Belkin Routers Route Users to Censorware Ad 805
The Register has a story today about
Belkin routers redirecting their users' network traffic.
To me, this seems like the logical next step after top-level domain name servers piping ads to your browser. Now the routers themselves hijack the traffic they are supposed to, uh, route -- and you'll love where they send you instead. But it's OK because you can opt out. Incidentally, the Crystal Ball Award goes to Seth Finkelstein, who in 2001 quoted John Gilmore's famous aphorism about the internet, and asked "What if censorship is in the router?"
Good qoute (Score:3, Interesting)
Here's the angle I would take... (Score:5, Insightful)
Better yet, get the addresses and post them here.
Re:Here's the angle I would take... (Score:5, Insightful)
Re:Here's the angle I would take... (Score:5, Interesting)
I just ordered a new laptop and I'll need a new Wi-Fi card for it. Guess what brand I'm not going to pick? Unfortunately, between Linksys violating the GPL [slashdot.org] and Belkin hijacking URLs [slashdot.org], D-Link [dlink.com] is about the only remaining choice. Unfortunate not becuase there's anything wrong with D-Link, but because choice is good.
Re:Here's the angle I would take... (Score:5, Insightful)
Re:Here's the angle I would take... (Score:5, Interesting)
Re:Here's the angle I would take... (Score:5, Informative)
there are other wireless routers (Score:4, Funny)
Oh wait..we hate them too.
Re:Here's the angle I would take... (Score:5, Informative)
Re:Here's the angle I would take... (Score:5, Informative)
ericd@belkin.com
You're welcome. :)
Re:Here's the angle I would take... (Score:4, Interesting)
Re:Here's the angle I would take... (Score:5, Funny)
Exactly (Score:4, Insightful)
Boy did they blow this one. If they had stuck to something simple like your very first HTTP transaction brought up a configuration/advert screen only once, then there wouldn't even be a story.
What if I had bought this for an isolated network? Would it hang up for an appreciable amount of time trying to contact belkin.com?
Re:Exactly (Score:5, Informative)
>> to something simple like your very first HTTP
>> transaction brought up a configuration/advert
>> screen only once, then there wouldn't even be
>> a story.
Actually this is pretty much what happens. Here is a snippet from usenet [google.com].
We elected to re-direct one http request to
the "Register Now" reminder page. (There is a link in a previous
posting if you want to see it) This page asks the user to register for
the service for a free 6 month trial. Now, granted this looks like an
ad. It should, it is intended to be informative and easy enough to
understand. At this point, the user can register or click "No Thanks".
Clicking "No Thanks" sets a flag in the Router to stop the Router from
re-directing every 8 hours to the reminder page.
In summary, you have to click 'no thanks' ONCE and you'll never see the thing again unless you do a hard reset of the router.
Re:Exactly (Score:5, Insightful)
--Tom
Re:Exactly (Score:5, Funny)
Customer: "Great! I'd like a cup of the soup please."
[Waiter takes out a hammer, thwaps customer on skull]
Customer: "WTF was that for?"
Waiter: "Sir, I'll stop thwapping you on the head as soon as you TELL me to stop."
Customer: "Why the hell would I have to TELL you to stop?"
[Waiter thwaps customer once more]
Customer: "GOD DAMMIT!"
Waiter: "Just say 'Stop,' sir, and this will all be over..."
No... IN SUMMARY... (Score:5, Insightful)
That is, I (or anybody on the inside of my net, not just an administrator) can click on a link delivered from outside my area of control and that link SETS A FLAG IN MY ROUTER....???!
So now I have my router with its optional firewall support watching the data transport and reconfiguring itself in response.
This is such a bad idea it is unspeakable.
What if the first guy to see the web page and who isn't the rightful administrator, accepts?
How long until a nice buffer-overrun attack lets a malicious server reporgram my router?
How much of the CPU in the router is wasted looking at each HTTP request in search of this flag setting?
Belkin is "stealing" cycles and security from their customers.
Not smart.
Re:Companies like Belkin... (Score:5, Insightful)
You may wonder how this happened: A Story. (Score:5, Funny)
One day, Belkin's router project manager Eric Deming was sitting around thinking, "How can we get $5,000,000 worth of bad publicity for free, and sink the company in an afternoon?"
Then he had an idea: "That's it! We'll abuse the trust of our customers, and get a story on Slashdot!
Re:You may wonder how this happened: A Story. (Score:5, Interesting)
QUOTE
Hi,
I just want to let you know that I'm suspending purchase of several
accessories made by Belkin for my 30G iPod because of your blatant abuse of
customer trust (the router rerouter fiasco). Furthermore, I shall engage in
an active campaign among friends and family to make sure none of them buy your
products for the same reason. Being a geek by profession, a lot of my
non-tech friends take my advice for tech purchases. Since you've been
featured on
similar course of action.
I sincerely hope your bottom line will suffer enough for you to make an
official pledge never to ream your customers again. Or that you go bankrupt
(financially, because morally you obviously already have).
