline ad injection from Charter.

Re:without the knowledge of the site visitor

And what ghodforsaken shithole country is that?

Re:without the knowledge of the site visitor

[Skapare]

Actually, it is Slashdot that is redirecting connections made to https://slashdot.org/ over to http://slashdot.org/ effectively picking you up and plopping you down in to the hacker's lair.

baldr/phil /home/phil 1> lynx --mime_header https://slashdot.org/
HTTP/1.1 302 Found
Server: Apache/2.2.3 (CentOS)
SLASH_LOG_DATA: shtml
Location: http://slashdot.org/index2.pl
Content-Type: text/html; charset=iso-8859-1
Content-Length: 290
Date: Sat, 07 Apr 2012 20:57:29 GMT
X-Varnish: 1836353593
Age: 0
Connection: close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://slashdot.org/index2.pl">here</a>.</p>
<hr>
<address>Apache/2.2.3 (CentOS) Server at slashdot.org Port 80</address>
</body></html>
baldr/phil /home/phil 2>

Web sites need to open up their HTTPS service to providing the same content as the HTTP ... or maybe even going so far as to always redirect HTTP over to HTTPS. A few sites like Google+ already do this (the link is HTTP but you get redirected to HTTPS).

Re:without the knowledge of the site visitor

[hobarrera]

And any decent browser would show a *huge* warning stating that you're visiting a site with a self-signed certificate.
Anyway, if they do this when visiting a bank, I don't think it'd be hard to sue them really. They're un-securing a communication between you and your bank.

Re:without the knowledge of the site visitor

[Skapare]

Their thinking might be along the lines of "lots of people don't use email". And for a lot of people that is true. Most teens today that are glued to Facebook and/or Twitter don't use email. Over half the kids in my family have never even set up their email clients.

Re:without the knowledge of the site visitor

[hobarrera]

I remember an ISP here doing something similar (when you had to change to ADSL password, for some obscure reason). They'd notify on every webpage for a while, and then stop. Of course, if jdownloader or some other automated downloader was running at the time, your downloads would fail, but you'd never get to see the message they sent. Beat me why they didn't use e-mail.

Re:without the knowledge of the site visitor

[hobarrera]

Large messages? People who are offline ATM?
E-mail is like an internet letter. They'll read it when they can, and it can be as long as you want.
IM is like an internet phone call. The other person need to anwser right away, and you can't take your time to write 30 lines while they're waiting on the other end.

Re:without the knowledge of the site visitor

Why does your browser or you accept their self signed cert? Are you in a country where you have to let them?

And they're not intercepting secure communications since it's obviously not secure or they would be able to intercept them. It's not a MITM attack if you let them.

Re:without the knowledge of the site visitor

Wouldn't a tunnel be able to prevent such problems? Of course, they're not cheap.

Maybe we need a law mandating that when this sort of thing is done, that they clearly notify the users, and not in legalese.

Some thoughts...
Would the hotel be liable if the user gets infected by a malicious ad?
Regardless of whether a hotel charges for WiFi access, they should have the decency of notifying the user at check-in or when asked as to whether they insert anything when browsing the web.
Is Internet access so expensive that they have to subsidize expenses (including maintenance) this way?

Re:without the knowledge of the site visitor

[philip.paradis]

I've dealt with a ton of ISPs in the US, and have yet to find a single one that does this. What ISP are you using, and where are you located?

Re:without the knowledge of the site visitor

[Sir_Sri]

How does that help? Not everyone on the connection gets the e-mail, not everyone reads their e-mail, and they send out enough of those e-mails they might get flagged as spam so you'd never get it.

I didn't say this was the best plan ever. But that doesn't make it any less legitimate. They are trying to communicate information about the service they provide you over the service they provide you. That's legitimate.

Re:without the knowledge of the site visitor

[Kalriath]

Simple, you get error messages on every single SSL webpage because you don't have their certificate installed.

Alternatively, you check the SSL chain on your certificate. Proper certificates should not have an unidentifiable intermediate CA (Comodo or GeoTrust will actually sell you a CA certificate for enough money, with the authority to issue end-user certificates and fully backed by their trusted Root CA certificate).

Re:without the knowledge of the site visitor

[Kalriath]

That's intentional. Slashdot restricts browsing over SSL to subscribers only.

Re:without the knowledge of the site visitor

[gravis777]

Of course, that is easily taken care of by using VPN through one of the many resources out there - iPredator is one that comes to mind
https://www.ipredator.se/

And if you simply want to block out ads, that is easy to do as well, with AdBlocking extensions that is available for all the major browsers (yes, I have even used some for IE).

I am actually surprised at how many people are surprised at this. ISPs will redirect mistyped domains to their own search engines (if some squatter hasn't already bought the mistyped domain), they will often redirect search engines (my ISP has a bad habbit of this, but there is an option to switch back to your default search engine - its just annoying), and, shoot, NetZero and Juno practically back in the 90s came up with the whole idea that you get cheap internet by them pushing ads on you. As for the self-signed certs, yeah, you see that too, although not as often as other tricks.

So, yeah, if you are really concerned about security, use VPN through a trusted host. And certainly never trust that a website, even if it starts with https, is secure on an open hotspot.

Re:without the knowledge of the site visitor

[jaymemaurice]

Not nessesarily... if your ISP signs a certificate FOR the site (or wildcard like *) using a trusted CA certificate... then you get no error. Heck, if I were an evil ISP, I'd include my trusted CA certificate on the "install" cd and use it for all my internal systems just to make people install it. Only way you'd know is if you tracked the sites official signing details or verified against a trusted third part through means of communications you can still trust.

Re:without the knowledge of the site visitor

[jaymemaurice]

Just so you know... they can almost as easily use Squid as Blue Coat... Blue Coat is not a man-in-the-middle attack tool... it is a transparent(or not) proxy. Transparent proxies have been used for non evil purposes since the early days of the internet. Just because it has an interface for any idiot to use which is simple then writing your own regex's to grep a standard log file, it doesn't mean its a tool of opression.

Re:without the knowledge of the site visitor

[jaymemaurice]

That and it seems many ISPs don't have complete customer information and if they did it would probably be more expensive to use it then simply modifying a page through a transparent proxy... could you imagine the cost on an with 5,000,000+ subscribers, on a billing date if 20,000 didn't pay and were cut off and called a call center for 5 minutes... that is 100,000minutes of call center staff... 1666hours... every 30 days for subscribers who are not paying or keeping updated payment records. If they were spaced out over a single staff member getting paid $12/hr with no other overhead easy quarter million/yr... but obviously one staff member can't answer 1666hours of calls with tollerable wait times and there is overhead... non paying subscribers are nearly all going to call during peak hours. As a large ISP how would you do it?

Re:without the knowledge of the site visitor

I find your comment slightly ignorant (pay attention to detail please) based on the title of this thread "without the knowledge of the site visitor". Every mainstream browser would exclaim loudly about the site presenting a self signed cert and require you to explicitly allow it access, thus the visitor hasknowledge of the fact something isn't right.

I'm done trolling.

Re:without the knowledge of the site visitor

I thought so until I attended a seminar by a Firewall appliance vender which touted the ability to do deep packet inspection on https/SSL encrypted accesses by what was essentially a "man in the middle" attack.

Re:without the knowledge of the site visitor

Your username is already prominently displayed above your post.

Writing it again at the end of your post wastes vertical space and makes you look like a retard.

Stop doing it.

Re:without the knowledge of the site visitor

for example my provider. Im posting from my android phone and the provider is '3' Italy.
As about your question [RST]....

Re:without the knowledge of the site visitor

[Kalriath]

Uh, how exactly would your ISP sign a certificate for the site with a trusted Root CA? They won't have any of those, since the Root CAs are not ISPs. The only way is if they get an intermediate CA certificate from a Root CA, and the Root CA would embed the ISPs details into that intermediate CA, making it blindingly obvious you are being MITMd.

Oh, and a "wildcard like *" is always invalid - no browser on the face of this planet would consider that acceptable, as it violates the spec.

Re:without the knowledge of the site visitor

[1u3hr]

Their thinking might be along the lines of "lots of people don't use email". And for a lot of people that is true. Most teens today that are glued to Facebook and/or Twitter don't use email. Over half the kids in my family have never even set up their email clients.

So what? It's the account holder who has to be informed. Kids are just going to ignore any such messages until they're actually cut off anyway. My daughter ignored the messages from her phone company about her going over her quota till her phone went dead.

When you sign up for an account, you supply an email address. Or SMS maybe.

Re:without the knowledge of the site visitor

Most kids just use the messaging features built into their social website (Facebook mostly) for those purposes. To them, email is seen as something older people use at work.

Beyond that, many younger people (in their 20's now) have only used email through web based clients like Gmail or Hotmail and that it can exist separate from the web seems foreign to them.

Of course,what do I know, I'm still trying to figure out twiter...

Some ISP's do stuff like this as well

[Joe_Dragon]

Some ISP's do stuff like this as well

Seen it too!

I was at a Hampton Hotel and noticed it. It was very annoying (randomly changed words into links which popped up ads when hovered).

Guess the $120 a night I was paying wasn't enough for 1/100th of a Broad band connection, they also needed the $.00001 per ad impression too.....

Complimentary breakfast was good though.

Re:Seen it too!

[Joe_Dragon]

What about the resort fee that is forced and has the internet as part of it.

Yay a New Arms Race!

[ohnocitizen]

I wonder if there is a way to consistently detect and remove/alter these ads? A nice "Marriot is trying to advertise at you" text notice. A new browser extension perhaps?

Re:Yay a New Arms Race!

[History's+Coming+To]

There's a simpler solution - if I write a web page and somebody copies all of my text and graphics as part of an advert (without my permission) then it's a fairly clear copyright infringement. So if you find a hotspot doing this just navigate to one of your own web pages and then sue the operator for copying your work and serving it up as an advert.

Re:Yay a New Arms Race!

[93+Escort+Wagon]

There's a simpler solution - if I write a web page and somebody copies all of my text and graphics as part of an advert (without my permission) then it's a fairly clear copyright infringement. So if you find a hotspot doing this just navigate to one of your own web pages and then sue the operator for copying your work and serving it up as an advert.

Or, better yet, send an email to each significant site you've visited while at Marriott and tell them what's going on. It's likely they've got deeper pockets than you do. Most probably won't bother to go after the hotel; but it only takes one.

Re:Yay a New Arms Race!

[History's+Coming+To]

Good idea - might as well CC the hotspot provider in too :)

Re:Yay a New Arms Race!

[Skapare]

YOU sue them. Then the rest of us will have a legal precedent.

Re:Yay a New Arms Race!

[Xtifr]

Yes, I'd love to see the bastards sued over this! And I think the Grateful Dead might be a great organization to launch such a suit. They have a couple of advantages: 1) for their "free" music, they have a license similar to CC-NC, but it predates CC-NC by many years, and explicitly forbids Internet advertising (some people claim that the CC-NC is a little vague about this), and 2) one of their songwriters is a lawyer and, moreover, not just any lawyer--he's one of the founders of the EFF (John Perry Barlow).

Yep. So use HTTPS-Everywhere.

[khasim]

Well, if you use Firefox that is.

If the connection between you and the website is encrypted, no one can add code to it.

