Covert BT Phorm Trial Report Leaked
stavros-59 writes "An internal BT report on the BT secret trials of Phorm (aka 121Media) Deep Packet Inspection has been revealed on Wikileaks today. The leaked document shows that during the covert trial a possible 18 million page requests were intercepted and injected with JavaScript and about 128 thousand charity ads were substituted with the Phorm Ad Network advertisements purchased by advertisers specifically for the covert trial period. Several ISPs are known to be using, or planning to use, DPI as a means of serving advertising directly through Layer 7 interception at ISP level in the USA and Europe.
NebuAd claim they are using DPI to enable their advertising to reach 10% of USA internet users." CT: nodpi has updated their page with a note that says that the charity ads were "purchased and not hijacked"- read there to see what the latest is.
Ouch (Score:4, Interesting)
Re:Ouch (Score:5, Informative)
Re:Ouch (Score:5, Insightful)
If it doesn't exist then it's generated by this, since all it does is randomly create addresses. It'd be better if it just loaded random websites. Of course, that'd eat up a lot more of the user's bandwidth though.
Re:Ouch (Score:5, Informative)
Two FF extensions generate fake queries on search engines to pollute the collected data (at search engine level, but it also pollutes ISP data). SquiggleSR [mozilla.org] and TrackMeNot [mozilla.org]. Notice that the former also clicks on non-sponsored results and may deceive cookie tracking.
Re: (Score:3, Insightful)
That's a big leak and a big privacy breach, but can this realistically lead to legal action against BT?
Whether it does or not, someone has already taken the initiative to set up a page to generate fake web pages (or real ones) to pollute the data they collect. So if you can't get them out legally, you can make the data they collect useless, which hits them in the pocketbook and might be more effective than legal countermeasures.
You're not being cynical/paranoid enough. You assume the motivation is strictly economic, while it actually might be a cover for plain ol' surveillance. "Extra data" isn't as damaging in this scenario, where they are monitoring you for specific behavior.
Re:Ouch (Score:5, Interesting)
to make it even worse, my current provider not only injects ads while I browse, they also supply the advertiser with a unique ID, which I can't easily turn off. since the image is inserted on the server i also assume the phone is sending referer headers, so the advertiser can collect your browsing history (and, that being a phone, your URL session cookies too) for good measure.
when i complained, i was told to go away, because there was no such thing as "personal" information being disclosed to the advertiser. to me such arrogance calls for more encryption as a kind hint to the ISPs to go and do the job i'm paying em for.
unless, of course, that option is also defeated by the copyright cretins and the gubbermint, working hard together to prevent child pr0n and terrorists.
in which case, thicker tinfoil will also be necessary.
Re: (Score:2)
Re: (Score:2, Informative)
IPv6 is supposed to have IPSec as a required element. I don't know how much this means; whether it'll actually be *used*, and resist MITM attacks.
Re: (Score:3, Insightful)
At least when certificates are properly checked it shouldn't be possible.
Re: (Score:3, Insightful)
Re:Ouch (Score:5, Insightful)
Re:Ouch (Score:5, Insightful)
Legal action strong enough to totally stop them is unlikely, as the power seekers who run a lot of countries unfortunately seem to be rushing towards building their own Big Brother, so as they make the rules, they choose what's considered legal. So they simply need to change the laws, which is what they keep doing. It seems nearly every week now we are getting ever more stories of new grabs for information and/or power over people. At this rate, 2008 should go down in history as the start of a Worldwide Big Brother.
It's ironic that our so-called free countries appear to be building Big Brother as fast, if not faster than other countries. Maybe we just have better technology. It's also ironic that the war on terrorists is a war against people who wish to force others into their point of view. Yet now the people already in power are seeking to clamp down and hold control over everyone. It's like all of us who don't seek power are caught up in a power struggle between the different groups of power seekers who do seek to impose their views on everyone.
I guess the ones in power in some way fear some loss of power, as it can't be just about protecting us. It's got to be about seeking more power, which is what they do throughout their political lives and all of us who don't seek power are not going to be heard by them. Especially as most people don't seem to even see how much harm can be done with so much power and no way to tell them they are behaving unfairly. They are becoming like a machine which is losing its feedback mechanism and so running towards ever more extremes.
Re:Ouch (Score:5, Insightful)
It never flew, because the people I was dealing with weren't complete cunts.
From the document: The advertisements were used to replaced [sic] a 'default' charity advertisement (one of Oxfam, Make Trade Fair or SOS Children's Villages) when a suitable contextual or behavioural match could be made by the PageSense system.
So not only are the bastards hijacking our traffic, they are overwriting paid-for charity ads as well.
I repeat, CUNTS!
Re:Ouch (Score:5, Insightful)
Given the outrage following the several Audiocall staff kept 100K of children in need cash for itself [thisislondon.co.uk], I hope BT get the same treatment.
Re: (Score:3, Insightful)
121Media, who ran the trial, placed charity ads (at its own expense) on a number of websites, and then intercepted them and replaced them with commercial or other charity adverts on the fly. Thus they were replacing their own adverts
Thus there is no question of damage to charities, quite the contrary; nor to websites advertising revenues.
There is, though, the privacy is
Re:And created a copyright violation (Score:4, Insightful)
Re:And created a copyright violation (Score:5, Informative)
Phorm in the UK [digitalspy.co.uk]
One business user was updating the website for his home business. He used his home network connection to inspect the appearance of his website. To his surprise, he could not understand why the format of his website was consistently different from what he had intended. Disturbed by this, he reinstalled the OS on all his servers in fear of being rootkitted, rechecked all his security settings, reconfigured his firewall, and performed a packet trace on every connection made. In the end he noticed that various links on his webpages were being changed and that in particular some were coming from dns.sysip.net. Basically, this system redirected any links to adverts back to Phorm servers.
Customer who was Phormed [adslguide.org.uk]
Re: (Score:3, Interesting)
Re:Ouch (Score:5, Insightful)
Something tells me that if I did the same thing with a billboard - charging customers for me to go out and paste their adverts over the top of paid for adverts at night - Clear Channel would quite quickly be attempting to sue me.
Re: (Score:3, Funny)
Advertisement Injection (Score:5, Insightful)
Isn't that sort of like someone from the electrical company who breaks into your house to turn the lights on while you're gone?
I won't even mention the privacy issues, cause those aren't "in" nowadays, nor are they likely to be a sufficient cause to nip this practice in the bud. Cheating people out of money, on the other hand, is always a great way to apply the US tort law to the cause.
Re:Advertisement Injection (Score:5, Interesting)
Past that, maybe we can start seeing more "regular" traffic served over https -- DPI or not, it looks like garbage unless you can break the encryption. If someone comes up with a way to do that, there are a lot more serious problems to worry about than ad injection.
Re:Advertisement Injection (Score:5, Insightful)
Re:Advertisement Injection (Score:4, Insightful)
It's 2008, why aren't most websites just using https by default? A low-volume site can handle the load with today's superfast CPUs, and high-volume sites can afford to buy one of those crypto engine thingies.
Re: (Score:2)
Because you have to go to a third party and pay them money. That would be the problem. We don't (AFAIK) have a free signer with a widely distributed public certificate at present.
AFAIK, anyway.
Re:Advertisement Injection (Score:4, Insightful)
Re:Advertisement Injection (Score:4, Interesting)
A sort of "You probably shouldn't trust me that much, but at least nobody's eavesdropping or screwing with the datastream" setting.
Re: (Score:3, Informative)
Re: (Score:3, Interesting)
Perhaps a way to take most of the load off the server would be to have a trusted certificate but use an RSA_NULL_SHA1 ciphersuite where secrecy isn't important but authentication and integrity are.
Re: (Score:2)
You need to spend CPU cycles encrypting each page for each browser rather than just firing the same data in response to multiple requests, often from a cache.
To make matters worse, browsers for good reason won't cache data received over SSL, so each page view sees much more data having to be served.
Re: (Score:2)
But maybe it's a direction we should be heading in when it looks like we are going to have ever-increasing difficulty in trusting that what we're receiving is what the originator actually sent.
Maybe sometime the backbones decide they want a piece of the action, hell, maybe some government decide that company X isn't using any of the infrastructure
Re:Advertisement Injection (Score:4, Interesting)
There's still a cpu overhead, but at least we don't lose all the other methods needed to keep http traffic flowing quickly.
Re:Advertisement Injection (Score:5, Informative)
Let's say you're sending index.html. Take a hash of the page, put the hash early on the page.
In the bottom of the page, insert javascript code that removes the hash value, hashes the page, and compares it to the removed hash. If they mismatch, do an alert("warning: the page has been tampered with since it left Foocorp.com's servers."). The hash function doesn't have to be overly secure; here is actually a good time to write your own bad crypto.
The ISP would then have a hard time modifying the page, because they would have to generate the hash value of the modified page before seeing the page they want to modify only slightly.
They could, of course, buffer the whole page (if the server sends it out, or it could spoof your ACKs) and run the javascript on their modified version to compute the hash function. But how are they to know which functions to call? Include an infinite loop and some exploits that you never call yourself if you want to be really disruptive.
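The in-page hash check described in the comment above, together with the objection raised elsewhere in this thread that an intermediary could re-compute and re-insert the checksum, as an added example that is not part of the original thread. The `page-hash` meta tag, the FNV-1a hash, the sample page and all function names are assumptions chosen for illustration.

```javascript
// Added example, not from the thread. Plain JavaScript, no imports.

// FNV-1a (32-bit) over UTF-16 code units: a deliberately simple,
// non-cryptographic hash, since the comment says it need not be strong.
function fnv1a(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// Hypothetical slot near the top of the page that carries the hash.
const MARKER = /<meta name="page-hash" content="([0-9a-f]*)">/;

// "Removes the hash value": blank the slot so the hash covers everything else.
function stripHash(html) {
  return html.replace(MARKER, '<meta name="page-hash" content="">');
}

// Server side: hash the page with an empty slot, then write the hash into it.
function stamp(html) {
  const digest = fnv1a(stripHash(html));
  return html.replace(MARKER, `<meta name="page-hash" content="${digest}">`);
}

// What the script at the bottom of the page would do before alerting.
function verify(html) {
  const m = html.match(MARKER);
  if (!m) return false;
  return m[1] === fnv1a(stripHash(html));
}

// Constructed sample page (not real site content).
const PAGE = [
  "<html><head>",
  '<meta name="page-hash" content="">',
  "<title>Foocorp</title></head>",
  '<body><p>Welcome.</p><img src="/ads/charity.png"></body></html>',
].join("\n");

// Stand-in for an in-path rewrite: one extra tag added before </body>.
function addTag(html) {
  return html.replace(
    "</body>",
    '<script src="//tracker.invalid/t.js"></script></body>'
  );
}

function demo() {
  const served = stamp(PAGE);
  const modified = addTag(served);
  // A rewriter that buffers the whole page can run the same public
  // algorithm and refresh the slot, so the check passes again.
  const restamped = stamp(modified);
  return {
    untouched: verify(served),
    modified: verify(modified),
    modifiedAndRestamped: verify(restamped),
  };
}

console.log(demo());
```

In a browser the script would hash the parsed DOM rather than the bytes the server sent, so both ends would have to normalize serialization before comparing. The HTTPS approach other commenters suggest does not depend on the page checking itself.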
Re: (Score:2)
I believe you're right, for normal values of "widely distributed", but I am aware of a promising candidate. Cacert.org provides free authority certificates, and their root certificates are bundled with Debian, and some other Linux distros. If the Firefox guys got on board, this could work.
Re: (Score:3, Funny)
I've heard that BT is willing to do that for free...
Re: (Score:2)
Re: (Score:2)
Which is why FF3 makes it so much more difficult to accept an invalid certificate.
Re: (Score:2)
Certificates cost money. In order to have an encrypted site that does not pop up a warning about unauthenticated certificates, you have to buy a certificate rather than generate your own. As an example (warning: shameless plug) visit https://pagewash.com/ [pagewash.com] (in Firefox 3.0 it not only gives a warning, but actually shows an "error" page).
If you do not buy one, many people will view your "safer" site as unsafe and simply not visit it.
Re: (Score:2, Insightful)
Re:Advertisement Injection (Score:4, Insightful)
No, you will see more lawsuits.
Advertisers paid for their ads to be served. Phorm is theft.
Re: (Score:3, Interesting)
Glad I have a small ISP that likely won't do this, but I wonder if this means that random routers across the internet can use this to inject code into web pages.
Misrepresentation (Score:5, Interesting)
The ISP is then responsible for using my image to endorse their product to my readership, without my permission. Do I have recourse against them for perpetrating such a fraud? IANAL, etc.
Loss of Common Carrier Exemption? (Score:3, Interesting)
Consider that the data is being edited on-the-fly based on its content -- i.e., whether or not it's a banner ad. I think a good case could be made that this violates the conditions for a common carrier.
Question is, does this have any legally useful consequences in trying to prevent ISPs from doing it?
Re:Loss of Common Carrier Exemption? (Score:5, Informative)
This means that whatever safeguards you associate with common carriers, are not enforceable wrt ISPs. A lot of the big ISPs are very happy with the current situation, since they basically get the benefits of common carriers, without the drawbacks (such as not being allowed to throttle certain users).
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
Is that legal? (Score:5, Insightful)
It's like a cable company changing the channel ads with their own. I doubt any channel would sit and bear it, especially since their customers (i.e. ad buyers) won't accept that.
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
The -eventual- outcome would be every ISP that can afford to do it will create something vaguely like television only with some extra free info out there where they can't sell adverts.
In the time that it takes for the case to make its way through court, they could make plenty of progress toward this end without consequences
Re: (Score:2)
I would wonder what this would do for "common carrier" status held by these ISPs?
It's like a cable company changing the channel ads with their own
Seen it. In a very small city I used to live in, Time Warner injected their own ads over other ads on the cable network. You could always tell it was an injected ad because it was local and it was off by a fraction of a second, so you saw the beginning or end of an alternate commercial.
Re: (Score:2)
Re: (Score:2)
They already do.
Re: (Score:3, Interesting)
Re: (Score:3, Insightful)
Take
Re: (Score:2)
Without going into it again, I posted a prospected stance that the ISP would take once challenged on this here [slashdot.org].
Before people start flaming me to death, please note I am not taking the stance that I think this is great and awesome, just being honest with myself about the shit that is going to get thrown back at me when I take action.
Re: (Score:3, Insightful)
So I could take a song, add "Buy Coke" in the middle, and release that? No, especially not for commercial gain.
Some derivative works are protected by fair use, but they generally have to be mostly newly created content, and can't just be the website with a little bit changed, per Wikipedia [wikipedia.org].
Re: (Score:3, Informative)
No, they most certainly are not. Certain derivative works are protected under fair use, but they must fall into one of a few narrow categories such as parody or commentary (they vary from country to country). There is no blanket derivative work fair use protection.
For the uninitiated (Score:4, Informative)
I hate it when people use too many arbitrary abbreviations. Let's start actually typing out names to set a context, then let people abbreviate in comments...
Re: (Score:3, Informative)
Over here in the UK, nobody needs to expand BT. Everyone knows what it means. (I assume you are not from the UK).
I'm sure stavros-59 just used it out of habit.
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
No, it doesn't (anymore). The whole brand and company is "BT". They dropped the British bit (I forget when) when trying to become a global brand.
The full name of the company is "BT Group", but typically when naming companies you don't include the "group" or "plc / ltd. / llc" bits.
The website is also www.bt.com - check out the page, no mention of "British" whatsoever.
If you wanted to identify the company better, for folks that don't know it, you could say "BT - a major
Um, Replacing Charity Ads? (Score:5, Insightful)
Re:Um, Replacing Charity Ads? (Score:5, Interesting)
Great way to influence public opinion against them and convince even usually non-caring people that something evil was going on.
Now if only major news picked this up and made a big deal out of it...
Mod Parent Up! (Score:3, Insightful)
I noticed that quote too. It is completely despicable that they would remove charity advertisements. Actually, I think the entire system boils down to theft and unlawful interception of traffic.
What if the phone company inserted commercial ads when you were talking to someone on the phone?
Re:Mod Parent Up! (Score:5, Funny)
"Oh yeah, what did you get"
"A Sony Pzzzzzzzzzzzzzz^^^^^T Nintendo DS proudly sponsors this phonecall! Your pal loves Nintendo DS! bzzzzzt *click* so yeah you should totally get one so we can play against each other dude!"
Re:Mod Parent Up! (Score:4, Funny)
That's nothing. What if they intercepted and changed what was said:
You say: Hey Jim, How are ya?
He hears: Hey Jim, I wish I was eating a tasty Mars bar.
He says: Ok.
You hear: Ok.
You say: Wanna go see a movie?
He hears: Wanna go see Superbad, and get some popcorn?
He says: Uh... sure.
You hear: Uh... sure.
You say: Cool see ya.
He hears: Cool. Can you pick me up some Laramie cigarettes. They take me to flavor country!
He says: Uh... say what?
You hear: Uh... you too.
Re: (Score:2)
It's a big win for BT, and probably Comcast here in the U.S because there are so many legal issues that none of the harmed companies can afford to litigate it. It would be a career's-worth of work for both sides, with the ISP getting the vast majority of their wishes met either through litigation or purchasing legislation.
Re: (Score:2)
Litigation? I can see the likes of Michael Mansfield [wikipedia.org] sharpening his pencil and accepting the case pro bono without a second thought.
As to what they would litigate, theft seems a good starting point - if I have paid for advertisements to be served from a site, and some Jumped-Up Fucking Marketing Shyster then intercepts those adverts before the user has a chance to accept or reject them, then the JUFMS has sto
Re: (Score:3, Informative)
Copyright infringement (Score:2)
Some lawyers are going to make megabucks off this one.
Spidey Sense Tingling (Score:2)
I like how it's charity ads that were intercepted (Score:3, Informative)
What's next, Nike tests shoes (leaked codename: "rental") that deteriorate in 30 days -- on retarded children. Through a charity donation. That they write off their taxes the full value of.
Seriously: these are the times I'm glad to procrastinate about being an internet activist[1], because YOU CAN'T MAKE THIS STUFF UP. I couldn't have warned of this if I had tried.
[1] CHILL, guy with the sig 'whenever I hear the word activist I reach for my revolver' It's going to be all right.
Sites and others will move to SSL (Score:2)
redirect Http://youriste.com to https://yoursite.com/ [yoursite.com] before anything is served.
If anyone thinks any of the CPM ad networks or major sites will allow this for even an instant, your eye is not on the money.
If they use such tech for the less easily encrypted protocols... you'll find those as well slowly pushed into it.
Which leaves the ISPs with two options if they wish to pursue this, they can proxy everything their
Oxfam ads substituted (Score:3, Insightful)
The problem here (Score:2)
iptables or squid-cache: ads -- /dev/null (Score:2)
Possible temporary fixes.... (Score:5, Interesting)
2) Use page receipts to vet page authentication
3) litigate, especially for copyright violation as the page has been misused by an intermediary for a purpose not intended by the page's author
4) other solutions that someone will think of; stop the page vandals NOW!
Re: (Score:2)
So much for using adblock.
Re: (Score:2)
'course, these products could just re-compute and re-insert the checksum into the page...
Re:Possible temporary fixes.... (Score:4, Insightful)
Brief Overview (Score:3, Informative)
Do we have to... (Score:2)
Do we really have to go down this road? I mean, if we can't trust that the page we're looking at is the page that was served... Are we going to have to go to HTTPS for our browsing now? Are we
Google Ads (Score:2)
Would a copyright challenge be possible? (Score:2)
My bet is that if they once replace a google ad with one of their own they will drown in subpoenas.
Tortious Interference W/ Contractual Relations? (Score:2, Interesting)
As an Oxfam contributor, I am pissed (Score:2, Interesting)
I give money to Oxfam. They take my money, and use it to run their charity, which includes helping people as well as doing some overhead like, for example, creating ads and managing ad campaigns. Seems like a perfectly good use of my donation.
But now I find out that some of these efforts have been sabotaged, stealing part of the money I donated!
Not only does Oxfam have standing to sue, I would think Oxfam donors have also been wronged.
But worst of all, of course, is the
https (Score:2)
Re: (Score:2)
Term and conditions (Score:3, Interesting)
The system does provide an opt-out mechanism and this was laboratory tested and verified. However the method of opt-out requires consideration. Since it involves the dropping of a web-cookie on the users machine to indicate an opt-out preference, which if wiped by the user means they will be opted back in.
The solution would of course be to make it an opt-in instead of opt-out. Most users would of course not opt-in without seeing a clear benefit for doing so. One obvious benefit would be that those that opt-in receive a discount on their internet connection. Simple and fair.
Pot calling the kettle black? (Score:4, Insightful)
Absolutely actionable (Score:3)
Insertion or replacement of advertising is vandalism, which is a criminal act.
It is probably arguable as product tampering.
I would say that even if the ISP has an agreement with the end user (overlooked in the small print) that allows this, they need to properly compensate the originating web site. These hijacked ads represent an improper interference of lawful business practices of the web site, i.e. providing a service sponsored by advertisement. By hijacking the ads, they deprive the website of earned revenue, which is theft.
I love it--use SSL for everything (Score:4)
Re:I love it--use SSL for everything (Score:4, Interesting)
I interviewed at a company (a few years ago) that had designed a hardware 'appliance' that intercepts SSL web comms and fools the user into accepting a fake cert that looks VERY VERY much like the real thing. he clicks 'ok' and whammo - he FEELS safe but his link is now MITM attacked and compromised. and he didn't even know it.
technically, SSL didn't break but the middle box (cough cough) did some very evil things and asked both ends to talk to it, instead. essentially.
how many people really scrutinize the MESS OF TEXT that comes up in those cert popups? even experts tend to say 'yeah yeah, OK' and click it away.
moral: assume your company is using one of these boxes and go from there. over time, more and more companies WILL be snooping on their employees or users using these 'SSL feel good' faker boxes.
be advised.
Legal Threats (Score:3, Interesting)
Re: (Score:2)
Why not just use Google's ads (which are far superior) and monetize them? It's not like google refuses to cut you a share of the profits.
Or you can use completely irrelevant ads that nobody reads, that don't work, such as the viagra/enhance your mangina ads. If an ad isn't relevant and interesting, nobody will read it. This is more on the intrusive category, which means it's unwelcome and useless.
Also, what about the funds the companies already have? Surely you don't think they'd keep pocketing the money
Re: (Score:2)
Oh, and good luck to the Shots [theshots.co.uk] for next season in the League :P
Re: (Score:2)
Re: (Score:2)