I feel betrayed, having recommended your products (even when priced above
competition) for corporate and personal purchase so many times in the past,
because of build quality I can count on. However, build quality is not
enough; integrity and ethics are just as (if not more) important, especially
at times of Good Enough Syndrome.
Is this (http://slashdot.org/comments.pl?sid=85076&cid=74
happened?
ENDQUOTE
There's a class-action suit brewing, I'll bet (Score:5, Interesting)
I agree that if I'd bought one of those things and it started redirecting my traffic, I'd consider it defective and demand my money back. Belkin's really moronic to think that this won't backfire on them and result in an expensive class-action lawsuit. Maybe they can defuse a lawsuit by offering refunds to anyone who's upset at the feature, but I'm guessing they're too sold on their own flawed logic to understand that what they did is not going to be seen as anything other than making the product do something its owners didn't ask it to do, and that Belkin didn't tell them it would do.
I can smell the class-action attorneys lining up now.
Re:There's a class-action suit brewing, I'll bet (Score:3, Insightful)
Re:Here's the angle I would take... (Score:5, Informative)
Contact:
Melody Chalaban,
Public Relations Manager
Belkin Components
501 W. Walnut Street
Compton, CA 90220
melodych@belkin.com
(310) 604-2347 direct
(310) 898-1107 fax
www.belkin.com
Re:Here's the angle I would take... (Score:3, Informative)
-----
Hello. My name is Michael Pedersen, and I am a systems administrator by profession, technical support for my friends and family, and programmer for my own personal needs.
I am also an ex-Belkin customer. Prior to today, I felt confident in being able to recommend Belkin to anybody who might have a need for any of the products which Belkin sells. In fact, I have bought a fair number of the products myself for my own usage.
However, I have just no
Here's my letter to their PR rep (Score:5, Interesting)
My name is [name deleted], and I work as IT department manager for a medium sized company in [place deleted]. I write to you in light of the recent unveiling that Belkin are knowingly shipping routers that show commercials to the end users by hijacking HTTP connections.
I am not sure if the product manager, Eric Deming, who designed the product to not work as expected did so understanding the full consequences if - or, rather, when - this information would become public. The one reason Belkin's name has been held in high regard at the company I work for is because of dependability. When it turns out that Belkin is actively designing products to not work dependably, but instead display advertising at the user; that reputation of dependability... well... there's not much left of it. And, as you are aware, for every one of Belkin's products, there is a competing product.
It becomes much worse. It also turns out that Belkin has the ability to remotely modify the behavior of these routers. When I showed this fact to our network security people, they went ballistic and drove straight off to the local equipment store, only to come back two hours later with a bunch of boxes. 30 minutes later, there was a heap of discarded equipment in a disorderly pile in one corner of the networking room. The discarded items all carried the name "Belkin". I signed the receipt for the new equipment with a look, a sigh, and a nod.
To top it off, it seems that your Mr. Deming who designed this behavior believes that every outbound hijackable connection originates from somebody sitting at a computer and browsing the web. However, more important are the automated connections. What would happen if the backup for our commercial data, which is transmitted regularly over the Internet, instead was pushed to Belkin, due to this behavior? What would happen if virus or operating system upgrade connections were the ones hijacked? Heart defibrillating equipment has been mentioned - what would happen if the heart defibrillation monitor, trying to trigger the impulse with the charging equipment, is instead redirected to a Belkin advertisement? You know, telesurgery exists and does depend on a reliable Internet infrastructure, consisting of such boxes as yours.
This product has been designed to not work, despite charging good money for it. I lack words to describe how shameful this behavior is.
Additionally, if the Belkin corporate culture is one that allows such a technical atrocity to make it to the shelves for one product, then it is obvious it may happen again, or has already happened, for other products. However, rest assured that this company will never again buy another Belkin product as long as I run the IT department.
[signature]
Re:Here's my letter to their PR rep (Score:4, Insightful)
Re:Here's my letter to their PR rep (Score:4, Informative)
Actually, I can think of a couple of reasons this is still an issue. What if it isn't on the Internet...does the connection just get dropped?
Does this device send out DNS queries to determine where to redirect stuff to?
What happens if you have a test suite for a web-based application and IT just added a Belkin piece-of-junk router? Bam, mysterious failures. You could spend a week trying to figure out what the sporadic errors you're getting are from.
What if you're using SOAP or similar software, and the software you're using doesn't deal well with mysterious crap coming back from the server?
Belkin is a piss-poor company that sells lousy hardware and overpriced cables.
They aren't on my "buy" list anymore, either (and I *have* purchased Belkin products in the past).
It's not the only defective device they make. (Score:3, Interesting)
The first DVI port DOES NOT WORK at resolutions above 1024x768. On any of them.
The LCD goes absolutely fucknuts when connected to it.
It's sad. All of ours are being used 3x1 because of it.
Let's face it, Belkin sucks. Cables are way overpriced. Don't ever buy anything from them.
