Sunday, June 22, 2008

Like having a pimp for an ISP

Imagine Charter and I standing together; Charter has a bandage around its hand and I have a black eye. The conversation goes like this: "I didn't mean to, baby, I'm sorry." "You'd better be, bitch, look what you did to my hand."

It started with Google. Charter's DNS was borked in March and returned bad IPs for google.com. That means every Google tool except image search was unreachable. Web search, Gmail, Google Talk, blog search, Google Video - dead. This affected users from Missouri, Illinois, Michigan, Iowa, Minnesota, the whole fucking Midwest. Charter blamed it on a routing issue for over a month, which was total bullshit; when I fed google.com's IP to my browser, it connected. That's not a routing issue, that's a name issue. I switched to another set of DNS servers and started wondering when cellular connections would be a suitable replacement for cable and DSL.

Then comes the news about NebuAd. Charter planned, and still plans, to install NebuAd boxes on its network to track users' browsing and deliver tailored ads. The fear was that the box would use deep packet inspection to pull keywords or other data out of pages being viewed by users, but Charter assured us it would look at URL data only. Here's an illuminating interview with Charter veep Ted Schremp, with quotes like:
What you said is correct. What's being said is incorrect.
and:
The enhanced advertising solution does not utilize deep packet inspection. It looks at URL level information only.
The nebulous devices were to be tested in four major markets. Notices were sent to affected users. An opt-out procedure was in place. Charter even had the gall to say it would enhance the browsing experience. Fucking smoke and mirrors, every bit of it.

It's been dissected elsewhere but here's the local version. Opting out of the system is a two-step process. First you're directed to an unencrypted Charter page with a form asking for your name and address. That's a double-whammy: the ISP is asking, over an unsafe channel, for private information it already has. That page redirects to NebuAd, which sets the opt-out cookie. Remember your first day on the internet, when you went through orientation and they told you that cookies were dangerous, that they could reveal personal information about you, that it was a good idea to block some, if not most, cookies? It's been standard internet procedure since nineteen-ninety-fucking-five to not let cookies stick around in your browser too long; most people should automatically clear them when the browser exits. That means having to opt out again to reset the cookie every time you start browsing. Use two different browsers? You have to opt out in each of them. Home network? Every computer. Upgrade your browser? It might not import the cookies from the old install that you should have deleted anyway. Re-install or upgrade the OS? You know the answer. And the cookie only stops tailored ad delivery; there's no way for the box on Charter's network to read the cookie and know not to track you. This isn't a functional opt-out system. All of this overlooks that the tracking should have been opt-in from the start, since ISPs shouldn't be giving that data to third parties without a signed warrant; why default to giving out personal information?
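To make the cookie problem concrete, here is a toy model (added here, not code from the post or from NebuAd) of a browser with a domain-scoped cookie jar and a box on the ISP side that sees every request on the line. The host name and cookie name are assumptions; the point it shows is that the opt-out cookie only travels on requests to the host that set it, so the box keeps building a profile of every URL regardless, and any browser or machine without the cookie is never opted out at all.

```python
from urllib.parse import urlsplit

AD_HOST = "optout.adnetwork.example"  # assumption: host that sets the opt-out cookie
OPT_OUT = "opt_out"                    # assumption: name of that cookie


class Browser:
    """One browser profile with a domain-scoped cookie jar."""
    def __init__(self):
        self.jar = {}  # host -> {cookie name: value}

    def opt_out(self):
        # The opt-out page redirects to the ad network, which sets its cookie.
        self.jar.setdefault(AD_HOST, {})[OPT_OUT] = "1"

    def clear_cookies(self):  # clear-on-exit, a reinstall, or a new machine
        self.jar.clear()

    def request(self, url):
        # Browsers send a cookie only to the host that set it.
        host = urlsplit(url).hostname
        return {"url": url, "cookies": dict(self.jar.get(host, {}))}


class IspBox:
    """Device on the ISP side that sees every request on the subscriber's line."""
    def __init__(self):
        self.profile = []  # URLs recorded against the line, cookie or not

    def handle(self, req):
        self.profile.append(req["url"])  # the URL is visible regardless of cookies
        # The opt-out is only detectable on requests that carry the cookie,
        # i.e. those going to AD_HOST; it says nothing about everything else.
        return req["cookies"].get(OPT_OUT) == "1"


def simulate():
    """Returns (opt-out visible per request, number of URLs profiled)."""
    box = IspBox()
    a, b = Browser(), Browser()  # two browsers (or two machines) on one line
    a.opt_out()
    honoured = [
        box.handle(a.request("http://www.example.com/search?q=mortgage")),
        box.handle(a.request("http://%s/ad" % AD_HOST)),
        box.handle(b.request("http://%s/ad" % AD_HOST)),  # b never opted out
    ]
    a.clear_cookies()
    honoured.append(box.handle(a.request("http://%s/ad" % AD_HOST)))
    return honoured, len(box.profile)
```

Only the second request, the one actually sent to the ad host from the browser that opted out, carries the cookie; the profile still grows by one for every request.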

Congressmen wrote letters to Charter telling them to back off. Charter put the brakes on the rollout, and people might be forgiven for thinking that Charter was seriously looking at their privacy concerns. Then we read:
A Charter spokesperson attributed the delay to technology issues. "It will happen when we're technologically ready," the spokesperson told Online Media Daily.
Thanks a fucking heap, guys. Really.

That's not the end. NebuAd has been implemented at other ISPs and researchers have now figured out how the system works. It's actually a very basic idea that's been used for decades to great effect, classically known as a man-in-the-middle attack. The NebuAd box injects forged data into pages that have no affiliation with NebuAd, like Yahoo! or Google, and can redirect your browser to NebuAd sites to get their cookie. That's called a "cross-site exploit" and "browser hijack." I haven't found it in any reference to internet etiquette, but I think browser hijacks are generally considered pretty fucking impolite.
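One way a subscriber or researcher can spot this kind of in-path injection is differential: fetch the same page over the suspect connection and over a connection you trust, and list the hosts that only the suspect copy tells the browser to contact. The checker below is an added example, not code from the post or from the report it cites; the two HTML samples are constructed, and the tracker host name is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose values can point the browser at another host.
URL_ATTRS = ("src", "href", "action")


class HostCollector(HTMLParser):
    """Collects every external host a page would make the browser contact."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def _add(self, url):
        host = urlsplit(url).hostname
        if host:  # relative URLs stay on the page's own origin and are ignored
            self.hosts.add(host.lower())

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS:
            if attrs.get(name):
                self._add(attrs[name])
        # <meta http-equiv="refresh" content="0;url=http://..."> is a redirect too.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            if "url=" in content.lower():
                self._add(content[content.lower().index("url=") + 4:].strip())


def referenced_hosts(html):
    p = HostCollector()
    p.feed(html)
    return p.hosts


def injected_hosts(reference_html, observed_html):
    """Hosts present in the observed copy but absent from the reference copy."""
    return sorted(referenced_hosts(observed_html) - referenced_hosts(reference_html))


# Constructed samples: a clean copy, and the same page with one extra script tag
# pointing at a placeholder tracker host, as an in-path box might add.
REFERENCE = ('<html><head><script src="http://www.example.com/a.js"></script></head>'
             '<body><a href="http://news.example.com/">news</a></body></html>')
OBSERVED = REFERENCE.replace(
    "</body>", '<script src="http://tracker.adnetwork.example/t.js"></script></body>')
```

Running injected_hosts(REFERENCE, OBSERVED) returns just the tracker host; a meta refresh to a third-party host shows up the same way.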

But wait, there's more! Wired's article contains a little extra somethin-somethin':
NebuAd has conceded that its boxes peer deep into internet packets to pull out URLs and search terms in order to classify each user's interests. That profile is then used to deliver tailored ads on various partner websites.
Which is the exact opposite of what Schremp said earlier. I've chosen to think of him as a shill rather than a lying cocktwister, but that's a personal preference and you're free to differ.

The icing on the cake is where NebuAd may be getting its ideas. Internet old-timers will remember a product called Gator. Over the last decade, the parent company Claria has changed Gator's name three times, trying to shake the spyware stigma. Two vice presidents, two high-level managers, and a senior director at NebuAd all worked at Claria or Gator previously.

What. The. Fuck. I need a new ISP.

2 comments:

Anonymous said...

This is an awesome blog entry. I plan on pointing it out to people who want a quick reviewer on NebuAd.

Robb Topolski
Hillsboro, Oregon
author of the report,
NebuAd and Partner ISPs: Wiretapping, Forgery and Browser Hijacking

Anonymous said...

Most of what you have to say is well said and I respect your opinion, but good grief, grow up and act more professional! Do you honestly think using all the profanity improves your credibility? OK, so you're upset, but why don't you leave junior high and high school behind and learn to write with intelligence and class. If you really want to stick it to the man you should really spend some time learning bigger, more sophisticated words to express yourself.