Hotel Connectivity Provider SuperClick Tracks You

saccade.com writes "During my last hotel stay, I thought it was a pretty strange that it took two browser re-directs before the hotel's Wi-Fi would show me the web page I browsed to. Picasa developer Michael Herf noticed the same the thing and dug a little deeper. He discovered: '...their page does some tracking of each new page you visit in your browser, outside what a normal proxy (which would have access to all your cookies and other information it shouldn't have, anyway) would do. This "adlog" hit appears to also track a "hotel ID" and some other data that identifies you more directly. Notably, I've observed these guys tracking HTTPS URLs, and of course you can't track those through a proxy.' Herf notes the Internet service provider, SuperClick, advertises that it 'allows hoteliers and conference center managers to leverage the investment they have made in their IP infrastructure to create advertising revenue, deliver targeted marketing and brand messages to guests and users on their network...'" Herf was on his honeymoon when he did this sleuthing. Now that's dedication.

I did a little "sleuthing" on my honeymoon

[Gothmolly (148874)]

But it involved chocolate sauce, melted wax, and soft restraints. What is this 'Herf' person thinking, signing onto his laptop while on honeymoon? Go get laid you nerd!

Re:

[Joebert (946227)]

Cut the guy some slack, he was probably getting ready to print out some diagrams.
You know how the net is, distractions everywhere !

Not so fast..

[Kadin2048 (468275)]

What is this 'Herf' person thinking, signing onto his laptop while on honeymoon?

Well, maybe he was logging onto Picasa to do some uploading...?

Double Dipping

[udderly (890305)]

Well, I was going to make a snide remark about how they spent their honeymoon, but I really like Picasa, so I refrained.

However, I remember this happening the last time I stayed in a hotel (a Hilton Garden). At least I kept getting redirected. I am more than a little miffed that hotels are charging me *and* spying on me.

Next time I will use the VPN.

A true nerd

[MyNameIsEarl (917015)]

A true nerd would consummate his marriage while surfing on the internet and maybe writing some code while he was at it.

Re:A true nerd

[Intron (870560)]

Honey. I thought you said you were getting me pearls and rubies?

Re:A true nerd

[Your Pal Dave (33229)]

You call that a python?

Re:A true nerd

[Gzip Christ (683175)]

A true nerd would consummate his marriage while surfing on the internet and maybe writing some code while he was at it.

I tried to do that, but there's not much else you can do when you're in the middle of a really long fsck.

Putty w/ dynamic proxy support and an SSH server.

[tgd (2822)]

If you've got the resources to run an SSH server at home, use Putty with a dynamic proxy and point your browser and IM clients to it via SOCKS5.

I wouldn't trust any network like that... even if the service itself isn't watching what you're doing, do you trust the other people on that network aren't?

Its easy to surf or do other network apps safely on questionable networks. At least among the Slashdot crowd its easy... but I've educated even my parents on doing that when using public or hotel internet and gave them an SSH account to use at my house.

OpenVPN

[Shawn is an Asshole (845769)]

Or just use OpenVPN. I use this on my laptop. Set it as the default route, use the internal DNS and your good to go. I also use an internal proxy server. So when I'm at a coffee shop or hotel doing some work, the only thing they get to see is encrypted traffic to port 1194 (udp).

Over that connection I can do anything. Instant messaging, email, SSH, http, ftp, BitTorrent, etc.

Re:

[ArbitraryConstant (763964)]

Unfortunately, an SSH connection is much more likely to be allowed out than VPN traffic.

OpenVPN uses SSL

[SIGBUS (8236)]

Note that OpenVPN can be set up to use a TCP connection instead of a UDP connection, and it uses SSL. No need for weird things like GRE that might not make it through.

You could always put OpenVPN on a port other than 1194 if you think you might run into port blocking, too.

Re:

[josecanuc (91)]

On a related note: Does anyone know of any off-the-shelf router/NAT device that supports OpenVPN tunnels?