Re:Yep. So use HTTPS-Everywhere.

[hairyfeet]

Weird question: Do you surf porn? Does that HTTPS trick stop the Firefox porn bug? Because one of the reasons I switched my users away from FF was the FF porn bug. Don't ask me to give an in depth explanation as I'm not an HTML guy but from what i could pick up here is how it basically works: Dude looks at porn, porn page has script that opens a hidden iFrame and uses FF autocomplete to log into their Yahoo mail and then spam the address book. From my tests with a couple of fake yahoo accounts it ONLY seems to work on FF and on the new yahoo layout, no other combo like Chrome and Gmail, IE and Hotmail seems to work. If you want to see how many sites have that bug now put a master password on your password list and see how many times the master password dialog pops up, on several porn sites its pretty much pop up city. Since so many of the guys kept sending me "How come I'm spamming and i don't have a bug?" I switched them to Comodo Dragon as it works with low rights mode and doesn't have the bug.

As for TFA what does anyone expect? TINSTAAFL and with the economy in the shitter hotels are frankly doing lousy business and i'm sure those ads make their "free Wifi" truly free for the hotel, so surprise surprise they add the ads. would you rather have this, or have to pay for the Wifi, or have it like AT&T where every so many minutes you are stopped cold and forced to watch a commercial? Personally I'd choose door #1, but of course I've got ABP in Dragon so it don't affect me either way.

Re:Yep. So use HTTPS-Everywhere.

[Skapare]

More than just porn sites do this. Many others, like LinkedIn, are more benign, just using your contacts list from your web email provider(s) to push you to find more people you know within LinkedIn. They don't spam or auto-add anyone. But it's still a concern. I use separate browsers for every signed-in site I visit, so LinkedIn can't get to my Gmail account, for example. I was prompted by LinkedIn to enter my password for those sites (I'd never do that). I don't know if they would prompt if the same browser instance was already logged in (I'd never do that).

Browsers should, and maybe FF now does, firewall JS code and data by hostname. Of course that would break using alternate servers for things like static images. But that's fixable by using the base name (remove the "www" part if that's on the name), and allowing access to hostnames that have name components added in front. So site slashdot.org could access images.slashdot.org. But tech.slashdot.org cannot access images.slashdot.org but can access images.tech.slashdot.org (so all sites just need to make their auxiliary servers named as child hostnames of the base hostname). The same wall should apply to Java and Flash, too (in addition to walls blocking access to the filesystem except as configured to be allowed into specific areas).

I've not done any tests of such security in FF, Chrome, or any other browser. Have fun.

Re:Yep. So use HTTPS-Everywhere.

It might be funny to you, but you are funny to me.
This guy is obviously above-average. The average internet user doesn't even know how they connected to the internet in the first place other then "the tech guy from the cable/phone company hooked it up"

Re:Yep. So use HTTPS-Everywhere.

[Khyber]

"Many others, like LinkedIn, are more benign, just using your contacts list from your web email provider(s) to push you to find more people you know within LinkedIn. They don't spam or auto-add anyone."

Never touched LinkedIn in my LIFE and that shit site is spamming my gmail account CONSTANTLY.

Re:Yep. So use HTTPS-Everywhere.

[Alex+Belits]

Oh wow, hairyfeet is now running an anti-Firefox campaign.

HEY, EVERYONE -- this is the same hairyfeet that usually pretends to run some kind of computer business while parroting anti-Linux marketing for Microsoft.

Re:Yep. So use HTTPS-Everywhere.

Sorry, can't feel either shock over that or pity for your users. If they're not using their browser's privacy mode when surfing porn (or making a separate profile without any "real" passwords), it's their own damn fault when (not if) their data gets misused.

Re:Yep. So use HTTPS-Everywhere.

[hobarrera]

You can just get your porn from thepiratebay.org, and yes, it works over HTTPS.

Re:Yep. So use HTTPS-Everywhere.

[kermidge]

Interesting bug, didn't know of it.

I never use a browser to store passwords with or without master password; use your own (keepass, etc.) with local backups, or Lastpass or similar with local backups. After trying various password utilities I've used Lastpass since it came out and have been well pleased.

Just FYI, it's TANSTAAFL from Heinlein, "There Ain't No Such Thing As A Free Lunch."

Re:Yep. So use HTTPS-Everywhere.

Because one of the reasons I switched my users away from FF was the FF porn bug. Don't ask me to give an in depth explanation as I'm not an HTML guy but from what i could pick up here is how it basically works: Dude looks at porn, porn page has script that

... gets blocked by my noscript addon for Firefox.

uses FF autocomplete to log into their Yahoo mail and then spam the address book

1. Why are you using Yahoo for your mail.
2. Why is it set to your default mail provider.
3. Why are you saving password information to start with.
4. Why are your users looking at porn on the company dime.

Seriously man, you worked way too hard on this one, and addressed the wrong issue. Put FF back on those machines, install an addon such as NoScript (no I'm not a shill just a satisfied user, use another product if it works better for you) which blocks not just scripts but also enforces application boundaries, prevents cross-site-scripting attacks, and addresses other security holes. Plus, it has the side benefit of blocking ads, including the kind injected by hotels as listed in the article.

Re:Yep. So use HTTPS-Everywhere.

[zyzko]

Comodo Dragon is not FOSS. It has a freeware license with restrictions, but you can't get your hands on their modifications to Chromium so you are switching your users from FOSS to non-free browser so your rant about FOSS is really merited - you are actually switching users away from FOSS...

Re:Yep. So use HTTPS-Everywhere.

Then you should mark it as 'spam'.

Re:Yep. So use HTTPS-Everywhere.

A campaign? 2-3 comments on an irrationally anti-ms website is a campaign? lol. Most people here.. like you lack the mental capacity to see the world beyond microsoft vs linux.

Re:Yep. So use HTTPS-Everywhere.

[hairyfeet]

The Chromium base they are using is freely downloadable from their servers as per the GPL the ONLY changes that aren't available are the security connections which allow them to filter phishing and malware attacks which DUH! I do NOT want everybody and their dog to know how they are blocking the fucking bugs or the malware will just go around them!

So go compile something and STFU, you can compile the whole thing off their FTP server and there is less than 10% difference between Dragon and Chromium, or is Chromium not good enough either? damned FOSSies, just like Moonies in their religious crazies.

Re:Yep. So use HTTPS-Everywhere.

[zyzko]

And here sir you go crazy as I suspected - they are not providing changes, they are not doing anything by the GPL (because chromium is not GPL, and that is completely ok) - I was just addressing your assumption that you are converting people from another FOSS browser to another FOSS browser - which you do not do - you convert people to a closed one, I'm not arguing against your reasons for doing so - just do not lie about it.

-k

Re:Yep. So use HTTPS-Everywhere.

[Alex+Belits]

hairyfeet's anti-Linux campaign goes on for years -- he just dilutes it with various unrelated copypasta and karma whoring. It's only recently that he started raging on Firefox, and suddenly he presents itself as a random user "reporting" a nonexistent problem.

HTTP Policies

[improfane]

This is why websites need to publish policy files a bit like ABE (Application Boundaries Enforcer). This would mean that a website would publish what resources that site can request and destinations that are not in that policy are not loaded. Unfortunately if they can intercept anything that you are served then the injector can just modify the policy file too. Perhaps signed policy file could solve this?

Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included. (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...

(Although the guy who wrote ABE/NoScript should be considered in caution because of what he did to NoScript users in the past. He deliberately removed NoScript blocks for his own website so he could raise money on his plugin update page that opens after updates.)

Re:HTTP Policies

[icebike]

Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included. (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...

They might be able to pull this off, but the revenue they could earn off of such a scheme would never pay the lawyer bills. One could argue this would be a DMCA violation. (In fact, they seem to be on shaky legal ground altering un-encryption streams. It is after all, a form of scraping and perhaps copyright violation.)

The drop everything to HTTP would certainly be noticed.

Re:HTTP Policies

[bbecker23]

Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included. (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...

I've seen some novel approaches to working around SSL but most will tip off the end-user. I run a throttled honeypot on my home network with some ad-injection. I get a couple dollars a month from it, the neighbors get free internet, and it seriously cut-down on the number of auth-attempts against the secured side of my router. Most of the injectors just catch and sniff packets for webpages (trying to inject into, say, SSH would bork everything) and inserts an ad frame. I'll have to test how my setup handles a secured session but I've seen instances of SSL sessions being wrapped in a framed unsecured page (mostly at hotels and airports). Newer browsers (Firefox and Chrome anyway, no Windows box to test on) will pitch a fit about this but if you're connecting to an unsecured network, I doubt security is much of a priority.

Re:HTTP Policies

[mwvdlee]

It isn't so much scraping as it is simply taking somebody's website content and copying it for their own profit.
Plain and simple copyright violation where the website owner is the victim.

Re:HTTP Policies

[SuricouRaven]

Stop thinking like an engineer, and lower yourself to the thoughts of a typical computer user.

"A weird box just popped up! IT says something about certificates and signing, whatever that means. If I click 'accept' I'll get to see the website, so I'll do that."

Re:HTTP Policies

[Restil]

While they couldn't insert code into an encrypted session, they COULD perform a man in the middle attack and accomplish the same thing, provided the user decided to override the certificate warning (which I'm guessing most people would). A more secure solution would be to do all the browsing over a ssh tunnel. That too could be intercepted, but it's less likely, and ssh will catch such an attempt provided the tunnel was first initiated over a trusted connection, so at least you'd be able to avoid using the service if you know it's going to be insecure.

What's ironic is the fact that the cheap hotels that are out in the middle of nowhere have great, highspeed, well covered wifi with mostly unrestricted or completely unrestricted hotspots (most of the time, all you have to do is agree to a clickthrough agreement, and you're good to go). But go to a big hotel in the city for a convention or something and they want to charge $15 a day for it. I'd just grown accustomed to tethering my cellphone in those instances since I got higher speeds from that than I did from the hotel wifi.

-Restil

Re:HTTP Policies

[Skapare]

Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included. (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...

The SSL layer already knows the hostname of where it wants to go. The signed certificate received from the connected server should have a cert for the Certificate Authority, identifying which public CA key to get from the collection the browser or SSL library has. The CA signature of the web site's cert is decrypted by that public CA key. If that works, it is then known the site cert is signed. If the site name also matches (maybe with wildcard enabled), and today's date is in the range valid for the signature, then the site cert is valid. Otherwise not, and you get that annoting security popup.

For the proxy to insert anything, it would have to act as the end point for the SSL stream. But that setup would fail unless the proxy has the web site's certificate signed by a valid CA. If you add a new CA the proxy server used (its own), then it could do that. Otherwise they would have to convince some CA to sign certs for ALL the major sites, for use in this proxy. A bad CA could do this. You can then defeat that by removing the bad CA cert from your browser. But the hotel could defeat you by convincing you to add their local CA cert to your browser (and then the proxy can dynamically generate a fake signed cert for any site you visit if they know the name in advance, which can be done with a name server injection). You can defeat that by not allowing any of their stuff into your computer.

If you have the means, a VPN to your own trusted network can help, though you then have slower responses. Test their network to see if you can access secured services you normally do have access to, like SSH, IMAPS, Submit/TLS. Also check to see if they have IPv6 and complain if not. Tell them "the FREE porn sites are on IPv6 only".

