Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Some Hotspot Operators Secretly Intercept, Insert Ads In Web Pages

timothy posted more than 2 years ago | from the it's-only-wafer-thin dept.

Advertising 273

An anonymous reader writes with this excerpt from the NYT's "Bits" column: "Justin Watt, a Web engineer, was browsing the Web in his room at the Courtyard Marriott in Midtown Manhattan this week when he saw something strange. On his personal blog, a mysterious gap was appearing at the top of the page. After some sleuthing, Mr. Watt, who has a background in developing Web advertising tools, realized that the quirk was not confined to his site. The hotel's Internet service was secretly injecting lines of code into every page he visited, code that could allow it to insert ads into any Web page without the knowledge of the site visitor or the page's creator."

cancel ×

273 comments

Hasn't this been going on for a while? (5, Insightful)

readandburn (825014) | more than 2 years ago | (#39607411)

I don't think this is news. (Yes, I must be new here.....)

Yep. So use HTTPS-Everywhere. (5, Informative)

khasim (1285) | more than 2 years ago | (#39607453)

Well, if you use Firefox that is.

If the connection between you and the website is encrypted, no one can add code to it.

Re:Yep. So use HTTPS-Everywhere. (2, Interesting)

hairyfeet (841228) | more than 2 years ago | (#39607889)

Weird question: Do you surf porn? Does that HTTPS trick stop the Firefox porn bug? Because one of the reasons I switched my users away from FF was the FF porn bug. Don't ask me to give an in depth explanation as I'm not an HTML guy but from what i could pick up here is how it basically works: Dude looks at porn, porn page has script that opens a hidden iFrame and uses FF autocomplete to log into their Yahoo mail and then spam the address book. From my tests with a couple of fake yahoo accounts it ONLY seems to work on FF and on the new yahoo layout, no other combo like Chrome and Gmail, IE and Hotmail seems to work. If you want to see how many sites have that bug now put a master password on your password list and see how many times the master password dialog pops up, on several porn sites its pretty much pop up city. Since so many of the guys kept sending me "How come I'm spamming and i don't have a bug?" I switched them to Comodo Dragon as it works with low rights mode and doesn't have the bug.

As for TFA what does anyone expect? TINSTAAFL and with the economy in the shitter hotels are frankly doing lousy business and i'm sure those ads make their "free Wifi" truly free for the hotel, so surprise surprise they add the ads. would you rather have this, or have to pay for the Wifi, or have it like AT&T where every so many minutes you are stopped cold and forced to watch a commercial? Personally I'd choose door #1, but of course I've got ABP in Dragon so it don't affect me either way.

Re:Yep. So use HTTPS-Everywhere. (-1, Flamebait)

jhoegl (638955) | more than 2 years ago | (#39608051)

BAHAHAHAHAHAHAHAHA....
Oh man... it is an average user on the interwebs.
(Dont care if you mod me down, this shit is hilarious).

Re:Yep. So use HTTPS-Everywhere. (5, Informative)

Skapare (16644) | more than 2 years ago | (#39608187)

More than just porn sites do this. Many others, like LinkedIn, are more benign, just using your contacts list from your web email provider(s) to push you to find more people you know within LinkedIn. They don't spam or auto-add anyone. But it's still a concern. I use separate browsers for every signed-in site I visit, so LinkedIn can't get to my Gmail account, for example. I was prompted by LinkedIn to enter my password for those sites (I'd never do that). I don't know if they would prompt if the same browser instance was already logged in (I'd never do that).

Browsers should, and maybe FF now does, firewall JS code and data by hostname. Of course that would break using alternate servers for things like static images. But that's fixable by using the base name (remove the "www" part if that's on the name), and allowing access to hostnames that have name components added in front. So site slashdot.org could access images.slashdot.org. But tech.slashdot.org cannot access images.slashdot.org but can access images.tech.slashdot.org (so all sites just need to make their auxiliary servers named as child hostnames of the base hostname). The same wall should apply to Java and Flash, too (in addition to walls blocking access to the filesystem except as configured to be allowed into specific areas).

I've not done any tests of such security in FF, Chrome, or any other browser. Have fun.

HTTP Policies (1)

improfane (855034) | more than 2 years ago | (#39607459)

This is why websites need to publish policy files a bit like ABE (Application Boundaries Enforcer) [noscript.net] . This would mean that a website would publish what resources that site can request and destinations that are not in that policy are not loaded. Unfortunately if they can intercept anything that you are served then the injector can just modify the policy file too. Perhaps signed policy file could solve this?

Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included. (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...

(Although the guy who wrote ABE/NoScript should be considered in caution because of what he did to NoScript users in the past. He deliberately removed NoScript blocks for his own website so he could raise money on his plugin update page that opens after updates.)