My company does 4-5 day jobs at convention centers, etc. and we currently use IPSEC with an off-the-shelf "VPN Router" product to tunnel back to our office network for access to fileshares and database data. Often, it is difficult and/or expensive to get hotel and convention center folks to give us a public IP address and they won't do port forwarding, etc.

I would love to have a box I can set up that wil

Re:Putty w/ dynamic proxy support and an SSH serve

[by Anonymous Coward]

Dynamic Proxy with OpenSSH:

ssh -C -D NNNN @

where NNNN is a port on the local machine. Just setup your network applications to using localhost:NNNN as a socks5 Proxy.
If you are paranoid, make sure DNS lookups are done via the proxy too.

To do that in Firefox. go to about:config in the location bar and make sure that this is set

network.proxy.socks_remote_dns = true

The wise man assumes

[Silver Sloth (770927)]

that nowadays all his actions are watched and recorded. I live in the UK, which, I believe, has the highest ratio of CCTV cameras per head of population in the world. To me it's no surprise that when I log in at the Marriot I'm watched. Fortunately the first thing I do is establish a VPN tunnel to my company's network where I'm being watched by the CIO.

Further than that, welcome to the modern world, cue the cliches (1984, quis custodiet, ...)

Re:The wise man assumes

[Billosaur (927319)]

Face it, your ISP is even watching you, noting your bandwidth usage, logging where you go, reading your email to make sure it's not spam, etc. The fact is, any transaction that occurs on the Internet is being logged on a server somewhere, and someone has access to that information. If you're lucky, it's just a sysadmin making sure you don't go over some quota, but you have no way of truly knowing. A true paranoic wouldn't use the Internet at all.

Re:

[somersault (912633)]

A true paranoic wouldn't use the Internet at all.

Why not, if they're not doing anything illegal, or immoral?

Re:The wise man assumes

[BVis (267028)]

Because some of us still care about our privacy; we also think "If you're not doing anything wrong, what do you have to worry about" is just about the most offensive thing we could think of.

I just don't think it's anyone's business what books I'm buying, or what threads I'm posting to, or if I look up some rash on WebMD, or talk to my wife on IRC, etc etc. I'm not about to give up my privacy for some corporate bullet point about "leveraging marketing assets." They want that info, they can bloody well ask me.

Re:

[somersault (912633)]

I just don't get why its so offensive, and what I perceive to be the whole american "I'd rather die than lose my 'freedom'" type attitude. Especially considering the way the american government is acting with things like the Patriot Act, etc, americans seem to be less free than the rest of the western world.

You're obviously right though that corporations don't deserve to see into your private life and conversations just so that they can target marketing towards you (though I'd prefer to have marketing I

Re:

[drinkypoo (153816)]

Again, obviously the government has the ability to go too far, for example with things like the Patriot Act, but personally I would prefer them to have some power, as long as they use it responsibly and for its intended purposes, rather than abusing public trust.

So, what color is the sky on your planet?

This is the very reason why government should have only the power which it actually requires. It doesn't really matter whether power corrupts, or simply attracts the corrupt, or even the corruptible; t

Re:

[karmatic (776420)]

You ask - "if you're not doing anything wrong, what do you have to hide?". I ask, "if I'm not doing anything wrong, why do you feel the need to spy on me?".

Avoiding the obvious issues with international law, having your activities spied upon tends to change what you do. In some cases, this is a good thing (less crime) - in some cases, it's not.

Consider someone who is aware of wrongdoing by their company/politician/etc. With the (relative) anonymity of the internet, that person can go online and expose th

Re:

[CantStopDancing (1036410)]

I just don't think it's anyone's business

The problem is that it is exactly that - business! While you have money to spend someone will *always* be looking at what you're doing, and trying to convince you to give them some of that luvverly moneys.

Re:

[rednuhter (516649)]

so, you are saying that, if you legaly buy an copy of "King Kong" from amazon it does not matter that the mafia were monitoring all the SSL data and decoding it through a bot net ?
"King Kong", "amazon" and "Mafia" are freely replacable terms.

I've always worried about this...

