[NANOG] Charter Communications going to sniff traffic for advertising?
Apparently Charter is going to packetsniff its users and use that for commercial purposes.
Looks like the only way to somewhat opt out is by getting a cookie set at the below link - which is not only a dumb idea, but still - not even https. http://connect.charter.com/cas/portal/settings/privacyoptout.aspx
Anyone's thoughts on this?
-j
In same spirit, something worse I think ... If you are in some airport with a GSM/Wifi phone, you are going to receive a mail from the local Wifi provider to explain to you how to reach his (local wifi) network. Tested in Roissy / France, with iPhone. iPhone will switch from edge to wifi connection. I think that some applications try to reach their server (like mail) and the local provider sniffs different things (user name / mail sure but what about passwd ??) to send you back an email. Interesting ...
----------------------------- Jean-Michel Planche blog: http://www.jmp.net Chairman and co-founder Witbe web : http://www.witbe.net Follow me http://www.twitter.com/jmplanche ------------------------------------------- 2.0 Monitoring : relevant End to End monitoring for critical app. and carrier class services
On 14 May 08 at 22:31, Jake Matthews wrote:
Apparently Charter is going to packetsniff its users and use that for commercial purposes.
Looks like the only way to somewhat opt out is by getting a cookie set at the below link - which is not only a dumb idea, but still - not even https. http://connect.charter.com/cas/portal/settings/privacyoptout.aspx
Anyone's thoughts on this?
-j
_______________________________________________ NANOG mailing list NANOG@nanog.org http://mailman.nanog.org/mailman/listinfo/nanog
I noticed this as well with a windows mobile device and activesync over the air. Enforcing SSL communication seems to have fixed it, as I no longer get these after doing that. Of course this assumes that your mail server does not need plain text authentication. I noticed this a lot when I was flying back and forth from Houston and DFW out of Denver. Never identified the culprit of who was harvesting but....
-----Original Message-----
From: Jean-Michel Planche [mailto:jmp@witbe.net]
Sent: Wednesday, May 14, 2008 2:47 PM
To: Jake Matthews
Cc: nanog@nanog.org
Subject: Re: [NANOG] Charter Communications going to sniff traffic for advertising?
In same spirit, something worse I think ... If you are in some airport with a GSM/Wifi phone, you are going to receive a mail from the local Wifi provider to explain to you how to reach his (local wifi) network. Tested in Roissy / France, with iPhone. iPhone will switch from edge to wifi connection. I think that some applications try to reach their server (like mail) and the local provider sniffs different things (user name / mail sure but what about passwd ??) to send you back an email. Interesting ...
----------------------------- Jean-Michel Planche blog: http://www.jmp.net Chairman and co-founder Witbe web : http://www.witbe.net Follow me http://www.twitter.com/jmplanche ------------------------------------------- 2.0 Monitoring : relevant End to End monitoring for critical app. and carrier class services
On 14 May 08 at 22:31, Jake Matthews wrote:
Apparently Charter is going to packetsniff its users and use that for commercial purposes.
Looks like the only way to somewhat opt out is by getting a cookie set at the below link - which is not only a dumb idea, but still - not even https. http://connect.charter.com/cas/portal/settings/privacyoptout.aspx
Anyone's thoughts on this?
-j
I've found that using SSL for all my SMTP and IMAP transactions and not entering personally identifying information into non-SSL web pages greatly reduces the amount of harvesting results I see.
As to Charter, I opt out by simply not purchasing anything from them. It seems to work far better than bothering with their silly cookie process.
Owen
On May 15, 2008, at 5:31 AM, Blake Pfankuch wrote:
I noticed this as well with a windows mobile device and activesync over the air. Enforcing SSL communication seems to have fixed it, as I no longer get these after doing that. Of course this assumes that your mail server does not need plain text authentication. I noticed this a lot when I was flying back and forth from Houston and DFW out of Denver. Never identified the culprit of who was harvesting but....
-----Original Message-----
From: Jean-Michel Planche [mailto:jmp@witbe.net]
Sent: Wednesday, May 14, 2008 2:47 PM
To: Jake Matthews
Cc: nanog@nanog.org
Subject: Re: [NANOG] Charter Communications going to sniff traffic for advertising?
In same spirit, something worse I think ... If you are in some airport with a GSM/Wifi phone, you are going to receive a mail from the local Wifi provider to explain to you how to reach his (local wifi) network. Tested in Roissy / France, with iPhone. iPhone will switch from edge to wifi connection. I think that some applications try to reach their server (like mail) and the local provider sniffs different things (user name / mail sure but what about passwd ??) to send you back an email. Interesting ...
----------------------------- Jean-Michel Planche blog: http://www.jmp.net Chairman and co-founder Witbe web : http://www.witbe.net Follow me http://www.twitter.com/jmplanche ------------------------------------------- 2.0 Monitoring : relevant End to End monitoring for critical app. and carrier class services
On 14 May 08 at 22:31, Jake Matthews wrote:
Apparently Charter is going to packetsniff its users and use that for commercial purposes.
Looks like the only way to somewhat opt out is by getting a cookie set at the below link - which is not only a dumb idea, but still - not even https. http://connect.charter.com/cas/portal/settings/privacyoptout.aspx
Anyone's thoughts on this?
-j
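The two messages above report that enforcing SSL for ActiveSync, SMTP and IMAP stopped the credential harvesting. As an added example (not part of any message in this thread), here is a fail-closed check a mail client can apply before sending a password; the function names are hypothetical and the server responses are constructed samples.

```python
# Added example: fail-closed check before a mail client sends credentials.
# All server responses used here are constructed samples.

def parse_smtp_ehlo(response):
    """Map EHLO keywords to parameters, e.g. {'AUTH': ['PLAIN', 'LOGIN']}."""
    caps = {}
    for line in response.splitlines()[1:]:   # line 0 is the server greeting
        if len(line) > 4 and line.startswith("250"):
            words = line[4:].split()
            if words:
                caps[words[0].upper()] = [w.upper() for w in words[1:]]
    return caps

def parse_imap_capability(line):
    """Capability atoms from '* CAPABILITY ...' or '* OK [CAPABILITY ...]'."""
    upper = line.upper()
    start = upper.find("CAPABILITY")
    if start < 0:
        return set()
    return set(upper[start + len("CAPABILITY"):].split("]")[0].split())

def auth_decision(offers_starttls, tls_active):
    """Decide the next step; never allow credentials on a cleartext link."""
    if tls_active:
        return "ok-to-authenticate"
    if offers_starttls:
        return "starttls-first"
    # No TLS and no upgrade offered. On a hostile link the STARTTLS keyword
    # may have been removed in transit, so do not fall back to cleartext.
    return "abort"

def smtp_decision(ehlo_response, tls_active=False):
    caps = parse_smtp_ehlo(ehlo_response)
    return auth_decision("STARTTLS" in caps, tls_active)

def imap_decision(capability_line, tls_active=False):
    caps = parse_imap_capability(capability_line)
    return auth_decision("STARTTLS" in caps, tls_active)

# Constructed samples (mail.example.net is a placeholder host).
EHLO_OK = "250-mail.example.net\n250-STARTTLS\n250-AUTH PLAIN LOGIN\n250 8BITMIME"
EHLO_NO_TLS = "250-mail.example.net\n250-AUTH PLAIN LOGIN\n250 8BITMIME"
IMAP_OK = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"
IMAP_NO_TLS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN"

if __name__ == "__main__":
    for name, result in [
        ("smtp, STARTTLS offered", smtp_decision(EHLO_OK)),
        ("smtp, no STARTTLS", smtp_decision(EHLO_NO_TLS)),
        ("imap, STARTTLS offered", imap_decision(IMAP_OK)),
        ("imap, no STARTTLS", imap_decision(IMAP_NO_TLS)),
        ("imap over implicit TLS", imap_decision(IMAP_NO_TLS, tls_active=True)),
    ]:
        print(f"{name}: {result}")
```
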
On May 15, 2008, at 9:34 AM, Owen DeLong wrote:
I've found that using SSL for all my SMTP and IMAP transactions and not entering personally identifying information into non-SSL web pages greatly reduces the amount of harvesting results I see.
As to Charter, I opt out by simply not purchasing anything from them. It seems to work far better than bothering with their silly cookie process.
I think that's fine and all, but there are people where choice doesn't exist.
I would choose FIOS (or a fios-like service) for my home internet. That choice does not exist.
Verizon has not built that infrastructure in my state, nor does it appear they have any plans to.
Where choice does not exist, and there is no high-speed duopoly to choose between, what would you do? Build your own infrastructure a few miles at a cost of $2-50+/foot?
- Jared
On Thu, 15 May 2008 09:46:05 -0400 Jared Mauch <jared@puck.nether.net> wrote:
On May 15, 2008, at 9:34 AM, Owen DeLong wrote:
I've found that using SSL for all my SMTP and IMAP transactions and not entering personally identifying information into non-SSL web pages greatly reduces the amount of harvesting results I see.
As to Charter, I opt out by simply not purchasing anything from them. It seems to work far better than bothering with their silly cookie process.
I think that's fine and all, but there are people where choice doesn't exist.
I would choose FIOS (or a fios-like service) for my home internet. That choice does not exist.
Verizon has not built that infrastructure in my state, nor does it appear they have any plans to.
Where choice does not exist, and there is no high-speed duopoly to choose between, what would you do? Build your own infrastructure a few miles at a cost of $2-50+/foot?
The other day, the Wall Street Journal ran a brief piece on VPN providers... The threat they had in mind was wireless hotspots, but any sort of on-link evil can be dealt with that way. --Steve Bellovin, http://www.cs.columbia.edu/~smb
On Thu, May 15, 2008 at 9:58 AM, Steven M. Bellovin <smb@cs.columbia.edu> wrote:
On Thu, 15 May 2008 09:46:05 -0400
The other day, the Wall Street Journal ran a brief piece on VPN providers... The threat they had in mind was wireless hotspots, but any sort of on-link evil can be dealt with that way.
sure would be nice if some vendor would partner with a CDN-type group (or a vendor that had enough 'local presence') to offer this sort of thing... It doesn't necessarily have to be IPSEC or SSL I bet... though longer term SSL or IPSEC seem like better options (since phorm/blah will quickly start poking into PPTP/gre tunnels as well).
Oh, how do you know you can trust the VPN folks anymore than the cable-modem folks though? eventually the same cost issues are going to arise for the VPN folks as did for cable-modem/dsl folks (downward pressure on pricing and infra/opex/capex costs going up/not-decreasing).
-Chris
"Christopher Morrow" <morrowc.lists@gmail.com> writes:
Oh, how do you know you can trust the VPN folks anymore than the cable-modem folks though? eventually the same cost issues are going to arise for the VPN folks as did for cable-modem/dsl folks (downward pressure on pricing and infra/opex/capex costs going up/not-decreasing).
Unlike running fiber to your door, renting a VPS and setting up a vpn server is quite inexpensive to do yourself.
On Thu, May 15, 2008 at 2:14 PM, Luke S Crawford <lsc@prgmr.com> wrote:
"Christopher Morrow" <morrowc.lists@gmail.com> writes:
Oh, how do you know you can trust the VPN folks anymore than the cable-modem folks though? eventually the same cost issues are going to arise for the VPN folks as did for cable-modem/dsl folks (downward pressure on pricing and infra/opex/capex costs going up/not-decreasing).
Unlike running fiber to your door, renting a VPS and setting up a vpn server is quite inexpensive to do yourself.
note the 'close to the user' part of the plan ... limit additional latency and user experience hit. but other than that sure.
On Thu, 15 May 2008 13:30:52 -0400 "Christopher Morrow" <morrowc.lists@gmail.com> wrote:
Oh, how do you know you can trust the VPN folks anymore than the cable-modem folks though? eventually the same cost issues are going to arise for the VPN folks as did for cable-modem/dsl folks (downward pressure on pricing and infra/opex/capex costs going up/not-decreasing).
They're not more trustworthy, but since they don't require widespread local physical infrastructure it's potentially a more competitive market. --Steve Bellovin, http://www.cs.columbia.edu/~smb
On Thu, May 15, 2008 at 2:22 PM, Steven M. Bellovin <smb@cs.columbia.edu> wrote:
On Thu, 15 May 2008 13:30:52 -0400 "Christopher Morrow" <morrowc.lists@gmail.com> wrote:
Oh, how do you know you can trust the VPN folks anymore than the cable-modem folks though? eventually the same cost issues are going to arise for the VPN folks as did for cable-modem/dsl folks (downward pressure on pricing and infra/opex/capex costs going up/not-decreasing).
They're not more trustworthy, but since they don't require widespread local physical infrastructure it's potentially a more competitive market.
right, so not 'today' not 'tomorrow' if this becomes a service that is perceived as valuable and useful more providers will pop in this market (like cable vs dsl vs dialup), pricing pressure will start, profit margins will shrink... then ... Oh look! If I give my user meta data to CompanyX I'll get profit without any real capex expenditure! Yea, free money!!! So, how long until that happens? Hopefully when that happens there will be enough other vpn provider options so it won't matter as much as it does in the current US Duopoly... I mean 'competitive local landscape'.
-Chris
On Wed, May 14, 2008 at 04:31:57PM -0400, Jake Matthews wrote:
Apparently Charter is going to packetsniff its users and use that for commercial purposes.
I think you'd find they'd run pretty far afoul of 18 USC 2511 for that, without prior consent (18 USC 2511 2) (c)).
I looked at that page, and as far as I can tell, they are just referring to web ads, likely placed on their consumer portal site.
Where do you get the notion that they are intercepting traffic? Everything I see refers to a third party ad network, with no subscriber data provided by charter. i.e. a typical advertisers tracking cookie.
Using another cookie to opt out of the first cookie isn't unusual, since it's the same mechanism that would be involved in the first place.
In any case, trying to correlate captured traffic to a cookie that would only be exposed in web traffic and to the site that set it, would not be reliably possible.
--msa
Majdi S. Abbas wrote:
On Wed, May 14, 2008 at 04:31:57PM -0400, Jake Matthews wrote:
Apparently Charter is going to packetsniff its users and use that for commercial purposes.
I think you'd find they'd run pretty far afoul of 18 USC 2511 for that, without prior consent (18 USC 2511 2) (c)).
I looked at that page, and as far as I can tell, they are just referring to web ads, likely placed on their consumer portal site.
Where do you get the notion that they are intercepting traffic? Everything I see refers to a third party ad network, with no subscriber data provided by charter. i.e. a typical advertisers tracking cookie.
Using another cookie to opt out of the first cookie isn't unusual, since it's the same mechanism that would be involved in the first place.
In any case, trying to correlate captured traffic to a cookie that would only be exposed in web traffic and to the site that set it, would not be reliably possible.
--msa
http://www.dslreports.com/forum/r20461817-HSI-Charter-to-monitor-surfing-ins... Apparently, not just their portal.
Something Jon Devree and I were thinking about: How would they handle cookies the size of 1 MB or larger? Scary as it sounds, looks like a simple DOS attack waiting to happen :\
John Menerick
On Wed, May 14, 2008 at 2:19 PM, Jake Matthews <jmatthews@cia.com> wrote:
Majdi S. Abbas wrote:
On Wed, May 14, 2008 at 04:31:57PM -0400, Jake Matthews wrote:
Apparently Charter is going to packetsniff its users and use that for commercial purposes.
I think you'd find they'd run pretty far afoul of 18 USC 2511 for that, without prior consent (18 USC 2511 2) (c)).
I looked at that page, and as far as I can tell, they are just referring to web ads, likely placed on their consumer portal site.
Where do you get the notion that they are intercepting traffic? Everything I see refers to a third party ad network, with no subscriber data provided by charter. i.e. a typical advertisers tracking cookie.
Using another cookie to opt out of the first cookie isn't unusual, since it's the same mechanism that would be involved in the first place.
In any case, trying to correlate captured traffic to a cookie that would only be exposed in web traffic and to the site that set it, would not be reliably possible.
--msa
http://www.dslreports.com/forum/r20461817-HSI-Charter-to-monitor-surfing-ins...
Apparently, not just their portal.
http://www.dslreports.com/forum/r20461817-HSI-Charter-to-monitor-surfing-ins...
This is definitely taking the position that it's "their" pipe and not the *Internet*. I can only imagine the issues that will get wrangled around in the courts over this. (ahem, Google, ahem). This is not fundamentally different than a TV station digitally inserting their own ads on the stadium instead of whatever is there you might see in person. This *seems* like a problem because most people only have 1 connectivity provider at a time and often few options around it. Regulation could address this, a differentiated service could address this, but this smacks of paying for a service to then get additional ads sent to you. (like every time you dialed a number into your Skype for Pizza Delivery, they sent you to their paid-Pizza Delivery provider instead). Depending on how invasive (or effective) this gets, it has wild common-carrier implications.
Deepak Jain
AiNET
I think that a TV station cannot just digitally insert an ad into copyrighted material, as it would be considered a derivative work. .. they have approval and pay to do that. I wonder what the legal implications for a web page would be, I would almost assume they would be the same.
-Patrick
----- Original Message -----
From: "Deepak Jain" <deepak@ai.net>
To: "Jake Matthews" <jmatthews@cia.com>
Cc: nanog@nanog.org
Sent: Wednesday, May 14, 2008 3:30:42 PM (GMT-0800) America/Los_Angeles
Subject: Re: [NANOG] Charter Communications going to sniff traffic for advertising?
http://www.dslreports.com/forum/r20461817-HSI-Charter-to-monitor-surfing-ins...
This is definitely taking the position that it's "their" pipe and not the *Internet*. I can only imagine the issues that will get wrangled around in the courts over this. (ahem, Google, ahem). This is not fundamentally different than a TV station digitally inserting their own ads on the stadium instead of whatever is there you might see in person. This *seems* like a problem because most people only have 1 connectivity provider at a time and often few options around it. Regulation could address this, a differentiated service could address this, but this smacks of paying for a service to then get additional ads sent to you. (like every time you dialed a number into your Skype for Pizza Delivery, they sent you to their paid-Pizza Delivery provider instead). Depending on how invasive (or effective) this gets, it has wild common-carrier implications.
Deepak Jain
AiNET
On Wed May 14, 2008 at 04:31:57PM -0400, Jake Matthews wrote:
Apparently Charter is going to packetsniff its users and use that for commercial purposes.
Anyone's thoughts on this?
There's a company called Phorm (www.phorm.com) trying to do this in the UK, running some trials with some of the large broadband providers. It hasn't gone down well at all... http://www.theregister.co.uk/2008/02/29/phorm_roundup/ Simon -- Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration * Director | * Domain & Web Hosting * Internet Consultancy * Bogons Ltd | * http://www.bogons.net/ * Email: info@bogons.net *
On Wed, May 14, 2008 at 11:47:22PM +0100, Simon Lockhart wrote:
There's a company called Phorm (www.phorm.com) trying to do this in the UK, running some trials with some of the large broadband providers.
Phorm has been linked to the Russian Business Network (RBN), which is unsurprising given that Phorm is in the spyware/adware business. For a particularly insightful writeup, please see:
Some notes from the Phorm sales pitch
http://yro.slashdot.org/comments.pl?sid=489948&cid=22777122
---Rsk
participants (14)
- Blake Pfankuch
- Christopher Morrow
- Deepak Jain
- Jake Matthews
- Jared Mauch
- Jean-Michel Planche
- John Menerick
- Luke S Crawford
- Majdi S. Abbas
- Owen DeLong
- Patrick Clochesy
- Rich Kulawiec
- Simon Lockhart
- Steven M. Bellovin