Re:HTTP Policies

[bbecker23]

"A weird box just popped up! IT says something about certificates and signing, whatever that means. If I click 'accept' I'll get to see the website, so I'll do that."

My point exactly. SSL (and a handful of other techniques) will alert the user to something untoward going on, but the lion's share of those users will ignore/not understand the threat.

Re:HTTP Policies

[b4dc0d3r]

How is that ironic? Big hotels in the city pay outrageous prices for land, and operating costs are much higher. Everything costs more in a big city because everything costs more. And people will pay because they are used to paying for little things like that.

This is how big cities work. Let me guess, you were expecting prices to be based on cost? Oh, well that's not how the world works.

Re:HTTP Policies

[Alex+Belits]

if you're connecting to an unsecured network, I doubt security is much of a priority.

Congratulations, you are an idiot!

The whole point of encryption is that it allows secure communications over insecure network.

Re:HTTP Policies

[tepples]

But that setup would fail unless the proxy has the web site's certificate signed by a valid CA.

There are foreign government-owned CAs that'll sign any-teen for ten dollar, soldier boy.

You can defeat [a hotel's requirement to install its CA certificate] by not allowing any of their stuff into your computer.

If you don't install their certificate, the captive portal will block you from connecting to any web sites, and you'll have to buy a MiFi and service.

Re:HTTP Policies

[colinrichardday]

You say that big-city hotels have higher costs, and that they charge more for wifi because of those higher costs (maybe not of bandwidth, but other stuff). You then criticize the GP for expecting prices to be higher based on costs? Hmm. . .

Re:HTTP Policies

[DarwinSurvivor]

The only things a secure access point are good for are protecting your LAN and protecting your bandwidth. Browsing the internet over a WPA2 connection is no more secure than browsing over an unencrypted connection because once the packets leave your router, all bets are off anyways. Using a WPA2 encrypted router to connect to unencrypted destinations on the internet is like a general giving his order to his messenger in code, who then writes it on his forehead before walking through the enemy command center.

Re:HTTP Policies

[jasen666]

Bull. Shit.
Different hotels in the same town, next door to each other, have wildly different policies. Budget hotels offer free WiFi almost universally, along with other freebies in EVERY CITY. The more you pay for your room, the more likely it is you will be nickel and dimed for every little thing you use. It's been this way forever. It makes no damn sense to me either. I get free shit with my $80 room, but with the $200 room they tack on surcharges for wiping my ass with the window open.

Re:HTTP Policies

[edb]

Without exception, in traveling to >30 hotels each year for the past [wayyy too many years], the higher the per-night rate for the hotel, the more the nickel-and-dime charges for what should be included as part of the accomodations.

< $100/night usually includes:
    - FREE wifi, unspecified throughput, non-public IP
    - FREE incoming phone calls
    - FREE incoming faxes
    - FREE outgoing phone calls up to 30 min
    - FREE computer near lobby for guest use
    - FREE document printing for reasonable # pages
    - FREE microwave oven in the room
    - FREE mini-fridge in the room
    - FREE pillows & linens on the bed
    - FREE pull-out drying line for laundry in the bathroom
    - coin-op laundry for hotel guests

> $100/night often imposes charges for:
    - WIFI: $12.95+tax per day
    - public IP: additional $10+tax per day
    - incoming faxes: $.50/page
    - outgoing phone calls: AT&T Operator rates + 200% surcharge
    - document printing: $.50/page
    - fridge in room: $25 per night, special request
    - microwave in room: $25 per night, special request
    - linens: changed every 3 days at no charge, no discount for multi-day stay
    - laundry: 24-48 hr turnaround; $5.00 per shirt, $10.00 per pants, don't even ask about other items!

Re:HTTP Policies

[jaymemaurice]

I find your observations correct as well... except the threshold seems not to be the money, but if the hotel has rewards points, corporate accounts or both. The fact they are higher priced just seems to milk on that.

Re:HTTP Policies

[Courageous]

Ever heard of Blue Coat? Most users will just accept the cert, alas.

Re:HTTP Policies

[140Mandak262Jamuna]

$100 joints are frequented by people spending their employer's money. Then some corporations control costs in a brain dead way. They look at per diem charges, get a discount off the rack rate, the company executive who extracted this "great cost savings" mentions it in his annual performance review and goes his merry way. The hotels nickel and dime.

Re:Insert this:

Obviously posting with the complimentary Hotel wifi.

Captive Portals Do That You Know?

[TemplePilot]

Thats right Captive Portal operators routinely inject advertisements either for their own operations or to suplement the donation button's found on the captive portal login at coffee shops, hotels and so on. Its a fairly common way to monetize what to a consumer might just be a temporary waystation to access the internet for free an hour or so. Often once some kind of payment has been tendered those 'ads' can be made to go away by the captive portal operator if they so choose. Sometimes CPO's even drop people into a walled garden featuring local businesses so you can freely web-shop the neighborhood once your free 2 hours is up. So you either pay or wait 24 hours when the captive portal resets. Usually a captive portal is a combination of server-router-software solutions and they don't exactly come cheaply irregardless what you might've been led to believe. Its an interesting side business if you have the time and witherwhal.

Re:Captive Portals Do That You Know?

[sotweed]

You want he shoulda said irregardful?

Re:Captive Portals Do That You Know?

[mrmeval]

DD-WRT has had this for a while now.

http://blog.anchorfree.com/news-events/ad-supported-wi-fi-network-launches/

"Consumers on an AnchorFree hotspot are presented with a display ad that remains at the top of the screen with every Web site they visit, and those ads can be contextually matched to the content on each page, according to Mark Smith, EVP strategy and product development for AnchorFree."

Re:Captive Portals Do That You Know?

Yes it is. Learn how language works and come back later.

Re:Captive Portals Do That You Know?

[eht]

Hint, that is a word. From Merriam Webster

http://www.merriam-webster.com/dictionary/irregardless

"The most frequently repeated remark about it is that âoethere is no such word.â There is such a word, however."

Just because you choose to not recognize it, even though you understand perfectly what he meant by it, shows your ignorance. By the way, ain't is a word too, well a contraction at any rate.

Re:Captive Portals Do That You Know?

Or perhaps it is a word, just not accepted as a proper part of the English language at this time.

http://grammar.quickanddirtytips.com/irregardless.aspx

In other words it's accepted that people are using the word and as such is in most dictionaries but it isn't considered a proper part of the English language at this time. That may change at some point in the future. Though it likely won't be any time soon.

Re:Captive Portals Do That You Know?

[spire3661]

Hint: Usage defines what is a word. People use 'irregardless', even if you think its wrong, it is a word. Dictionaries are not the end all be all of language either. A dictionary isnt all inclusive, it is not a listing of all 'proper' words, thats a fallacy. Its a best effort to put as many well defined words as possible in one place.

Re:Captive Portals Do That You Know?

Shit like this leads to "I could care less" or "I literally ..." (meaning figuratively) and other bullshit. No. Use the words correctly, and drop absolute abominations like "irregardless". Sure, you might think it's OK, but I and many like me will judge you to be likely a drooling imbecile if you do.

Re:Captive Portals Do That You Know?

[Nidi62]

Shit like this leads to "I could care less" or "I literally ..." (meaning figuratively) and other bullshit. No. Use the words correctly, and drop absolute abominations like "irregardless". Sure, you might think it's OK, but I and many like me will judge you to be likely a drooling imbecile if you do.

I literally could care less if you think I'm a drooling imbecile

Re:Captive Portals Do That You Know?

[ericloewe]

Usually a captive portal is a combination of server-router-software solutions and they don't exactly come cheaply irregardless what you might've been led to believe. Its an interesting side business if you have the time and witherwhal.

Actually pfSense does that (at least most of it) for free. So does DD-WRT, I've heard.

Re:Captive Portals Do That You Know?

[mikkelm]

So you're asking him to learn how language works because he objects to people who make up contradictory words as a consequence of apparently not understanding how the language that they're using works. I don't generally have a problem with new words to explain new concepts, or even new words to explain existing concepts, but making up a new word consisting of an existing word with the same definition, preceded by a prefix that typically serves to negate the following word, that's just.. well.. dense.

Wouldn't it be easier if people just used the right words?

Re:Captive Portals Do That You Know?

[admdrew]

...that said, I think the person who said "Hint: That's not a word." totally derailed the conversation and took away from what TemplePilot was trying to say. (sorry for the double post)

Re:Captive Portals Do That You Know?

[admdrew]

Wouldn't it be easier if people just used the right words?

Yes, it would, but did you really have that much difficulty understanding TemplePilot's post with a nonstandard word in it?

Re:Captive Portals Do That You Know?

[93+Escort+Wagon]

So you're asking him to learn how language works because he objects to people who make up contradictory words as a consequence of apparently not understanding how the language that they're using works.

Count yourself in that group that apparently doesn't understand how language works.

Languages are dynamic. New words come into being when enough people start hearing and reusing slang or phrases that have developed as part of a dialect. Sometimes a person will simply make up a word, but it'll catch on for whatever reason and become part of the official lexicon.

"Irregardless" has been in use for about a century - it's now a word in the dictionary, just like "regardless" is a (somewhat older) word in the dictionary. They both mean the same thing. You may not like it, but that's the way it goes.

Re:Captive Portals Do That You Know?

People that judge others on innocent mannerisms are the real imbeciles...literally.

Re:Captive Portals Do That You Know?

[mikkelm]

No. Am you haveng truble anderstending dese werds? Probably not. Should those words go in the dictionary and be acceptable use? Probably not.

Re:Captive Portals Do That You Know?

[Khyber]

"Shit like this leads to "I could care less"

Except that's a proper sentence and statement, you 9th grade English failure.

Re:Captive Portals Do That You Know?

[mikkelm]

No, I understand how languages work. I understand that 'ir' is a negator in the English language. Irrespective, irreconcilable, irrefutable, irresistible. Not respective, not reconcilable, not refutable, not resistible. "Irregardless" would then be "not regardless," but it is being used in the same manner as "regardless."

As I said, new words are fine. Breaking the basic grammatical rules of a language to accommodate common misspellings is not.

Re:Captive Portals Do That You Know?

[pz]

You forgot to add gratuitous, incorrect quotation marks for icing on the cake.

Re:Captive Portals Do That You Know?

[colinrichardday]

Dictionaries that act as though "ir" is not a negating prefix are wrong.

Re:Captive Portals Do That You Know?

[colinrichardday]

Simply because Merriam-Webster chooses to accept it doesn't make it a word.

Re:Captive Portals Do That You Know?

[colinrichardday]

Hint: Usage defines what is a word.

Whose usage?

Re:Captive Portals Do That You Know?

[Xtifr]

That's fine; I and many others, including some of the best linguists in the world, consider people who insist on made-up, bullshit rules about English, as you do, to be drooling idiots. The Language Log site (run by a collection of noted linguists from around the world) has a whole category of articles about making fun of dictatorial, whiny bullshit-prescribers like you.

As for your specific examples ("could care less" and "literally") both are accepted by the OED as valid and correct, despite your pathetic attempt to assert (with no evidence) that they're not.

Re:Captive Portals Do That You Know?

[couchslug]

Interesting.

Would disconnecting then spoofing a different MAC address work around that problem?