[dslknowitall (562532)]

...which is why I only get online using my corporate VPN, and never visited any sites that required a login (banking, blog, yadda yadda).

Of course that's assuming the VPN is secure enough...i'm sure there's a way around everything. Hell, just connecting to the WiFi and checking your email can give anyone your password if they have half a brain.

You mean you didn't suspect this automatically?

[davmoo (63521)]

You mean to tell me that Slashdotters, some of the most paranoid people on the planet, didn't just automatically assume hotels did crap like this on their networks to make extra money? Are people here that damned naive? The story that would be news would be a hotel that does *not* do this.

Any time I use a network that isn't my own, be it a hotel, restaurant, or even the public library, I just automatically assume that someone who wants to remain unknown is taking an active interest in what I'm doing. Otherwise, why would any of these places provide free networking in the first place. They aren't doing it out of the goodness of their heart and so they can sleep warm and cuddly at night. They're doing it because they've found other ways to make a buck off of it.

Re:You mean you didn't suspect this automatically?

[node 3 (115640)]

The story that would be news would be a hotel that does *not* do this.

No. This is news because it's excessive and uncommon.

Otherwise, why would any of these places provide free networking in the first place. They aren't doing it out of the goodness of their heart and so they can sleep warm and cuddly at night. They're doing it because they've found other ways to make a buck off of it.

Not everyone is so obsessed with money as you seem to think. Some people, even astute businesspeople, make decisions based on things like, "doing what's right", "giving back to the community", and "providing quality and value". I highly doubt that your average coffee-shop free WiFi is snooping on you.

Such extreme cynicism (as you seem to be promoting) is detrimental to society, and makes for a poor foundation to live by.

Not-quite-honey Moon

[FrozenFOXX (1048276)]

It's not dedication, just means he's not particularly enthusiastic about his honeymoon.

I call bullshit

[PeeAitchPee (712652)]

Herf was on his honeymoon when he did this sleuthing. Now that's dedication.

Come one. This is slashdot. More like "Herf was taking a break from a month-long WoW session in his parents' basement when he did the sleuthing."

Like we'd buy that someone here even *knew* a girl, much less got married or went on a honeymoon!

Re:

[redelm (54142)]

I have no doubt you are speaking from your personal experience. So be it.

I will speak from mine: I have no doubt. Nerds are actually very attractive to certain women. They like the reliability and equality. Many have been seriously burned being arm candy for jocks & preps.

As for coding on Honeymoon, why not? Are you assuming an absence of pre-marital sex? There is also such a thing as too much togetherness, and some breathing space even on a week-long honeymoon is a good idea for both.

Not as stupid as others seem to think

[pdawson (89236)]

FTFA:

It turns out that Lorna and I both noticed and both got upset about it, so I'm spending a (small) amount of time figuring out how this thing works and what it's after. After all, I'm still on my honeymoon.

He's on his honeymoon, but looks like he was lucky enough to marry another geek, so its all good

Re:

[DoctorPepper (92269)]

Some of us are lucky, some no so much.

I had the great fortune to also marry another geek. She's not so much of a computer geek, like me, she's more of a science geek (also like me) and a mathematics geek.

She also thinks my two great hobbies, computers and ham radio, are "cute", and allows me to spend inordinate amounts of money on them ;-)

Obligitory

[drewzhrodague (606182)]

In Corporate America, hotel tracks you!

1. Install wifi network
2. track wifi users' net traffic
3. ...
4. Profit!

Dedication

[DoofusOfDeath (636671)]

Herf was on his honeymoon when he did this sleuthing. Now that's dedication.

To whom?

A disturbing trend

[NimbleSquirrel (587564)]

Unfortunately, this is only going to become more widespread. Hotel chains are only interested in profit, and running their own in-house ISP just isn't profitable. They will contract out whereever possible, and for the lowest price.

Superclick already has the backing of major Hotel chains, so it already has recognition in the marketplace (hotel owners). That is not going to change. They would also be very competitive for the services they provide and, given what has been found, it is not unreasonable to thi

Some hotels intercept SMTP traffic too

[toga98 (109028)]

I noticed some hotels intercept SMTP traffic after a client complained he couldn't send email through our mail server while he was on the road. The hotel's service provider was trying to masquerade as our mail server and attempting to intercept the mail delivery. When I tested it I sent a test message through the mail server that was representing itself as our mail server and received the message 12 hours later. Interesting that it took that long to deliver the message and surprising that they would try to

Re:

[NimbleSquirrel (587564)]

That would be http://www.superclick.com/ [superclick.com]. Take a look at their customers. Hilton is one.

Some? How about "most"?

[Svartalf (2997)]

They're intercepting all of the SMTP traffic outbound ostensibly to prevent spammers from renting a room for the night and using their "high-speed" access to cover their tracks. Since my SMTP server can use the alternate authenticated (and SSL encrypted) ports, they're not dinking with my email right at the moment- either way. Their little mail proxy engine is like an open relay and gets rejected by other mailservers if they've got those sorts of countermeasures on. I'd sent some emails to my friends and

Re:

[Ninjaesque One (902204)]

The only reason that spam is alive right now is because of its horribly low cost: it costs nothing, basically, to send junk mail through the internet. That nothing would be increased by about $70 a day for a hotel room with high-speed internet.

Re:Some hotels intercept SMTP traffic too

[Alpha232 (922118)]

I won't try to claim there is no evil in this instance...
However there are some providers that do the same type of thing with the genuine interest in helping the guest.

This is NOT uncommon; this is all about providing transparent network services. There are systems already out there (STSN, et.al.) that don't even require you to use DHCP.. If your IP is static, it handles the masquerading needed to make it work without your intervention, same for DNS and Mail.

Take for instance your mom and pop traveler, they are setup for cable broadband, their ISP comes to their home and hard wires the DNS and SMTP settings, and sometimes the IP. Mom and Pop go on vacation and bring their laptop, yes Virginia some non-geeks/non-business people own laptops. What settings do they need to know how to change in order to get online? At a minimum their IP is hopefully DHCP but I'll say that is not always the case, and also DNS which would be set by DHCP unless their IP or DNS settings are hard coded. In this case, the system would see the system using an IP that isn't part of the hotel network and wasn't assigned by the server, so it will do what is needed to make that IP work. Same thing goes for DNS, it will route all DNS requests to its internal DNS server, and sometimes ISP's don't allow public access from the outside.

As far as SMTP is concerned, would you be surprised that in this age of rampant spam that Mom and Pops ISP refuse connections from outside their network? Also in a growing trend, the ISP the hotel uses wants some assurances that the public access isn't allowing mass spamming. In this case the hotel(or their network provider) routes all SMTP traffic to one server on their network which queues it and sends it out. They could be doing spam checks or simply a queue threshold/throttle to limit the damage Mom and Pops zombified laptop can do.

That last point is also my last point, from the Hotel/ISP point of view you're using a computer that is not controlled by the person who owns the network. Most companies do not allow unsecured systems on their network, in a hotel, that is the idea... so measures must be taken to not only have the network adapt to the user but also to protect the host from their guests.

I've assumed that this was the case....

[8127972 (73495)]

.... for years. That's why I've begun to use a remote access product called the MobiKEY [route1.com]. It is a USB token that creates an SSL tunnel with 2 factor authentication (some sort of PKI based scheme) to your home/work computer. The company that makes this has a managed service called MobiNET that helps to broker the connection so that even Joe Sixpack can connect anywhere there is a net connection. Also, since it's SSL, I don't have to change my firewall settings.

By using this product, nobody can snoop on my activities and I can do what I have to do in complete confidence. Problem solved.

They do, do they ?

[Joebert (946227)]

Are theese guys based in Soviet Russia by any chance ?

pardon?

[rucs_hack (784150)]

On his honeymoon?

wow, that's a relationship with a good start.

FreeNX

[astrashe (7452)]

I use FreeNX to go back to my home desktop through a ssh tunnel. I use the local desktop only if I want some multimedia -- I'll start streaming a radio station, then pull up my home desktop, etc.

