Slashdot Mirror

← Back to Stories (view on slashdot.org)

AT&T Hotspots Now Injecting Ads

Posted by Soulskill on from the more-ads,-in-more-places dept.

An anonymous reader writes: Computer scientist Jonathan Mayer did some investigating after seeing some unexpected ads while he browsed the web at an airport (Stanford hawking jewelry? The FCC selling shoes?). He found that AT&T's public Wi-Fi hotspot was messing with HTTP traffic, injecting advertisements using a service called RaGaPa. As an HTML pages loads over HTTP, the hotspot adds an advertising stylesheet, injects a simple advertisement image (as a backup), and then injects two scripts that control the loading and display of advertising content. Mayer writes, "AT&T has an (understandable) incentive to seek consumer-side income from its free Wi-Fi service, but this model of advertising injection is particularly unsavory. Among other drawbacks: It exposes much of the user's browsing activity to an undisclosed and untrusted business. It clutters the user's web browsing experience. It tarnishes carefully crafted online brands and content, especially because the ads are not clearly marked as part of the hotspot service.3 And it introduces security and breakage risks, since website developers generally don't plan for extra scripts and layout elements."

40 of 187 comments (clear)

  1. Good News by binarylarry · · Score: 3, Interesting

    Soon someone will have a script or browser extension for this.

    --
    Mod me down, my New Earth Global Warmingist friends!
    1. Re: Good News by Anonymous Coward · · Score: 4, Insightful

      The ONLY thing unsavory advertising, in any form, does is the exact opposite of the initial intent; i.e., "never buying that". Advertisers, regardless of the delivery, apparently are not smart enough to realize if you annoy people, you have LOST the sale.
      Plus, the whores are then really easy to spot. No resposible consumer likes a whore.

    2. Re: Good News by MightyMartian · · Score: 5, Funny

      Yup, an SSH proxy or other VPN is your bestest friend. I don't access public WiFi without it. That being said, I expect if more people do that, eventually the sociopaths that run the major ISPs will begin using deep packet inspection to shut down anyone using VPNs. Remember, the MBAs that run the world are evil monsters who would, if they weren't trying to find ways to extort money from us, would probably be finding ways of eating human flesh and killing elderly people for fun.

      The real lesson here is that we should be banning all sociopaths and anyone with any significant narcissistic personality disorders from holding any position where they have any authority over anyone else. I would have a law that would ban such individuals from even being shift manager at a McDonald's. They wouldn't be allowed to become lawyers, doctors, accountants or engineers. All professions of any significant importance would be forbidden them.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re: Good News by Ol+Olsoc · · Score: 4, Insightful

      The ONLY thing unsavory advertising, in any form, does is the exact opposite of the initial intent; i.e., "never buying that". Advertisers, regardless of the delivery, apparently are not smart enough to realize if you annoy people, you have LOST the sale. Plus, the whores are then really easy to spot. No resposible consumer likes a whore.

      Mod this guy up! Anything that manages to get through my defenses is put on the "Never ever" list.

      The sooner advertisers understand that, and the sooner they understand that if they put simple unobtrusive ads on web pages, the sooner we'll stop this war on web users.

      When your ads are having the opposite effect than you intended, maybe its time to change.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    4. Re: Good News by Chris+Johnson · · Score: 4, Insightful

      Have you tested this conclusion?

      If it turns out that advertisers can test this—for instance, on Facebook, let's say—and discovered that it's not true: that there's a measurable advantage to obnoxiousness in that you're outnumbered by the people who shrug off the obnoxiousness yet retain the payload then you're mistaken.

      I think they've already tested this, and we're seeing the outcome. Results are in: short of legislating better behavior, being abusive gets you enough local gains that it becomes a required strategy, impossible to compete against without adopting the same strategy.

      It would be nice if the 'I boycott youuuu!' reaction made any sort of difference, but clearly it does not.

  2. Free WiFi is a trap, news at 11! by sinij · · Score: 5, Funny

    Free WiFi is a trap, news at 11!

    1. Re:Free WiFi is a trap, news at 11! by Darinbob · · Score: 2

      But I pay for AT&T service and as part of that service they claim access to free wi-fi hotspots of theirs. I think this means that I PAY for these hotspots. So having advertisements in a paid service is obscene (well, more obscene than general purpose advertising). They don't need this side income from their paying customers.

  3. Copyright? by msauve · · Score: 4, Insightful

    Why is modifying a web site in this way not copyright infringement? Is not AT&T creating an unauthorized derivative work?

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Copyright? by wbr1 · · Score: 5, Insightful
      They are tampering with a data stream between client and server. That it is not encrypted is moot. This is a violation of the computer fraud and abuse act as well as FCC regulations. If they are a common carrier, they have no business at all tampering with the content.

      Will they be charged? Probably not, and if so it will be a minuscule financial fine.

      --
      Silence is a state of mime.
    2. Re:Copyright? by Anonymous Coward · · Score: 4, Insightful

      It definitely won't be the criminal penalties you or me would face if we did the same thing for monetary gain. There are two standards. One for corporations, and another standard for individuals. It's been that way for far too long.

    3. Re:Copyright? by wbr1 · · Score: 5, Interesting
      To clarify. From the fraud and abuse act

      In practice, any ordinary computer has come under the jurisdiction of the law, including cellphones, due to the inter-state nature of most internet communication.

      ....

      (5) (A) knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;

      Sending my PC an ad, at the bear minimum causes damage due to increased wear on storage devices. At its worst it installs malware or defrauds such as to install malware.

      Perhaps more relevant is mail and wire fraud:

      18 U.S.C. 1343 provides:

      Whoever, having devised or intending to devise any scheme or artifice to defraud, or for obtaining money or property by means of false or fraudulent pretenses, representations, or promises, transmits or causes to be transmitted by means of wire, radio, or television communication in interstate or foreign commerce, any writings, signs, signals, pictures, or sounds for the purpose of executing such scheme or artifice, shall be fined under this title or imprisoned not more than 20 years, or both. If the violation affects a financial institution, such person shall be fined not more than $1,000,000 or imprisoned not more than 30 years, or both.

      --
      Silence is a state of mime.
    4. Re:Copyright? by adolf · · Score: 3, Interesting

      Is using a browser on a dumb phone with a WAP gateway creating a derivative work?

      Is using the Readability bookmarklet creating a derivative work?

      Both of these things have been happening for number of years (over a decade, in the first example). They simply reformat web pages.

      Now that you've thought about these questions for a moment, consider: If they reformatted a web page and added advertising, does that addition of advertising affect the things status as a (non-)derivative work? (Aside from making you livid, of course. I'm not happy about ads, either.)

      --
      Kid-proof tablet..
    5. Re:Copyright? by tompaulco · · Score: 2

      Along those lines, is using adblock+ copyright infringement? Is something that was served up dynamically copyrightable?

      --
      If you are not allowed to question your government then the government has answered your question.
    6. Re:Copyright? by cfalcon · · Score: 3

      At the point where you have to spend a bunch of money in order to be treated with the proper legal regard, you have "privilege" - literally "private law". You are espousing a tiered set of laws based on how much money you pay, correct? Do you see a lot of good coming from this? Do you normally favor government owned monopolies, or are you just making a special exemption here?

  4. Let's call it what it is... MITM attack by Anonymous Coward · · Score: 2, Insightful

    AT&T is initiating a man-in-the-middle attack. Can you really trust those ads? I mean they're injecting scripts. Who knows what those do, right?

    1. Re:Let's call it what it is... MITM attack by Anonymous Coward · · Score: 2, Insightful

      Well, it's AT&T, than whom no corporation, unless perhaps Microsoft, has ever been friendlier to the National Security Agency. So, I'd guess that you have a pretty good idea of what AT&T's ads and scripts and zero-days could do, but admitting it to yourself is probably too traumatic.

