Forgot your password?
typodupeerror
Advertising Privacy The Internet Technology

Some Hotspot Operators Secretly Intercept, Insert Ads In Web Pages 273

Posted by timothy
from the it's-only-wafer-thin dept.
An anonymous reader writes with this excerpt from the NYT's "Bits" column: "Justin Watt, a Web engineer, was browsing the Web in his room at the Courtyard Marriott in Midtown Manhattan this week when he saw something strange. On his personal blog, a mysterious gap was appearing at the top of the page. After some sleuthing, Mr. Watt, who has a background in developing Web advertising tools, realized that the quirk was not confined to his site. The hotel's Internet service was secretly injecting lines of code into every page he visited, code that could allow it to insert ads into any Web page without the knowledge of the site visitor or the page's creator."
This discussion has been archived. No new comments can be posted.

Some Hotspot Operators Secretly Intercept, Insert Ads In Web Pages

Comments Filter:
  • by readandburn (825014) on Saturday April 07, 2012 @01:32PM (#39607411)
    I don't think this is news. (Yes, I must be new here.....)
    • by khasim (1285) <brandioch.conner@gmail.com> on Saturday April 07, 2012 @01:38PM (#39607453)

      Well, if you use Firefox that is.

      If the connection between you and the website is encrypted, no one can add code to it.

      • Re: (Score:2, Interesting)

        by hairyfeet (841228)

        Weird question: Do you surf porn? Does that HTTPS trick stop the Firefox porn bug? Because one of the reasons I switched my users away from FF was the FF porn bug. Don't ask me to give an in depth explanation as I'm not an HTML guy but from what i could pick up here is how it basically works: Dude looks at porn, porn page has script that opens a hidden iFrame and uses FF autocomplete to log into their Yahoo mail and then spam the address book. From my tests with a couple of fake yahoo accounts it ONLY seems

        • by Skapare (16644) on Saturday April 07, 2012 @03:31PM (#39608187) Homepage

          More than just porn sites do this. Many others, like LinkedIn, are more benign, just using your contacts list from your web email provider(s) to push you to find more people you know within LinkedIn. They don't spam or auto-add anyone. But it's still a concern. I use separate browsers for every signed-in site I visit, so LinkedIn can't get to my Gmail account, for example. I was prompted by LinkedIn to enter my password for those sites (I'd never do that). I don't know if they would prompt if the same browser instance was already logged in (I'd never do that).

          Browsers should, and maybe FF now does, firewall JS code and data by hostname. Of course that would break using alternate servers for things like static images. But that's fixable by using the base name (remove the "www" part if that's on the name), and allowing access to hostnames that have name components added in front. So site slashdot.org could access images.slashdot.org. But tech.slashdot.org cannot access images.slashdot.org but can access images.tech.slashdot.org (so all sites just need to make their auxiliary servers named as child hostnames of the base hostname). The same wall should apply to Java and Flash, too (in addition to walls blocking access to the filesystem except as configured to be allowed into specific areas).

          I've not done any tests of such security in FF, Chrome, or any other browser. Have fun.

          • by Khyber (864651)

            "Many others, like LinkedIn, are more benign, just using your contacts list from your web email provider(s) to push you to find more people you know within LinkedIn. They don't spam or auto-add anyone."

            Never touched LinkedIn in my LIFE and that shit site is spamming my gmail account CONSTANTLY.

    • This is why websites need to publish policy files a bit like ABE (Application Boundaries Enforcer) [noscript.net]. This would mean that a website would publish what resources that site can request and destinations that are not in that policy are not loaded. Unfortunately if they can intercept anything that you are served then the injector can just modify the policy file too. Perhaps signed policy file could solve this?

      Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection

      • Re:HTTP Policies (Score:4, Interesting)

        by icebike (68054) * on Saturday April 07, 2012 @02:10PM (#39607689)

        Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included. (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...

        They might be able to pull this off, but the revenue they could earn off of such a scheme would never pay the lawyer bills. One could argue this would be a DMCA violation. (In fact, they seem to be on shaky legal ground altering un-encryption streams. It is after all, a form of scraping and perhaps copyright violation [wikipedia.org].)

        The drop everything to HTTP would certainly be noticed.

      • Re:HTTP Policies (Score:5, Interesting)

        by bbecker23 (1917560) on Saturday April 07, 2012 @02:16PM (#39607731)

        Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included. (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...

        I've seen some novel approaches to working around SSL but most will tip off the end-user. I run a throttled honeypot on my home network with some ad-injection. I get a couple dollars a month from it, the neighbors get free internet, and it seriously cut-down on the number of auth-attempts against the secured side of my router. Most of the injectors just catch and sniff packets for webpages (trying to inject into, say, SSH would bork everything) and inserts an ad frame. I'll have to test how my setup handles a secured session but I've seen instances of SSL sessions being wrapped in a framed unsecured page (mostly at hotels and airports). Newer browsers (Firefox and Chrome anyway, no Windows box to test on) will pitch a fit about this but if you're connecting to an unsecured network, I doubt security is much of a priority.

        • Re:HTTP Policies (Score:5, Insightful)

          by SuricouRaven (1897204) on Saturday April 07, 2012 @02:57PM (#39607991)
          Stop thinking like an engineer, and lower yourself to the thoughts of a typical computer user.

          "A weird box just popped up! IT says something about certificates and signing, whatever that means. If I click 'accept' I'll get to see the website, so I'll do that."
          • "A weird box just popped up! IT says something about certificates and signing, whatever that means. If I click 'accept' I'll get to see the website, so I'll do that."