Re:Captive Portals Do That You Know?

[Man+Eating+Duck]

As I said, new words are fine. Breaking the basic grammatical rules of a language to accommodate common misspellings is not.

I'm not really taking sides here, but it seems that you and the other posters are talking about different things (normative/prescriptive vs. descriptive linguistics). I have had this discussion a number of times with a buddy who has a PhD in the field. I don't necessarily agree with him, especially when it comes to a few particularly egregious examples, hence the discussions :)

He (and descriptive linguistics in general) states that language/grammar consist of the actual usage of the language by native speakers, not what normative sources say is legitimate. Basically, everything goes as long as it's in use by a significant amount of speakers (speech is more important to linguists than prose, and "internet speech" and other types of informal writing is an extension of that).

My counter-argument is that you need normative rules in order to have efficient communication, and particularly bad errors can actually impede that. He agrees in principle, but does not agree that those rules need to be established only by authorities. Description of actual usage is also acceptable, and this is generally how those rules originated in the first place. New words pop up continuously, and changes in spelling occur all the time. Sometimes they fulfil the function of making speech and writing easier, in other cases they stem from a misunderstanding of the "proper" expression. They might reach mainstream acceptance in the end, or not. My buddy would probably quip that "irregardless" is a perfectly cromulent word (he would have used a Norwegian equivalent, but never mind).

What there is no doubt about is that language is evolving, even "accepted" standards. Read some prose from the 19th century to see this clear as day. The evolution happens a lot faster now, as there is a lot more widespread communication happening than just a few decades or years ago. To me "irregardless" and its ilk is bollocks as well, and you and I may not like some of those neologisms, but they'll keep coming. It will only get worse as we get (even) older :)

I realise that this post might be (in)flammable to some, but I probably won't involve myself in further arguments.

Re:Captive Portals Do That You Know?

[mikkelm]

He agrees in principle, but does not agree that those rules need to be established only by authorities. Description of actual usage is also acceptable, and this is generally how those rules originated in the first place.

I think this is the essential part of the argument. As a linguist, he has to agree, as structure is the only thing separating established languages from descriptive sounds. I agree with the idea that rules can be established by non-authoritative sources, and I'd argue that there's no such thing as an authoritative source for the English language. This case, however, is one of a conflation of two separate words that violates long-established rules of the language, and I'd say it's very difficult to make a case for that being proper and acceptable in any way.

Re:Captive Portals Do That You Know?

[egr]

Am you haveng truble anderstending dese werds? Probably not. Should those words go in the dictionary and be acceptable use?

The funny thing is that they are gonna make its way into a dictionary some day. Not these words exactly, but you catch my drift.

Re:Captive Portals Do That You Know?

[Kalriath]

No it isn't. Could care less means, literally, "I do care at some level about this, as I have the ability to care less than I currently do about it" - it means the exact opposite of what people use it to mean. Or rather, what Americans use it to mean. Everyone else on the planet correctly says "couldn't care less" which means, literally, "my level of caring about this topic is zero. I cannot care less about this as it is physically impossible".

Re:Captive Portals Do That You Know?

[Kalriath]

I find it unlikely the OED accepts "could care less" as valid and correct, as it's a dictionary, and they tend not to assert anything about entire sentences. And even if they did, the OED uses Queen's English, in which "couldn't care less" is correct and "could care less" is not.

Re:Captive Portals Do That You Know?

[Xtifr]

Then you may find this article (by Mark Liberman, Professor of Linguistics and Computer Science, and one of the Gods of computational linguistics) enlightening. He not only quotes chapter and verse from the OED, but debunks the common theory that the phrase originated as sarcasm. (Note: he doesn't claim to prove the theory is false; merely that it's unsupported by any actual evidence.)

And yes, it's primarily an American phrase. The OED lists it as "US colloq. phr.". But before you jump on that word colloq(uial), not that I couldn't care less is also listed as a colloquial phrase. But the OED has never hesitated to document American English, whatever you may believe about how they "use the Queen's English".

Re:Captive Portals Do That You Know?

[Courageous]

Look up the definition of the word "word" in your favorite dictionary and get back to us.

Hey, just because you're anal retentive doesn't prevent me from being anal retentiver.

LOL

Re:Captive Portals Do That You Know?

[colinrichardday]

Begging the question. If I would argue over MW's use of "irregardless", why would I meekly accept their use of "word"? Does this make me anal retentivest?

Re:Captive Portals Do That You Know?

[Courageous]

I didn't say MW. I said "your favorite dictionary".

In any case, what definition of the word "word" do you prefer? I think you will find yourself struggling to come up with one that doesn't allow "irregardless" as actually being a word. The problem is--and I find it amusing--when someone says that something's "not a word," they actually don't mean that. They themselves are engaging in sloppy English; hence, the irony.

C//

Re:Captive Portals Do That You Know?

[Khyber]

"No it isn't. Could care less means, literally, "I do care at some level about this, as I have the ability to care less than I currently do about it" - it means the exact opposite of what people use it to mean."

No, it can also mean "I can get into a negative quantity of caring, as opposed to zero," which is the meaning for most Americans.

Re:Captive Portals Do That You Know?

[colinrichardday]

Any dictionary that allowed "irregardless" as a word wouldn't be my favorite. What does "irregardless" give you that "regardless" doesn't?

And you might not want to get me started on treating "antisemitic" as a synonym for "anti-Jewish". Hello! Arabs are Semites, too!

Re:Captive Portals Do That You Know?

[Courageous]

When I said "what definition of the word 'word' do you prefer?" I was asking you to provide one. You, as in personally you, are going to be hard pressed to come up with a good working definition of the word 'word' that disallows "irregardless" as one. Go ahead, try. You don't really mean "word" here, you only think you do. It will become obvious over time to you when you spend some intellectual time on it. You haven't done that yet. That, too, is obvious.

Re:Captive Portals Do That You Know?

[colinrichardday]

When I said "what definition of the word 'word' do you prefer?"

If we were discussing words as such, you would have a point, but English has rules about forming words. The string "irregardless" has two negative morphemes, and people treat it as though it only had one. That is my objection.

Re:Captive Portals Do That You Know?

[Kalriath]

That - literally - makes no sense whatsoever.

So you Americans DO speak a completely different language!

Re:Captive Portals Do That You Know?

[Kalriath]

Well, as a native speaker of United Kingdom English, I will continue to consider it invalid - especially as the phrase despite its usage still reads when broken down as the exact opposite of what a typical American uses it to mean. (I will also point out that an American professor of linguistics from an American University is a flawed reference - they also speak United States English and naturally would consider virtually all Americanisms valid).

However, I was not aware that the OED included American English and concede that point.

Re:Captive Portals Do That You Know?

[Courageous]

If we were discussing words as such...

Therein lies the irony. When someone says "that's not a word!" they are using a form of pedantry which, due to its inaccuracy, is itself subject to pedantry. "That is not a word" is not what one means to say here. "That is an improper word," might be more accurate, or more honestly: "that's a word that some people might not approve of," or more honest yet: "using that word might make you appear to be uneducated."

The fact of the matter is, words are combinations of morphemes or syllables used to convey meaning. I never saw the original post, so I have no context. Whatever the case may be as to what was originally said, correcting someone by telling them that "irregardless is not a word," is in fact wrong.

C//

Re:Captive Portals Do That You Know?

[Xtifr]

For a non-USian, it probably is an error--unless it's a (deliberate or inadvertant) Americanism. When writing to people I know to be UKish, I sometimes try to use UKisms ("lorry" instead of "truck", "boot" instead of "trunk", "colour" instead of "color"). Technically, I'm commiting an error in my native language, but I do it in a (probably futile) attempt to surmount the language barrier, and it's (more-or-less) correct for my reader. There are probably people in the UK who do the same in reverse--so before you call it an error, you need to be sure it's not intended as an Americanism.

Otherwise, I think we're basically in agreement, unless you're trying to argue that British English is "real" English, in which case, I consider you a troll. It's not an error in English because American English is a form of English, which was my original point, but it's (probably) an error in most other forms of English.

On the other hand, international communications and the Internet are starting to break down some of the strict barriers between variants of English. Whether you'll still be able to consider it an error even in British English in five--or twenty-- years is unknown. Some people consider this a horror, and want to try to erect strong barriers between English variants, but as a lover of language and the evolution of language, I consider it amazing and fascinating.

Re:Captive Portals Do That You Know?

[colinrichardday]

The fact of the matter is, words are combinations of morphemes or syllables used to convey meaning.

And how does a double negative ("ir" and "less") convey meaning? When people treat "irregardless" as a synonym for "regardless, they are trampling on the meaning of "ir".

Re:Captive Portals Do That You Know?

[Courageous]

And how does a double negative ("ir" and "less") convey meaning?

Human beings are remarkable creatures, with powerful linguistic capability. Most of us, in attempting to communicate, are able to do so in spite of grave linguistic errors by other parties. To be clear, and to answer your question, I know, you know, and everyone else knows what is meant when someone says "irregardless". Did I mention you here? Yes, even you are conveyed meaning when someone uses this not favorite word of yours. You perfectly well know what they mean.

I think we have established that you cringe when this meaning is conveyed, yes? But conveyed it is. And a word is not "a combination of phonemes or syllables used to uncringingely convey meaning." I will go out on a limb and assert it so.

What do you think of that?

C//

Re:Captive Portals Do That You Know?

Finish the thought...

"Its reputation has not risen over the years, and it is still a long way from general acceptance. Use regardless instead."

I bet you defend ibonics too.

Re:Captive Portals Do That You Know?

[Khyber]

"That - literally - makes no sense whatsoever."

Well, at least we know you're not fit for quantum sciences.

Re:Captive Portals Do That You Know?

[Kalriath]

I'm not going to disagree with you there. Quantum anything is just convoluted.

I'm sure he agreed to this in the TOS.

[Vandil+X]

Whether it's free Wi-Fi or paid Wi-Fi, read those Terms of Service. I'm sure this activity was disclosed in theire either explicitly or with ambiguous language. As the saying goes: Don't like it? Don't use it.

Re:I'm sure he agreed to this in the TOS.

[Chrisq]

Whether it's free Wi-Fi or paid Wi-Fi, read those Terms of Service. I'm sure this activity was disclosed in theire either explicitly or with ambiguous language. As the saying goes: Don't like it? Don't use it.

Where would you draw the line?

Adding adverts for their hotel?
Switching adverts for other hotels to theirs?
Removing negative reviews of their hotel, or changing the rating?
Removing news items supporting a political party the owners don't favour?
Adding fictitious negative news stories about a political party the owners don't favour?

In my view as soon as you start delivering content that has been changed from that the original author intended (except under complete control of the user such as adblock) then you are on dodgy ground.

Re:I'm sure he agreed to this in the TOS.

As the saying goes: Ignoring a problem doesn't make it go away.

Re:I'm sure he agreed to this in the TOS.

[joocemann]

Here here!

imho, a business would not, in good faith, offer 'free' services under the legalese shroud to actually modify and distort what a client would faithfully consider to be happening....

in other words, this is dishonest business practice, even if its in a ToS or EULA.

Re:I'm sure he agreed to this in the TOS.

[joocemann]

As the saying goes "protect yourself with awareness, but let your neighbors burn in the fire of ignorance".