  5. Can You Say Lawsuit? by mschwanke97402 · · Score: 4, Interesting

    So, basically AT&T is placing their advertising on someone's web site without paying for the privilege? Were I the content owner, I'd be speaking to my lawyers first thing. The sad thing is that major companies don't even seem to worry breaching the public's trus or their reputations anymore. How long until Comcast decides to force extra advertising into my cable internet browsing. Oh! That's right, I cancelled them after the NetFlix throttling episode. So now, I guess I have to cancel DirecTV (AT&T) too.

    1. Re:Can You Say Lawsuit? by Dutch+Gun · · Score: 3, Insightful

      I wouldn't be surprised if a lawsuit occurs the first time malware is injected onto a user's machine though one of these advertisements. If this keeps happening, it's really only a matter of time.

      I think Comcast tried this same thing earlier, and temporarily backed off when people noticed them doing this and complained about it. Advertisements are bad enough, but you can sort of understand the desire of a website operator to want to pay for bandwidth. It's downright slimy when ads are simply injected in content someone doesn't own at all.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    2. Re:Can You Say Lawsuit? by sphealey · · Score: 2

      AT&T Wi-Fi isn't free. It is an included benefit of various AT&T services including cellular and home data service. The end user is paying for it - just not on a specific basis as with Bongo.

      sPh

    3. Re:Can You Say Lawsuit? by Anonymous Coward · · Score: 2, Informative

      Money... 100's of extra $.

    4. Re:Can You Say Lawsuit? by psyclone · · Score: 3, Informative

      The web traffic incident was VeriSign, manager of the .com & .net TLDs.

  6. https by Anonymous Coward · · Score: 5, Insightful

    Time for https on all websites.

    1. Re:https by psyclone · · Score: 4, Insightful

      Yup. Encryption isn't just for people who have something to hide, it's for integrity of all communications, even if it's cat gifs.

  7. Well at least they didn't sell us out to the NSA. by r-diddly · · Score: 2

    ...oh wait...

  8. Piracy? by hawguy · · Score: 4, Funny

    So when I browse Pirate Torrent sites at an AT&T hotspot, then AT&T can get sued for profiting from piracy?

  9. Umm by MobileTatsu-NJG · · Score: 3, Insightful

    Didn't they claim to just be a carrier in order to not being held liable for what the users do with that connection? By delivering content they've created aren't they having their cake and eating it, too?

    --

    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  10. Trap? Usually its a tarpit of unusable service by swb · · Score: 3, Informative

    The free ATT hotspots I've found to be basically unusable tarpits of service that would make me grateful for the whine and hiss of a 9600 baud modem.

    I've mostly encountered them at McDonalds where they were almost always unusable. I kind of wonder how they get their Internet service for these, whether they just steal from whatever the specific franchise might have or whether it's something more retarded, like an ancient 3G hotspot above the ceiling.

  11. Surprised? Don't be ... by gstoddart · · Score: 3, Insightful

    Anybody who is surprised by shit like this is an idiot.

    Everybody setting up "free" hotspots wants to monetize with anayltics and ads.

    Google wanting to sell you a router they can control is also going to lead to monetizing and ads.

    The problem is unless we have really good quality tools to block this shit, we're never going to stop it. And this is why we can't trust ad infrastructure at all and need to block it .. because it's being done by people who want money, and don't give a crap about your security of your privacy.

    Until this shit is deemed illegal (ie the computer fraud and abuse act), it will continue. Because the assholes at AT&T feel it is their right to do anything they want with your internet traffic.

    Never trust that "free" doesn't come with strings like this. And never trust than any corporation won't revert to being sociopaths and decide they can do anything they want to.

    --
    Lost at C:>. Found at C.
  12. amusing effects in mint update manager by SkunkPussy · · Score: 2

    mint update manager seems to query for descriptions of package updates via http. So wifi that interferes with http somtimes causes mint to give nonsonse descriptions for updates.

    breaking end-to-end connections is really really really bad.

    --
    SURELY NOT!!!!!
    1. Re:amusing effects in mint update manager by psyclone · · Score: 2

      Why aren't all those requests going over HTTPS?

