Belkin Routers Route Users to Censorware Ad
The Register has a story today about Belkin routers redirecting their users' network traffic.
To me, this seems like the logical next step after top-level domain name servers piping ads to your browser. Now the routers themselves hijack the traffic they are supposed to, uh, route -- and you'll love where they send you instead. But it's OK because you can opt out. Incidentally, the Crystal Ball Award goes to Seth Finkelstein, who in 2001 quoted John Gilmore's famous aphorism about the internet, and asked "What if censorship is in the router?"
Here's the angle I would take... (Score:5, Insightful)
Better yet, get the addresses and post them here.
Some other ideas... (Score:5, Insightful)
8 hours. These are business models I need to patent...
I could see this coming (Score:1, Insightful)
If you disagree with me, look at the ad at the top of this very page, even slashdot uses ads to stay in business.
This is a DEFECT. Give me back my money (Score:2, Insightful)
When will they learn ?
Re:I could see this coming (Score:5, Insightful)
Bullshit. Slashdot is bombarding me with ads because I'm a cheap bastard and refuse to pay them for the content they provide me. Belkin's got the money I gave them for their router, they don't need to be sending me ads I don't want to see to make more money.
Wasn't this mentioned awhile ago? (Score:3, Insightful)
The next step, of course, is for a hacker to hijack this "feature" and dump all of a routing company's customers to child porn, warez sites, or Nigerian scams galore.
Then there is the temptation of the companies themselves, "You can turn this feature off only by submitting a valid e-mail address." Then they sell off these addresses to spammers worldwide for a profit.
This kind of stuff is worse than big brother. At least in 1984 they didn't force commercials down your throat.
Hijacking my HTTP requests? (Score:2, Insightful)
Assuming I understand this correctly, it could be dangerous. What if the request that got hi-jacked was me transferring money between two accounts?
Sure, they are probably safe because they only hijack HTTP (port 80) and not HTTPS (port 143). Hopefully anything important I'm doing is on port 143.
I will not buy Belkin anymore. This type of behaviour in a product is unacceptable. Advertising is one thing. Hijacking my requests is much more serious.
Re:so.. (Score:5, Insightful)
First, the original poster on Google said that he got it, unannounced, as part of a router firmware upgrade. No warning or explanation.
Second, Belkin sells a product that is supposed to route Internet traffic, including HTTP. At certain, random points, it does not do that. Instead it sends out an advertisement to a user who has made a valid HTTP request. If Sony started selling a CD player that played a commercial for Coke once every 8 hours, would that be "no big deal"?
I'm not spending another cent on Belkin gear until they reverse the upgrade and pledge not to do it again. Otherwise, simple gear like routers will become spam engines.
Re:so.. (Score:5, Insightful)
Yes. Because routers route, period. And when they route, they're supposed to route correctly. Opt-out is bullshit, because it's saying "our product ships broken, until you unbreak it."
Exactly (Score:4, Insightful)
Boy did they blow this one. If they had stuck to something simple like your very first HTTP transaction brought up a configuration/advert screen only once, then there wouldn't even be a story.
What if I had bought this for an isolated network? Would it hang up for an appreciable amount of time trying to contact belkin.com?
I think Belkin deserves every bit of abuse on this issue. They knowingly did something annoying to their customers only because they couldn't figure out how to sell this POS censorware service any other way. Screw them.
This Breaks web sites... (Score:4, Insightful)
just my $2/100
Re:In case Belkin, Linksys, D-Link et al is listen (Score:3, Insightful)
Also, I think Belkin, D-Link, et al. might well listen. The home wireless router market is a cutthroat, commodity place. To me, they're all basically the same box. Why would I buy from a company that routes me to spam, when there are 5 others that don't on the same shelf for the same price?
Re:Not in my house (Score:2, Insightful)
Well, guess I won't be using any Belkin routers.
Or network cables, or any other product on my network. As a network admin, you have to trust at least the components you install on your network. Besides, unsolicited HTTP is exactly the same as unsolicited SMTP. Regardless of whether it's penis pills or network services, I don't want it. This is worse however, as it not only sends unwanted packets, but destroys valuable data, which may or may not be vital to the operation of the network, or my company, or my job. Sorry Belkin, you lost my trust.
Belkin can modify your router settings? (Score:5, Insightful)
[quote]
By the way, this procedure (disabling the nagware in the router web-config) might have to be done if your router is behind a firewall. Reason: filter.belkin.com sends a response to the Router to set the flag. [/quote]
So Belkin deliberately left a configuration on the router to be modifiable by someone without proper authorization (the owner of the router or the network admin)? Absolute genius. Destroy your company's reputation 100% in one easy step: the backdoor(s) will piss off the geeks, and the nagware-advertising will piss off Joe Sixpack.
I couldn't disagree with you more... (Score:5, Insightful)
Unlike popups, etc., this is redirecting randomly selected packets going to port 80 (and probably the HTTPS port as well...) to their server. Take a wild guess how many different things that just broke (SOAP, XML-RPC, etc.). Like someone said, I hope nothing mission critical for you is on the inside of this stupid router - because it's BROKEN by design (And "configuring" the Router doesn't include turning frigging adverts off, either...).
It's got to be one of the stupidest things I've heard of in a long time done for the sake of marketing.
Re:Here's the angle I would take... (Score:3, Insightful)
Belkin is on my banned list now.
Re:That is insanity (Score:4, Insightful)
This is their wireless router -- it's made for home use, not for telecomm use.
And don't just not buy routers from Belkin. Don't buy anything. No routers, no cables, no USB hubs, no keyboards, nothing. Belkin makes a great deal of stuff -- boycott all of it. There's not a single product they make that they don't have competition for.
And let them know about it too. Email them (look here [belkin.com] for the appropriate regional sales address) and tell them that you will no longer purchase their products until they apologize for doing this, put out a patch to fix it, and promise to never do anything along these lines again. Yes, I've already sent my email.
I've got a decent number of Belkin products... they're decently made, and often available for a good price. But there's no way I'll purchase anything from them at this point if I can't actually rely on the product to do its intended purpose. And that's what this boils down to -- you have a router that doesn't route properly.
Re:Oh, this is bad (Score:3, Insightful)
I'd return it as defective, which it is (in this case by design).
I request that it route packets to and from a given IP address, and instead it routes them to/from another. That meets my definition of a defective router.
This could suck for automated HTTP (Score:5, Insightful)
It's annoying enough to know that when you're sitting at a computer using a browser to surf the Web, a couple requests a day will get hijacked to the spam site.
But what about automated HTTP requests? You might be running some script to wget the latest greatest kernel source and instead it downloads a piece of spam. The hijacked HTTP request might come in the middle of a Gentoo build, or as you mirror a Web site and have a page replaced with an advertisement. You could be tunneling some other protocol over HTTP, and then who knows what this would do.
Very stupid and annoying of Belkin. If they wanted to make their parental control thing so easy to use, just include a CD that says "Put this CD into any computer on your network to enable parental control on your new Belkin router!" Newbies can figure that out. I don't want my own router launching some kind of spoofing attack on me three times a day just so I can view more spam.
Ease of use? (Score:3, Insightful)
Then their letter goes on to explain how to disable the feature in the router (so you don't have to wait to be randomly redirected to the ad), and the instructions are quite vague: navigate to 192.168.2.1, find the setting which says something like (they don't give exact wording or where to find it, just vague directions), and turn it off. Where's the "ease of use" in that? Are they suggesting that this should only be turned off by advanced users and that naive users should simply sign up for their services?
Why can't they just admit that they wanted to prominently promote their subscription-based service? It's not like it isn't obvious what they're up to or anything.
Re:That is insanity (Score:5, Insightful)
Since the router doesn't discriminate over which HTTP request it overrides, what happens if it intercepts a privacy-sensitive transaction?
For example, if someone goes to pay their bills online, enters their billing info, clicks "submit"... then suddenly gets an ad... what ramifications might that have?
That's a little more worrisome than getting an ad instead of some random page I might be trying to visit...
=Smidge=
Interesting! (Score:3, Insightful)
1. Client initiates a connection to www.my-private-site.org on HTTP port.
2. Client is silently redirected to Belkin's site.
3. Unknowing client sends the HTTP request, a POST request which contains some sensitive information.
4. Belkin has now hijacked a connection and received sensitive information that was not intended to go to Belkin.
Logically the thing to do is prosecute Belkin under federal wiretapping and computer crime laws.
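The four-step exchange in the post above, carried out end to end as an added example (this is not code from the thread, from Belkin, or from The Register). Everything is constructed for the demonstration and runs on 127.0.0.1: www.my-private-site.org is the post's own hypothetical host and is never contacted; the "ad server" that the connection is steered to is a thread in the same process; the form data, the ad page and the sample responses fed to the check at the end are made up. The point it shows is that the client's request, Host header and POST body included, arrives at the wrong endpoint unchanged, and that an automated client (the wget-in-a-build-script case raised earlier in the thread) can at least notice an off-host redirect or an HTML page where a tarball was expected.

```python
"""Added example (not code from the thread or from Belkin): a local
simulation of a port-80 connection steered to an ad server.  The client
means to POST form data to www.my-private-site.org (the post's hypothetical
host); the ad server is a thread on 127.0.0.1.  All data is constructed."""
import socket
import threading
from urllib.parse import urlsplit

INTENDED_HOST = "www.my-private-site.org"  # hypothetical; never contacted
AD_PAGE = b"<html><body>Enable Belkin Parental Control?</body></html>"


def parse_headers(head: bytes):
    """Split an HTTP head (request/status line plus header lines)."""
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def hijacker_serve_one(srv: socket.socket, captured: list) -> None:
    """The 'ad server': read one full request, keep it, answer with the ad."""
    conn, _ = srv.accept()
    with conn:
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = conn.recv(4096)
            if not chunk:
                return
            raw += chunk
        head, _, body = raw.partition(b"\r\n\r\n")
        request_line, headers = parse_headers(head)
        # The client's own Content-Length says how much form data to wait for.
        missing = int(headers.get("content-length", "0")) - len(body)
        while missing > 0:
            chunk = conn.recv(missing)
            if not chunk:
                break
            body += chunk
            missing -= len(chunk)
        captured.append((request_line, headers, body))
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                     b"Content-Length: %d\r\nConnection: close\r\n\r\n"
                     % len(AD_PAGE) + AD_PAGE)


def run_hijacked_post(path: str = "/pay", form: bytes = b"acct=12345&amount=500"):
    """Client side.  Returns (what the ad server captured, the raw response)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    captured = []
    worker = threading.Thread(target=hijacker_serve_one, args=(srv, captured))
    worker.start()
    # On the real device the client dials INTENDED_HOST:80 and the router
    # steers the connection elsewhere; here the client simply lands on the
    # ad server's socket.  The request bytes are exactly what the site would get.
    request = (f"POST {path} HTTP/1.1\r\nHost: {INTENDED_HOST}\r\n"
               f"Content-Type: application/x-www-form-urlencoded\r\n"
               f"Content-Length: {len(form)}\r\nConnection: close\r\n\r\n"
               ).encode() + form
    with socket.create_connection(srv.getsockname()) as client:
        client.sendall(request)
        response = b""
        while chunk := client.recv(4096):
            response += chunk
    worker.join()
    srv.close()
    return captured[0], response


def looks_hijacked(response: bytes, expected_ctype: str,
                   expected_host: str = INTENDED_HOST) -> bool:
    """Check an automated client can run on a reply: is this what we asked for?
    Flags an off-host redirect, an unexpected Content-Type, or an HTML body
    where a non-HTML payload (a tarball, a quote feed) was expected."""
    head, _, body = response.partition(b"\r\n\r\n")
    status_line, headers = parse_headers(head)
    status = int(status_line.split(" ")[1])
    if 300 <= status < 400:
        target = urlsplit(headers.get("location", "")).netloc.lower()
        return bool(target) and target != expected_host.lower()
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype and ctype != expected_ctype.lower():
        return True
    return (expected_ctype.lower() != "text/html"
            and body.lstrip().lower().startswith((b"<!doctype html", b"<html")))


if __name__ == "__main__":
    (line, hdrs, form), resp = run_hijacked_post()
    print("ad server saw:", line, hdrs["host"], form)
    print("client got an ad instead of the site:",
          looks_hijacked(resp, "application/x-tar"))
```

The check is a heuristic, not a fix: it tells a script that a download was swapped for a page, it cannot get the real file back, and it does nothing for the POST that already left the machine. What actually closes the hole is TLS on port 443, because the client verifies the server certificate against the hostname it asked for before it sends a byte of the request, so a connection steered to another box fails at the handshake instead of leaking the form.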
Re:Hijacking my HTTP requests? (Score:3, Insightful)
By doing it at all, they've established they have no sense:
So I think it's no great leap to speculate that this travesty isn't implemented well. We already know that the website it redirects to offers to turn off the reminder, but can't do so if you're behind a firewall. That's a pretty big flaw. And even if it is able to effect the change, we also must wonder at the security implications of a website being able to change router settings. That's another pretty big flaw.
I'll further speculate that someone in marketing came up with this brilliant idea late in the product cycle, and this mis-feature was added in some last minute code. I doubt it distinguishes between POSTs, GETs with query strings, and plain vanilla GETs.
And regardless, if the plain vanilla GET is GET http://mysite.com/get-time-sensitive-file-every-n
So just why should I trust Belkin to have wisely implemented this incredibly stupid idea?
More of the same (Score:2, Insightful)
This goes wrong when advertisements are part of a public space. Like Sitefinder or billboards. If we are in that public space, we have no control over whether or not we will see the ads.
As for the Belkin routers. In this issue they are not breaking any rules unless they do not inform the consumer that this "feature" is in their products. A consumer does not have to purchase Belkin routers.
A programmer is to blame... (Score:2, Insightful)
The point is that geeks are to blame for this. The marketroids may come up with some stupid ideas, but who actually implements them?
I understand (completely) the self-preservation necessary in today's economy and the unwillingness to say, "No!" to something like this. I hope there were technical objections at Belkin. I hope there were testers jumping up and down and screaming about RFCs and proper routing and a failure rate of 3 per day per unit shipped, but I doubt it.
The next time your boss comes to you with one of these half-baked, asinine ideas, I hope you tell him that you object, as a Geek.
---
Q: Why do marketing guys wear ties? A: To keep the foreskin from flapping up!
Re:A programmer is to blame... (Score:5, Insightful)
Let me explain what might have happened at Belkin:
Middle Manager: "Hey, Geek-boy. Marketing have come up with a new feature they want in the wireless router."
SWEng: [reading Powerpoint slides] "An ad every eight hours? That's not what a router is for!"
Middle Manager: "I admit it's unusual, but Marketing really wants this, and legal says there's nothing in the law that prevents us from doing this."
SWEng: "You can't be serious. It's an affront to civilized behavior! It's a very bad idea."
Middle Manager: "Do it or you're fired."
At this point, the room becomes very quiet. The engineer thinks very carefully about this ultimatum. The economy is in a shambles, especially the tech sector. There is no shortage of people who would take his job in an instant. And he has a new wife with a child on the way.
Assuming the above scenario, and assuming the engineer capitulated, he has perhaps unwittingly caused the loss of his own job, anyway, once the full force of market backlash hits Belkin's revenue.
I agree that techs should stand up for what they see as ethical behavior, and refuse to perform work that violates it. But not all of them have the same degree of flexibility in enforcing their sense of ethics.
Schwab
No... IN SUMMARY... (Score:5, Insightful)
That is, I (or anybody on the inside of my net, not just an administrator) can click on a link delivered from outside my area of control and that link SETS A FLAG IN MY ROUTER....???!
So now I have my router with its optional firewall support watching the data transport and reconfiguring itself in response.
This is such a bad idea it is unspeakable.
What if the first guy to see the web page and who isn't the rightful administrator, accepts?
How long until a nice buffer-overrun attack lets a malicious server reprogram my router?
How much of the CPU in the router is wasted looking at each HTTP request in search of this flag setting?
Belkin is "stealing" cycles and security from their customers.
Not smart.
Here's my questions . . . (Score:2, Insightful)
Thank you for your kind and timely response.
Please forgive my additional questions, they are technical in nature. I'm sure you're getting a lot of communication on this subject lately.
I understand that the HTTP redirection is not really spam or spyware, it is more of a configuration page. I have applications that regularly download via HTTP:
1. Operating system updates (e.g., Windows Update)
2. Real-time data (e.g., stock quotes)
3. Critical data (e.g., drug interaction updates)
How does your product ensure that one of these HTTP connections (i.e. one not coming from a browser operated by an administrator) does not return the parental controls option page instead of the actual data requested?
The product is now open to receive configuration settings from a remote site (the external website is able to disable the 8 hour reminder). What authentication mechanisms are in place to ensure that the reconfiguration of the router by the remote site is, in fact, authorized? Note that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance requires 512 bit encryption on data transfers. Can I continue to recommend this product in a HIPAA environment?
Thanks again,
Marsh Ray
cc: kmc
Christine Lee wrote:
> >
>
> -----Original Message-----
>From: Marsh Ray [mailto:marsh@mysteray.com]
>Sent: Friday, November 07, 2003 4:21 PM
>To: sales@belkin.com
>Subject: Routers
>
>Dear Sir or Madam,
>
>I heard the wildest rumor today, and am seeking some clarification. Is
>it really true that Belkin routers will misroute http connections to
>advertisement sites?
>
>I have always held your products in high regard and am having a hard
>time believing this.
>
>Regards,
>
>Marsh Ray
>Belkin customer since 1997
>
Re:Usenet thread (Score:1, Insightful)
It is better to be silent and thought a fool than to speak and confirm it.
Re:Here's my letter to their PR rep (Score:1, Insightful)
While telesurgery is done over leased lines, and not the common internet (thank GOD! just like you say), the traffic flowing over those lines is still off-the-shelf TCP/IP. That TCP/IP is driven by ordinary equipment.
Also, IIRC, the contingency plan is not a technical one, but rather a surgical team on standby ready to "cleanly abort" the op if connectivity fails.
So I believe the original poster does have a point, although he/she doesn't seem to have been aware of it.