Re:HTTP Policies (3, Interesting)

icebike (68054) | more than 2 years ago | (#39607689)

Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included. (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...

They might be able to pull this off, but the revenue they could earn off of such a scheme would never pay the lawyer bills. One could argue this would be a DMCA violation. (In fact, they seem to be on shaky legal ground altering un-encryption streams. It is after all, a form of scraping and perhaps copyright violation [wikipedia.org] .)

The drop everything to HTTP would certainly be noticed.

Re:HTTP Policies (5, Insightful)

mwvdlee (775178) | more than 2 years ago | (#39607743)

It isn't so much scraping as it is simply taking somebody's website content and copying it for their own profit.
Plain and simple copyright violation where the website owner is the victim.

Re:HTTP Policies (5, Interesting)

bbecker23 (1917560) | more than 2 years ago | (#39607731)

Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included. (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...

I've seen some novel approaches to working around SSL but most will tip off the end-user. I run a throttled honeypot on my home network with some ad-injection. I get a couple dollars a month from it, the neighbors get free internet, and it seriously cut-down on the number of auth-attempts against the secured side of my router. Most of the injectors just catch and sniff packets for webpages (trying to inject into, say, SSH would bork everything) and inserts an ad frame. I'll have to test how my setup handles a secured session but I've seen instances of SSL sessions being wrapped in a framed unsecured page (mostly at hotels and airports). Newer browsers (Firefox and Chrome anyway, no Windows box to test on) will pitch a fit about this but if you're connecting to an unsecured network, I doubt security is much of a priority.

Re:HTTP Policies (4, Insightful)

SuricouRaven (1897204) | more than 2 years ago | (#39607991)

Stop thinking like an engineer, and lower yourself to the thoughts of a typical computer user.

"A weird box just popped up! IT says something about certificates and signing, whatever that means. If I click 'accept' I'll get to see the website, so I'll do that."

Re:HTTP Policies (3, Informative)

Restil (31903) | more than 2 years ago | (#39608217)

While they couldn't insert code into an encrypted session, they COULD perform a man in the middle attack and accomplish the same thing, provided the user decided to override the certificate warning (which I'm guessing most people would). A more secure solution would be to do all the browsing over a ssh tunnel. That too could be intercepted, but it's less likely, and ssh will catch such an attempt provided the tunnel was first initiated over a trusted connection, so at least you'd be able to avoid using the service if you know it's going to be insecure.

What's ironic is the fact that the cheap hotels that are out in the middle of nowhere have great, highspeed, well covered wifi with mostly unrestricted or completely unrestricted hotspots (most of the time, all you have to do is agree to a clickthrough agreement, and you're good to go). But go to a big hotel in the city for a convention or something and they want to charge $15 a day for it. I'd just grown accustomed to tethering my cellphone in those instances since I got higher speeds from that than I did from the hotel wifi.

-Restil

Re:Hasn't this been going on for a while? (0)

Anonymous Coward | more than 2 years ago | (#39607665)

Slashdot raged about this more than five years ago.

Looks like NYT has a n00b columnist. Rage!

Re:Hasn't this been going on for a while? (1)

Anonymous Coward | more than 2 years ago | (#39607703)

But it's good to give it another look if it's still going on.

Since 2007 or earlier (2)

ODBOL (197239) | more than 2 years ago | (#39607851)

I posted a comment below regarding Meraki wireless boxes that did this in 2007. I never experienced an actual deployment, but there must have been some.

Re:Hasn't this been going on for a while? (1)

urbanriot (924981) | more than 2 years ago | (#39608205)

Yea, I was going to post the same, but more as a statement rather than a question, perhaps welcoming the poster to the internet. I'm sure this has been on Slashdot before, probably since there was a Google.

Insert this: (-1)

Anonymous Coward | more than 2 years ago | (#39607425)

First!

Re:Insert this: (2, Funny)

Anonymous Coward | more than 2 years ago | (#39607465)

Obviously posting with the complimentary Hotel wifi.

Re:Insert this: (4, Funny)

Amyntas (1774358) | more than 2 years ago | (#39607499)

Contrary to popular belief, a recent study has found that, 'First,' actually comes before second, and is generally regarded as something that should not be mistaken with second.

Remember, One comes before Two comes before 60 comes after 12 comes before Six Trillion comes after 504.

Re:Insert this: (0)

Anonymous Coward | more than 2 years ago | (#39607541)

Good job. Now go investigate the difference between insert and append and figure out if one or the other can be used to generate lists in non-sequential order.

without the knowledge of the site visitor (5, Informative)

xaosflux (917784) | more than 2 years ago | (#39607429)

Of course this is in no way limited to hotels, even ISP's have been shown to do this. Using Client-Server encryption like SSL should easily bypass that.