            My point exactly. SSL (and a handful of other techniques) will alert the user to something untoward going on, but the lion's share of those users will ignore/not understand the threat.

        • Re:HTTP Policies (Score:5, Insightful)

          by Alex Belits (437) * on Saturday April 07, 2012 @05:08PM (#39608785) Homepage

          if you're connecting to an unsecured network, I doubt security is much of a priority.

          Congratulations, you are an idiot!

          The whole point of encryption is that it allows secure communications over insecure network.

      • Re:HTTP Policies (Score:4, Informative)

        by Restil (31903) on Saturday April 07, 2012 @03:34PM (#39608217) Homepage

        While they couldn't insert code into an encrypted session, they COULD perform a man in the middle attack and accomplish the same thing, provided the user decided to override the certificate warning (which I'm guessing most people would). A more secure solution would be to do all the browsing over a ssh tunnel. That too could be intercepted, but it's less likely, and ssh will catch such an attempt provided the tunnel was first initiated over a trusted connection, so at least you'd be able to avoid using the service if you know it's going to be insecure.

        What's ironic is the fact that the cheap hotels that are out in the middle of nowhere have great, highspeed, well covered wifi with mostly unrestricted or completely unrestricted hotspots (most of the time, all you have to do is agree to a clickthrough agreement, and you're good to go). But go to a big hotel in the city for a convention or something and they want to charge $15 a day for it. I'd just grown accustomed to tethering my cellphone in those instances since I got higher speeds from that than I did from the hotel wifi.

        -Restil

        • by b4dc0d3r (1268512)

          How is that ironic? Big hotels in the city pay outrageous prices for land, and operating costs are much higher. Everything costs more in a big city because everything costs more. And people will pay because they are used to paying for little things like that.

          This is how big cities work. Let me guess, you were expecting prices to be based on cost? Oh, well that's not how the world works.

          • Re:HTTP Policies (Score:5, Insightful)

            by colinrichardday (768814) <colin.day.6@hotmail.com> on Saturday April 07, 2012 @05:59PM (#39609093)

            You say that big-city hotels have higher costs, and that they charge more for wifi because of those higher costs (maybe not of bandwidth, but other stuff). You then criticize the GP for expecting prices to be higher based on costs? Hmm. . .

          • by jasen666 (88727)

            Bull. Shit.
            Different hotels in the same town, next door to each other, have wildly different policies. Budget hotels offer free WiFi almost universally, along with other freebies in EVERY CITY. The more you pay for your room, the more likely it is you will be nickel and dimed for every little thing you use. It's been this way forever. It makes no damn sense to me either. I get free shit with my $80 room, but with the $200 room they tack on surcharges for wiping my ass with the window open.

          • Re:HTTP Policies (Score:5, Interesting)

            by edb (87448) on Sunday April 08, 2012 @02:00AM (#39610855)

            Without exception, in traveling to >30 hotels each year for the past [wayyy too many years], the higher the per-night rate for the hotel, the more the nickel-and-dime charges for what should be included as part of the accomodations.

            < $100/night usually includes:
                - FREE wifi, unspecified throughput, non-public IP
                - FREE incoming phone calls
                - FREE incoming faxes
                - FREE outgoing phone calls up to 30 min
                - FREE computer near lobby for guest use
                - FREE document printing for reasonable # pages
                - FREE microwave oven in the room
                - FREE mini-fridge in the room
                - FREE pillows & linens on the bed
                - FREE pull-out drying line for laundry in the bathroom
                - coin-op laundry for hotel guests

            > $100/night often imposes charges for:
                - WIFI: $12.95+tax per day
                - public IP: additional $10+tax per day
                - incoming faxes: $.50/page
                - outgoing phone calls: AT&T Operator rates + 200% surcharge
                - document printing: $.50/page
                - fridge in room: $25 per night, special request
                - microwave in room: $25 per night, special request
                - linens: changed every 3 days at no charge, no discount for multi-day stay
                - laundry: 24-48 hr turnaround; $5.00 per shirt, $10.00 per pants, don't even ask about other items!

      • Re:HTTP Policies (Score:4, Informative)

        by Skapare (16644) on Saturday April 07, 2012 @03:52PM (#39608341) Homepage

        Does anyone know if SSL solves the problem? Can a malicious endpoint act as a proxy so the SSL connection is between the endpoint and the real site and then serve you a different SSL certificate with the adverts included. (Although I doubt they can make a certificate look like the legitimate website.) Alternatively they could just drop everything down to HTTP...

        The SSL layer already knows the hostname of where it wants to go. The signed certificate received from the connected server should have a cert for the Certificate Authority, identifying which public CA key to get from the collection the browser or SSL library has. The CA signature of the web site's cert is decrypted by that public CA key. If that works, it is then known the site cert is signed. If the site name also matches (maybe with wildcard enabled), and today's date is in the range valid for the signature, then the site cert is valid. Otherwise not, and you get that annoting security popup.

        For the proxy to insert anything, it would have to act as the end point for the SSL stream. But that setup would fail unless the proxy has the web site's certificate signed by a valid CA. If you add a new CA the proxy server used (its own), then it could do that. Otherwise they would have to convince some CA to sign certs for ALL the major sites, for use in this proxy. A bad CA could do this. You can then defeat that by removing the bad CA cert from your browser. But the hotel could defeat you by convincing you to add their local CA cert to your browser (and then the proxy can dynamically generate a fake signed cert for any site you visit if they know the name in advance, which can be done with a name server injection). You can defeat that by not allowing any of their stuff into your computer.

        If you have the means, a VPN to your own trusted network can help, though you then have slower responses. