Hotel Connectivity Provider SuperClick Tracks You 175
saccade.com writes "During my last hotel stay, I thought it was a pretty strange that it took two browser re-directs before the hotel's Wi-Fi would show me the web page I browsed to. Picasa developer Michael Herf noticed the same the thing and dug a little deeper. He discovered: '...their page does some tracking of each new page you visit in your browser, outside what a normal proxy (which would have access to all your cookies and other information it shouldn't have, anyway) would do. This "adlog" hit appears to also track a "hotel ID" and some other data that identifies you more directly. Notably, I've observed these guys tracking HTTPS URLs, and of course you can't track those through a proxy.' Herf notes the Internet service provider, SuperClick, advertises that it 'allows hoteliers and conference center managers to leverage the investment they have made in their IP infrastructure to create advertising revenue, deliver targeted marketing and brand messages to guests and users on their network...'" Herf was on his honeymoon when he did this sleuthing. Now that's dedication.
Putty w/ dynamic proxy support and an SSH server. (Score:5, Informative)
I wouldn't trust any network like that... even if the service itself isn't watching what you're doing, do you trust the other people on that network aren't?
Its easy to surf or do other network apps safely on questionable networks. At least among the Slashdot crowd its easy... but I've educated even my parents on doing that when using public or hotel internet and gave them an SSH account to use at my house.
I've always worried about this... (Score:2, Informative)
Of course that's assuming the VPN is secure enough...i'm sure there's a way around everything. Hell, just connecting to the WiFi and checking your email can give anyone your password if they have half a brain.
Re:I've always worried about this... (Score:1, Informative)
Re:Some hotels intercept SMTP traffic too (Score:2, Informative)
Some? How about "most"? (Score:3, Informative)
OpenVPN (Score:5, Informative)
Over that connection I can do anything. Instant messaging, email, SSH, http, ftp, BitTorrent, etc.
Re:Some hotels intercept SMTP traffic too (Score:1, Informative)
This is actually done mainly for compatability reasons. Many people are configured for smtp without authentication, so what happens is when they try to send email they get "we do not relay" type errors from their home smtp server because they are not connected to their regular ISP (their home isp uses IP white lists to decided who is allowed to relay). So, some hotels redirect outbound port 25 to a server that is configured to relay for that hotel.
I've noticed most hotels that do this do not redirect smtp via ssl, so if you're concerned about it then set up smtp over ssl and make sure you have smtp auth enabled.
As to why it took 12 hours to deliver the mail.. that's shame on the admins for a slow server.
Re:https urls? (Score:3, Informative)
Set up an squid/ssh server at home/work, set your browser's proxy settings to a localhost:port and portforward everything with ssh to your home machine. I personally also would only use web based mail (via ssh/proxy) or imaps to read mail too, I wouldn't trust a client not to connect insecurely with imap+starttls, but that's probably just paranoia.
If you are on some kind of public network just assume that someone is watching/mitming everything you do. You don't want to end up on the wall of sheep [google.com].
HTTPS tracking (Score:2, Informative)
Um, yes, you can. It is possible with todays hardware.
Here are a few;
http://www.esafe.com/eSafe/traffic_solutions.asp [esafe.com]
Another;
http://www.scmagazine.com/us/products/productdeta
http://www.cyberguard.com/products/webwasher/webw
"WW1000 has the ability to scan encrypted SSL"
The days of HTTPS being valuable are long gone. We can look inside this traffic realtime. I monitor & block traffic to HTTPS sites myself..
FreeNX (Score:3, Informative)
FreeNX is fast enough to make this viable.
You get a lot of advantages from doing it this way. There's the privacy angle, which is a big thing. But you also get your main desktop -- the one with all of your stuff on it.
And you don't need a really fast laptop. Once it's fast enough to run FreeNX, you're ok. I use a thinkpad I bought on ebay for $200. It's not just cheap, it's from the era when laptops ran cool enough to actually hold on your lap.
Not all hotels are like this. (Score:1, Informative)
From my experience (a few different positions) in the hotel industry, the less expensive hotels (Econolodge, Travelodge, Red Roof, etc..) typically don't have these tracking systems. The downside is that their networks are usually less secure, because many don't have any sort of authentication outside of a WEP/WPA key. The tracking systems aren't found at these hotels because of the high setup costs (usually in the $1,000-3,000 range) and fees. It's not cost effective for the rates charged at these places, so they often end up with some sort of homebrew solution (kind of like the one I set up at a place -- used WRT54Gs authenticating to a FreeRADIUS server) which is less expensive to set up, and ends up being less expensive in the long run by only having to pay for a separate Cable/DSL connection. As previously stated, the downside here is security most of the time.
It really turns into a pick your poison-type situation. Regardless, I'd go along with the VPN/SSH Tunnel mentality. You never know what that front desk worker is doing downstairs in their free time.. *grin*
Re:Putty w/ dynamic proxy support and an SSH serve (Score:3, Informative)
ssh -C -D NNNN @
where NNNN is a port on the local machine. Just setup your network applications to using localhost:NNNN as a socks5 Proxy.
If you are paranoid, make sure DNS lookups are done via the proxy too.
To do that in Firefox. go to about:config in the location bar and make sure that this is set
network.proxy.socks_remote_dns = true
Hotels want to know EVERYTHING (Score:3, Informative)
Re:OpenVPN (Score:3, Informative)
Re:FreeNX (Score:3, Informative)
It makes the connection dramatically faster and more responsive. Like, as usable as Microsoft's Remote Desktop Connection. X is not very efficient. NX does some other things too but that's the biggie.
OpenVPN uses SSL (Score:5, Informative)
You could always put OpenVPN on a port other than 1194 if you think you might run into port blocking, too.
I work for a competing pay to use service. (Score:3, Informative)
Thankfully it sounds like they are not even trying to lie about what is happening, and are say they are trying to push advertisements to their wireless users so I don't need to explain why they wouldn't be using a proxey.
After a user authenticates at a location there is no need for any of this redirecting per page every time a user tries going to a different site. Any good wireless gateway (and many bad ones) simply track each user using a session assigned to their mac address on the gateway, Nothing needs to be done to track service usage as long as they are active.
The only reason (and I don't know why they haven't been using this as the excuse) is to be able to claim monitoring illegal web usage such as kiddy porn or illegal music downloads. We had a few places claim they needed to be able to track this, but we dropped them instead of willingly tracking users for a b.s. reason.
This is just another case where a company that is charging for a service are trying to make even more money doing secretive and underhanded business practices.