Re:without the knowledge of the site visitor (5, Interesting)

GamerGirlie (2612257) | more than 2 years ago | (#39607455)

Of course this is in no way limited to hotels, even ISP's have been shown to do this. Using Client-Server encryption like SSL should easily bypass that.

And that is easily bypassed by the ISP. For example when I try to login to slashdot and it changes from http to https, my ISP serves me their self-signed cert instead of Slashdot's real one. This way they are capable to intercept secure communications too.

Re:without the knowledge of the site visitor (0)

Anonymous Coward | more than 2 years ago | (#39607483)

How can I see if my ISP is doing this?

Re:without the knowledge of the site visitor (0)

Anonymous Coward | more than 2 years ago | (#39607485)

What if you use an alternative DNS and you do not *change* to https, rather use directly from your first connection to a website?

Re:without the knowledge of the site visitor (2)

GamerGirlie (2612257) | more than 2 years ago | (#39607615)

Using alternative DNS servers doesn't really help as it's not tied to that. The company that provides this man-in-the-middle attack tool for ISP's is Blue Coat Systems [wikipedia.org] , based in California, United States.

Re:without the knowledge of the site visitor (1)

Anonymous Coward | more than 2 years ago | (#39607729)

Could you reveal your ISP too so that people get aware as of who does this kind of stuff?

Re:without the knowledge of the site visitor (0)

Anonymous Coward | more than 2 years ago | (#39607523)

Well, then, get a different ISP, damn you!

Sure, if they are evil, your web browser shows a warning "Somebody is being evil!" and you just click OK and move on with your life... then they can do evil things with your connection. And since you continue to do business with them, YOU have just made that look like a winning business strategy, increasing the chance MY isp will do it next. Don't support evil!

Re:without the knowledge of the site visitor (1)

GamerGirlie (2612257) | more than 2 years ago | (#39607675)

Changing ISP isn't really an option, every ISP in the country does it (for certain sites, and slashdot is one of them). However, I do route around it by using VPN.

Re:without the knowledge of the site visitor (4, Insightful)

jonwil (467024) | more than 2 years ago | (#39607533)

Care to tell me which ISP carries out such a man-in-the-middle attack on a secure web site so I can permanently blacklist them and any entity even remotely connected to them?

That should fail. (2)

khasim (1285) | more than 2 years ago | (#39607535)

Unless you have specifically trusted whatever certificate authority server the ISP put up to do that.

Re:That should fail. (2)

Richard_at_work (517087) | more than 2 years ago | (#39607685)

And what if they own one of the large CAs?

Let's just be clear about that. (5, Informative)

khasim (1285) | more than 2 years ago | (#39607811)

And what if they own one of the large CAs?

Just to be clear about that ...

You're postulating a situation where:
The ISP
is owned by a certificate authority
that is, by default, trusted by your browser vendor
and that certificate authority
is creating certificates for 3rd party websites
without the 3rd party websites' permission
in order to facilitate man-in-the-middle attacks
so that the ISP can inject ads into your session.

I would imagine the backlash would kill both the ISP and that certificate authority.

Re:Let's just be clear about that. (1)

Ja'Achan (827610) | more than 2 years ago | (#39608165)

And if you're that paranoid, you shouldn't have any CAs in your browsers anyhow.

Re:That should fail. (1)

Kefabi (178403) | more than 2 years ago | (#39607823)

How can you ever get /.'s cert if the ISP keeps switching it out with the ISP's cert? Just go without /. and all other secure sites while at home? That sucks!

Re:without the knowledge of the site visitor (1)

Kickasso (210195) | more than 2 years ago | (#39608041)

"my ISP serves me their self-signed cert instead of Slashdot's real one."

You see a page/popup that says "this certificate is bogus, somebody is fooling around with your connection". From that point on, if you decide to proceed to the site, you are your own worst enemy.

Then if you don't accept the ISP's self signed (1)

Anonymous Coward | more than 2 years ago | (#39608149)

certificate you don't get to use any https websites at all. Most people will eventually accept rather than lose the ability to access anything that uses https (that means no gmail/yahoo mail, no facebook, no twitter, no logging into slashdot, etc).

Re:without the knowledge of the site visitor (2)

Sir_Sri (199544) | more than 2 years ago | (#39607487)

Occasionally ISPs do this legitimately as well. My ISP keeps trying to inject a message into HTTP traffic when we reach 75% of our monthly download limit. This is especially amusing when it injects into steam or the web page previews in opera (and in neither case can you accept it, and move on, so it keeps trying to inject until eventually it hits a web page you're actually viewing).

Re:without the knowledge of the site visitor (1)

Anonymous Coward | more than 2 years ago | (#39607583)

I hardly find that a legitimate reason. This is what email is for.