'the market' isnt the answer to everything.

Re:I'm sure he agreed to this in the TOS.

[Culture20]

Did they have the rest of the world wide web sign the terms of service so that their copyrighted works could be modified and used for profit?

Re:I'm sure he agreed to this in the TOS.

[gdshaw]

Whether it's free Wi-Fi or paid Wi-Fi, read those Terms of Service. I'm sure this activity was disclosed in theire [...]

Even if that lets them off the hook so far as the user is concerned, the website owner is not a party to those terms of service.

Re:I'm sure he agreed to this in the TOS.

but can i send them a bill for advertising on my site.

Re:I'm sure he agreed to this in the TOS.

[Wrath0fb0b]

Dodgy ground? They own the hotspot, they can provide whatever they want. They can replace all the images with cats if they really feel the internet would be better if all images were cat pics. The hotspot does not belong to you, you have no right to dictate its configuration. Not yours.

If you want to communicate with a site securely, you sign the content cryptographically. Otherwise, the internet provides absolutely no guarantee that the message has not been tampered with. It's not part of the spec, never has been, never will be.

Re:I'm sure he agreed to this in the TOS.

[admdrew]

I think the line is drawn at the addition of content, versus modifying or removing content from the sites you visit. It's analogous to television; produced programs don't have control of the timing or content of the ads *added* during broadcast, but they know that their show's content won't be modified or edited out (simplification, of course, since networks obviously have ultimate editing power behind their own shows).

If (when?) ISPs at any level (since the hotel in this fashion is operating as an ISP to its patrons) start modifying or remove code/content from the sites they serve up, I think there may be more public outcry - I hope.

EDIT: QoS of traffic may already fit under this, since its very nature is to modify how content is served... maybe it's still 'ok' because it's still not actually changing the content? Dunno...

Re:I'm sure he agreed to this in the TOS.

[Restil]

At some point, it's not really worth the trouble. I can see the reasoning behind trying to make an extra buck off the customer, but in the end, they need the customer or nothing else matters, so anything that involves making the customer's stay an uncomfortable one is going to make them a non-customer in the future. Anytime you screw around with a webpage, you're greatly increasing the chances that the page will not display properly. It's hard enough as it is to code a page so that it works identically with all browsers. Inserting an ad might not be too difficult, but cherrypicking out content from them is going to be considerably more complicated.

-Restil

Re:I'm sure he agreed to this in the TOS.

[Khyber]

"Dodgy ground? They own the hotspot, they can provide whatever they want. They can replace all the images with cats if they really feel the internet would be better if all images were cat pics. The hotspot does not belong to you, you have no right to dictate its configuration. Not yours."

THE WEBSITE IS MINE AND MODIFYING ITS CONTENT WITHOUT MY EXPRESS PERMISSION AND KNOWLEDGE IS A VIOLATION OF MY COPYRIGHT.

Get your head out of your ass.

Re:I'm sure he agreed to this in the TOS.

[Skapare]

And "distance yourself from the problem" doesn't prevent it from following you like a lonely puppy.

Re:I'm sure he agreed to this in the TOS.

[hobarrera]

It's not really free if I pay USD200 a night at the hotel, is it?

Re:I'm sure he agreed to this in the TOS.

[Wrath0fb0b]

THE WEBSITE IS MINE AND MODIFYING ITS CONTENT WITHOUT MY EXPRESS PERMISSION AND KNOWLEDGE IS A VIOLATION OF MY COPYRIGHT. ALSO I AM DUCK.

The website is yours but the configuration of the hotspot is not. For instance, I have every right to take my router and add a rule to iptables that drops all requests to odd-numbered IP addresses. If you happen to have a webpage that runs with some images at an even numbered IP and some at an odd IP, that doesn't mean you have any right to order me to change my setup just to make your webpage display right.

Otherwise, you are basically announcing a rule stating the content providers have the right to determine the system configuration and behavior of all intermediate machines between themselves and their destinations. That's obviously wrong and, as I tried to explain, was never part of the contract for the internet -- it's not a medium that guarantees any authenticity whatsoever.

But, really thought please pretty pretty please sue someone based on this theory. It's probably the only way you'll ever appreciate how wrong you are.

Re:I'm sure he agreed to this in the TOS.

[Khyber]

Considering I've had multiple DMCAs successfully withstand a challenge in court regarding my own website and the modification of its content, I think you're the mistaken one, here.

Re:I'm sure he agreed to this in the TOS.

I can see valid points either side. I think I can equivicate this to the hotel cutting the newspaper and repasting it together as a newsletter and handing that to customers instead of a newspaper in the morning. They can ads to that as well, and state that they are not changing the origrinal - hence modifying your website does not come into it. It is a way of giving "free" service by subsidising the cost in the way of advertisments, which is hardly new even this sort of "hotspot" software.

I think that their should be a point of filtered vs. non-filtered connections, and need to be stated as such. A filtered connection means the traffic can be altered in some way - whether that be injecting ads, filterering websites, DNS searches and the like. Unfiltered connections is exactly that - an unfiltered pipe from a provider, where only the number of bits count.

I think this would opens up grounds within of the "safe harbour" provision. If you are filtering sites for customers, you have to ensure your setup/filtering is good and correct - therefore you are resposible for what your clients download. You are the end customer, who is repackaging the goods to sell on to others privately (but should be required to tell everyone that it is a filtered connection. - i.e. "Filtered internet availiable!")

An unfiltered connection should be just like the water tap - you pay for the service connection, the water usage - but what you do what you want with that water, such as using it to make drinks to sell on, however you are responible for what was brought in, unless those connections are sold on to others.

Any filtering along the way should marks a line as filtered, so one provider cant start selling unfiltered connections from a filtered provider (Ever have a provider swear that they aren't blocking ports, only to find their provider blocks those ports?)

To summerize - your complaining that you were "sold" a filtered connection on the assumption that it was unfiltered, and was unhappy with the quality of what was delivered. I'm sure they'll be happy to offer a refund for your compliemtary internet usage. However these days I think consumers do need a little more information and standardization of what they are being sold.

Re:I'm sure he agreed to this in the TOS.

[Man+Eating+Duck]

ALSO I AM DUCK.

I see what you did there :)

On topic: I'm not sure about the legal aspects, but modifying a communication and reusing its content for your own financial gain is in any case a scummy practice, especially if the receiver is not explicitly made aware of this. I would also think that all the HTML in a web page is copyrighted, not only editorial content as presented by the page author, and that you are not allowed to alter and reuse it for financial gain even if you're implicitly allowed to forward it. As TFA states, they'd probably land in hot water if they had subtly redacted complimentary newspapers. I don't really see the difference.

Also, from your earlier post:

They own the hotspot, they can provide whatever they want. They can replace all the images with cats if they really feel the internet would be better if all images were cat pics.

No, not at all. There are lots of content and redactions you could provide that aren't legal anywhere. Where I live you'd also be slapped pretty hard with false advertising if you promoted your hotel as having free Wi-fi without mentioning that all images were replaced with cute kittens. So, where to draw the line? To me it seems reasonable to draw it at "no content altering whatsoever".

Re:I'm sure he agreed to this in the TOS.

[joocemann]

Good point.

Re:I'm sure he agreed to this in the TOS.

[Kalriath]

That sounds like an incredibly handy precedent for all website-owning slashdotters to know about. What would be the case numbers of these court challenges?

Re:I'm sure he agreed to this in the TOS.

[Khyber]

You'd have to ask China and my legal department about that one. I just get the news, my staff handles the rest.

Yes, China. Isn't that funny?

Re:I'm sure he agreed to this in the TOS.

Did the websites that care sign their pages/content? If not, then this shouldn't be your only worry, pretty far from it depending on how paranoid you are. If you want to be protected, protect yourself and those who you do business with. Nobody owes you shit.

Re:Insert this:

[Amyntas]

Contrary to popular belief, a recent study has found that, 'First,' actually comes before second, and is generally regarded as something that should not be mistaken with second.

Remember, One comes before Two comes before 60 comes after 12 comes before Six Trillion comes after 504.

Copyright infringement?

[Filter]

Wouldn't this be copyright infringement? The web page as you intended is your creative work, they are altering and distributing your work. I don't think you are allowed to do that.

   

Re:Copyright infringement?

Wouldn't this be copyright infringement? The web page as you intended is your creative work, they are altering and distributing your work. I don't think you are allowed to do that.

 

Yes it is, but it hasn't stopped Phorm or NebuAd from still trying it.

Re:Copyright infringement?

[folderol]

Not only is it definitely copyright infringement (but try doing anything unless you have huge wads of spare cash) but it doesn't matter what T&C the ISP tries to put on their users, it's not the users that own the copyright!

Re:Copyright infringement?

[Jah-Wren+Ryel]

Wouldn't this be copyright infringement? The web page as you intended is your creative work, they are altering and distributing your work. I don't think you are allowed to do that.

I don't think so. Alteration by itself is not infringement. Redistribution by itself is infringement. So take the derivative work part out of the equation and you have what every caching proxy in the world does and that does not appear to be considered infringement.

Re:Copyright infringement?

[slazzy]

I wouldn't think it would be a clear case of copyright infringement. It could be argued that the ISP putting an advertising bar at the top of a webpage is not that different from a browser toolbar containing advertising. If it turned out to be, then using programs such as adblock would also be copyright infringement or in fact viewing a webpage with images or javascript turned off in your browser? In any case it's an evil practice in which I'm sure a solution can be found, maybe web servers should send some kind of hash which can be verified by the browser to make sure nothing changed in transit.

Re:Copyright infringement?

[hobarrera]

It's being redistributed, and this ads. The goal of the redistributer, is to make profit, so I think that would be ilegal.

Re:Copyright infringement?

[Jah-Wren+Ryel]

It's being redistributed, and this ads.

I don't understand your point.

The goal of the redistributer, is to make profit, so I think that would be ilegal.

I don't think profit is really relevant, we aren't talking a fair-use defense here, I am saying that no redistribution - in the legal sense - is occuring. For example, see these guys who are one of many such services that makes copies for profit but they aren't infringing because it is not legally considered redistribution.

Re:Copyright infringement?

[Courageous]

Incorrect. An unauthorized change is an unlicensed derivative work.

Re:Copyright infringement?

[ljfrench]

I would argue copyright infringement and unjust enrichment. http://en.wikipedia.org/wiki/Unjust_enrichment

Even if it were in the TOS and the terms were properly agreed to, I would still haul them before a judge and make them explain.

I am a lawyer and this is not legal advice.

Re:Copyright infringement?

[Jah-Wren+Ryel]

Incorrect. An unauthorized change is an unlicensed derivative work.

I think you are going to have about zero chance of proving that. I'll even one up you - look at those DVD players which censor the movies they play back based on a list of cut-points from a 3rd party. Hollywood threatened to go to court over those, but they never won. Sure congress made it moot by passing a law explicitly authorizing those players, but most people thought hollywood would lose in court anyway.

Re:Copyright infringement?

[mikkelm]

Censoring hardware and software block content. You can block whatever you want to block, and blocking specific parts of a movie is no more "derivative" than skipping ahead five minutes with your remote. When you alter a work according to copyright law definitions of alteration, you manipulate it or add to it. If you do that for fun, it's usually a civil matter, but if you do it for profit, it's always a criminal matter. Adding profit-generating ads to an existing work without authorisation most certainly passes the test for criminal copyright infringement.