Re:Here's the angle I would take... (Score:4, Insightful)
Re:Here's the angle I would take... (Score:5, Insightful)
Re:Here's the angle I would take... (Score:5, Insightful)
I think Belkin deserves every bit of abuse on this issue. They knowingly did something annoying to their customers only because they couldn't figure out how to sell this POS censorware service any other way. Screw them.
Re:Here's the angle I would take... (Score:3, Insightful)
Belkin is on my banned list now.
Meanwhile In Court... (Score:5, Interesting)
"That's right."
"And so you are charging the cashier with assault."
"That's right."
"All right. Mr. Defense lawyer, what do you have to say to that?"
"Mr. Stevens: Did you specifically ask my client NOT to punch you in the face?"
"Huh?"
"What did you tell him exactly?"
"Um.. I told him, I would like a number three meal and a Dr. Pepper."
"I see, and that was all?"
"Um, yes."
"Not that you wanted a number three meal, a Dr. Pepper, and to not be punched in the face?"
"Uh.. no, just the #3 and the Dr. Pepper."
"Your honor. How can my client be expected to be held responsible for this when Mr. Stevens was unclear about what he wanted? Had he configured his order correctly, my client would not have punched him in the face. So why is my client the one to blame? What do think Mr. Stevens expected to have happened?"
"Hmm, excellent point. Case dismissed."
Re:Here's the angle I would take... (Score:4, Interesting)
And Belkin can turn it on again just as easily.
From Belkins response:
"I know the manual could do a better job explaining it."
Badly worded by design.
Amazon (eBay?) did the same sort of thing. "We rewrote the privacy policy recently"
(Oh, and in doing so, we reset your privacy settings. You now will get spam from us. To change it, visit blahdeblah.com). They never proactively told anyone, until it was found out and published.
Re:Here's the angle I would take... (Score:3, Informative)
The BBB doesn't handle any kind of litigation or action against a company. They try to facilitate a resolution between an individual and a corporation. For example, when Best Buy (I will never NEVER NEVER buy anything from Best Buy again) tried to screw me out of a $150 rebate on a laptop, I filed a complaint with the BBB to get my money. The best the BBB can do is "blacklist" a company, but that only does anyone any good if they actively seek info on a company with the BBB before doing business with th
Some other ideas... (Score:5, Insightful)
8 hours. These are business models I need to patent...
Re:Some other ideas... (Score:4, Funny)
Re:Some other ideas... (Score:5, Funny)
Come to WA state: it appears that most drivers here are already using them, if their apparent road-sense is anything to go by...
Re:Some other ideas... (Score:5, Funny)
Re:Some other ideas... (Score:5, Funny)
Re:Some other ideas... (Score:4, Funny)
Re:Some other ideas... (Score:5, Interesting)
My TV does change channels automatically to infomercials. I have a TiVo, and one of the "features" is that at the top level menu you'll often see ads that you can choose to watch. The TiVo grabs these late at night when it thinks nobody watches TV... unfortunately if you watch live TV around 1 or 2 in the morning you'll find yourself having to opt-out of a channel change to record "TiVo enhanced content" every ten minutes or so.
(annoying, and I wish there was a way to opt-out of this once and for all, but I'm still a big TiVo fan, and they gotta make money to stay afloat, so I put up with it)
Re:Some other ideas... (Score:3, Informative)
Re:Some other ideas... (Score:5, Informative)
Not my TV, but my cable TV set top box does. Telewest (UK) just upgraded their menu systems. Now, whenever I select the [GameZone] menu option, whichever cable channel I listen to (even the BBC World News radio) is automatically switched over to the FrontRow trailer preview - No negotiation. As soon as I leave the GameZone, the channel is automatically switched back to whatever channel was playing when I started, even if the FrontRow channel is now playing a trailer I want to see.
It's good to see that cable TV system developers really know how to design good user interface.
Re:Some other ideas... (Score:3, Funny)
dreams?
Leela: Of course!
Fry: But how is that possible?
Prof.: It's very simple. The ad gets into your brain, just like this
liquid gets into this egg.
% Farnsworth holds up an egg, and injects a needle (filled with yellow
% fluid) into it. That very second, the egg explodes, pelting everyone
% at the table with egg-yolk.
Prof.: [unphased] Although, in reality it's not liquid, but gamma
radiation.
Fry: That's awful. It's like
Re:Some other ideas... (Score:4, Interesting)
Imagine that that you are about to post a message on your private blog about some hot sex session you had a few nights ago (yeah, unlikely I know). As is the norm, the information will be transmitted in an HTTP POST request. This request is the one that happens to get rerouted to Belkin. Now Belkin knows all about your hot sex escapades.
Where I come from, this is known as wiretapping, eavesdropping, snooping, or something like that. It's highly fucking illegal and whoever at Belkin thought this was a wise idea should be clapped in irons. I'm seriously considering writing a letter to a law enforcement agency about this, I'm just not sure which one to pick!