FreeNX is fast enough to make this viable.

You get a lot of advantages from doing it this way. There's the privacy angle, which is a big thing. But you also get your main desktop -- the one with all of your stuff on it.

And you don't need a really fast laptop. Once it's fast enough to run FreeNX, you're ok. I use a thinkpad I bought on ebay for $200. It's not just cheap, it's from the era when laptops ran cool enough to actually hold on your lap.

Re:

[drinkypoo (153816)]

what does this give you that you couldn't get by tunnelling X via XDMCP over SSH? Doing remote-display stuff is part of the fundamental design of X, after all.

It makes the connection dramatically faster and more responsive. Like, as usable as Microsoft's Remote Desktop Connection. X is not very efficient. NX does some other things too but that's the biggie.

Whorehousing

[by Anonymous Coward]

As a former employee of a hotel service provider, we would certainly store MAC addresses indefinitely, proxy (and occasionally read) outgoing email (and deny SMTP service for the flimsiest of pretexts), and best of all, t2 support would often tail the squid logs in search of the best pr0n. If the company had been in any way organised you can bet we'd have been selling (aggregate only! honest!) data to the first bidder.

And don't even get me started on the plan to introduce targetted ads direct to the browser on *every page*. What? you think we used squid for performance?

Hotels want to know EVERYTHING

[AndSheWas (1049788)]

I work for a certain hotel company, I'm the person who you get when you call to make a reservation. If you have any kind of identifying profile or number, then you're activity is being tracked. Whether you stayed on business or pleasure, who you're companion was, what floor you like, how many beds, on what occasion you decided to stay at the hotel...any information i can gather about you, i am paid to gather. We use an integrated soft phone that is linked with our reservations system. I know what number you are calling from. If you have stayed with us before, chances are you have a profile, and i have your address, credit card number, and possibly how many kids you have. The hotels want your business so badly, they want to REALLY get to know you, and have your favorite flower on the bed when you come in, or if you know the concierge well enough, your favorite escort. So if you want to keep you're personal info "secret", don't earn points towards that free stay, and don't get a profile number. We get paid extra for making these profiles, so watch out for people just making you one, without your expressed consent. It happens all of the time. i watch it happen everyday. I'm looking for a new job.

In soviet Russia...

[Zaatxe (939368)]

Hotel Connectivity Provider SuperClick Tracks You!

Oh, wait...

I work for a competing pay to use service.

[blanks (108019)]

For the last 3 years I have worked for another pay to use wireless service.  I won't say the name but we supply most of the wireless service in Hiltons, Radisons and Embassy suites in the united states.

Thankfully it sounds like they are not even trying to lie about what is happening, and are say they are trying to push advertisements to their wireless users so I don't need to explain why they wouldn't be using a proxey.

After a user authenticates at a location there is no need for any of this redirecting per page every time a user tries going to a different site.  Any good wireless gateway (and many bad ones) simply track each user using a session assigned to their mac address on the gateway, Nothing needs to be done to track service usage as long as they are active.

The only reason (and I don't know why they haven't been using this as the excuse) is to be able to claim monitoring illegal web usage such as kiddy porn or illegal music downloads.  We had a few places claim they needed to be able to track this, but we dropped them instead of willingly tracking users for a b.s. reason.

This is just another case where a company that is charging for a service are trying to make even more money doing secretive and underhanded business practices.

Probably went something like:

[DJCacophony (832334)]

"What? This security dialog box is warning me that this certificate is unsigned! Better click 'ok' so I can see my bank account anyways."

Re:

[DaveCar (189300)]

You are right, but they will be doing your DNS lookups for you too, so let's say they see www.myxxxporn.com get resolved to aaa.bbb.ccc.ddd for your client, then an https request to aaa.bbb.ccc.ddd from your client then there's a pretty good chance you're viewing pages at www.myxxxporn.com. Exactly what you are viewing they don't know, they can't see the content or the path part of the URL, but it's probably good enough to work out what you might be interested in.

Set up an squid/ssh server at home/work, set