Belkin Routers Route Users to Censorware Ad
The Register has a story today about Belkin routers redirecting their users' network traffic.
To me, this seems like the logical next step after top-level domain name servers piping ads to your browser. Now the routers themselves hijack the traffic they are supposed to, uh, route -- and you'll love where they send you instead. But it's OK because you can opt out. Incidentally, the Crystal Ball Award goes to Seth Finkelstein, who in 2001 quoted John Gilmore's famous aphorism about the internet, and asked "What if censorship is in the router?"
Good quote (Score:3, Interesting)
That is insanity (Score:5, Interesting)
But what if every one in 100 times, UPS thinks I might like a corporate logo bumper sticker instead of my book, they throw my book into the eternal void, and give me a UPS bumper sticker instead. I'm supposed to like this?
Bottom line: When I ask a package to get delivered, and for a certain package to be received, I WANT that package, not what they think I want. Whether it's a TCP/IP packet, or a book. I fail to see the difference here.
Bottom line, thanks to Slashdot I'm not buying my routers from Belkin (not that I'm a telecom person, but still I'd be careful if I ever had to).
This Seth Finkelstein? (Score:1, Interesting)
great quote (Score:5, Interesting)
Also in the news: the American council for airbags has been hitting people randomly in the streets to make it easier to appreciate their products. Thanks!
Seriously, though, I don't 'get' how a company could think this would endear themselves to their customers. If Cisco pulled this shit on its customers and made all their routers randomly direct to their brand-new VPN product I think it'd make people stop using Cisco FAST
Redirect hardcoded? (Score:5, Interesting)
Not in my house (Score:3, Interesting)
From the article:
"In response to criticism, a Belkin product manager came forward this week to confirm the behaviour was designed into the products as a way to make it easier for consumers to sign up to a free trial of its parental control software."
Soooo.. it's spam, then. What a way of putting it mildly.
Should read:
"In response to criticism, a Belkin lackey admitted a confirmation this week that the router will hijack an HTML request in order to advertise their product, for your convenience!"
This is typical. (Score:4, Interesting)
I just wish Belkin would offer firmwares/hardware *without* the "feature". Any hijacking of routed packets is wrong. Sort of like saying
Re:What the...? (Score:3, Interesting)
There's a class-action suit brewing, I'll bet (Score:5, Interesting)
I agree that if I'd bought one of those things and it started redirecting my traffic, I'd consider it defective and demand my money back. Belkin's really moronic to think that this won't backfire on them and result in an expensive class-action lawsuit. Maybe they can defuse a lawsuit by offering refunds to anyone who's upset at the feature, but I'm guessing they're too sold on their own flawed logic to understand that what they did is not going to be seen as anything other than making the product do something its owners didn't ask it to do, and that Belkin didn't tell them it would do.
I can smell the class-action attorneys lining up now.
Meanwhile In Court... (Score:5, Interesting)
"That's right."
"And so you are charging the cashier with assault."
"That's right."
"All right. Mr. Defense lawyer, what do you have to say to that?"
"Mr. Stevens: Did you specifically ask my client NOT to punch you in the face?"
"Huh?"
"What did you tell him exactly?"
"Um.. I told him, I would like a number three meal and a Dr. Pepper."
"I see, and that was all?"
"Um, yes."
"Not that you wanted a number three meal, a Dr. Pepper, and to not be punched in the face?"
"Uh.. no, just the #3 and the Dr. Pepper."
"Your honor. How can my client be expected to be held responsible for this when Mr. Stevens was unclear about what he wanted? Had he configured his order correctly, my client would not have punched him in the face. So why is my client the one to blame? What do you think Mr. Stevens expected to have happened?"
"Hmm, excellent point. Case dismissed."
Re:Redirect hardcoded? (Score:4, Interesting)
1.) Send a spam mailing which loads a java applet when opened.
2.) The java applet exploits the ByteVerify hole in an older version of M$ Java VM to drop a bad HOSTS file on the now-infected machine.
3.) Belkin router hijacks an HTTP request to their site, but the HOSTS file redirects that hijack to the second hijacker's site.
4.) The new hijacker's site can either be a pay-per-click search portal, or it can host more trojans to exploit a machine already proven to be out of date on its security patches.
This is not an extreme example at all and could be done very easily. I see this shit every day at my site's support forums.
When Verisign hijacked all mis-typed domain name queries, we started seeing a large number of trojans dropping bad HOSTS files that redirected sitefinder.verisign.com to their own sites.
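A defender-side check for the HOSTS-file tampering described in the comment above, as an added example that is not part of the original thread: it parses a hosts file and flags entries that pin a watched hostname to a non-loopback address. The watched names, the sample file contents and the addresses are constructed for illustration.

```python
import ipaddress

# Hostnames to watch; an assumption for this example. In practice: update
# servers, banks, search portals, or any name a redirect is known to abuse.
WATCHED = {"sitefinder.verisign.com", "windowsupdate.example"}

# Constructed sample hosts file, not taken from a real machine.
SAMPLE_HOSTS = """\
# Constructed sample
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.tracker.example      # ad blocklist entry
203.0.113.7 sitefinder.verisign.com  # suspicious pin
203.0.113.7 www.windowsupdate.example WINDOWSUPDATE.EXAMPLE
not-an-ip   sitefinder.verisign.com
"""


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each well-formed entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname maps nothing
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: the resolver ignores it too
        # Hostnames are case-insensitive; a trailing dot is the same name.
        yield line_no, addr, [h.lower().rstrip(".") for h in fields[1:]]


def audit_hosts(text, watched=WATCHED):
    """Return (line_no, hostname, address) for watched names pinned elsewhere.

    Loopback and 0.0.0.0 entries are skipped: they are the usual form of a
    blocklist and send traffic nowhere rather than to a third party.
    """
    findings = []
    for line_no, addr, names in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue
        for name in names:
            # Match the watched name itself and any subdomain of it.
            if name in watched or any(name.endswith("." + w) for w in watched):
                findings.append((line_no, name, str(addr)))
    return findings


if __name__ == "__main__":
    for line_no, name, addr in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} is pinned to {addr}")
```
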
I suggest a new verb: (Score:5, Interesting)
It's a decent start at a definition. One could say "I installed this topdesk thing which totally belkined my browser". Let's make their name synonymous with bad behavior.
The ISP I used to work at did this (Score:3, Interesting)
I was pretty unhappy with this, but was unable to convince my bosses that this was evil or risky. The company had apparently convinced them that they had checked it out with their lawyers, and because they weren't changing the site's HTML -- they were putting outside Google's final </html> -- they were safe. (Never got an answer about substituting ads.)
I don't work there anymore, but last I heard it's still going on, and there's a few ISPs, at least in Vancouver, that are doing this. Scary.
Re:Some other ideas... (Score:5, Interesting)
My TV does change channels automatically to infomercials. I have a TiVo, and one of the "features" is that at the top level menu you'll often see ads that you can choose to watch. The TiVo grabs these late at night when it thinks nobody watches TV... unfortunately if you watch live TV around 1 or 2 in the morning you'll find yourself having to opt-out of a channel change to record "TiVo enhanced content" every ten minutes or so.
(annoying, and I wish there was a way to opt-out of this once and for all, but I'm still a big TiVo fan, and they gotta make money to stay afloat, so I put up with it)
Re:Here's the angle I would take... (Score:4, Interesting)
And Belkin can turn it on again just as easily.
From Belkin's response:
"I know the manual could do a better job explaining it."
Badly worded by design.
Amazon (eBay?) did the same sort of thing. "We rewrote the privacy policy recently"
(Oh, and in doing so, we reset your privacy settings. You now will get spam from us. To change it, visit blahdeblah.com). They never proactively told anyone, until it was found out and published.
I'm a Belkin Wireless router owner (Score:3, Interesting)
The device was replaced with another brand that works fine. Off line and collecting dust, I've never had a problem with it hijacking my HTML and inserting ads. Now I have another reason to not buy a Belkin product again, but I hardly needed one.
Re:Exactly (Score:2, Interesting)
The scarier thing is that this possibly opens a backdoor where packet content can be used to get into the router?
Any takers on whether there's a security exploit in a few weeks/months?
Re:That is insanity (Score:1, Interesting)
I for one would be mightily pissed if I was trying to cover my bid at the last minute on eBay and my router decided to "intervene".
Re:Here's the angle I would take... (Score:5, Interesting)
I just ordered a new laptop and I'll need a new Wi-Fi card for it. Guess what brand I'm not going to pick? Unfortunately, between Linksys violating the GPL [slashdot.org] and Belkin hijacking URLs [slashdot.org], D-Link [dlink.com] is about the only remaining choice. Unfortunate not because there's anything wrong with D-Link, but because choice is good.
Re:You may wonder how this happened: A Story. (Score:2, Interesting)
Morons.
It's not the only defective device they make. (Score:3, Interesting)
The first DVI port DOES NOT WORK at resolutions above 1024x768. On any of them.
The LCD goes absolutely fucknuts when connected to it.
It's sad. All of ours are being used 3x1 because of it.
Let's face it, Belkin sucks. Cables are way overpriced. Don't ever buy anything from them.
Re:In case Belkin, Linksys, D-Link et al is listen (Score:2, Interesting)
And the count of 3 just got bumped up to 4. And #4 is the guy that fills out the PO's and requisitions for the Director of IT at a nationwide telcom provider. We have 8 data centers, and 6 more are coming online within the next fiscal year. That's just a hair under $50 million USD of product that I research, and give my blessing upon for the Director to rubber stamp.
And not a single center will have ANY product made by Belkin.
Re:That is insanity (Score:2, Interesting)
Two of their top guys there left to work at Gemini.
They were the Bel in Belkin.
The company is a sinking ship and it's only getting worse.
BTW some sales emails to blast them about this are.
chetp@belkin.com (owner of the company)
ericp@belkin.com (brother to the owner and all around bad guy)
Re:You may wonder how this happened: A Story. (Score:5, Interesting)
QUOTE
Hi,
I just want to let you know that I'm suspending purchase of several
accessories made by Belkin for my 30G iPod because of your blatant abuse of
customer trust (the router rerouter fiasco). Furthermore, I shall engage in
an active campaign among friends and family to make sure none of them buy your
products for the same reason. Being a geek by profession, a lot of my
non-tech friends take my advice for tech purchases. Since you've been
featured on
similar course of action.
I sincerely hope your bottom line will suffer enough for you to make an
official pledge never to ream your customers again. Or that you go bankrupt
(financially, because morally you obviously already have).
I feel betrayed, having recommended your products (even when priced above
competition) for corporate and personal purchase so many times in the past,
because of build quality I can count on. However, build quality is not
enough; integrity and ethics are just as (if not more) important, especially
at times of Good Enough Syndrome.
Is this (http://slashdot.org/comments.pl?sid=85076&cid=74
happened?
ENDQUOTE
Re:Here's the angle I would take... (Score:4, Interesting)
Re:Here's the angle I would take... (Score:3, Interesting)
Sent to sales@belkin.com,melodych@belkin.com, cindya@belkin.com
----------------
I recently read a few postings on usenet and slashdot regarding your wireless router. It seems that there is now a feature that will redirect you to an advertisement for your censorware products every 8 hours unless they opt out. I find this troubling and disconcerting to say the least, as the days of trusting a company's motives are long since gone. Simply put, a router's job is to do just that: route packets. When you start injecting your advertisements into the process you compromise the integrity of your product. Going forward, how am I to know that your router is not doing something that could compromise my network under the guise of being a feature? There had to be the understanding that this would be poorly received by individuals who already possess technical knowledge. I personally do not own your networking products, but have used your cabling for quite a few years. And as a technical person who runs a small business helping other small businesses with technical issues, I play an integral part in their purchasing decisions.
You may have intended for it to be easier for non-technical people to sign up for your service, but did you stop and think how a non-technical person decides on a Belkin product? It isn't your marketing, it's the co-worker/relative/friend of a friend that fixes their computer that they ask for buying tips. And it is exactly these people that are most offended by your actions.
I, like a lot of other techies that read this, will not be recommending your product in the future until you stop this practice and apologize to your customer base.
Thank you,
xxxxxxxxxxx
----------------
G
Re:SUCH old news (Score:1, Interesting)
That may be, but the whole point is that this "feature" has NO BUSINESS requiring you to disable it to begin with. The damage isn't your time or trouble disabling it, the damage is in the risk of having traffic routed in any way other than how you have configured your router.
This isn't an inconvenience, it's a complete breach of trust.
If the ATM at your bank randomly flashed your account balance and how much you were withdrawing on a big screen for the benefit of everyone in line, would you accept the explanation that you could easily disable this feature? Or would you change banks? You'd change banks. You'd also be filing a lawsuit.
Re:Some other ideas... (Score:4, Interesting)
Imagine that you are about to post a message on your private blog about some hot sex session you had a few nights ago (yeah, unlikely I know). As is the norm, the information will be transmitted in an HTTP POST request. This request is the one that happens to get rerouted to Belkin. Now Belkin knows all about your hot sex escapades.
Where I come from, this is known as wiretapping, eavesdropping, snooping, or something like that. It's highly fucking illegal and whoever at Belkin thought this was a wise idea should be clapped in irons. I'm seriously considering writing a letter to a law enforcement agency about this, I'm just not sure which one to pick!
Here's my letter to their PR rep (Score:5, Interesting)
My name is [name deleted], and I work as IT department manager for a medium sized company in [place deleted]. I write to you in light of the recent unveiling that Belkin are knowingly shipping routers that show commercials to the end users by hijacking HTTP connections.
I am not sure if the product manager, Eric Deming, who designed the product to not work as expected did so understanding the full consequences if - or, rather, when - this information would become public. The one reason Belkin's name has been held in high regard at the company I work for is because of dependability. When it turns out that Belkin is actively designing products to not work dependably, but instead display advertising at the user; that reputation of dependability... well... there's not much left of it. And, as you are aware, for every one of Belkin's products, there is a competing product.
It becomes much worse. It also turns out that Belkin has the ability to remotely modify the behavior of these routers. When I showed this fact to our network security people, they went ballistic and drove straight off to the local equipment store, only to come back two hours later with a bunch of boxes. 30 minutes later, there was a heap of discarded equipment in a disorderly pile in one corner of the networking room. The discarded items all carried the name "Belkin". I signed the receipt for the new equipment with a look, a sigh, and a nod.
To top it off, it seems that your Mr. Deming who designed this behavior believes that every outbound hijackable connection originates from somebody sitting at a computer and browsing the web. However, more important are the automated connections. What would happen if the backup for our commercial data, which is transmitted regularly over the Internet, instead was pushed to Belkin, due to this behavior? What would happen if virus or operating system upgrade connections were the ones hijacked? Heart defibrillating equipment has been mentioned - what would happen if the heart defibrillation monitor, trying to trigger the impulse with the charging equipment, is instead redirected to a Belkin advertisement? You know, telesurgery exists and does depend on a reliable Internet infrastructure, consisting of such boxes as yours.
This product has been designed to not work, despite charging good money for it. I lack words to describe how shameful this behavior is.
Additionally, if the Belkin corporate culture is one that allows such a technical atrocity to make it to the shelves for one product, then it is obvious it may happen again, or has already happened, for other products. However, rest assured that this company will never again buy another Belkin product as long as I run the IT department.
[signature]
Re:Here's the angle I would take... (Score:5, Interesting)
Another exploit using this "feature" (Score:4, Interesting)
Belkin hasn't just abused customers' trust and falsely advertised this piece of trash as a router, they have also opened up security holes for no other reason than advertising censorware. This behavior isn't just wrong, it's despicable.
Doesn't Belkin need to disclose some sourcecode ? (Score:2, Interesting)
Now I do believe when that is done that should solve the problem with this re-routing...
DRM == "Censorship in the Router" (and the desktop (Score:3, Interesting)
The DRM technology promoted by Microsoft, the MPAA, the RIAA, and our legislators (in the U.S.) are all that is needed to implement a network wide censorship of content on the web, in our email, and on any document or media file that traverses the web.
People asking Congress to regulate email, usually using spam as a justification, are asking Congress to assume the right to regulate the content of our private communications. The Patriot Act has already given the government the "right" to monitor it.
If Microsoft's DRM facilities are capable of the user control that they claim they are, then it would also be possible to block the transfer of any document that was not made with that technology, to track the origin of any document to the users computer and userid, and to filter traffic at the router for any specific document. Palladium would enable similar "features" to be implemented as well.
I believe that this is and always has been the motivation behind DRM, and that the censorship will be implemented not only to protect the media giants that currently enjoy monopolies on entertainment, but also to ensure that the message put forth by these companies as "news" will be able to continue unchallenged by smaller sources who are either more concerned for the factuality of what they are reporting, or are unfettered by the necessary alliances between government and our large corporations and are thus not obligated to report only the sanctioned viewpoint.
Before anyone recommends the tinfoil hat, I'd just like to ask you to consider:
Is it a safe enough bet to allow to chance?
Can we assume that despite this capability being built into the network and our software it will not go unused?
Is a government that seems desiring to curtail our rights (while promising the payoff of lower taxes) going to show enough restraint to not censor once it is capable?
Are the software and media companies actually idealistic enough to prevent this? or would they willingly participate with an oppressive government as long as that government promises to protect their market position in the face of growing competition?
Am I overly paranoid for considering this to be a possibility?
Is paranoia justified in situations such as this?
Belkin responds -- and digs a deeper hole (Score:4, Interesting)
The letter makes it clear that Belkin still doesn't get it. The letter isn't an apology, it's an explanation, an excuse for Belkin's reprehensible conduct, and it's full of spin - that's the polite way of saying misinformation, which is the polite way of saying lies.
The letter begins by claiming that "a group of privacy advocates have targeted Belkin Routers". That's not the case at all - a single user posted [google.com] an explanation of Belkin's router's hijacking, and asked if anyone knew any more about it, in the usenet group news.admin.net-abuse.email. No group was involved, and there was no targeting.
The letter continues with a claim that "[t]he Parental Control registration page is not spam, adware or spyware. It is part of the setup process of the router. It does not "hi-jack" the browser." It is, apparently, part of the set-up process, but that's spam in and of itself: the user hasn't purchased Belkin's "Parental Control", but in the process of installing what he has purchased, the user is forced to sit through an advertisement for another Belkin product, whether or not the user has requested this advertisement. That's the essence of spam.
(And yes, I know that businesses like to claim that unsolicited advertisements are not spam if there is a "pre-existing" relationship with the customer, but that's bunk. Buying a product does not involve an implicit agreement to surrender my time to the manufacturer.)
Even if you're willing to buy the argument that installing a product should be made more complicated and time-consuming by subjecting you to advertising, the reason that Belkin's received so much unfavorable publicity is not a one-time ad at install. The problem is the ads repeat indefinitely, every eight hours, until you, the user - Belkin's valued customer - takes some action to make them stop. And this is the same as the sneering spammer who sends you unsolicited email with a "click here to opt out" link. Not only does it steal your time, it steals more of your time before you can make it go away.
The letter goes on to state that "nor does Belkin have the ability to advertise to our customers using our routers as a conduit."
Wait a second, lady. This whole brouhaha started because Belkin continues to use its routers as a conduit to deliver customers to its ad for "Parental Control" every eight hours. If your routers didn't have that ability, we wouldn't all be telling you why we're not going to buy Belkin products anymore. This is a blatant lie, and an insult to the intelligence of anyone reading it. The page the router delivers users to is an ad. It's a solicitation to do additional business with Belkin.
The letter also claims that "[i]f a customer clicks "No Thanks" on the first prompt, the for Parental Control signup will no longer appear." Not entirely true. Belkin Manager Eric Deming admitted in a usenet post (since cowardly cancelled, but mirrored here [stevesobol.com]) that clicking "No Thanks" won't work for users behind firewalls. It also appears that the "No Thanks" gets reset if the router is reset, and anecdotal evidence suggests that the (low) quality of Belkin's routers makes resetting rather more usual than it should be - possibly as often as every 20 minutes [cnet.com].
The letter ends on a surreal note, "[the Belkin advertisement web page] is not a browser pop-up, this means that the Parental Control web page will only be displayed if the user opens the browser". Huh? It's not a br
Re:IT'S ON THEIR WEB PAGE, TOO! (Score:4, Interesting)
If a company makes a mistake, or even a major blunder, but owns up to it and fixes it, that tells me they really DO care about their customers. This is a far cry from a company that tries to excuse their behaviour and wants US to live with the consequences.
So while I won't buy this *particular* Belkin product, their behaviour is NOT deserving of an across-the-board boycott.
What people also forget in their rush to find "some other product, ANY other product" is that other companies may have implemented naughties that you don't yet KNOW about. So in your haste to punish the erring company, you may well be jumping out of the frying pan and into the fire.
Sometimes I think people who go off the deep end like this should be cast into the outer darkness the first time *they* majorly fuck up. That'd teach 'em a little restraint.