Usenet thread (Score:5, Informative)
Re:Usenet thread (Score:5, Informative)
Newsgroups: news.admin.net-abuse.email
Subject: Re: [OT-evil marketing] Belkin does Verislime one better - router spam!
Date: 5 Nov 2003 15:25:28 -0800
Organization: http://groups.google.com
Lines: 70
Message-ID:
References:
NNTP-Posting-Host: 67.98.73.254
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Trace: posting.google.com 1068074728 22743 127.0.0.1 (5 Nov 2003 23:25:28 GMT)
X-Complaints-To: groups-abuse@google.com
NNTP-Posting-Date: Wed, 5 Nov 2003 23:25:28 +0000 (UTC)
"JerryMouse" wrote in message news:...
> Mr. Uh Clem wrote:
>
> [...]
>
> What does Belkin say when you complain?
>
> I'd make their life miserable until they removed the offending software from
> my machine.
>
> You did not conset to this aspect of your machine's modification - this is
> nothing less than malicious.
>
> Raise hell.
I was made aware of this posting by an e-mail that was sent to
Belkin's tech support e-mail box. Since I am a product manager for
Belkin's LAN products and was very involved with the development of
the Parental Control feature, I feel that I can shed some light on
this subject. Firstly, without trying to sound too stand-offish, we
are not talking about SPAM here. For me to clarify, an understanding
of the Parental Control service will really be needed.
Since Parental Control is a subscription service, Belkin wanted to
make registering for the service very easy. Since the router actually
will work in tandem with an outside server (Cerberian,
www.cerberian.com) registration information needs to be collected and
sent to Belkin and Cerberian to activate an account. Traditional
methods of registration, such as asking the user to go to a website or
navigate to the Router's internal Web page to enter information didn't
meet the ease-of-use goal. We elected to re-direct one http request to
the "Register Now" reminder page. (There is a link in a previous
posting if you want to see it) This page asks the user to register for
the service for a free 6 month trial. Now, granted this looks like an
ad. It should, it is intended to be informative and easy enough to
understand. At this point, the user can register or click "No Thanks".
Clicking "No Thanks" sets a flag in the Router to stop the Router from
re-directing every 8 hours to the reminder page. (Again remember, only
one http request every 8 hours). Admittedly, there is no controlling
which computer on the LAN this message will pop up on. If the user
just closes the window without clicking "No Thanks", then the flag is
never set, and the reminders will continue. Now, if you are the type
that doesn't want to click the "No Thanks" button, then no problem.
Navigate to the Router's internal web interface (default IP =
192.168.2.1), click on the Parental Control menu. In the Menu, select
"Don't Remind every 8 hours" (This phrase actually varies a bit, but
you get the idea) then click "Apply Changes". DONE. Nothing to it. By
the way, this procedure might have to be done if your router is behind
a firewall. Reason: filter.belkin.com sends a response to the Router
to set the flag. Firewalls will block the response. This might explain
the problem in a school for instance.
We did this not to be evil, we did this to make sure that any
non-techy person (part of our target audience) would have ample
opportunity to opt in or out of the free 6 month trial of the Parental
Control feature. The Router doesn't collect information on you and
send it to Belkin. We don't have the ability to SPAM you at a later
time if you select "No Thanks" or turn off the Reminder manually. I
know this feature might be misunderstood and might PO some people. I
know the manual could do a better job explaining it. These are all
things that we at Belkin are working to remedy.
Re:MOD PARENT UP (Score:5, Funny)
no it won't. this is slashdot.
Re:Usenet thread (Score:3, Informative)
Bullshit. I'm certain no one has ever asked for their router to randomly redirect an http session for a "Parental Controls" feature. What people wanted was the PC feature, not a router that interferes with network traffic.
Now, if it were the default behaviour following the firmware update to redirect *ALL* http sessions until the feature is configured (yes/no/demo), then this would be acceptable. Stealing one connection seamingly at random is broken behavior for
That is insanity (Score:5, Interesting)
But what if every one in 100 times, UPS thinks I might like a corporate logo bumper sticker instead of my book, they throw my book into the eternal void, and give me a UPS bumper sticker instead. I'm supposed to like this?
Bottom line: When I ask a package to get delivered, and for a certain package to be received, I WANT that package, not what they think I want. Whether it's a TCP/IP packet, or a book. I fail to see the difference here.
Bottom line, thanks to Slashdot I'm not buying my routers from Belkin (not that I'm a telecom person, but still I'd be careful if I ever had to).
Re:That is insanity (Score:4, Insightful)
This is their wireless router -- it's made for home use, not for telecomm use.
And don't just not buy routers from Belkin. Don't buy anything. No routers, no cables, no USB hubs, no keyboards, nothing. Belkin makes a great deal of stuff -- boycot all of it. There's not a single product they make that they don't have competition for.
And let them know about it too. Email them (look here [belkin.com] for the appropriate regional sales address) and tell them that you will no longer purchase their products until they apologize for doing this, put out a patch to fix it, and promise to never do anything along these lines again. Yes, I've already sent my email.
