42 comments

Can it be? (0)

Anonymous Coward | more than 2 years ago | (#38829531)

The oxygen network is important!

Trusted partners? (5, Informative)

daveewart (66895) | more than 2 years ago | (#38829537)

I see they keep banging on about "trusted" partners. Trusted by whom? That's the point which they seem to be missing... Certainly not "trusted by O2 customers".

Re:Trusted partners? (1)

Sockatume (732728) | more than 2 years ago | (#38829603)

Presumably they mean sites which fall within O2's web portal. For example, my mobile phone company's web portal can bring up my customer billing page without logging in, which indicates it's uniquely identifying me. It may be that they did something similar for AnnoyingInternetVidsAsRingtones.blah when visited through their web portal, to make it easier to bill people.

Re:Trusted partners? (0)

Anonymous Coward | more than 2 years ago | (#38829765)

Yes, I would think it is exactly that.

Re:Trusted partners? (3, Insightful)

biodata (1981610) | more than 2 years ago | (#38830129)

Does trusted partners include every internet link and server between them and their trusted partners? The main problem seems to be that they are sharing people's private information in an insecure, unencrypted format (plain text), using an insecure, unencrypted mechanism (http headers) with the internet at large. Isn't this a dereliction of their duty to protect the privacy of their customers' information?

Script for checking (2)

Inda (580031) | more than 2 years ago | (#38829599)

I got this link from the BBC News site. It just displays the headers (something most of us could do, I know):

http://lew.io/headers.php

My number did not appear. I'm on Tesco, who are a reseller for O2.

Re:Script for checking (1)

Sockatume (732728) | more than 2 years ago | (#38829625)

It was corrected at 2pm yesterday according to one of the stories linked to in the summary.

Re:Script for checking (1)

jo_ham (604554) | more than 2 years ago | (#38829795)

They fixed the issue before most of the stories went up, and it was also specific to cellular connections - if you visited via WiFi it would not show the error (since the problem was inside O2's network rather than happening at the handset end).

Re:Script for checking (1)

rapiddescent (572442) | more than 2 years ago | (#38830053)

I tried it yesterday (before o2 removed it) from my mobile phone and it showed a http header with 4478****** which is my number. Clearly there is some sort of transparent proxying going on - one has to wonder what else they are using that proxy for? The cat is out the bag that they are actively proxying port 80 traffic. However, no doubt they'll get no more than a slap on the wrist from the ICO for this breach.

Re:Script for checking (2)

jo_ham (604554) | more than 2 years ago | (#38830337)

Like they said - it (was) used for convenience with sites they were linked with, like O2 tickets and ringtone sites within their portal. There's nothing inherently Machiavellian about this, but I suppose it is the slashdot modus operandi to assume that companies can't do anything *but* be evil.

Re:Script for checking (0)

Anonymous Coward | more than 2 years ago | (#38830967)

They were using the proxy for image compression. I think that was the original idea but I don't trust it. You can change your APN settings to bypass the proxy if you are on O2 (not resellers like giffgaff and Tesco Mobile).

Re:Script for checking (2)

viperidaenz (2515578) | more than 2 years ago | (#38831311)

You'll find most ISPs run transparent caching proxies. The benefit to customers is decreased page load time, the benefit to the ISP is decreased bandwidth.

Re:Script for checking (1)

Zaiff Urgulbunger (591514) | more than 2 years ago | (#38833737)

> ...it showed a http header with 4478****** which is my number.

Luckily it just shows as stars to everyone else. They must be using that same tech that Facebook uses that makes your password appear as stars when you type it. I'm pretty confident you are completely 100% safe!

;)

O2 "Fixes" ? (0)

Anonymous Coward | more than 2 years ago | (#38829611)

More like hurriedly tries to go into damage limitation mode after being caught red handed.

My O2 phone was cancelled over this. Was yours ?

Re:O2 "Fixes" ? (3, Insightful)

jo_ham (604554) | more than 2 years ago | (#38829761)

"Caught red handed"

What do you mean? It was a mistake that started on January 12th and was corrected when it was noticed, yesterday.

You make it sound like this was some secret, evil scheme.

Re:O2 "Fixes" ? (1)

Patch86 (1465427) | more than 2 years ago | (#38831213)

I don't get it, and I don't get the suspicious quotes in the headline either. Why on earth would O2 be doing it on purpose? What possible reason would they have to pass your phone number to every random non-affiliated website you visit (particularly when they freely admit that they've always passed it to trusted websites such as ones they own, and will continue to do so).

Sounds like a text-book coding cock up to me. Embarrassing for the developers involved, possibly indicative that they don't test things properly, or are rushing releases - but that sounds pretty familiar to me.

me.surprise==0 (0)

Anonymous Coward | more than 2 years ago | (#38829633)

O2...aka BT Cellnet. This just sounds like the standard level of incompetency you'd expect from BT. Yeah great idea, automatically share your phone number with "trusted" websites. WTF would a website need that info for, and as customers, why would we want to do that?

Re:me.surprise==0 (1)

jo_ham (604554) | more than 2 years ago | (#38829733)

It allows for convenient billing, for example, if you buy ringtones from O2's store (if you're the type to do this - it used to be huge here before the rise of the smartphone), or O2's link with ticketing for the O2 Arena, where customers get priority and discounted tickets for being on O2.

Privacy is like virginity (2)

aglider (2435074) | more than 2 years ago | (#38829707)

Once you've lost it, it's gone forever.
Unless you change something really ... low level.
Like the phone number.

Re:Privacy is like virginity (1)

tgd (2822) | more than 2 years ago | (#38830167)

> Once you've lost it, it's gone forever.
> Unless you change something really ... low level.
> Like the phone number.

And did you miss your virginity after it was gone?

Re:Privacy is like virginity (1)

viperidaenz (2515578) | more than 2 years ago | (#38831365)

I had a new desire to keep doing what it was that caused its loss.

Sounds like a Facebook user... It starts by signing up and sharing a few photos, next thing you know they're on there hours a day posting constant updates no one but themselves and those already involved (and the stalkers) care about.

Re:Privacy is like virginity (0)

Anonymous Coward | more than 2 years ago | (#38836733)

Do you miss your privacy?

They cocked up but... (2)

iB1 (837987) | more than 2 years ago | (#38829735)

O2 screwed up by making what appears to be a school-boy error. However, after they were notified of the fault, they admitted blame, fixed it quickly and told everyone what happened. It would have obviously been preferable if this leak hadn't happened in the first place, but I can't blame them for how they handled it.

Re:They cocked up but... (1)

Spad (470073) | more than 2 years ago | (#38829823)

I can blame them because they are sending phone numbers as HTTP headers to websites. I don't care if they're "selected, trusted 3rd-party sites" and that sending them to everyone was an accident, I want to know why they're using phone numbers *at all*. If you need to identify a customer to a 3rd party site for whatever reason then you use a unique identifier that isn't directly connected to that user and you certainly don't use their phone number.

It may have been an accident, but it was an accident that should never have been able to happen.

Re:They cocked up but... (0)

viperidaenz (2515578) | more than 2 years ago | (#38831397)

How dare they send YOUR phone number to THEIR sites.

Oh wait, it's their phone number and you're only borrowing it on the terms and conditions you signed when you agreed to take their services, which includes sharing your information with their affiliates.

Re:They cocked up but... (1)

aztracker1 (702135) | more than 2 years ago | (#38832403)

Personally, I would have preferred they used IdentD services on the proxy endpoints, and allowed queries from selected IPs... The technology in place essentially allows you to go to "their" portal and related sites, and have those sites know it is you. In this case, the number is merely an identifier, and doesn't automagically tie your phone number to your person. Though could, combined with other information, be used to avoid privacy. The fact is that phone numbers are rather limited in nature, and given 10K guesses, with your relative home location, could probably come up with your number, as well as your neighbor, etc.

Re:They cocked up but... (1)

biodata (1981610) | more than 2 years ago | (#38829857)

Not really. They are still sharing people's phone numbers with anyone they decide they want to.

Who's lying/incorrect? (1)

biodata (1981610) | more than 2 years ago | (#38829819)

In the linked article the Sophos 'expert' Graham Cluley said the problem had been known for around two years. On the BBC news site, however, an O2 spokesperson was reported as saying that the fault had only been happening since 10th January (i.e. the Twitter user who caught them red-handed was lucky to have spotted the problem as soon as it happened).

I wonder where the truth lies?

Re:Who's lying/incorrect? (2)

IAmGarethAdams (990037) | more than 2 years ago | (#38829999)

The paper from two years ago [computerworld.com] mentions the problem in relation to

> the U.K.'s Orange and Canada's Rogers Wireless

and not in relation to O2. Had they been involved 2 years ago, I would have expected them to be named in that original paper.

Gotta love those quote marks (2)

Burb (620144) | more than 2 years ago | (#38829843)

Compare:
O2 Fixes 'Accidental' Leak of Phone Numbers
vs
O2 Fixes Accidental Leak of Phone Numbers

Re:Gotta love those quote marks (2)

jo_ham (604554) | more than 2 years ago | (#38830447)

It's to be expected for the standard slashdot groupthink - didn't you get the memo? Anything a company does, without exception, has a secret, ulterior motive designed to crush the common man, hurt open source, and destroy privacy.

It's simply not possible for a company to ever do anything accidental. This was clearly O2's plan all along and they've been "caught" trying to be evil. Score one for the little guy!

DISCLAIMER: The above comments might be facetious. YMMV.

Re:Gotta love those quote marks (0)

Anonymous Coward | more than 2 years ago | (#38832485)

> It's to be expected for the standard slashdot groupthink - didn't you get the memo? Anything a company does, without exception, has a secret, ulterior motive designed to crush the common man, hurt open source, and destroy privacy.

Unless it's Google ('cos their shills wrote the memo).

Re:Gotta love those quote marks (1)

eastlight_jim (1070084) | more than 2 years ago | (#38830485)

They're brilliant aren't they? They crop up everywhere now. The BBC uses them with gay abandon and whilst I'm sure that they're just using them in their traditional sense (i.e. to delineate a quote) the results can often be hilarious.

Here's another amusing example from today on the BBC: 'Cloaking' a 3-D object from all angles demonstrated [bbc.co.uk]. You can just hear the derisive journalist as he writes the headline...

Ellipsis (1)

CanHasDIY (1672858) | more than 2 years ago | (#38830491)

Remember a time when corporations were held fiscally and criminally responsible for their actions?

Pepperidge Farms remembers.

Danger to abuse HTTP Headers? (1)

Zwerg_Sense (2560833) | more than 2 years ago | (#38834911)

Now we know they have certain headers for billing purposes, not the smartest way... Is there a danger in these headers now? Going to the 'trusted partner' with your own fake headers without going through the O2 proxies?
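
Added example, not part of any comment in this thread and not O2's code: one way to build what Spad's comment asks for (an identifier not directly connected to the phone number) so that the forged-header case raised in the last comment is rejected by the partner. The header names, hostname, keys and phone number are constructed placeholders; the thread does not name the real header.

```python
import hashlib
import hmac
import time

# Hypothetical names throughout: the thread does not name the real header.
ID_HEADERS = {"x-subscriber-msisdn", "x-subscriber-token"}
OPERATOR_SECRET = b"constructed-operator-only-secret"   # never leaves the operator
PARTNER_KEYS = {"tickets.partner.example": b"constructed-partner-key"}
MAX_AGE = 300  # seconds a token is accepted for


def _mac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()


def proxy_egress(host, client_headers, session_msisdn, now=None):
    """Operator proxy: build the headers forwarded to `host`."""
    host = host.lower()
    # Drop identity headers the handset sent; only the proxy may set them.
    out = {k: v for k, v in client_headers.items() if k.lower() not in ID_HEADERS}
    key = PARTNER_KEYS.get(host)
    if key is None:
        return out                      # default deny: nothing identifying leaves
    # Pseudonym is keyed with an operator-only secret and bound to the host,
    # so partners cannot enumerate numbers or correlate IDs with each other.
    pseudonym = _mac(OPERATOR_SECRET, host + "|" + session_msisdn)[:32]
    ts = str(int(time.time() if now is None else now))
    body = pseudonym + "." + ts
    out["X-Subscriber-Token"] = body + "." + _mac(key, host + "|" + body)
    return out


def partner_verify(host, headers, now=None):
    """Partner site: return the pseudonym, or None if the token is not valid."""
    host = host.lower()
    key = PARTNER_KEYS[host]
    token = next((v for k, v in headers.items() if k.lower() == "x-subscriber-token"), "")
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdecimal():
        return None
    body = parts[0] + "." + parts[1]
    expected = _mac(key, host + "|" + body)
    if not hmac.compare_digest(parts[2].encode(), expected.encode()):
        return None                     # forged or altered outside the proxy
    age = (time.time() if now is None else now) - int(parts[1])
    return parts[0] if 0 <= age <= MAX_AGE else None
```

Over plain HTTP a captured token can still be replayed until `MAX_AGE` expires, so the proxy-to-partner hop needs TLS as well.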