Some Hotspot Operators Secretly Intercept, Insert Ads In Web Pages

An anonymous reader writes with this excerpt from the NYT's "Bits" column: "Justin Watt, a Web engineer, was browsing the Web in his room at the Courtyard Marriott in Midtown Manhattan this week when he saw something strange. On his personal blog, a mysterious gap was appearing at the top of the page. After some sleuthing, Mr. Watt, who has a background in developing Web advertising tools, realized that the quirk was not confined to his site. The hotel's Internet service was secretly injecting lines of code into every page he visited, code that could allow it to insert ads into any Web page without the knowledge of the site visitor or the page's creator."

Re:without the knowledge of the site visitor

[GamerGirlie]

Of course this is in no way limited to hotels, even ISP's have been shown to do this. Using Client-Server encryption like SSL should easily bypass that.

And that is easily bypassed by the ISP. For example when I try to login to slashdot and it changes from http to https, my ISP serves me their self-signed cert instead of Slashdot's real one. This way they are capable to intercept secure communications too.

Captive Portals Do That You Know?

[TemplePilot]

Thats right Captive Portal operators routinely inject advertisements either for their own operations or to suplement the donation button's found on the captive portal login at coffee shops, hotels and so on. Its a fairly common way to monetize what to a consumer might just be a temporary waystation to access the internet for free an hour or so. Often once some kind of payment has been tendered those 'ads' can be made to go away by the captive portal operator if they so choose. Sometimes CPO's even drop people into a walled garden featuring local businesses so you can freely web-shop the neighborhood once your free 2 hours is up. So you either pay or wait 24 hours when the captive portal resets. Usually a captive portal is a combination of server-router-software solutions and they don't exactly come cheaply irregardless what you might've been led to believe. Its an interesting side business if you have the time and witherwhal.

Re:Captive Portals Do That You Know?

[mikkelm]

So you're asking him to learn how language works because he objects to people who make up contradictory words as a consequence of apparently not understanding how the language that they're using works. I don't generally have a problem with new words to explain new concepts, or even new words to explain existing concepts, but making up a new word consisting of an existing word with the same definition, preceded by a prefix that typically serves to negate the following word, that's just.. well.. dense.

Wouldn't it be easier if people just used the right words?

Copyright infringement?

[Filter]

Wouldn't this be copyright infringement? The web page as you intended is your creative work, they are altering and distributing your work. I don't think you are allowed to do that.

   

Re:I'm sure he agreed to this in the TOS.

[Chrisq]

Whether it's free Wi-Fi or paid Wi-Fi, read those Terms of Service. I'm sure this activity was disclosed in theire either explicitly or with ambiguous language. As the saying goes: Don't like it? Don't use it.

Where would you draw the line?

Adding adverts for their hotel?
Switching adverts for other hotels to theirs?
Removing negative reviews of their hotel, or changing the rating?
Removing news items supporting a political party the owners don't favour?
Adding fictitious negative news stories about a political party the owners don't favour?

In my view as soon as you start delivering content that has been changed from that the original author intended (except under complete control of the user such as adblock) then you are on dodgy ground.

Re:Yay a New Arms Race!

[History's+Coming+To]

There's a simpler solution - if I write a web page and somebody copies all of my text and graphics as part of an advert (without my permission) then it's a fairly clear copyright infringement. So if you find a hotspot doing this just navigate to one of your own web pages and then sue the operator for copying your work and serving it up as an advert.

Re:HTTP Policies

[icebike]

Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included. (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...

They might be able to pull this off, but the revenue they could earn off of such a scheme would never pay the lawyer bills. One could argue this would be a DMCA violation. (In fact, they seem to be on shaky legal ground altering un-encryption streams. It is after all, a form of scraping and perhaps copyright violation.)

The drop everything to HTTP would certainly be noticed.

Re:HTTP Policies

[bbecker23]

Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included. (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...

I've seen some novel approaches to working around SSL but most will tip off the end-user. I run a throttled honeypot on my home network with some ad-injection. I get a couple dollars a month from it, the neighbors get free internet, and it seriously cut-down on the number of auth-attempts against the secured side of my router. Most of the injectors just catch and sniff packets for webpages (trying to inject into, say, SSH would bork everything) and inserts an ad frame. I'll have to test how my setup handles a secured session but I've seen instances of SSL sessions being wrapped in a framed unsecured page (mostly at hotels and airports). Newer browsers (Firefox and Chrome anyway, no Windows box to test on) will pitch a fit about this but if you're connecting to an unsecured network, I doubt security is much of a priority.