I've got a decent number of Belkin products... they're decently made, and often available for a good price. But there's no way I'll purchase anything from them at this point if I can't actually rely on the product to do it's intended purpose. And that's what this boils down to -- you have a router that doesn't route properly.
Re:That is insanity (Score:5, Insightful)
Since the router doesn't descriminate over whith HTTP request it overrides, what happens if it intersects a privacy-sensative transaction?
For example, if someone goes to pay thier bills online, enter thier biling info, click "submit"... then suddenly get an ad... what ramifications might that have?
That's a little more worrysome than getting an ad instead of some random page I might be trying to visit...
=Smidge=
great quote (Score:5, Interesting)
Also in the news: the American council for airbags has been hitting people randomly in the streets to make it easier to appreciate their products. Thanks!
Seriously, though, I don't 'get' how a company could think this would endear themselves to their customers. If Cisco pulled this shit on its customers and made all their routers randomly direct to their brand-new VPN product I think it'd make people stop using Cisco FAST
use a real router (Score:4, Informative)
Redirect hardcoded? (Score:5, Interesting)
Re:Redirect hardcoded? (Score:5, Insightful)
Re:Redirect hardcoded? (Score:4, Interesting)
1.) Send a spam mailing which loads a java applet when opened.
2.) The java applet exploits the ByteVerify hole in an older version of M$ Java VM to drop a bad HOSTS file on the now-infected machine.
3.) Belkin router hijacks an HTTP request to their site, but the HOSTS file redirects that hijack to the second hijacker's site.
4.) The new hijacker's site can either be a pay-per-click search portal, or it can host more trojans to exploit a machine already proven to be out of date on its security patches.
This is not an extreme example at all and could be done very easily. I see this shit every day at my site's support forums.
When Verisign hijacked all mis-typed domain name queries, we started seeing a large number of trojans dropping bad HOSTS files that redirected sitfinder.verisign.com to their own sites.
Not in my house (Score:3, Interesting)
From the article:
"In response criticism, a Belkin product manager came forward this week to confirm the behaviour was designed into the products as a way to make it easier for consumers to sign up to a free trial of its parental control software."
Soooo.. it's spam, then. What a way of putting it mildly.
Should read:
"In response criticism, a Belkin lackey admitted a confirmation this week that the router will hijack an HTML request in order to advertise their product, for your convenience!"
Oh, this is bad (Score:3, Funny)
Everyone at Belkin should be ashamed of themselves. How could an engineer do this? He should be flogged with a cat-o-nine tails of twisted pair wire... this is evil, evil, evil.
Oh, and to the Belkin Marketing Department: Kill yourselves. Suck a tailpipe, hang yourself, borrow a gun... rid the world of your evil machinations. [ Just planting seeds [billhicks.com] ]
Re:Oh, this is bad (Score:3, Insightful)
I'd return it as defective, which it is (in this case by design).
I request that it route packets to and from a given IP address, and instead it routes them to/from another. That meets my definition of a defective router.
Wasn't this mentioned awhile ago? (Score:3, Insightful)
The next step, of course, is for a hacker to hijack this "feature" and dump all of a routing companys customers to child porn, warez sites, or nigerian scams galore.
Then there is the temptation of the companies themselves, "You can turn this feature off only by submitting a valid e-mail address." Then they sell off these addresses to spammers worldwide for a profit.
This kind of stuff is worse than big brother. At least in 1984 they didn't force commercials down your throat.
Coming soon to a Belkin product near you! (Score:5, Funny)
USB mass-storage devices that randomly delete files and replace them with
PC Speakers that say "Shop at Belkin!" every couple of minutes.
etc...
Thank you Belkin. (Score:5, Funny)
It's comforting to to know that Belkin has recognized my problem, and has stepped forward in an effort to solve it. They make it so much easier by saying...
"If It's Belkin, You Don't Want It!"(tm)
Thank you Belkin. With your new forward-thinking "Don't Buy Our Stuff" policy, I will be sure to stay on the lookout for other products that you offer, so that they can assist me in making difficult purchasing choices even easier.
This is typical. (Score:4, Interesting)
I just wish Belkin would offer firmwares/hardware *without* the "feature". Any hijacking of routed packets is wrong. Sort of like saying
Let me imagine this... (Score:4, Funny)
_Might_ PO some people????? (Score:3, Funny)
Oh please.
[grabs crotch] Remedy this!
Re:_Might_ PO some people????? (Score:5, Funny)
Snip.
This Breaks web sites... (Score:4, Insightful)
just my $2/100
In related news... (Score:5, Funny)
During the operation, the heart monitor seemed to have contracted a strange glitch; every 100th heartbeat a message about "Herbal Penis Enlargements" would pop up, blocking the stats"
Belkin belongs on fuckedcompany.