Re:without the knowledge of the site visitor (0)

lightknight (213164) | more than 2 years ago | (#39607691)

Agreed. Still, metered internet connections? You trying to bit torrent with a cellphone connection?

Re:without the knowledge of the site visitor (1)

SuricouRaven (1897204) | more than 2 years ago | (#39608073)

There's something of an emerging generational issue. I don't know exactly why, but I've read of a number of studies on the subject - it seems that email just isn't used by the younger internet population. They've abandoned it in favor of social networking and instant messaging, mostly the former.

Re:without the knowledge of the site visitor (5, Insightful)

mwvdlee (775178) | more than 2 years ago | (#39607777)

Hmmmm, no... intercepting and changing internet packages is evil.

Re:without the knowledge of the site visitor (1)

1u3hr (530656) | more than 2 years ago | (#39607935)

My ISP keeps trying to inject a message into HTTP traffic when we reach 75% of our monthly download limit.

Why screw around with that instead of just sending you an email? If you block it and get cut off, no skin off their nose.

Re:without the knowledge of the site visitor (2)

Tsingi (870990) | more than 2 years ago | (#39607507)

I can't see this being any better or worse than ISP's hijacking DNS lookups and returning search pages, instead of a fail (Which is what they are supposed to do.)

Re:without the knowledge of the site visitor (1)

Anonymous Coward | more than 2 years ago | (#39607819)

Indeed, had some site users a couple of years back on a 'free' ISP, the ISP were inserting ads into their forum posts, then filtering the same ads for people on the service so that the people making the posts didn't even know they'd had ads inserted into their forum posts...

Some ISP's do stuff like this as well (1)

Joe_Dragon (2206452) | more than 2 years ago | (#39607431)

Some ISP's do stuff like this as well

Seen it too! (1)

Anonymous Coward | more than 2 years ago | (#39607441)

I was at a Hampton Hotel and noticed it. It was very annoying (randomly changed words into links which popped up ads when hovered).

Guess the $120 a night I was paying wasn't enough for 1/100th of a Broad band connection, they also needed the $.00001 per ad impression too.....

Complimentary breakfast was good though.

Re:Seen it too! (1)

Joe_Dragon (2206452) | more than 2 years ago | (#39607955)

What about the resort fee that is forced and has the internet as part of it.

Yay a New Arms Race! (1)

ohnocitizen (1951674) | more than 2 years ago | (#39607449)

I wonder if there is a way to consistently detect and remove/alter these ads? A nice "Marriot is trying to advertise at you" text notice. A new browser extension perhaps?

Re:Yay a New Arms Race! (5, Interesting)

History's Coming To (1059484) | more than 2 years ago | (#39607681)

There's a simpler solution - if I write a web page and somebody copies all of my text and graphics as part of an advert (without my permission) then it's a fairly clear copyright infringement. So if you find a hotspot doing this just navigate to one of your own web pages and then sue the operator for copying your work and serving it up as an advert.

Re:Yay a New Arms Race! (5, Interesting)

93 Escort Wagon (326346) | more than 2 years ago | (#39608211)

There's a simpler solution - if I write a web page and somebody copies all of my text and graphics as part of an advert (without my permission) then it's a fairly clear copyright infringement. So if you find a hotspot doing this just navigate to one of your own web pages and then sue the operator for copying your work and serving it up as an advert.

Or, better yet, send an email to each significant site you've visited while at Marriott and tell them what's going on. It's likely they've got deeper pockets than you do. Most probably won't bother to go after the hotel; but it only takes one.

HTTPS everywhere (1)

DrYak (748999) | more than 2 years ago | (#39607815)

Use HTTPS Everywhere extension (currently for FireFox, I don't know about chrome equivalents).

This will make everything coming to you as an encrypted stream, by passing the Hotspot's rewritting.
Or the Hotspot will attempt to Man-In-The-Middle Attack your encrypted stream (decrypt it itself, as if they were a normal client like you, and then re-encrypting it before sending it to you, as is they were a server. Except they don't know the original private encryption keys, so they will need to use another private key). In that case, it's harder for you to bypass the ads, but HTTPS Everywhere 2.0 or newer or Certificate Patrol will both be able at least to detect the unusual switch of encryption key.

A harder to bypass way would be to use a SOCKS proxy over SSH ("ssh -D" under unices, or corresponding setting in PuTTY under Windows).

If SSH connections are blocked, use corckscrew to try connecting over a HTTPS proxy.
Or use some HTTP tunnel.

At worst, use a DNS tunnel. Much slower, but almost always work.

The latest step are more Geek's last measure. But HTTPS everywhere is currently a must on any laptop.