HTML modification going on since 2007 or earlier

[ODBOL]

In November 2007, I bought a wireless box from Meraki (http://www.meraki.com/). I intended to use it to provide a free wireless hotspot for my neighborhood, and to be ready to peer with any neighbor who chose to work on the grassroots network. These were primarily symbolic acts, since neither service is likely to get much use in my neighborhood.

In most respects, the Meraki box appeared to do a good job of exactly what I wanted. But I noticed a little blank stripe at the top of Web pages. I found that Meraki hacked HTTP packets to add that stripe. As owner, I was able to set the contents of the stripe (e.g., to advertise myself as the provider of the free hotspot, or to ask for payment if it's not free). But, I was not able to eliminate the stripe. I called support, and they confirmed that the stripe is not optional, but its contents are owner controlled. I sent the box back for a refund. I understand why Meraki provided the feature (I don't like it, but I understand). I don't understand why they made it impossible to turn it off. They were very good about delivery, support, and refund in all other respects.

I think that Open Mesh (http://www.open-mesh.com/) provides something like the Meraki box, but cheaper and transparent to all Internet traffice. I have not tried their products yet.

For the time being, I just leave my Tomato (http://www.polarcloud.com/tomato) box unprotected, and I think that people occasionally park in front of my house to use the network. But there's no chance of peering to help avoid the last-mile bottleneck.

Re:Yep. So use HTTPS-Everywhere.

[hairyfeet]

Weird question: Do you surf porn? Does that HTTPS trick stop the Firefox porn bug? Because one of the reasons I switched my users away from FF was the FF porn bug. Don't ask me to give an in depth explanation as I'm not an HTML guy but from what i could pick up here is how it basically works: Dude looks at porn, porn page has script that opens a hidden iFrame and uses FF autocomplete to log into their Yahoo mail and then spam the address book. From my tests with a couple of fake yahoo accounts it ONLY seems to work on FF and on the new yahoo layout, no other combo like Chrome and Gmail, IE and Hotmail seems to work. If you want to see how many sites have that bug now put a master password on your password list and see how many times the master password dialog pops up, on several porn sites its pretty much pop up city. Since so many of the guys kept sending me "How come I'm spamming and i don't have a bug?" I switched them to Comodo Dragon as it works with low rights mode and doesn't have the bug.

As for TFA what does anyone expect? TINSTAAFL and with the economy in the shitter hotels are frankly doing lousy business and i'm sure those ads make their "free Wifi" truly free for the hotel, so surprise surprise they add the ads. would you rather have this, or have to pay for the Wifi, or have it like AT&T where every so many minutes you are stopped cold and forced to watch a commercial? Personally I'd choose door #1, but of course I've got ABP in Dragon so it don't affect me either way.

Re:Yay a New Arms Race!

[93+Escort+Wagon]

There's a simpler solution - if I write a web page and somebody copies all of my text and graphics as part of an advert (without my permission) then it's a fairly clear copyright infringement. So if you find a hotspot doing this just navigate to one of your own web pages and then sue the operator for copying your work and serving it up as an advert.

Or, better yet, send an email to each significant site you've visited while at Marriott and tell them what's going on. It's likely they've got deeper pockets than you do. Most probably won't bother to go after the hotel; but it only takes one.

Re:HTTP Policies

[edb]

Without exception, in traveling to >30 hotels each year for the past [wayyy too many years], the higher the per-night rate for the hotel, the more the nickel-and-dime charges for what should be included as part of the accomodations.

< $100/night usually includes:
    - FREE wifi, unspecified throughput, non-public IP
    - FREE incoming phone calls
    - FREE incoming faxes
    - FREE outgoing phone calls up to 30 min
    - FREE computer near lobby for guest use
    - FREE document printing for reasonable # pages
    - FREE microwave oven in the room
    - FREE mini-fridge in the room
    - FREE pillows & linens on the bed
    - FREE pull-out drying line for laundry in the bathroom
    - coin-op laundry for hotel guests

> $100/night often imposes charges for:
    - WIFI: $12.95+tax per day
    - public IP: additional $10+tax per day
    - incoming faxes: $.50/page
    - outgoing phone calls: AT&T Operator rates + 200% surcharge
    - document printing: $.50/page
    - fridge in room: $25 per night, special request
    - microwave in room: $25 per night, special request
    - linens: changed every 3 days at no charge, no discount for multi-day stay
    - laundry: 24-48 hr turnaround; $5.00 per shirt, $10.00 per pants, don't even ask about other items!