Belkin can modify your router settings? (Score:5, Insightful)
[quote]
By the way, this procedure (disabling the nagware in the router web-config) might have to be done if your router is behind a firewall. Reason: filter.belkin.com sends a response to the Router to set the flag. [/quote]
So Belkin deliberately left a configuration on the router to be modifiable by someone without proper authorization (the owner of the router or the network admin)? Absolute genius. Destroy your company's reputation 100% in one easy step: the backdoor(s) will piss of the geeks, and the nagware-advertising will piss off Joe Sixpack.
I suggest a new verb: (Score:5, Interesting)
It's a decent start at a definition. One could say "I installed this topdesk thing which totally belkined my browser". Let's make their name synonymous with bad behavior.
The ISP I used to work at did this (Score:3, Interesting)
I was pretty unhappy with this, but was unable to convince my bosses that this was evil or risky. The company had apparently convinced them that they had checked it out with their laywers, and because they weren't changing the site's HTML -- they were putting outside Google's final </html> -- they were safe. (Never got an answer about substituting ads.).
I don't work there anymore, but last I heard it's still going on, and there's a few ISPs, at least in Vancouver, that are doing this. Scary.
I'm a Belkin Wireless router owner (Score:3, Interesting)
The device was replaced with another brand that works fine. Off line and collecting dust, I've never had a problem with it hijacking my HTML and inserting ads. Now I have another reason to not buy a Belkin product again, but I hardly needed one.
This could suck for automated HTTP (Score:5, Insightful)
It's annoying enough to know that when you're sitting at a computer using a browser to surf the Web, a couple requests a day will get hijacked to the spam site.
But what about automated HTTP requests? You might be running some script to wget the latest greatest kernel source and instead it downloads a piece of spam. The hijacked HTTP request might come in the middle of a Gentoo build, or as you mirror a Web site and have a page replaced with an advertisement. You could be tunneling some other protocol over HTTP, and then who knows what this would do.
Very stupid and annoying of Belkin. If they wanted to make their parental control thing so easy to use, just include a CD that says "Put this CD into any computer on your network to enable parental control on your new Belkin router!" Newbies can figure that out. I don't want my own router launching some kind of spoofing attack on me three times a day just so I can view more spam.
Ease of use? (Score:3, Insightful)
Then their letter goes on to explain how to disable the feature in the router (so you don't have to wait to be randomly redirected to the ad), and the instructions are quite vague: navigate to 192.168.2.1, find the setting which says something like (they don't give exact wording or where to find it, just vague directions), and turn it off. Where's the "ease of use" in that? Are they suggesting that this should only be turned off by advanced users and that naive users should simply sign up for their services?
Why can't they just admit that they wanted to prominently promote their subscription-based service? It's not like it isn't obvious what they're up to or anything.
Belkin support (Score:5, Funny)
"My router every once in a while replaces my URL with one for Belkin parental controls."
"That's correct."
"But I just spent half an hour filling out the web form, and it doesn't cache, so I have to do it all again."
"You can turn off parental controls by clicking on 'No thanks!'"
"So this is intentional?"
"Yes sir, it's a service to you, provided at no extra cost. It also comes with a free 6 month trial."
"But a router is supposed to ROUTE."
"It can do that, if you change the configuration."
"So, it comes intentionally misconfigured to fail once every eight hours?"
"It's not failing, it's offering a service."
"So it's spamming me."
"It's not spam."
"Why not?"
"Because we're offering you a service you might not know about."
"So it's intentionally misconfigured to send me spam on something I didn't request any information for, dropping my URL and information in the process?"
"Well, yes."
"You should really just kill yourself."
"You're right. Goodbye."
*BANG*
"Dang, should of told him to kill the marketting department first. Well, I can always call back..."
=Blue(23)
I called 'em up months ago... (Score:3, Informative)
Glad to see someone else is pissed off about this. I turned it off in my router, got mad for an hour or so, and went on using my router.
Coincidentally, Belkin routers can't work with arbitrary MTU's over PPPoE, in case anyone needs further reasons not to buy them. I won't be buying another, even though mine works okay, sort of (I'm the netadmin for my ISP, so I can futz with things to make it work despite itself).
Jouster
Solution to all these problems (Score:5, Insightful)
Interesting! (Score:3, Insightful)
1. Client initiates a connection to www.my-private-site.org on HTTP port.
2. Client is silently redirected to Belkin's site.
3. Unknowing client sends the HTTP request, a POST request which contains some sensitive information.
4. Belkin has now hijacked a connection and received sensitive information that was not intended to go to Belkin.
Logically the thing to do is prosecute Belkin under federal wiretapping and computer crime laws.
Two words: software updates (Score:3, Funny)
Did they even consider the potential liability issues when they came up with this scheme, or did they just say, "hey, let's roll with it"?