Captive Portals Do That You Know? (4, Interesting)

TemplePilot (2035400) | more than 2 years ago | (#39607479)

Thats right Captive Portal operators routinely inject advertisements either for their own operations or to suplement the donation button's found on the captive portal login at coffee shops, hotels and so on. Its a fairly common way to monetize what to a consumer might just be a temporary waystation to access the internet for free an hour or so. Often once some kind of payment has been tendered those 'ads' can be made to go away by the captive portal operator if they so choose. Sometimes CPO's even drop people into a walled garden featuring local businesses so you can freely web-shop the neighborhood once your free 2 hours is up. So you either pay or wait 24 hours when the captive portal resets. Usually a captive portal is a combination of server-router-software solutions and they don't exactly come cheaply irregardless what you might've been led to believe. Its an interesting side business if you have the time and witherwhal.

Re:Captive Portals Do That You Know? (-1, Flamebait)

EdIII (1114411) | more than 2 years ago | (#39607569)

Mental speedbump in ......

irregardless

Your post was going so well right up to that point :)

Hint: That's not a word.

Otherwise, very interesting.

Re:Captive Portals Do That You Know? (0)

sotweed (118223) | more than 2 years ago | (#39607593)

You want he shoulda said irregardful?

Re:Captive Portals Do That You Know? (0)

Anonymous Coward | more than 2 years ago | (#39607621)

Yes it is. Learn how language works and come back later.

Re:Captive Portals Do That You Know? (3, Interesting)

mikkelm (1000451) | more than 2 years ago | (#39608071)

So you're asking him to learn how language works because he objects to people who make up contradictory words as a consequence of apparently not understanding how the language that they're using works. I don't generally have a problem with new words to explain new concepts, or even new words to explain existing concepts, but making up a new word consisting of an existing word with the same definition, preceded by a prefix that typically serves to negate the following word, that's just.. well.. dense.

Wouldn't it be easier if people just used the right words?

Re:Captive Portals Do That You Know? (1)

admdrew (782761) | more than 2 years ago | (#39608223)

Wouldn't it be easier if people just used the right words?

Yes, it would, but did you really have that much difficulty understanding TemplePilot's post with a nonstandard word in it?

Re:Captive Portals Do That You Know? (3, Informative)

eht (8912) | more than 2 years ago | (#39607647)

Hint, that is a word. From Merriam Webster

http://www.merriam-webster.com/dictionary/irregardless [merriam-webster.com]

"The most frequently repeated remark about it is that âoethere is no such word.â There is such a word, however."

Just because you choose to not recognize it, even though you understand perfectly what he meant by it, shows your ignorance. By the way, ain't is a word too, well a contraction at any rate.

Re:Captive Portals Do That You Know? (-1, Offtopic)

admdrew (782761) | more than 2 years ago | (#39608189)

Just like "ain't", I would never use "irregardless" in an serious writing. I also personally don't use it in other situations because I think its inception was born out of ignorance (versus convenience) and lowers the quality of my speech. There are obviously different levels of acceptance of nonstandard language, and I suspect most that know what "irregardless" is would heed M-W's advice: "It is still a long way from general acceptance. Use regardless instead."

Re:Captive Portals Do That You Know? (2)

admdrew (782761) | more than 2 years ago | (#39608215)

...that said, I think the person who said "Hint: That's not a word." totally derailed the conversation and took away from what TemplePilot was trying to say. (sorry for the double post)

Re:Captive Portals Do That You Know? (1)

Anonymous Coward | more than 2 years ago | (#39607657)

Or perhaps it is a word, just not accepted as a proper part of the English language at this time.

http://grammar.quickanddirtytips.com/irregardless.aspx [quickanddirtytips.com]

In other words it's accepted that people are using the word and as such is in most dictionaries but it isn't considered a proper part of the English language at this time. That may change at some point in the future. Though it likely won't be any time soon.

Re:Captive Portals Do That You Know? (2)

spire3661 (1038968) | more than 2 years ago | (#39607701)

Hint: Usage defines what is a word. People use 'irregardless', even if you think its wrong, it is a word. Dictionaries are not the end all be all of language either. A dictionary isnt all inclusive, it is not a listing of all 'proper' words, thats a fallacy. Its a best effort to put as many well defined words as possible in one place.

Re:Captive Portals Do That You Know? (0)

Anonymous Coward | more than 2 years ago | (#39607771)

Shit like this leads to "I could care less" or "I literally ..." (meaning figuratively) and other bullshit. No. Use the words correctly, and drop absolute abominations like "irregardless". Sure, you might think it's OK, but I and many like me will judge you to be likely a drooling imbecile if you do.

Re:Captive Portals Do That You Know? (2)

Nidi62 (1525137) | more than 2 years ago | (#39607867)

Shit like this leads to "I could care less" or "I literally ..." (meaning figuratively) and other bullshit. No. Use the words correctly, and drop absolute abominations like "irregardless". Sure, you might think it's OK, but I and many like me will judge you to be likely a drooling imbecile if you do.