Re:Copyright infringement?

[hobarrera]

Sorry, I made a typo, it was "It's being redistributed and with ads."
And of course it's being redistributes.
User tries to access www.example.org. Hotspot operator downloads content of site, and puts some ads on it, for his own profits. Sends altered website to user. There's your redistribution, with alterations, and for-profit.

Re:Copyright infringement?

[Jah-Wren+Ryel]

You can block whatever you want to block, and blocking specific parts of a movie is no more "derivative" than skipping ahead five minutes with your remote.

Seems to me you are arguing counter to your own point. In order to legally qualify as a derivative work any changes must be creative and not rote. The cut-list is a creative work in and of itself as it requires a human to make a determination as to what does and what does not qualify for censorship. But the automatic insertation of ads is a completely rote operation, almost by definition, since it is done on the fly by a computer.

Re:Copyright infringement?

[Jah-Wren+Ryel]

You are arguing in circles - alteration or not, all proxies send the website to the end user and "send" equals distribution while "alter" does not.

To make it more clear - if I give a copy of an mp3 to a friend I have distributed it and that is just as much distribution as if I had recorded an introduction, mixed it into the opening of the song and gave that new mp3 to my friend.

Re:Copyright infringement?

[mikkelm]

I see where you think I'm arguing counter to my own point if you don't understand what a derivative work is in copyright law. A derivative work is a creation that contains significant elements of an original work. A cut-list does not contain any element at all of the original work, and is as much derivative of a movie as a frame is of a painting.

As far as interaction goes, it requires a human to determine where to cut a movie, and it requires a human to determine where an advertisement is to be inserted into a page. A censoring DVD player censors automatically based on human instructions, just like an injection device inserts advertisements automatically based on human instructions. That's all irrelevant, however, as there's absolutely no stipulation in copyright law that requires human interaction or intervention to make a work derivative.

Re:Copyright infringement?

[Jah-Wren+Ryel]

A cut-list does not contain any element at all of the original work, and is as much derivative of a movie as a frame is of a painting.

Lol, I never said it did. I said the movie + cut list equals a derivative work.

That's all irrelevant, however, as there's absolutely no stipulation in copyright law that requires human interaction or intervention to make a work derivative.

I never used the word interaction nor did I imply it through the use of a related other term. I used the words "rote" and "creative" which are orthogonal to the concept of human interaction.

You've gone from arguing against yourself to arguing against ghosts. I don't think many rational people will find either approach persuasive.

Re:Copyright infringement?

[mikkelm]

Lol, I never said it did. I said the movie + cut list equals a derivative work.

Why are you contradicting yourself? If a cut list isn't a derivative work by itself, then nor is it a derivative work in combination with a movie. Like I just told you in the previous post, a work has to contain significant elements of another work to be considered derivative. Running it atop another work does not magically make it derivative, and since we've already established that a cut list does not alter the content of the media, but merely establishes which parts the user does not wish to see, it is not a derivative work from a copyright law perspective. Not even Hollywood lawyers would go to court to argue that it is.

I never used the word interaction nor did I imply it through the use of a related other term. I used the words "rote" and "creative" which are orthogonal to the concept of human interaction.

You need to read your own posts. You said specifically that

The cut-list is a creative work in and of itself as it requires a human to make a determination as to what does and what does not qualify for censorship.

, suggesting that any human interaction makes a work creative according to copyright law definitions. I can tell that you're probably using Wikipedia as your main source for this material, because you're citing the "creative" and "rote" differentiation that determines whether or not the author of a derivative work can claim copyright on their derived work. That has nothing to do with the discussion at hand. In any way.

You've gone from arguing against yourself to arguing against ghosts. I don't think many rational people will find either approach persuasive.

Rather, I've been arguing against the points you've raised under the misconception that you understand what it is that you're talking about. I think most rational people who understand the subject matter will recognise this.

Re:Copyright infringement?

[Courageous]

There are two flaws with your attempt to make an analogy to just in time censorship:

The first flaw is that it is, in your analogy, the end user applying a technical means to exercise their right to not view/hear certain forms of content.

The second flaw is that you attempt to make an analogy between the deletion of trivial content to the wholesale substitution and or addition of independent copyrightable creative work.

This is a weak analogy.

Re:Copyright infringement?

[Courageous]

I agree."Original content displayed below" is fine. Replacing the ads of the original content, however: not so much.

Re:Copyright infringement?

[Jah-Wren+Ryel]

Why are you contradicting yourself? If a cut list isn't a derivative work by itself, then nor is it a derivative work in combination with a movie.

So. If I write and record my own completely original song, that is not a derivative work and then I mash it up with Stairway to heaven the result is not a derivative work either? Lol. You are so far lost.

suggesting that any human interaction makes a work creative according to copyright law definitions.

No, YOU keep trying to force "human interaction" into equalling creativity. A human is just as capable of doing rote work as a computer is. But a computer is NOT capable of doing creative work - hence my use of the word determination which is not a synonym for interaction. If you can't wrap your head around the difference you aren't capable of making a meaningful contribution to the discussion.

Re:Copyright infringement?

[Jah-Wren+Ryel]

The first flaw is that it is, in your analogy, the end user applying a technical means to exercise their right to not view/hear certain forms of content.

And when they signed up to use the wifi service that is exactly what they signed up for as well. Both are "just in time censorship" - removal and replacement of content as it is viewed.

The second flaw is that you attempt to make an analogy between the deletion of trivial content to the wholesale substitution and or addition of independent copyrightable creative work.

So you are arguing that because the new ads are also creative work that it is somehow more of a violation of the copyright on the original than not adding any additional creative works? So if I pirate a song wholesale that is less of an infringement than if I mix my own voice into the song before copying it. Really? That's your reasoning here?

That should fail.

[khasim]

Unless you have specifically trusted whatever certificate authority server the ISP put up to do that.

Re:That should fail.

[Richard_at_work]

And what if they own one of the large CAs?

Re:That should fail.

[Kefabi]

How can you ever get /.'s cert if the ISP keeps switching it out with the ISP's cert? Just go without /. and all other secure sites while at home? That sucks!

Re:That should fail.

[Nikker]

You should take a closer look at the CD media your ISP sends you to "setup" your Internet connection.

Re:That should fail.

Chain of trust. Slashdot's cert is signed by one of the certificate authorities that your browser trusts, so your browser knows it's getting the real Slashdot cert, rather than the ISPs.

Many Slashdotters despise the certificate authorities and wish that web browsers would stop warning the user that they're browsing a site with an invalid cert. Well, guess what, if your web browser wasn't warning you of this, then your ISP could trivially intercept and modify your HTTPS communications.

Re:That should fail.

[sconeu]

Who uses that?

Re:That should fail.

[Kalriath]

Easy enough to do. Comodo or GlobalSign will actually sell you an intermediate CA certificate issued by their trusted Root CA. Refer to GlobalTrust's page on that for evidence. Comodo has no info on the fact they allow this, but I have seen a Comodo chained CA in the wild.

Re:Insert this:

Good job. Now go investigate the difference between insert and append and figure out if one or the other can be used to generate lists in non-sequential order.

Great idea

[ickleberry]

You can make money from running an open wifi AP. I might try this myself and replace all google ads with my own, also deprive the Goog of some money for their driverless car pet project

Re:Great idea

I doubt it works. Google checks that the sites has the code or not.

It's a copyright violation.

[sotweed]

IANAL, and I don't play one on TV, but it seems pretty clearly a violation of a web site's copyright to do this. A web page
is a visual work, and at least for any country that is party to the Bern Convention (this includes the US and most or all of Europe),
a page is copyright even if it doesn't say so. So for the hotel or ISP to modify the page, especially when it is being paid to do so,
seems a clear violation. Some web site should make a big stink (lawsuit!) about this and put an end to the practice. I think it wouldn't
be a difficult case to win, particularly with all the other copyright enforcement actions going on (MPAA, etc.).

I wonder if a similar case can be made for organizations like health clubs that show TV programs at the wrong aspect ratio, making
people look as if they're 20% fatter (wider) than they actually are...

Re:It's a copyright violation.

[sprior]

Actually I think you'd use an MPAA case as a precedent. Wasn't there a case from the MPAA against a company that was creating a side editing track to cut out the bad(good) parts of a movie to reduce it from R to PG-13?

those clever bastards!

[FudRucker]

someone should crack it and turn it in to something useful like advertising for something free & open source like Linux, Debian, Emacs or Vim

Re:those clever bastards!

[rrohbeck]

Inject ads for porn sites. That'll get some attention.

oh good good--we now have step 2.

Marriot you say?

Time to register a copyright on my webpage, put up a local bulletin board offering $100 per screenshot of my website, and then offer their legal department the chance to settle for $2,000 per infringement, an 80% saving over the statutory rate...

VPN

[SuperTechnoNerd]

So set up an encrypted tunnel to your home machine and set it up so you can browse the web through the tunnel as if you were at home. Slower perhaps, but worth it. If they are injecting stuff, then what else are they doing? Looking at your traffic?

Re:VPN

[FudRucker]

goats.cx the front desk if they are snooping on people's browsing habits, after some of that i bet they get disgusted and quit

Re:VPN

[kybred]

So set up an encrypted tunnel to your home machine and set it up so you can browse the web through the tunnel as if you were at home. Slower perhaps, but worth it. If they are injecting stuff, then what else are they doing? Looking at your traffic?

FireFox + QuickProxy FTW!

I use that combo when traveling. You just have to set up a machine at home to accept a ssh tunnel.

Not exactly news

[element-o.p.]

I work for an ISP, and we had a vendor try to sell us a box that would insert ads into downloaded web pages. My boss and I kicked the idea around for about half a second before turning our noses up at it.

Having said that, as a consumer, I wouldn't care if someone providing free WiFi inserted ads to offset the cost of providing bandwidth as long as the ads weren't too egregious. If you are providing a service that I value for free, then I don't care if you throw a few ads up to generate some revenue to fund your free service. For example, I've started seeing targeted ads on some web pages I visit, and quite frankly I don't much mind seeing ads for motorcycle parts and camping gear (two of my interests) when viewing web pages. Viagra and match.com, on the other hand...not so much.

The difference between this and what the vendor was trying to sell the company I work for is that we are already charging our customers for bandwidth. Inserting an ad on their connection after they've already paid to receive service seemed just a little...sleazy. WiFi at a hotel would seem similar to the ISP example.

Re:Not exactly news

[Skapare]

Would porn ads be OK if the user had explicitly visited porn sites?

Re:Not exactly news

[Thing+1]

Personally, after ordering a pizza I get a ton of Domino's ads. And I applied at a company, and got a ton of their ads for about a month afterwards. Google analytics at work, but a bit creepy.

China

This is standard practice here in China. Whenever I'm not using my VPN, my ISP injects code to pages I visit that opens a pop-up window with ads. It is quite annoying as you can imagine. I've seen this at multiple locations, so it's not specific to this one ISP.

HTML modification going on since 2007 or earlier

[ODBOL]

In November 2007, I bought a wireless box from Meraki (http://www.meraki.com/). I intended to use it to provide a free wireless hotspot for my neighborhood, and to be ready to peer with any neighbor who chose to work on the grassroots network. These were primarily symbolic acts, since neither service is likely to get much use in my neighborhood.