We're all part of the public, aren't we? (Score:4, Informative)
Contact:
Melody Chalaban,
Public Relations Manager
Belkin Components
501 W. Walnut Street
Compton, CA 90220
melodych@belkin.com
(310) 604-2347 direct
(310) 898-1107 fax
www.belkin.com
(this is (unless you get redirected by your router) publicly available information at www.belkin.com)
Another exploit using this "feature" (Score:4, Interesting)
Belkin hasn't just abused customers' trust and falsely advertised this piece of trash as a router, they have also opened up security holes for no other reason than advertising censorware. This behavior isn't just wrong, it's despicable.
New reply from Eric Deming (Score:5, Informative)
From: Eric Deming [mailto:EricD@belkin.com]
Sent: Friday, November 07, 2003 10:05 PM
Subject: RE: defective router
Please be advised, we are working on this issue. Here is text from our latest posting to NANAE on google. It just went up, so it may not show up for a while.
All,
We at Belkin apologize for the recent trouble our customers have experienced with the wireless router/browser redirect issue. We unintentionally overlooked the effect this feature would have. We never intended to compromise the trust of our customers, and we never intend to do so in the future.
We are taking responsibility for this, and we will be offering firmware fixes early next week. We do not have exact details yet as we are still working on them, and will continue to work on them over the weekend. What we can tell you now is that each Router's firmware that incorporates Parental Control as an option will be changed.
I'll keep posting as things develop. Stay tuned...
Re:IT'S ON THEIR WEB PAGE, TOO! (Score:4, Interesting)
If a company makes a mistake, or even a major blunder, but owns up to it and fixes it, that tells me they really DO care about their customers. This is a far cry from a company that tries to excuse their behaviour and wants US to live with the consequences.
So while I won't buy this *particular* Belkin product, their behaviour is NOT deserving of an across-the-board boycott.
What people also forget in their rush to find "some other product, ANY other product" is that other companies may have implemented naughties that you don't yet KNOW about. So in your haste to punish the erring company, you may well be jumping out of the frying pan and into the fire.
Sometimes I think people who go off the deep end like this should be cast into the outer darkness the first time *they* majorly fuck up. That'd teach 'em a little restraint.
Belkin responds -- and digs a deeper hole (Score:4, Interesting)
The letter makes it clear that Belkin still doesn't get it. The letter isn't an apology, it's an explanation, an excuse for Belkin's reprehensible conduct, and it's full of spin - that's the polite way of saying misinformation, which is the polite way of saying lies.
The letter begins by claiming that "a group of privacy advocates have targeted Belkin Routers". That's not the case at all - a single user posted [google.com] an explanation of Belkin's router's hijacking, and asked if anyone knew any more about it, in the usenet group news.admin.net-abuse.email. No group was involved, and there was no targeting.
The letter continues with a claim that "[t]he Parental Control registration page is not spam, adware or spyware. It is part of the setup process of the router. It does not "hi-jack" the browser." It is, apparently, part of the set-up process, but that's spam in and of itself: the user hasn't purchased Belkin's "Parental Control", but in the process of installing what he has purchased, the user is forced to sit through an advertisement for another Belkin product, whether or not the user has requested this advertisement. That's the essence of spam.
(And yes, I know that businesses like to claim that unsolicited advertisements are not spam if there is a "pre-existing" relationship with the customer, but that's bunk. Buying a product does not involve an implicit agreement to surrender my time to the manufacturer.)
Even if you're willing to by the argument that installing a product should be made more complicated and time-consuming by subjecting you to advertising, the reason that Belkin's received so much unfavorable publicity is not a one-time ad at install. The problem is the ads repeat indefinitely, every eight hours, until you, the user - Belkin's valued customer - takes some action to make them stop. And this is the same as he sneering spammer who sends you unsolicited email with a "click here to opt out" link. Not only does it steal your time, it steals more of your time before you can make it go away.
The letter goes on to state that "nor does Belkin have the ability to advertise to our customers using our routers as a conduit."
Wait a second, lady. This whole brouhaha started because Belkin continues to use its routers as a conduit to deliver customers to its ad for "Parental Control" every eight hours. If your routers didn't have that ability, we wouldn't all be telling you why we're not going to buy Belkin products anymore. This is a blatant lie, and an insult to the intelligence of anyone reading it. The page the router delivers users to is an ad. It's a solicitation to do additional business with Belkin.
The letter also claims that "[i]f a customer clicks "No Thanks" on the first prompt, the for Parental Control signup will no longer appear." Not entirely true. Belkin Manager Eric Deming admitted in a usenet post (since cowardly cancelled, but mirrored here [stevesobol.com]) that clicking "No Thanks" won't work for users behind firewalls. It also appears that the "No Thanks" gets reset if the router is reset, and anecdotal evidence suggests that the (low) quality of Belkin's routers makes resetting rather more usual than it should be - possibly as often as every 20 minutes [cnet.com].
The letter ends on a surreal note, "[the Belkin advertisement web page] is not a browser pop-up, this means that the Parental Control web page will only be displayed if the user opens the browser". Huh? It's not a br
Re:I could see this coming (Score:5, Insightful)
Bullshit. Slashdot is bombarding me with ads because I'm a cheap bastard and refuse to pay them for the content they provide me. Belkin's got the money I gave them for their router, they don't need to be sending me ads I don't want to see to make more money.