I literally could care less if you think I'm a drooling imbecile

Re:Captive Portals Do That You Know? (2)

mrmeval (662166) | more than 2 years ago | (#39607599)

DD-WRT has had this for a while now.

http://blog.anchorfree.com/news-events/ad-supported-wi-fi-network-launches/ [anchorfree.com]

"Consumers on an AnchorFree hotspot are presented with a display ad that remains at the top of the screen with every Web site they visit, and those ads can be contextually matched to the content on each page, according to Mark Smith, EVP strategy and product development for AnchorFree."

Re:Captive Portals Do That You Know? (1)

ericloewe (2129490) | more than 2 years ago | (#39607941)

Usually a captive portal is a combination of server-router-software solutions and they don't exactly come cheaply irregardless what you might've been led to believe. Its an interesting side business if you have the time and witherwhal.

Actually pfSense does that (at least most of it) for free. So does DD-WRT, I've heard.

I'm sure he agreed to this in the TOS. (3, Informative)

Vandil X (636030) | more than 2 years ago | (#39607481)

Whether it's free Wi-Fi or paid Wi-Fi, read those Terms of Service. I'm sure this activity was disclosed in theire either explicitly or with ambiguous language. As the saying goes: Don't like it? Don't use it.

Re:I'm sure he agreed to this in the TOS. (3, Interesting)

Chrisq (894406) | more than 2 years ago | (#39607559)

Whether it's free Wi-Fi or paid Wi-Fi, read those Terms of Service. I'm sure this activity was disclosed in theire either explicitly or with ambiguous language. As the saying goes: Don't like it? Don't use it.

Where would you draw the line?

Adding adverts for their hotel?
Switching adverts for other hotels to theirs?
Removing negative reviews of their hotel, or changing the rating?
Removing news items supporting a political party the owners don't favour?
Adding fictitious negative news stories about a political party the owners don't favour?

In my view as soon as you start delivering content that has been changed from that the original author intended (except under complete control of the user such as adblock) then you are on dodgy ground.

Re:I'm sure he agreed to this in the TOS. (1)

joocemann (1273720) | more than 2 years ago | (#39607723)

Here here!

imho, a business would not, in good faith, offer 'free' services under the legalese shroud to actually modify and distort what a client would faithfully consider to be happening....

in other words, this is dishonest business practice, even if its in a ToS or EULA.

Re:I'm sure he agreed to this in the TOS. (0)

Anonymous Coward | more than 2 years ago | (#39607587)

As the saying goes: Ignoring a problem doesn't make it go away.

Re:I'm sure he agreed to this in the TOS. (1)

joocemann (1273720) | more than 2 years ago | (#39607749)

As the saying goes "protect yourself with awareness, but let your neighbors burn in the fire of ignorance".

'the market' isnt the answer to everything.

Re:I'm sure he agreed to this in the TOS. (1)

Culture20 (968837) | more than 2 years ago | (#39607859)

Did they have the rest of the world wide web sign the terms of service so that their copyrighted works could be modified and used for profit?

Re:I'm sure he agreed to this in the TOS. (1)

gdshaw (1015745) | more than 2 years ago | (#39608089)

Whether it's free Wi-Fi or paid Wi-Fi, read those Terms of Service. I'm sure this activity was disclosed in theire [...]

Even if that lets them off the hook so far as the user is concerned, the website owner is not a party to those terms of service.

Re:I'm sure he agreed to this in the TOS. (0)

Anonymous Coward | more than 2 years ago | (#39608109)

but can i send them a bill for advertising on my site.

Copyright infringement? (3, Interesting)

Filter (6719) | more than 2 years ago | (#39607505)

Wouldn't this be copyright infringement? The web page as you intended is your creative work, they are altering and distributing your work. I don't think you are allowed to do that.

   

Re:Copyright infringement? (0)

Anonymous Coward | more than 2 years ago | (#39607651)

Wouldn't this be copyright infringement? The web page as you intended is your creative work, they are altering and distributing your work. I don't think you are allowed to do that.

 

Yes it is, but it hasn't stopped Phorm or NebuAd from still trying it.

Re:Copyright infringement? (1)

folderol (1965326) | more than 2 years ago | (#39607965)

Not only is it definitely copyright infringement (but try doing anything unless you have huge wads of spare cash) but it doesn't matter what T&C the ISP tries to put on their users, it's not the users that own the copyright!

No. (1)

Vandil X (636030) | more than 2 years ago | (#39608091)

1. The websurfer agrees to a Terms of Service that allows the ISP to make changes to inbound website page requests.
2. The websurfer proceeds to request pages from a remote webserver. The ISP injects ads as the customer consented.