In most respects, the Meraki box appeared to do a good job of exactly what I wanted. But I noticed a little blank stripe at the top of Web pages. I found that Meraki hacked HTTP packets to add that stripe. As owner, I was able to set the contents of the stripe (e.g., to advertise myself as the provider of the free hotspot, or to ask for payment if it's not free). But, I was not able to eliminate the stripe. I called support, and they confirmed that the stripe is not optional, but its contents are owner controlled. I sent the box back for a refund. I understand why Meraki provided the feature (I don't like it, but I understand). I don't understand why they made it impossible to turn it off. They were very good about delivery, support, and refund in all other respects.

I think that Open Mesh (http://www.open-mesh.com/) provides something like the Meraki box, but cheaper and transparent to all Internet traffice. I have not tried their products yet.

For the time being, I just leave my Tomato (http://www.polarcloud.com/tomato) box unprotected, and I think that people occasionally park in front of my house to use the network. But there's no chance of peering to help avoid the last-mile bottleneck.

Never seen before?

[fermion]

He said in an interview that he had never seen an Internet provider modifying Web pages that a person visits.

I guess this speaks to inexperience of the web developer. It was not long ago that ISPs were trying to do this. It was not that long ago that web developers put third content within a frame along with ads that generated personal revenue. AFAIR, this idea of pushing personal ads over third party content is as old as the mass advertising on the web. And I know some ISPs specifically did this.

This is a negative practice. It is one of the primary reason used to justify web blockers. While one might trust the website, there are many ways to inject other ads and content into a web page. As such, it is best, from a security perspective, not to load ads.

Re:Never seen before?

[Thing+1]

And I know some ISPs specifically did this.

So, would this work? (I realize that it might make "page delivery" take twice as long; although, I just made it better, here it is.)

After the page completes, have a JavaScript routine that runs which calculates the page's MD5 sum (or similar) and sends it back to the server. The server can then determine whether what it sent is what the user saw.

This of course might also be a way for the server to violate ad blockers. If it didn't match, then the server could negotiate with the client as to which parts of the page didn't match, and then re-send them through a side channel and show the ads.

(The "twice as long" was the initial implementation, which was to send the page back; then the server would re-send anything missing. But the checksum idea seems to use less bandwidth.)

Huh?

And this guy claims he's a web developer and this is the first time he has ever seen someone do something like this before?

Yeah, he's some web developer all right. He may know how to write HTML a bit, but he obviously is lacking in a few other tools of the trade or in his own personal knowledge / experience...

Old news. Move along.

Let's just be clear about that.

[khasim]

And what if they own one of the large CAs?

Just to be clear about that ...

You're postulating a situation where:
The ISP
is owned by a certificate authority
that is, by default, trusted by your browser vendor
and that certificate authority
is creating certificates for 3rd party websites
without the 3rd party websites' permission
in order to facilitate man-in-the-middle attacks
so that the ISP can inject ads into your session.

I would imagine the backlash would kill both the ISP and that certificate authority.

Re:Let's just be clear about that.

[Ja'Achan]

And if you're that paranoid, you shouldn't have any CAs in your browsers anyhow.

Re:Let's just be clear about that.

[Alex+Belits]

I would imagine the backlash would kill both the ISP and that certificate authority.

No, because fraud charges against everyone involved will do it long before that.

Re:Let's just be clear about that.

I work in the security team at a major bank, and we have many lawyers.

If we found an ISP doing this to sessions between our customers and our Internet banking site, we'd kill them in court.

Re:Let's just be clear about that.

If the ISP were doing this in Australia, for example, I suspect people at the ISP going to jail would kill both the ISP and CA.

SSL MITM by an ISP would constitute a number of numerous offences carrying hard time under the Telecommunications (Interception and Access) Act 1979.

Re:Let's just be clear about that.

[thermowax]

You're almost right. There are a number of commercial appliances (Websense makes one, which I've deployed for corporate use) that do exactly this so the corporate powers-that-be can peer into SSL encrypted traffic. This is generally (hopefully) for IDS/IPS purposes.

The key is that:

1. Corporate workstations have to be loaded with a CA cert generated by the appliance so they trust all certs issued by the appliance, and
2. The fake server certs are generated *real time*. Pre-generation isn't necessary.

So the reality is that this happens every day if you're running one of these systems. You raise an interesting point, though, that if a CA with their CA cert already in browser distros did this, it would be pretty much undetectable. However, then anyone with one of those appliances could do this man-in-the-middle attack, rendering the CA's infrastructure/reputation worthless. Additionally, they'd have the CA's private key, which is the crown jewel of a CA- so I doubt that would happen.

Now, if someone maliciously inserted their CA key into a browser distro, well, that opens the door for all kinds of fun...

J-.

HTTPS everywhere

[DrYak]

Use HTTPS Everywhere extension (currently for FireFox, I don't know about chrome equivalents).

This will make everything coming to you as an encrypted stream, by passing the Hotspot's rewritting.
Or the Hotspot will attempt to Man-In-The-Middle Attack your encrypted stream (decrypt it itself, as if they were a normal client like you, and then re-encrypting it before sending it to you, as is they were a server. Except they don't know the original private encryption keys, so they will need to use another private key). In that case, it's harder for you to bypass the ads, but HTTPS Everywhere 2.0 or newer or Certificate Patrol will both be able at least to detect the unusual switch of encryption key.

A harder to bypass way would be to use a SOCKS proxy over SSH ("ssh -D" under unices, or corresponding setting in PuTTY under Windows).

If SSH connections are blocked, use corckscrew to try connecting over a HTTPS proxy.
Or use some HTTP tunnel.

At worst, use a DNS tunnel. Much slower, but almost always work.

The latest step are more Geek's last measure. But HTTPS everywhere is currently a must on any laptop.

Re:HTTPS everywhere

[Skapare]

Have you tried this with Slashdot yet?

Re:HTTPS everywhere

[hobarrera]

FYI, there is an HTTPS Everywhere for chrome; I noticed the download link right next to the firefox one every time I install a new PC. :)
I tried to use putty one, but never found the equivalent for "-D". Just use cygwin's SSH.

Re:HTTPS everywhere

[Kalriath]

It won't work because Slashdot forces non-subscribers back to HTTP.

I think this is a business model in use

[ODBOL]

I can't tell if you are joking or being sarcastic here. I'm pretty sure that you have just described a business model in actual use. It seemed to be promoted by Meraki as a way to make money with their wireless boxes.

I also believe that there was a dispute some years ago regarding television broadcasts inserting advertisements as if they were posted on the fences at baseball stadiums.

I would greatly appreciate reliable pointers that anyone could provide to these behaviors. I will try to find some later. For now, this is what I remember, and I think it's right, but it hasn't been checked.

Re:I think this is a business model in use

[SuricouRaven]

When I was with Virgin cable (I'm not now) they actually inserted ads into the channels themselves - you could tell because their editing tended to be off by a couple of seconds, and because the adverts were invariably for Virgin cable/phone/internet. They only advertised themselves, and I assume that a huge payment was made to the channel providers to get them to agree to such editing. This was years ago though, so they probably don't do it any more.

Re:I think this is a business model in use

Comcast did that for years, and probably still does. Another way you can tell is the sudden drop or increase of signal quality.
The inserted ads always start a few seconds into the station's ad, or they cut off and you see the last couple seconds of the station's ad. And, they're usually louder than the station normally is.

Since 2007 or earlier

[ODBOL]

I posted a comment below regarding Meraki wireless boxes that did this in 2007. I never experienced an actual deployment, but there must have been some.

So?

"I have news for you. When Roscius was an actor in Rome..."

No.

[Vandil+X]

1. The websurfer agrees to a Terms of Service that allows the ISP to make changes to inbound website page requests.
2. The websurfer proceeds to request pages from a remote webserver. The ISP injects ads as the customer consented.


No where in this was the remote webserver compromised or hacked. The website still loads as the content owner designed on computers accessing the website through ISPs that have not adjusted the content. Since the customer is agreeing to allow the ISP to alter his web browsing experience in exchange for Internet Access, this is permissible. Unethical, perhaps, but permissible. Certainly not compyright infringement.

Re:No.

[overnight_failure]

Assuming this is copyright infringement, your logic is wrong. Just because the consumer of the product agrees to receiving modified content, it does not allow someone to modify a copyrighted work.

Re:No.

[corsec67]

So, I can make a TOS that you agree to which allows me to violate the copyright of CNN.com and send that to you?

Re:No.

[user32.ExitWindowsEx]

By inserting the ads without telling the site owner (and obtaining approval) the ISP is creating an copyright-infringing derivative work.

Re:No.

[Courageous]

It doesn't matter what the websurfer agreed two. The websurfer cannot absolve the ISP of their legal obligation to not create derivative works without the original content owner's consent. The remote content was modified, created an unlicensed derivative work.

Re:No.

[Kalriath]

If the website had ads to start with, one could argue... er, what's it... tortious interference I think it is. Your business model relies on ads being sent to the client, and a third party without your authorisation is removing those ads and replacing them with their own, depriving you of revenue.

I wouldn't want a precedent set on that though - it could potentially make ad-blockers illegal if it stood up in court.

Then if you don't accept the ISP's self signed

certificate you don't get to use any https websites at all. Most people will eventually accept rather than lose the ability to access anything that uses https (that means no gmail/yahoo mail, no facebook, no twitter, no logging into slashdot, etc).

Remember free Dial-Up Providers from the 1990s?

[Vandil+X]

In the 1990s, there used to be tons of free dial-up ISP providers that gave you free access so long as you agreed to surf the web through their branded version of Internet Explorer that framed websites in ads. Some providers required you to click the ads so many times within a certain interval of time or get disconnected.

I'm sure these frames and banner ads "violated" the design of websites that were browsed by these users, but since the websites themselves were not hacked or damaged and displayed correctly on the computer screen of those not using ad-managed ISPs/web browsers, there is probably not a tangible copyright issue.

Hotel Wi-Fi is just the modern version of this same model, albeit without using software or requiring ad clicks.

Re:Remember free Dial-Up Providers from the 1990s?

[SeaFox]

In the 1990s, there used to be tons of free dial-up ISP providers that gave you free access so long as you agreed to surf the web through their branded version of Internet Explorer that framed websites in ads. Some providers required you to click the ads so many times within a certain interval of time or get disconnected.

I'm sure these frames and banner ads "violated" the design of websites that were browsed by these users,

No, because the ads were in a frame around the webpage. It's not any different than having two browser windows open on your desktop where a few inches of a background window is visible below/beside the frontmost window.

Hotel Wi-Fi is just the modern version of this same model, albeit without using software or requiring ad clicks.

Except the ads are being added in a way where the viewer cannot distinguish what is an original part of the page with what has been added by the service provider. What if a site dealt with a certain political viewpoint or sensitive topic and the ads being added were in a contrary viewpoint or otherwise in bad taste for the web page topic? What if the viewer was using a site where they pay a fee to access it ad-free? If they started seeing these ads (injected by the service provider on the sly), they might think the website operator was doing it despite their subscription.

Re:Remember free Dial-Up Providers from the 1990s?