I couldn't disagree with you more... (Score:5, Insightful)
Unlike popups, etc., this is redirecting randomly selected packets going to port 80 (and probably the HTTPS port as well...) to thier server. Take a wild guess how many different things that just broke (SOAP, XML RPC, etc.). Like someone said, I hope nothing mission critical for you is on the inside of this stupid router- because it's BROKEN by design (And "configuring" the Router doesn't include turning frigging adverts off, either...).
It's got to be one of the stupidest things I've heard of in a long time done for the sake of marketing.
Re:so.. (Score:5, Insightful)
First, the original poster on Google said that he got it, unannounced, as part of a router firmware upgrade. No warning or explanation.
Second, Belkin sells a product that is supposed to route Internet traffic, including HTTP. At certain, random points, it does not do that. Instead it sends out an advertisement to a user who has made a valid HTTP request. If Sony started selling a CD player that played a commercial for Coke once every 8 hours, would that be "no big deal"?
I'm not spending another cent on Belkin gear until they reverse the upgrade and pledge not to do it again. Otherwise, simple gear like routers will become spam engines.
Re:so.. (Score:5, Insightful)
Yes. Because routers route, period. And when they route, they're supposed to route correctly. Opt-out is bullshit, because it's saying "our product ships broken, until you unbreak it."
Re:so.. (Score:3, Informative)
This is not adequate for two reasons.
First, many users will never discover it. For these users, the censorship [jerf.org] is involuntary and permenent.
Second, Free speech [jerf.org] is a right, not something any entity can predicate on an action at their whim.
The opposite might be acceptable, if the users could deliberately request this "feature". The fact no sane person would activate this "feature" also sp
Re:so.. (Score:5, Insightful)
Re:so.. (Score:4, Informative)
I was incensed enough about this that I read all the usenet posts in NANAE about it.
In the post by the Belkin employee he notes that clicking the opt out link won't wotk if you're behind a firewall, because the response won't get through your firewall and back to the router. To turn this off, you'll have to go to the local http page hosted by the router, and opt out there. (And I'm not sure even that would work for me; my firewall is set to block localhost (127.0.0.1) to localhsot connections too, unless I've explcitly allowed them for specific applications.)
Also, the Belkin employee proudly states that the hijacking occurs once every eight hours, so if you're only seeing it every two weeks, it may mean that applications other than your browser that make requests to port 80 (http downloaders such as emusic's, rss readers, various applications auto-updating or calling wget, perl scripts, python scripts -- all of these things on my system might make http requests) may be failing silently.
If you see one hijack in your browser every two weeks, that means there are 41 (3 * 14 - 1) http requests in those two weeks being hijacked that are not browser traffic. Given that silent failure, who knows what's been lost, corrupted, or delayed on your computers.
Naturally, I'll never purchase a Belkin product again, unless Belkin certifies that whoever thought this up, and whoever approved it, have been fired.
Selling me a product, claiming it does something, and then making it intentionally fail, in order to sell me another product? Then you'll never sell me anything again.
Re:What the...? (Score:3, Interesting)
Re:In case Belkin, Linksys, D-Link et al is listen (Score:3, Funny)
Re:In case Belkin, Linksys, D-Link et al is listen (Score:3, Insightful)
Also, I think Belkin, D-Link, et.al. might well listen. The home wireless router market is a cutthroat, commodity place. To me, they're all basically the same box. Why would I buy from a company that routes me to spam, when there are 5 others that don't on the same shelf for the same price?
Re: (Score:3, Funny)
Re:One word: Cisco (Score:3, Funny)
Re:Hijacking my HTTP requests? (Score:3, Insightful)
By doing it at all, they've established they have no sense:
Re:A programmer is to blame... (Score:5, Insightful)
Let me explain what might have happened at Belkin:
Middle Manager: "Hey, Geek-boy. Marketing have come up with a new feature they want in the wireless router."
SWEng: [reading Powerpoint slides] "An ad every eight hours? That's not what a router is for!"
Middle Manager: "I admit it's unusual, but Marketing really wants this, and legal says there's nothing in the law that prevents us from doing this."
SWEng: "You can't be serious. It's an affront to civilized behavior! It's a very bad idea."
Middle Manager: "Do it or you're fired."
At this point, the room becomes very quiet. The engineer thinks very carefully about this ultimatum. The economy is in a shambles, especially the tech sector. There is no shortage of people who would take his job in an instant. And he has a new wife with a child on the way.
Assuming the above scenario, and assuming the engineer capitulated, he has perhaps unwittingly caused the loss of his own job, anyway, once the full force of market backlash hits Belkin's revenue.
I agree that techs should stand up for what they see as ethical behavior, and refuse to perform work that violates it. But not all of them have the same degree of flexibility in enforcing their sense of ethics.
Schwab