Some Hotspot Operators Secretly Intercept, Insert Ads In Web Pages

Posted by timothy
from the it's-only-wafer-thin dept.
An anonymous reader writes with this excerpt from the NYT's "Bits" column: "Justin Watt, a Web engineer, was browsing the Web in his room at the Courtyard Marriott in Midtown Manhattan this week when he saw something strange. On his personal blog, a mysterious gap was appearing at the top of the page. After some sleuthing, Mr. Watt, who has a background in developing Web advertising tools, realized that the quirk was not confined to his site. The hotel's Internet service was secretly injecting lines of code into every page he visited, code that could allow it to insert ads into any Web page without the knowledge of the site visitor or the page's creator."
  • by readandburn (825014) on Saturday April 07, 2012 @01:32PM (#39607411)
    I don't think this is news. (Yes, I must be new here.....)
    • by khasim (1285) <brandioch.conner@gmail.com> on Saturday April 07, 2012 @01:38PM (#39607453)

      Well, if you use Firefox that is.

      If the connection between you and the website is encrypted, no one can add code to it.

      • by hairyfeet (841228) <bassbeast1968@@@gmail...com> on Saturday April 07, 2012 @02:41PM (#39607889) Journal

        Weird question: Do you surf porn? Does that HTTPS trick stop the Firefox porn bug? Because one of the reasons I switched my users away from FF was the FF porn bug. Don't ask me to give an in-depth explanation as I'm not an HTML guy but from what I could pick up here is how it basically works: Dude looks at porn, porn page has script that opens a hidden iFrame and uses FF autocomplete to log into their Yahoo mail and then spam the address book. From my tests with a couple of fake Yahoo accounts it ONLY seems to work on FF and on the new Yahoo layout, no other combo like Chrome and Gmail, IE and Hotmail seems to work. If you want to see how many sites have that bug now put a master password on your password list and see how many times the master password dialog pops up, on several porn sites it's pretty much pop up city. Since so many of the guys kept sending me "How come I'm spamming and I don't have a bug?" I switched them to Comodo Dragon as it works with low rights mode and doesn't have the bug.

        As for TFA what does anyone expect? TINSTAAFL and with the economy in the shitter hotels are frankly doing lousy business and I'm sure those ads make their "free Wifi" truly free for the hotel, so surprise surprise they add the ads. Would you rather have this, or have to pay for the Wifi, or have it like AT&T where every so many minutes you are stopped cold and forced to watch a commercial? Personally I'd choose door #1, but of course I've got ABP in Dragon so it don't affect me either way.

        • by Skapare (16644) on Saturday April 07, 2012 @03:31PM (#39608187) Homepage

          More than just porn sites do this. Many others, like LinkedIn, are more benign, just using your contacts list from your web email provider(s) to push you to find more people you know within LinkedIn. They don't spam or auto-add anyone. But it's still a concern. I use separate browsers for every signed-in site I visit, so LinkedIn can't get to my Gmail account, for example. I was prompted by LinkedIn to enter my password for those sites (I'd never do that). I don't know if they would prompt if the same browser instance was already logged in (I'd never do that).

          Browsers should, and maybe FF now does, firewall JS code and data by hostname. Of course that would break using alternate servers for things like static images. But that's fixable by using the base name (remove the "www" part if that's on the name), and allowing access to hostnames that have name components added in front. So site slashdot.org could access images.slashdot.org. But tech.slashdot.org cannot access images.slashdot.org but can access images.tech.slashdot.org (so all sites just need to make their auxiliary servers named as child hostnames of the base hostname). The same wall should apply to Java and Flash, too (in addition to walls blocking access to the filesystem except as configured to be allowed into specific areas).

          I've not done any tests of such security in FF, Chrome, or any other browser. Have fun.
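Skapare's proposed hostname rule above, worked through as an added example (it is not part of any comment in this thread and is not any browser's actual policy): a page's base name is its hostname minus a leading "www", and the page may reach only that name or hostnames with labels added in front. The function names, the host `ads.hotspot.example` and the sample URLs are hypothetical and constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit


def normalize_host(url_or_host):
    """Lowercase hostname, without port or trailing dot, from a URL or bare host."""
    value = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = urlsplit(value).hostname
    if not host:
        raise ValueError(f"no hostname in {url_or_host!r}")
    return host.rstrip(".").lower()


def is_ip_literal(host):
    """IP addresses have no parent/child naming, so they only match exactly."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def base_name(host):
    """Drop a leading 'www' label, as the comment suggests, if a name remains."""
    labels = host.split(".")
    if len(labels) > 2 and labels[0] == "www":
        labels = labels[1:]
    return ".".join(labels)


def may_access(page, resource):
    """True if `resource` is the page's base name or a child hostname of it."""
    page_base = base_name(normalize_host(page))
    target = normalize_host(resource)
    if is_ip_literal(page_base) or is_ip_literal(target):
        return page_base == target
    # Compare on a label boundary so "evilslashdot.org" is not treated
    # as a child of "slashdot.org".
    return target == page_base or target.endswith("." + page_base)


def blocked_resources(page, resources):
    """Return the resources a page would be denied under the rule."""
    return [r for r in resources if not may_access(page, r)]


# Constructed sample: resources referenced by a page on tech.slashdot.org,
# including a script from an unrelated (constructed) host.
SAMPLE_RESOURCES = [
    "http://images.tech.slashdot.org/logo.png",
    "http://images.slashdot.org/logo.png",
    "http://tech.slashdot.org/style.css",
    "http://ads.hotspot.example/inject.js",
]

if __name__ == "__main__":
    for url in blocked_resources("http://tech.slashdot.org/story", SAMPLE_RESOURCES):
        print("denied:", url)
```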

    • by improfane (855034) * on Saturday April 07, 2012 @01:38PM (#39607459) Journal

      This is why websites need to publish policy files a bit like ABE (Application Boundaries Enforcer) [noscript.net]. This would mean that a website would publish what resources that site can request and destinations that are not in that policy are not loaded. Unfortunately if they can intercept anything that you are served then the injector can just modify the policy file too. Perhaps signed policy file could solve this?

      Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included. (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...

      (Although the guy who wrote ABE/NoScript should be considered in caution because of what he did to NoScript users in the past. He deliberately removed NoScript blocks for his own website so he could raise money on his plugin update page that opens after updates.)

      • Re:HTTP Policies (Score:4, Interesting)

        by icebike (68054) * on Saturday April 07, 2012 @02:10PM (#39607689)

        Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included. (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...

        They might be able to pull this off, but the revenue they could earn off of such a scheme would never pay the lawyer bills. One could argue this would be a DMCA violation. (In fact, they seem to be on shaky legal ground altering unencrypted streams. It is after all, a form of scraping and perhaps copyright violation [wikipedia.org].)

        The drop everything to HTTP would certainly be noticed.

      • Re:HTTP Policies (Score:5, Interesting)

        by bbecker23 (1917560) on Saturday April 07, 2012 @02:16PM (#39607731)

        Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included. (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...

        I've seen some novel approaches to working around SSL but most will tip off the end-user. I run a throttled honeypot on my home network with some ad-injection. I get a couple dollars a month from it, the neighbors get free internet, and it seriously cut down on the number of auth-attempts against the secured side of my router. Most of the injectors just catch and sniff packets for webpages (trying to inject into, say, SSH would bork everything) and insert an ad frame. I'll have to test how my setup handles a secured session but I've seen instances of SSL sessions being wrapped in a framed unsecured page (mostly at hotels and airports). Newer browsers (Firefox and Chrome anyway, no Windows box to test on) will pitch a fit about this but if you're connecting to an unsecured network, I doubt security is much of a priority.

      • Re:HTTP Policies (Score:4, Informative)

        by Restil (31903) on Saturday April 07, 2012 @03:34PM (#39608217) Homepage

        While they couldn't insert code into an encrypted session, they COULD perform a man in the middle attack and accomplish the same thing, provided the user decided to override the certificate warning (which I'm guessing most people would). A more secure solution would be to do all the browsing over a ssh tunnel. That too could be intercepted, but it's less likely, and ssh will catch such an attempt provided the tunnel was first initiated over a trusted connection, so at least you'd be able to avoid using the service if you know it's going to be insecure.

        What's ironic is the fact that the cheap hotels that are out in the middle of nowhere have great, highspeed, well covered wifi with mostly unrestricted or completely unrestricted hotspots (most of the time, all you have to do is agree to a clickthrough agreement, and you're good to go). But go to a big hotel in the city for a convention or something and they want to charge $15 a day for it. I'd just grown accustomed to tethering my cellphone in those instances since I got higher speeds from that than I did from the hotel wifi.

        -Restil

        • by b4dc0d3r (1268512) on Saturday April 07, 2012 @04:12PM (#39608463)

          How is that ironic? Big hotels in the city pay outrageous prices for land, and operating costs are much higher. Everything costs more in a big city because everything costs more. And people will pay because they are used to paying for little things like that.

          This is how big cities work. Let me guess, you were expecting prices to be based on cost? Oh, well that's not how the world works.

          • Re:HTTP Policies (Score:5, Insightful)

            by colinrichardday (768814) <colin.day.6@hotmail.com> on Saturday April 07, 2012 @05:59PM (#39609093)

            You say that big-city hotels have higher costs, and that they charge more for wifi because of those higher costs (maybe not of bandwidth, but other stuff). You then criticize the GP for expecting prices to be higher based on costs? Hmm. . .

          • by jasen666 (88727) on Saturday April 07, 2012 @11:53PM (#39610467)

            Bull. Shit.
            Different hotels in the same town, next door to each other, have wildly different policies. Budget hotels offer free WiFi almost universally, along with other freebies in EVERY CITY. The more you pay for your room, the more likely it is you will be nickel and dimed for every little thing you use. It's been this way forever. It makes no damn sense to me either. I get free shit with my $80 room, but with the $200 room they tack on surcharges for wiping my ass with the window open.

          • Re:HTTP Policies (Score:5, Interesting)

            by edb (87448) on Sunday April 08, 2012 @02:00AM (#39610855)

            Without exception, in traveling to >30 hotels each year for the past [wayyy too many years], the higher the per-night rate for the hotel, the more the nickel-and-dime charges for what should be included as part of the accommodations.

            < $100/night usually includes:
                - FREE wifi, unspecified throughput, non-public IP
                - FREE incoming phone calls
                - FREE incoming faxes
                - FREE outgoing phone calls up to 30 min
                - FREE computer near lobby for guest use
                - FREE document printing for reasonable # pages
                - FREE microwave oven in the room
                - FREE mini-fridge in the room
                - FREE pillows & linens on the bed
                - FREE pull-out drying line for laundry in the bathroom
                - coin-op laundry for hotel guests

            > $100/night often imposes charges for:
                - WIFI: $12.95+tax per day
                - public IP: additional $10+tax per day
                - incoming faxes: $.50/page
                - outgoing phone calls: AT&T Operator rates + 200% surcharge
                - document printing: $.50/page
                - fridge in room: $25 per night, special request
                - microwave in room: $25 per night, special request
                - linens: changed every 3 days at no charge, no discount for multi-day stay
                - laundry: 24-48 hr turnaround; $5.00 per shirt, $10.00 per pants, don't even ask about other items!

      • Re:HTTP Policies (Score:4, Informative)

        by Skapare (16644) on Saturday April 07, 2012 @03:52PM (#39608341) Homepage

        Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included. (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...

        The SSL layer already knows the hostname of where it wants to go. The signed certificate received from the connected server should have a cert for the Certificate Authority, identifying which public CA key to get from the collection the browser or SSL library has. The CA signature of the web site's cert is decrypted by that public CA key. If that works, it is then known the site cert is signed. If the site name also matches (maybe with wildcard enabled), and today's date is in the range valid for the signature, then the site cert is valid. Otherwise not, and you get that annoying security popup.

        For the proxy to insert anything, it would have to act as the end point for the SSL stream. But that setup would fail unless the proxy has the web site's certificate signed by a valid CA. If you add a new CA the proxy server used (its own), then it could do that. Otherwise they would have to convince some CA to sign certs for ALL the major sites, for use in this proxy. A bad CA could do this. You can then defeat that by removing the bad CA cert from your browser. But the hotel could defeat you by convincing you to add their local CA cert to your browser (and then the proxy can dynamically generate a fake signed cert for any site you visit if they know the name in advance, which can be done with a name server injection). You can defeat that by not allowing any of their stuff into your computer.

        If you have the means, a VPN to your own trusted network can help, though you then have slower responses. Test their network to see if you can access secured services you normally do have access to, like SSH, IMAPS, Submit/TLS. Also check to see if they have IPv6 and complain if not. Tell them "the FREE porn sites are on IPv6 only".

    • by ODBOL (197239) on Saturday April 07, 2012 @02:33PM (#39607851) Homepage

      I posted a comment below regarding Meraki wireless boxes that did this in 2007. I never experienced an actual deployment, but there must have been some.

    • by urbanriot (924981) on Saturday April 07, 2012 @03:33PM (#39608205)
      Yea, I was going to post the same, but more as a statement rather than a question, perhaps welcoming the poster to the internet. I'm sure this has been on Slashdot before, probably since there was a Google.
  • by xaosflux (917784) on Saturday April 07, 2012 @01:33PM (#39607429) Homepage

    Of course this is in no way limited to hotels, even ISPs have been shown to do this. Using Client-Server encryption like SSL should easily bypass that.

  • by Joe_Dragon (2206452) on Saturday April 07, 2012 @01:33PM (#39607431)

    Some ISPs do stuff like this as well

  • by ohnocitizen (1951674) on Saturday April 07, 2012 @01:37PM (#39607449)
    I wonder if there is a way to consistently detect and remove/alter these ads? A nice "Marriott is trying to advertise at you" text notice. A new browser extension perhaps?
    • by History's Coming To (1059484) on Saturday April 07, 2012 @02:09PM (#39607681) Journal
      There's a simpler solution - if I write a web page and somebody copies all of my text and graphics as part of an advert (without my permission) then it's a fairly clear copyright infringement. So if you find a hotspot doing this just navigate to one of your own web pages and then sue the operator for copying your work and serving it up as an advert.
      • by 93 Escort Wagon (326346) on Saturday April 07, 2012 @03:34PM (#39608211)

        There's a simpler solution - if I write a web page and somebody copies all of my text and graphics as part of an advert (without my permission) then it's a fairly clear copyright infringement. So if you find a hotspot doing this just navigate to one of your own web pages and then sue the operator for copying your work and serving it up as an advert.

        Or, better yet, send an email to each significant site you've visited while at Marriott and tell them what's going on. It's likely they've got deeper pockets than you do. Most probably won't bother to go after the hotel; but it only takes one.

      • by Xtifr (1323) on Saturday April 07, 2012 @05:43PM (#39609001) Homepage

        Yes, I'd love to see the bastards sued over this! And I think the Grateful Dead might be a great organization to launch such a suit. They have a couple of advantages: 1) for their "free" music, they have a license similar to CC-NC, but it predates CC-NC by many years, and explicitly forbids Internet advertising (some people claim that the CC-NC is a little vague about this), and 2) one of their songwriters is a lawyer and, moreover, not just any lawyer--he's one of the founders of the EFF (John Perry Barlow).

    • by DrYak (748999) on Saturday April 07, 2012 @02:29PM (#39607815) Homepage

      Use HTTPS Everywhere extension (currently for Firefox, I don't know about Chrome equivalents).

      This will make everything coming to you as an encrypted stream, bypassing the Hotspot's rewriting.
      Or the Hotspot will attempt to Man-In-The-Middle Attack your encrypted stream (decrypt it itself, as if they were a normal client like you, and then re-encrypting it before sending it to you, as if they were a server. Except they don't know the original private encryption keys, so they will need to use another private key). In that case, it's harder for you to bypass the ads, but HTTPS Everywhere 2.0 or newer or Certificate Patrol will both be able at least to detect the unusual switch of encryption key.

      A harder to bypass way would be to use a SOCKS proxy over SSH ("ssh -D" under unices, or corresponding setting in PuTTY under Windows).

      If SSH connections are blocked, use corkscrew to try connecting over a HTTPS proxy.
      Or use some HTTP tunnel.

      At worst, use a DNS tunnel. Much slower, but almost always works.

      The latest steps are more a geek's last measure. But HTTPS Everywhere is currently a must on any laptop.

  • by TemplePilot (2035400) on Saturday April 07, 2012 @01:41PM (#39607479) Journal
    That's right, Captive Portal operators routinely inject advertisements either for their own operations or to supplement the donation buttons found on the captive portal login at coffee shops, hotels and so on. It's a fairly common way to monetize what to a consumer might just be a temporary waystation to access the internet for free an hour or so. Often once some kind of payment has been tendered those 'ads' can be made to go away by the captive portal operator if they so choose. Sometimes CPOs even drop people into a walled garden featuring local businesses so you can freely web-shop the neighborhood once your free 2 hours is up. So you either pay or wait 24 hours when the captive portal resets. Usually a captive portal is a combination of server-router-software solutions and they don't exactly come cheaply regardless of what you might've been led to believe. It's an interesting side business if you have the time and wherewithal.
  • by Vandil X (636030) on Saturday April 07, 2012 @01:42PM (#39607481)
    Whether it's free Wi-Fi or paid Wi-Fi, read those Terms of Service. I'm sure this activity was disclosed in there either explicitly or with ambiguous language. As the saying goes: Don't like it? Don't use it.
    • by Chrisq (894406) on Saturday April 07, 2012 @01:51PM (#39607559)

      Whether it's free Wi-Fi or paid Wi-Fi, read those Terms of Service. I'm sure this activity was disclosed in there either explicitly or with ambiguous language. As the saying goes: Don't like it? Don't use it.

      Where would you draw the line?

      Adding adverts for their hotel?
      Switching adverts for other hotels to theirs?
      Removing negative reviews of their hotel, or changing the rating?
      Removing news items supporting a political party the owners don't favour?
      Adding fictitious negative news stories about a political party the owners don't favour?

      In my view as soon as you start delivering content that has been changed from that the original author intended (except under complete control of the user such as adblock) then you are on dodgy ground.

      • by joocemann (1273720) on Saturday April 07, 2012 @02:15PM (#39607723)

        Hear, hear!

        imho, a business would not, in good faith, offer 'free' services under the legalese shroud to actually modify and distort what a client would faithfully consider to be happening....

        in other words, this is dishonest business practice, even if it's in a ToS or EULA.

      • by admdrew (782761) on Saturday April 07, 2012 @03:44PM (#39608283) Homepage

        I think the line is drawn at the addition of content, versus modifying or removing content from the sites you visit. It's analogous to television; produced programs don't have control of the timing or content of the ads *added* during broadcast, but they know that their show's content won't be modified or edited out (simplification, of course, since networks obviously have ultimate editing power behind their own shows).

        If (when?) ISPs at any level (since the hotel in this fashion is operating as an ISP to its patrons) start modifying or removing code/content from the sites they serve up, I think there may be more public outcry - I hope.

        EDIT: QoS of traffic may already fit under this, since its very nature is to modify how content is served... maybe it's still 'ok' because it's still not actually changing the content? Dunno...

      • by Restil (31903) on Saturday April 07, 2012 @03:57PM (#39608377) Homepage

        At some point, it's not really worth the trouble. I can see the reasoning behind trying to make an extra buck off the customer, but in the end, they need the customer or nothing else matters, so anything that involves making the customer's stay an uncomfortable one is going to make them a non-customer in the future. Anytime you screw around with a webpage, you're greatly increasing the chances that the page will not display properly. It's hard enough as it is to code a page so that it works identically with all browsers. Inserting an ad might not be too difficult, but cherrypicking out content from them is going to be considerably more complicated.

        -Restil

    • by joocemann (1273720) on Saturday April 07, 2012 @02:19PM (#39607749)

      As the saying goes "protect yourself with awareness, but let your neighbors burn in the fire of ignorance".

      'the market' isn't the answer to everything.

    • by Culture20 (968837) on Saturday April 07, 2012 @02:34PM (#39607859)
      Did they have the rest of the world wide web sign the terms of service so that their copyrighted works could be modified and used for profit?
    • by gdshaw (1015745) on Saturday April 07, 2012 @03:10PM (#39608089) Homepage

      Whether it's free Wi-Fi or paid Wi-Fi, read those Terms of Service. I'm sure this activity was disclosed in there [...]

      Even if that lets them off the hook so far as the user is concerned, the website owner is not a party to those terms of service.

  • by Filter (6719) on Saturday April 07, 2012 @01:44PM (#39607505)

    Wouldn't this be copyright infringement? The web page as you intended is your creative work, they are altering and distributing your work. I don't think you are allowed to do that.

       

    • by Vandil X (636030) on Saturday April 07, 2012 @03:10PM (#39608091)
      1. The websurfer agrees to a Terms of Service that allows the ISP to make changes to inbound website page requests.
      2. The websurfer proceeds to request pages from a remote webserver. The ISP injects ads as the customer consented.


      Nowhere in this was the remote webserver compromised or hacked. The website still loads as the content owner designed on computers accessing the website through ISPs that have not adjusted the content. Since the customer is agreeing to allow the ISP to alter his web browsing experience in exchange for Internet Access, this is permissible. Unethical, perhaps, but permissible. Certainly not copyright infringement.
    • by Jah-Wren Ryel (80510) on Saturday April 07, 2012 @04:36PM (#39608579)

      Wouldn't this be copyright infringement? The web page as you intended is your creative work, they are altering and distributing your work. I don't think you are allowed to do that.

      I don't think so. Alteration by itself is not infringement. Redistribution by itself is infringement. So take the derivative work part out of the equation and you have what every caching proxy in the world does and that does not appear to be considered infringement.

    • by slazzy (864185) on Saturday April 07, 2012 @04:47PM (#39608643) Homepage
      I wouldn't think it would be a clear case of copyright infringement. It could be argued that the ISP putting an advertising bar at the top of a webpage is not that different from a browser toolbar containing advertising. If it turned out to be, then using programs such as adblock would also be copyright infringement or in fact viewing a webpage with images or javascript turned off in your browser? In any case it's an evil practice in which I'm sure a solution can be found, maybe web servers should send some kind of hash which can be verified by the browser to make sure nothing changed in transit.
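slazzy's idea of a hash the browser can verify, and ohnocitizen's earlier question about detecting the inserted ads, sketched as an added example (not code from any commenter): the received body is checked against a SHA-256 digest, and on mismatch the script and iframe elements are diffed against a reference copy. It assumes the digest and reference copy came from the site owner over a channel the hotspot cannot rewrite, since improfane notes above that a policy sent in the clear can be altered too; the page URL, the host `ads.hotspot.example` and both sample pages are constructed.

```python
import hashlib
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin

PAGE_URL = "http://blog.example/post"  # constructed

# Constructed reference copy, as the site owner would have for their own page.
REFERENCE = b"""<!doctype html>
<html><head><title>Blog</title>
<script src="/js/site.js"></script>
</head><body><h1>Post</h1></body></html>
"""
EXPECTED_SHA256 = hashlib.sha256(REFERENCE).hexdigest()

# Constructed copy as received through a rewriting hotspot.
RECEIVED = REFERENCE.replace(
    b"</head>",
    b'<script src="http://ads.hotspot.example/inject.js"></script>\n</head>',
)


class ActiveContent(HTMLParser):
    """Collect script/iframe sources and digests of inline scripts."""

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.page_url = page_url
        self.items = Counter()
        self._inline = None  # text chunks of the inline script being read

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src:
            # Resolve relative URLs so /js/site.js and its absolute form match.
            self.items[(tag, urljoin(self.page_url, src))] += 1
        elif tag == "script":
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            text = "".join(self._inline).strip().encode("utf-8")
            digest = hashlib.sha256(text).hexdigest()[:16]
            self.items[("inline-script", "sha256:" + digest)] += 1
            self._inline = None


def active_content(body, page_url):
    parser = ActiveContent(page_url)
    parser.feed(body.decode("utf-8", "replace"))
    parser.close()
    return parser.items


def check_response(received, expected_sha256, reference, page_url):
    """Compare a received body with the expected digest and reference copy."""
    if hashlib.sha256(received).hexdigest() == expected_sha256:
        return {"modified": False, "added": [], "removed": []}
    ref = active_content(reference, page_url)
    got = active_content(received, page_url)
    return {
        "modified": True,
        "added": sorted((got - ref).elements()),    # present only in transit copy
        "removed": sorted((ref - got).elements()),  # stripped in transit
    }


if __name__ == "__main__":
    print(check_response(RECEIVED, EXPECTED_SHA256, REFERENCE, PAGE_URL))
```

A digest mismatch with empty `added` and `removed` lists still means the body changed in transit; only the set of active elements is the same.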
  • by ickleberry (864871) <web@pineapple.vg> on Saturday April 07, 2012 @01:49PM (#39607545) Homepage
    You can make money from running an open wifi AP. I might try this myself and replace all google ads with my own, also deprive the Goog of some money for their driverless car pet project
    • by ODBOL (197239) on Saturday April 07, 2012 @02:30PM (#39607831) Homepage

      I can't tell if you are joking or being sarcastic here. I'm pretty sure that you have just described a business model in actual use. It seemed to be promoted by Meraki as a way to make money with their wireless boxes.

      I also believe that there was a dispute some years ago regarding television broadcasts inserting advertisements as if they were posted on the fences at baseball stadiums.

      I would greatly appreciate reliable pointers that anyone could provide to these behaviors. I will try to find some later. For now, this is what I remember, and I think it's right, but it hasn't been checked.

      • by SuricouRaven (1897204) on Saturday April 07, 2012 @03:22PM (#39608139)
        When I was with Virgin cable (I'm not now) they actually inserted ads into the channels themselves - you could tell because their editing tended to be off by a couple of seconds, and because the adverts were invariably for Virgin cable/phone/internet. They only advertised themselves, and I assume that a huge payment was made to the channel providers to get them to agree to such editing. This was years ago though, so they probably don't do it any more.
  • by sotweed (118223) on Saturday April 07, 2012 @01:52PM (#39607563)

    IANAL, and I don't play one on TV, but it seems pretty clearly a violation of a web site's copyright to do this. A web page
    is a visual work, and at least for any country that is party to the Berne Convention (this includes the US and most or all of Europe),
    a page is copyright even if it doesn't say so. So for the hotel or ISP to modify the page, especially when it is being paid to do so,
    seems a clear violation. Some web site should make a big stink (lawsuit!) about this and put an end to the practice. I think it wouldn't
    be a difficult case to win, particularly with all the other copyright enforcement actions going on (MPAA, etc.).

    I wonder if a similar case can be made for organizations like health clubs that show TV programs at the wrong aspect ratio, making
    people look as if they're 20% fatter (wider) than they actually are...

  • by FudRucker (866063) on Saturday April 07, 2012 @02:03PM (#39607627)
    someone should crack it and turn it into something useful like advertising for something free & open source like Linux, Debian, Emacs or Vim
  • VPN (Score:4, Insightful)

    by SuperTechnoNerd (964528) on Saturday April 07, 2012 @02:14PM (#39607715)
    So set up an encrypted tunnel to your home machine and set it up so you can browse the web through the tunnel as if you were at home. Slower perhaps, but worth it. If they are injecting stuff, then what else are they doing? Looking at your traffic?
    • by FudRucker (866063) on Saturday April 07, 2012 @02:42PM (#39607901)
      goats.cx the front desk if they are snooping on people's browsing habits, after some of that i bet they get disgusted and quit
    • by kybred (795293) on Saturday April 07, 2012 @03:44PM (#39608285)

      So set up an encrypted tunnel to your home machine and set it up so you can browse the web through the tunnel as if you were at home. Slower perhaps, but worth it. If they are injecting stuff, then what else are they doing? Looking at your traffic?

      FireFox + QuickProxy [mozilla.org] FTW!

      I use that combo when traveling. You just have to set up a machine at home to accept a ssh tunnel.

  • by element-o.p. (939033) on Saturday April 07, 2012 @02:20PM (#39607759) Homepage
    I work for an ISP, and we had a vendor try to sell us a box that would insert ads into downloaded web pages. My boss and I kicked the idea around for about half a second before turning our noses up at it.

    Having said that, as a consumer, I wouldn't care if someone providing free WiFi inserted ads to offset the cost of providing bandwidth as long as the ads weren't too egregious. If you are providing a service that I value for free, then I don't care if you throw a few ads up to generate some revenue to fund your free service. For example, I've started seeing targeted ads on some web pages I visit, and quite frankly I don't much mind seeing ads for motorcycle parts and camping gear (two of my interests) when viewing web pages. Viagra and match.com, on the other hand...not so much.

    The difference between this and what the vendor was trying to sell the company I work for is that we are already charging our customers for bandwidth. Inserting an ad on their connection after they've already paid to receive service seemed just a little...sleazy. WiFi at a hotel would seem similar to the ISP example.
  • by ODBOL (197239) on Saturday April 07, 2012 @02:23PM (#39607779) Homepage

    In November 2007, I bought a wireless box from Meraki (http://www.meraki.com/). I intended to use it to provide a free wireless hotspot for my neighborhood, and to be ready to peer with any neighbor who chose to work on the grassroots network. These were primarily symbolic acts, since neither service is likely to get much use in my neighborhood.

    In most respects, the Meraki box appeared to do a good job of exactly what I wanted. But I noticed a little blank stripe at the top of Web pages. I found that Meraki hacked HTTP packets to add that stripe. As owner, I was able to set the contents of the stripe (e.g., to advertise myself as the provider of the free hotspot, or to ask for payment if it's not free). But, I was not able to eliminate the stripe. I called support, and they confirmed that the stripe is not optional, but its contents are owner controlled. I sent the box back for a refund. I understand why Meraki provided the feature (I don't like it, but I understand). I don't understand why they made it impossible to turn it off. They were very good about delivery, support, and refund in all other respects.

    I think that Open Mesh (http://www.open-mesh.com/) provides something like the Meraki box, but cheaper and transparent to all Internet traffic. I have not tried their products yet.

    For the time being, I just leave my Tomato (http://www.polarcloud.com/tomato) box unprotected, and I think that people occasionally park in front of my house to use the network. But there's no chance of peering to help avoid the last-mile bottleneck.

    • people occasionally park in front of my house to use the network

      Or they are casing the house, as since you are 'above' the average end user out there they know you have some electronics in there they might want to steal..

    • Two quick things:
      - Thanks for the Open Mesh link, I hadn't heard of it before and I'll definitely check it out.
      - I'd be wary about running an open AP for the purposes of distributing a connection to your neighborhood; you may be violating your own ISP's terms of service (although not ethically an issue to me), and, far worse, you may open yourself up to people attempting to do illegal/unethical things, something that could fall back to you.

      To me, access to my wireless AP should be treated like my own home's front door; I'd gladly give my trusted neighbors keys, but I'd do everything I reasonably could to protect myself from the rest of the world, who I do not implicitly trust as a group.

      • by ODBOL (197239) on Saturday April 07, 2012 @04:57PM (#39608707) Homepage

        Thanks for the advice, but I studied the issue quite a bit, and read the careful insights from Bruce Schneier (http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html), and I decided that I don't want to treat any portion of the world-connected IP network as my personal domain. I carefully chose an ISP (Speakeasy) who allows, and even caters to, sharing.

        I have no interest in convincing you to take my attitude. But you should be aware that it isn't necessarily a matter of naivety.

  • by fermion (181285) on Saturday April 07, 2012 @02:23PM (#39607791) Homepage Journal
    He said in an interview that he had never seen an Internet provider modifying Web pages that a person visits.

    I guess this speaks to inexperience of the web developer. It was not long ago that ISPs were trying to do this. It was not that long ago that web developers put third-party content within a frame along with ads that generated personal revenue. AFAIR, this idea of pushing personal ads over third-party content is as old as the mass advertising on the web. And I know some ISPs specifically did this.

    This is a negative practice. It is one of the primary reasons used to justify web blockers. While one might trust the website, there are many ways to inject other ads and content into a web page. As such, it is best, from a security perspective, not to load ads.

    • by Thing 1 (178996) on Saturday April 07, 2012 @08:26PM (#39609727) Journal

      And I know some ISPs specifically did this.

      So, would this work? (I realize that it might make "page delivery" take twice as long; although, I just made it better, here it is.)

      After the page completes, have a JavaScript routine that runs which calculates the page's MD5 sum (or similar) and sends it back to the server. The server can then determine whether what it sent is what the user saw.

      This of course might also be a way for the server to violate ad blockers. If it didn't match, then the server could negotiate with the client as to which parts of the page didn't match, and then re-send them through a side channel and show the ads.

      (The "twice as long" was the initial implementation, which was to send the page back; then the server would re-send anything missing. But the checksum idea seems to use less bandwidth.)
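The checksum check proposed in the comment above, as an added example that is not part of the original post or any site's code: the client reports digests of the page it received and the server compares them with what it sent. It uses SHA-256 rather than the MD5 the comment mentions; the function names and sample pages are constructed for illustration.

```javascript
const nodeCrypto = require('crypto');

function sha256(text) {
  return nodeCrypto.createHash('sha256').update(text, 'utf8').digest('hex');
}

// Normalise to trimmed, non-empty lines so whitespace-only changes do not count.
function toLines(html) {
  return html.split(/\r?\n/).map((l) => l.trim()).filter((l) => l !== '');
}

// Client side: what the reporting script would send back (digests only, no content).
function clientReport(receivedHtml) {
  const lines = toLines(receivedHtml);
  return { page: sha256(lines.join('\n')), lines: lines.map(sha256) };
}

// Server side: compare the report with the page that was actually sent.
function checkReport(sentHtml, report) {
  const sentLines = toLines(sentHtml);
  if (sha256(sentLines.join('\n')) === report.page) {
    return { modified: false, unknownAt: [], missing: [] };
  }
  const sentDigests = new Set(sentLines.map(sha256));
  const gotDigests = new Set(report.lines);
  // Positions in the client's copy holding lines the server never sent.
  const unknownAt = [];
  report.lines.forEach((d, i) => { if (!sentDigests.has(d)) unknownAt.push(i); });
  // Lines the server sent that never reached the client.
  const missing = sentLines.filter((l) => !gotDigests.has(sha256(l)));
  return { modified: true, unknownAt, missing };
}

// Constructed sample pages (not captured traffic).
const SENT = [
  '<html>', '<head><title>Blog</title></head>', '<body>',
  '<h1>Post</h1>', '<p>Text</p>', '</body>', '</html>',
].join('\n');
const RECEIVED = SENT.replace('<body>',
  '<body>\n<script src="http://injector.example/ad.js"></script>');

console.log(checkReport(SENT, clientReport(RECEIVED)));
```

A device that can rewrite the page in transit can also strip or alter the reporting script, so a mismatch is a useful signal but a match proves nothing. Serving the page over HTTPS is what removes the opportunity to rewrite it.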

  • by Vandil X (636030) on Saturday April 07, 2012 @03:29PM (#39608179)
    In the 1990s, there used to be tons of free dial-up ISP providers that gave you free access so long as you agreed to surf the web through their branded version of Internet Explorer that framed websites in ads. Some providers required you to click the ads so many times within a certain interval of time or get disconnected.

    I'm sure these frames and banner ads "violated" the design of websites that were browsed by these users, but since the websites themselves were not hacked or damaged and displayed correctly on the computer screen of those not using ad-managed ISPs/web browsers, there is probably not a tangible copyright issue.

    Hotel Wi-Fi is just the modern version of this same model, albeit without using software or requiring ad clicks.
    • by SeaFox (739806) on Saturday April 07, 2012 @04:53PM (#39608677)

      In the 1990s, there used to be tons of free dial-up ISP providers that gave you free access so long as you agreed to surf the web through their branded version of Internet Explorer that framed websites in ads. Some providers required you to click the ads so many times within a certain interval of time or get disconnected.

      I'm sure these frames and banner ads "violated" the design of websites that were browsed by these users,

      No, because the ads were in a frame around the webpage. It's not any different than having two browser windows open on your desktop where a few inches of a background window is visible below/beside the frontmost window.

      Hotel Wi-Fi is just the modern version of this same model, albeit without using software or requiring ad clicks.

      Except the ads are being added in a way where the viewer cannot distinguish what is an original part of the page from what has been added by the service provider. What if a site dealt with a certain political viewpoint or sensitive topic and the ads being added were in a contrary viewpoint or otherwise in bad taste for the web page topic? What if the viewer was using a site where they pay a fee to access it ad-free? If they started seeing these ads (injected by the service provider on the sly), they might think the website operator was doing it despite their subscription.

  • by nurb432 (527695) on Saturday April 07, 2012 @03:30PM (#39608185) Homepage Journal

    They have to pay the bills somehow. A bigger deal would be if they were removing others' ads.

    Don't like ads, don't use their service or block them.

  • by CohibaVancouver (864662) on Saturday April 07, 2012 @04:03PM (#39608407)

    Justin Watt, a Web engineer, was browsing the Web in his room at the Courtyard Marriott

    C'mon editors - "Web Engineer?" What the hell does that mean? It's amazing how engineers allow their title to be attached to every job under the sun these days. You certainly don't hear about 'Web Lawyers' or 'Web Dentists.'

  • by glorybe (946151) on Saturday April 07, 2012 @04:20PM (#39608505)
    If it is ok for a business to make changes in other people's materials then the reverse is also true, so if I want to make huge changes in Marriott's web pages that should not be illegal at all. Good for one is good for all.