[zyzko]

Well, the difference here is that these tricks are played by Marriot, which is not in the cheapskate class of hotels. If I'm paying top price for my room I expect that they offer a reasonably good (eg. I accept one-time signup based on mac, I can live with NAT, my VPN works with it but intercepting traffic...no, you do not get my business next time) internet service. As I would expect that the bed is not full of adds and to get warm water in shower I do not have to watch commercials for a few minutes first.

For free wifi providers around - I'm fine with you being jerks and requiring whatnot, but for hotel where I'm actually your customer and paying a premium - you do this once and I'm not coming again.

Re:Remember free Dial-Up Providers from the 1990s?

So what if they served up a page framed in ads? (heck, many websites already look like that) So you have a frame of ads, and have the actual page served through an iframe. (looks exactly like the browser described, but thanks to the power of web applications, you don't actually need a customized browser!)

Nothing is free

[nurb432]

They have to pay the bills somehow. A bigger deal would be if they were removing others ads..

Don't like ads, don't use their service or block them.

Re:HTML modification going on since 2007 or earlie

[nurb432]

people occasionally park in front of my house to use the network

Or they are casing the house, as since you are 'above' the average end user out there they know you have some electronics in there they might want to steal..

As a customer, I don't care

I don't care about all of this at all. Insert or replace any ad you like, I'm still blocking it anyway.

Re:HTML modification going on since 2007 or earlie

[admdrew]

Two quick things:
- Thanks for the Open Mesh link, I hadn't heard of it before and I'll definitely check it out.
- I'd be wary about running an open AP for the purposes of distributing a connection to your neighborhood; you may be violating your own ISP's terms of service (although not ethically an issue to me), and, far worse, you may open yourself up to people attempting to do illegal/unethical things, something that could fall back to you.

To me, access to my wireless AP should be treated like my own home's front door; I'd gladly give my trusted neighbors keys, but I'd do everything I reasonably could to protect myself from the rest of the world, who I do not implicitly trust as a group.

"Web Engineer?"

[CohibaVancouver]

Justin Watt, a Web engineer, was browsing the Web in his room at the Courtyard Marriott

C'mon editors - "Web Engineer?" What the hell does that mean? It's amazing how engineers allow their title to be attached to every job under the sun these days. You certainly don't hear about 'Web Laywers' or 'Web Dentists.'

Re:"Web Engineer?"

An engineer: someone who engineers or desgns things in this case web pages. I fail to see the problem here.

Re:"Web Engineer?"

[CohibaVancouver]

I fail to see the problem here

From http://en.wikipedia.org/wiki/Engineer

In the US and Canada, engineering is defined as a regulated profession whose practice and practitioners are licensed and governed by law.

Re:"Web Engineer?"

Yeah yeah, and a 'hacker' isn't someone who does illegal stuff in front of keyboard.

Back in the real world, people will continue to use the terminology they are familiar with, even if it 'devalues' your profession or whatever nonsense people try to claim when they realise they picked the wrong career path.

Re:"Web Engineer?"

[CohibaVancouver]

even if it 'devalues' your profession

Hey Anonymous Coward, I'm *not* an engineer. I have a bachelor's in Political Science - And no I don't go around caclling myself a 'scientist.'

Re:"Web Engineer?"

You can't show that someone misused a word by providing one usage that would be incorrect. You must show that all possible meanings of the word would be incorrect. Unfortunately for you, there is one meaning that fits his usage:
engineer:
3.c. a person who carries through an enterprise by skillful or artful contrivance

Re:"Web Engineer?"

So as a state licenced and regulated truck driver I am a logistics engineer. Official descriptions are not necessarily pragmatic descriptions.

Re:"Web Engineer?"

I fail to see the problem here

From

http://en.wikipedia.org/wiki/Engineer

In the US and Canada, engineering is defined as a regulated profession whose practice and practitioners are licensed and governed by law.

Exactly! Here in Canada the last time I checked there were no regulated web engineers

Re:"Web Engineer?"

[Kalriath]

My pet hate job title - the one that doesn't really explain what the job actually is.

By which I mean, that's my job title too. And even I don't know what it is.

Re:"Web Engineer?"

Actually, not accurate.

In Canada, Engineer is a protected title. You need to be a member of a professional engineering order to call yourself an engineer. Even if you have the diploma, it's not enough: you still need to be member of the order.

In the US, Engineer is not a protected title. Anyone and their dog can call themselves engineer. Janitor? Building Sanitation Engineer. Seriously, I've seen that one, it was no joke.

Hotel WiFi Internet is Broken - BADLY

This is common: Seems the IETF conference in Paris had conference-goers fixing the hotel wifi: http://newsletters.networkworld.com/t/6464858/258822064/355639/0/

The last 2 weeks, I visited 6 different countries and hotels in those countries. I intended to use ssh as a VPN back to my home computer and do all the email, browsing over that connection. It worked flawlessly here in the states from friends homes and the local library.

When I arrived in Europe country "a", the hotel wifi was limited to the first floor lobby. Since I didn't bring any devices that could be plugged into a wall, I was stuck sitting in the lobby to surf. Port scans showed that a proxy was being used and only HTTP or HTTPS traffic were allowed. No SMTP, no ssh, and definitely no VPN (openvpn or L2TP-IPsec) were allowed. Broken.

Country "b" wasn't any better except the wifi worked from my room. No non-standard ports worked.

Country "c" had issues with coverage ... but by that time, I'd already been off the net for 5 days and was starting to not care at all. No ssh ports worked.

Country "d" is known for being hi-tech. The internet didn't work at all in that very expensive, high-end hotel. I had a suite there. In the morning, I convinced the counter lacky to reboot the router in the lobby and everything started working - again, no ssh ports worked.

Country "e" was in Eastern Europe and the auto-answer on the phone in my suite had me looking for bugs in the room. It was strange to hear someone else talking through the speaker phone on the telephone when I hadn't made any calls. The phone never rang either. The suite looked nice in a once over, but all the details were cheap. They had marble floors and walls with plastic shower arms and plastic towel racks. None of the drawers or cabinets fit properly. Everything was just a little off. Still the city views out the windows were FANTASTIC. Oh, the internet only supported HTTP/HTTPS - no other traffic worked.

Country 'f' is my home country. Here there are liabilities for downloading copyright content, so I get the desire to filter the connection - even block netflix and bittorrent, but why block ssh and VPN traffic that business travelers require?

On my next trip, I'll do a few things differently:
* I will take my travel wifi-router with my. I'd assumed it wasn't needed this time. I was an idiot. Rooms that didn't have wifi coverage had rj45 ethernet ports.
* I will setup an HTTPS web interface to my desktop system on the normal port, 443.

Seems many network providers are lazy and allow all traffic on port 80/443 and block everything else. Lazy and stupid. I've met a few guys in small companies who block everything except proxied traffic for ports 80 and 443. No other outbound ports are supported regardless of the protocol used. HTTP to port 82 fails. We have lots of geniuses working in IT.

This problem is big enough for a revolt. We all need to be vocal in our hotel reviews and tweets to get this fixed. Soon hotels will be advertising completely open ports on their internet if we are successful.

Re:Hotel WiFi Internet is Broken - BADLY

[Skapare]

You're posting as Anonymous Coward so go ahead and name names.

Goose and Gander

[glorybe]

If it is ok for a business to make changes in other peoples' materials then the reverse is also true so if I want to make huge changesd in Marriot's web pages that should not be illegal at all. good for one is good for all.

Violation of Copyright

hmmm...Seems to me that if I add a clause to my websites Terms of Service that states "Modifying this websites code while being transmitted to the end-user to include but not limited to injection of advertisements is a violation of this website's Terms of Service."
This would allow legal action to be taken against these companies. Also it seems to be a violation of the owner's copyright on their webpage since it is being modified without their knowledge or consent.

Open AP is politeness for me

[ODBOL]

Thanks for the advice, but I studied the issue quite a bit, and read the careful insights from Bruce Schneier (http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html), and I decided that I don't want to treat any portion of the world-connected IP network as my personal domain. I carefully chose an ISP (Speakeasy) who allows, and even caters to, sharing.

I have no interest in convincing you to take my attitude. But you should be aware that it isn't necessarily a matter of naivety.

Re:HTML modification going on since 2007 or earlie

I just leave my Tomato (http://www.polarcloud.com/tomato) box unprotected, and I think that people occasionally park in front of my house to use the network

I see a lawn strewn with soiled condoms and a knock on the door from the FBI in your future.

https

Solved.

This is OLD news ...

[Skapare]

... but since it still going on, it is worth bashing it around a bit. Maybe we can get more people to use HTTPS. Maybe we can even get Slashdot to make their HTTPS port actually work.

Re:This is OLD news ...

[Dwedit]

HTTPS as it exists now is broken. Self-signed certificates are taboo, and there's a one IP address limit per site.

Re:This is OLD news ...

[ledow]

The last part is not true unless you're still expecting your visitors to use IE6 or Firefox 2.

Google "Server Name Indication".

Sometimes it does, but VPN is the real solution

[Burz]

Always connect to your home or work VPN when traveling.

SSL in the form of HTTPS would solve the problem only here and there, depending on which sites are setup for it, and if so, whether or not their secured pages have includes that are plain HTTP.

If you go the VPN route (which will be based on SSL or other crypto) then all your activity is subject to only one ISP's quirks (that of your home or business) wherever you happen to be. In addition, you get essential protection from the scads of random criminals and malware carriers that your system will encounter on the various Wifi networks with which you connect.

Adblock

Wait. Would the ads actually bypass adblock?

Airports do this too

It's an annoying practice, but I've seen it in airports too. Denver International does, or at least did, for example. Nasty. But not new.

Their network, their rules.

The network belongs to the hotel, not the guest, and the hotel can do whatever they want.

1999 nTown Communications Knoxville, TN

[SydShamino]

A company called N Town communications had a box that did this in 1999. They were an internet startup in Knoxville, Tennessee. As a way to "bring the web home", as they called it, their proprietary device intercepted HTTP traffic for all of their customers, reconstructed the web pages, inserted them into a frame with an ad bar along the top, and then broke it down and sent it on.

The bar also had a link to your mail box, a search bar (not something browsers had at that time), and maybe local time / temp / etc. The business plan was for local newspapers to use their advertising department to sell ads for these bars, which would be displayed only for local ISP customers wherever they browsed. Hence, "bringing the web home". For the customers, they received ultra-low-cost dial-up internet service. (I believe they were $5 a month for the test ISP they ran in Knoxville.) The real business model, of course, was to sell these boxes to ISPs around the country that want to partner with the local paper, and to get those papers a way to take a cut of internet ad revenue.

Anyway I think the technology was patented by them in 1999 or so, and so I expect this new tech is either owned by the same folks or about to get their pants sued off by those same folks. I knew a guy who worked on technology there. They were out of business by the end of 2000 but someone has to own that patent.

Facepalm Public Wifi Use

If I am using public WiFi everything goes through an SSH tunnel or a VPN.

PuTTY

[DrYak]

I tried to use putty one, but never found the equivalent for "-D". Just use cygwin's SSH.

With all other tunneling options, under SSH->Tunnel.
Instead of "local" (= "-L") or "remote" (= "-R"), just pick "dynamic". ( = "-D").