  13. Re:Free wifi by Anonymous Coward · · Score: 2, Insightful

    Adherence to the law.
    Even for free products.

  14. Re:Free wifi by andymadigan · · Score: 3, Interesting

    Fine, but require AT&T to disclose (in large font) that it's not an internet connection, since the content is being modified en route.

    Something like:

    WARNING: Web pages you view may be recorded or altered by AT&T or its affiliates. Web pages and other content retrieved may not reflect the content available over a standard internet connection. Information you enter or retrieve may be transferred or sold to third parties. AT&T is not responsible for malware injected into your content by its affiliates, or damage done to you or your computer by said malware.

    (Actually, I think that last sentence should be in large font at the top of every web page that uses ads inject by third parties)

    --
    The right to protest the State is more sacred than the State.
  15. Re:Noscript by psyclone · · Score: 4, Insightful

    But they could inject local CSS and local scripts into the page, so if you trust the current hostname by default (which many do for basic functionality) then NoScript won't help you here.

  16. Re:Free wifi by Darinbob · · Score: 2

    They're not free. As in AT&T hotspots are not accessible to everyone who wanders by, but are only for paying AT&T customers. You log in using your existing account. So yes, as a customer I expect decent service for a product I pay for, not additional monetization. If it's unacceptable to sell my customer lists to advertisers then it's also unacceptable to inject side advertisements into a paid product.

    And despite being a paid customer, I suspect some one being paid by advertisers is going to pop on here and accuse us of being cheap ass freeloaders by using adblock. Yet this is yet another perfect argument about why ad block is a necessary tool to fight against the tactics being used by immoral advertisers.

  17. Re:Surprised? Don't be ... by Darinbob · · Score: 2

    Except that it's not free. This service is for paying customers. Which makes this behavior even worse, actually.

  18. Re:Trap? Usually its a tarpit of unusable service by adolf · · Score: 2

    AT&T's hotspots used to be faster back when they were non-free.

    I used them a few times back then, generally at McDonald's, as an AT&T customer ("free" for me).

    They seemed backed by a T1, based on speeds and traceroute guessery in an empty store. And that was generally better than the alternatives at that time (3G or nothing), so was certainly welcome. But that was a different time...

    These days a T1 with multiple freeloading users is painfully slow. Overall experience can be helped considerably with some very careful QoS at the endpoint to prioritize small data streams over more lengthy streams but this is something they apparently aren't doing.

    The last time I was at a McDonald's and wanted a cup of free WiFi I had far better results turning my cell phone into a 4G hotspot and paying by the gigabyte.

    Same with the local public library: They have free Wifi, and welcome you to use it, but it's so slow that it's useless.

    --
    Kid-proof tablet..
  19. China Telecom by Balthisar · · Score: 2

    My home ISP -- China Telecom -- does this to me, for the service that I pay for. And no, I can't use a VPN 100% of the time because China is getting pretty good at killing VPN connections. It doesn't even matter if I use a non-ISP DNS server, because it's standard in China to poison DNS results (I've not tried experimenting with DNSSEC yet).

    In my case I'll try to load Bing (which isn't blocked by Golden Shield), and the only content will be a meta reload instruction. The rest of the "real" page will have been served via an injected javascript with a shitty Chinese ad at the bottom. Reloading will fetch the real page, as the ads aren't injected 100% of the time, but only seemingly randomly.

    --
    --Jim (me)
  20. Once again.... by JustAnotherOldGuy · · Score: 2

    Once again, I'm shocked, SHOCKED I tell you!!

    --
    Just cruising through this digital world at 33 1/3 rpm...
  21. Re:Trap? Usually its a tarpit of unusable service by Dunbal · · Score: 2

    I once got a 300 baud modem to handshake with me by whistling the carrier tone.

    --
    Seven puppies were harmed during the making of this post.
  22. Https-everywhere by slazzy · · Score: 2

    https://www.eff.org/Https-ever...

    --
    Website Just Down For Me? Find out