No where in this was the remote webserver compromised or hacked. The website still loads as the content owner designed on computers accessing the website through ISPs that have not adjusted the content. Since the customer is agreeing to allow the ISP to alter his web browsing experience in exchange for Internet Access, this is permissible. Unethical, perhaps, but permissible. Certainly not compyright infringement.

Re:No. (2)

overnight_failure (1032886) | more than 2 years ago | (#39608175)

Assuming this is copyright infringement, your logic is wrong. Just because the consumer of the product agrees to receiving modified content, it does not allow someone to modify a copyrighted work.

Re:No. (1)

corsec67 (627446) | more than 2 years ago | (#39608177)

So, I can make a TOS that you agree to which allows me to violate the copyright of CNN.com and send that to you?

Re:No. (1)

user32.ExitWindowsEx (250475) | more than 2 years ago | (#39608209)

By inserting the ads without telling the site owner (and obtaining approval) the ISP is creating an copyright-infringing derivative work.

Great idea (2)

ickleberry (864871) | more than 2 years ago | (#39607545)

You can make money from running an open wifi AP. I might try this myself and replace all google ads with my own, also deprive the Goog of some money for their driverless car pet project

Re:Great idea (0)

Anonymous Coward | more than 2 years ago | (#39607755)

I doubt it works. Google checks that the sites has the code or not.

I think this is a business model in use (2)

ODBOL (197239) | more than 2 years ago | (#39607831)

I can't tell if you are joking or being sarcastic here. I'm pretty sure that you have just described a business model in actual use. It seemed to be promoted by Meraki as a way to make money with their wireless boxes.

I also believe that there was a dispute some years ago regarding television broadcasts inserting advertisements as if they were posted on the fences at baseball stadiums.

I would greatly appreciate reliable pointers that anyone could provide to these behaviors. I will try to find some later. For now, this is what I remember, and I think it's right, but it hasn't been checked.

Re:I think this is a business model in use (1)

SuricouRaven (1897204) | more than 2 years ago | (#39608139)

When I was with Virgin cable (I'm not now) they actually inserted ads into the channels themselves - you could tell because their editing tended to be off by a couple of seconds, and because the adverts were invariably for Virgin cable/phone/internet. They only advertised themselves, and I assume that a huge payment was made to the channel providers to get them to agree to such editing. This was years ago though, so they probably don't do it any more.

It's a copyright violation. (4, Insightful)

sotweed (118223) | more than 2 years ago | (#39607563)

IANAL, and I don't play one on TV, but it seems pretty clearly a violation of a web site's copyright to do this. A web page
is a visual work, and at least for any country that is party to the Bern Convention (this includes the US and most or all of Europe),
a page is copyright even if it doesn't say so. So for the hotel or ISP to modify the page, especially when it is being paid to do so,
seems a clear violation. Some web site should make a big stink (lawsuit!) about this and put an end to the practice. I think it wouldn't
be a difficult case to win, particularly with all the other copyright enforcement actions going on (MPAA, etc.).

I wonder if a similar case can be made for organizations like health clubs that show TV programs at the wrong aspect ratio, making
people look as if they're 20% fatter (wider) than they actually are...

Re:It's a copyright violation. (2)

sprior (249994) | more than 2 years ago | (#39608057)

Actually I think you'd use an MPAA case as a precedent. Wasn't there a case from the MPAA against a company that was creating a side editing track to cut out the bad(good) parts of a movie to reduce it from R to PG-13?

those clever bastards! (1)

FudRucker (866063) | more than 2 years ago | (#39607627)

someone should crack it and turn it in to something useful like advertising for something free & open source like Linux, Debian, Emacs or Vim

Re:those clever bastards! (1)

rrohbeck (944847) | more than 2 years ago | (#39608115)

Inject ads for porn sites. That'll get some attention.

oh good good--we now have step 2. (0)

Anonymous Coward | more than 2 years ago | (#39607643)

Marriot you say?

Time to register a copyright on my webpage, put up a local bulletin board offering $100 per screenshot of my website, and then offer their legal department the chance to settle for $2,000 per infringement, an 80% saving over the statutory rate...

VPN (3, Insightful)

SuperTechnoNerd (964528) | more than 2 years ago | (#39607715)

So set up an encrypted tunnel to your home machine and set it up so you can browse the web through the tunnel as if you were at home. Slower perhaps, but worth it. If they are injecting stuff, then what else are they doing? Looking at your traffic?

Re:VPN (2)

FudRucker (866063) | more than 2 years ago | (#39607901)

goats.cx the front desk if they are snooping on people's browsing habits, after some of that i bet they get disgusted and quit

Not exactly news (1)

element-o.p. (939033) | more than 2 years ago | (#39607759)

I work for an ISP, and we had a vendor try to sell us a box that would insert ads into downloaded web pages. My boss and I kicked the idea around for about half a second before turning our noses up at it.

