Slashdot Mirror


Some Hotspot Operators Secretly Intercept, Insert Ads In Web Pages

An anonymous reader writes with this excerpt from the NYT's "Bits" column: "Justin Watt, a Web engineer, was browsing the Web in his room at the Courtyard Marriott in Midtown Manhattan this week when he saw something strange. On his personal blog, a mysterious gap was appearing at the top of the page. After some sleuthing, Mr. Watt, who has a background in developing Web advertising tools, realized that the quirk was not confined to his site. The hotel's Internet service was secretly injecting lines of code into every page he visited, code that could allow it to insert ads into any Web page without the knowledge of the site visitor or the page's creator."

6 of 273 comments (clear)

  1. Re:without the knowledge of the site visitor by GamerGirlie · · Score: 5, Interesting

    Of course this is in no way limited to hotels, even ISP's have been shown to do this. Using Client-Server encryption like SSL should easily bypass that.

    And that is easily bypassed by the ISP. For example when I try to login to slashdot and it changes from http to https, my ISP serves me their self-signed cert instead of Slashdot's real one. This way they are capable to intercept secure communications too.

  2. Captive Portals Do That You Know? by TemplePilot · · Score: 4, Interesting

    Thats right Captive Portal operators routinely inject advertisements either for their own operations or to suplement the donation button's found on the captive portal login at coffee shops, hotels and so on. Its a fairly common way to monetize what to a consumer might just be a temporary waystation to access the internet for free an hour or so. Often once some kind of payment has been tendered those 'ads' can be made to go away by the captive portal operator if they so choose. Sometimes CPO's even drop people into a walled garden featuring local businesses so you can freely web-shop the neighborhood once your free 2 hours is up. So you either pay or wait 24 hours when the captive portal resets. Usually a captive portal is a combination of server-router-software solutions and they don't exactly come cheaply irregardless what you might've been led to believe. Its an interesting side business if you have the time and witherwhal.

    --
    This strange comment at the bottom of the message is illogical.
  3. Re:Yay a New Arms Race! by History's+Coming+To · · Score: 5, Interesting

    There's a simpler solution - if I write a web page and somebody copies all of my text and graphics as part of an advert (without my permission) then it's a fairly clear copyright infringement. So if you find a hotspot doing this just navigate to one of your own web pages and then sue the operator for copying your work and serving it up as an advert.

    --
    Please consider this account deleted, I just can't be bothered with the spam anymore.
  4. Re:HTTP Policies by bbecker23 · · Score: 5, Interesting

    Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included. (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...

    I've seen some novel approaches to working around SSL but most will tip off the end-user. I run a throttled honeypot on my home network with some ad-injection. I get a couple dollars a month from it, the neighbors get free internet, and it seriously cut-down on the number of auth-attempts against the secured side of my router. Most of the injectors just catch and sniff packets for webpages (trying to inject into, say, SSH would bork everything) and inserts an ad frame. I'll have to test how my setup handles a secured session but I've seen instances of SSL sessions being wrapped in a framed unsecured page (mostly at hotels and airports). Newer browsers (Firefox and Chrome anyway, no Windows box to test on) will pitch a fit about this but if you're connecting to an unsecured network, I doubt security is much of a priority.

    --
    cat /dev/random > sig.txt
  5. Re:Yay a New Arms Race! by 93+Escort+Wagon · · Score: 5, Interesting

    There's a simpler solution - if I write a web page and somebody copies all of my text and graphics as part of an advert (without my permission) then it's a fairly clear copyright infringement. So if you find a hotspot doing this just navigate to one of your own web pages and then sue the operator for copying your work and serving it up as an advert.

    Or, better yet, send an email to each significant site you've visited while at Marriott and tell them what's going on. It's likely they've got deeper pockets than you do. Most probably won't bother to go after the hotel; but it only takes one.

    --
    #DeleteChrome
  6. Re:HTTP Policies by edb · · Score: 5, Interesting

    Without exception, in traveling to >30 hotels each year for the past [wayyy too many years], the higher the per-night rate for the hotel, the more the nickel-and-dime charges for what should be included as part of the accomodations.

    < $100/night usually includes:
        - FREE wifi, unspecified throughput, non-public IP
        - FREE incoming phone calls
        - FREE incoming faxes
        - FREE outgoing phone calls up to 30 min
        - FREE computer near lobby for guest use
        - FREE document printing for reasonable # pages
        - FREE microwave oven in the room
        - FREE mini-fridge in the room
        - FREE pillows & linens on the bed
        - FREE pull-out drying line for laundry in the bathroom
        - coin-op laundry for hotel guests

    > $100/night often imposes charges for:
        - WIFI: $12.95+tax per day
        - public IP: additional $10+tax per day
        - incoming faxes: $.50/page
        - outgoing phone calls: AT&T Operator rates + 200% surcharge
        - document printing: $.50/page
        - fridge in room: $25 per night, special request
        - microwave in room: $25 per night, special request
        - linens: changed every 3 days at no charge, no discount for multi-day stay
        - laundry: 24-48 hr turnaround; $5.00 per shirt, $10.00 per pants, don't even ask about other items!

    --
    In theory, practice and theory are the same. In practice, they rarely are.