Having said that, as a consumer, I wouldn't care if someone providing free WiFi inserted ads to offset the cost of providing bandwidth as long as the ads weren't too egregious. If you are providing a service that I value for free, then I don't care if you throw a few ads up to generate some revenue to fund your free service. For example, I've started seeing targeted ads on some web pages I visit, and quite frankly I don't much mind seeing ads for motorcycle parts and camping gear (two of my interests) when viewing web pages. Viagra and match.com, on the other hand...not so much.

The difference between this and what the vendor was trying to sell the company I work for is that we are already charging our customers for bandwidth. Inserting an ad on their connection after they've already paid to receive service seemed just a little...sleazy. WiFi at a hotel would seem similar to the ISP example.

China (0)

Anonymous Coward | more than 2 years ago | (#39607775)

This is standard practice here in China. Whenever I'm not using my VPN, my ISP injects code to pages I visit that opens a pop-up window with ads. It is quite annoying as you can imagine. I've seen this at multiple locations, so it's not specific to this one ISP.

HTML modification going on since 2007 or earlier (3, Interesting)

ODBOL (197239) | more than 2 years ago | (#39607779)

In November 2007, I bought a wireless box from Meraki (http://www.meraki.com/). I intended to use it to provide a free wireless hotspot for my neighborhood, and to be ready to peer with any neighbor who chose to work on the grassroots network. These were primarily symbolic acts, since neither service is likely to get much use in my neighborhood.

In most respects, the Meraki box appeared to do a good job of exactly what I wanted. But I noticed a little blank stripe at the top of Web pages. I found that Meraki hacked HTTP packets to add that stripe. As owner, I was able to set the contents of the stripe (e.g., to advertise myself as the provider of the free hotspot, or to ask for payment if it's not free). But, I was not able to eliminate the stripe. I called support, and they confirmed that the stripe is not optional, but its contents are owner controlled. I sent the box back for a refund. I understand why Meraki provided the feature (I don't like it, but I understand). I don't understand why they made it impossible to turn it off. They were very good about delivery, support, and refund in all other respects.

I think that Open Mesh (http://www.open-mesh.com/) provides something like the Meraki box, but cheaper and transparent to all Internet traffice. I have not tried their products yet.

For the time being, I just leave my Tomato (http://www.polarcloud.com/tomato) box unprotected, and I think that people occasionally park in front of my house to use the network. But there's no chance of peering to help avoid the last-mile bottleneck.

Re:HTML modification going on since 2007 or earlie (1)

nurb432 (527695) | more than 2 years ago | (#39608225)

people occasionally park in front of my house to use the network

Or they are casing the house, as since you are 'above' the average end user out there they know you have some electronics in there they might want to steal..

Never seen before? (2)

fermion (181285) | more than 2 years ago | (#39607791)

He said in an interview that he had never seen an Internet provider modifying Web pages that a person visits.

I guess this speaks to inexperience of the web developer. It was not long ago that ISPs were trying to do this. It was not that long ago that web developers put third content within a frame along with ads that generated personal revenue. AFAIR, this idea of pushing personal ads over third party content is as old as the mass advertising on the web. And I know some ISPs specifically did this.

This is a negative practice. It is one of the primary reason used to justify web blockers. While one might trust the website, there are many ways to inject other ads and content into a web page. As such, it is best, from a security perspective, not to load ads.

Huh? (0)

Anonymous Coward | more than 2 years ago | (#39607803)

And this guy claims he's a web developer and this is the first time he has ever seen someone do something like this before?

Yeah, he's some web developer all right. He may know how to write HTML a bit, but he obviously is lacking in a few other tools of the trade or in his own personal knowledge / experience...

Old news. Move along.

So? (0)

Anonymous Coward | more than 2 years ago | (#39608003)

"I have news for you. When Roscius was an actor in Rome..."

Remember free Dial-Up Providers from the 1990s? (2)

Vandil X (636030) | more than 2 years ago | (#39608179)

In the 1990s, there used to be tons of free dial-up ISP providers that gave you free access so long as you agreed to surf the web through their branded version of Internet Explorer that framed websites in ads. Some providers required you to click the ads so many times within a certain interval of time or get disconnected.

I'm sure these frames and banner ads "violated" the design of websites that were browsed by these users, but since the websites themselves were not hacked or damaged and displayed correctly on the computer screen of those not using ad-managed ISPs/web browsers, there is probably not a tangible copyright issue.

Hotel Wi-Fi is just the modern version of this same model, albeit without using software or requiring ad clicks.

Nothing is free (1)

nurb432 (527695) | more than 2 years ago | (#39608185)

They have to pay the bills somehow. A bigger deal would be if they were removing others ads..

Don't like ads, don't use their service or block them.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...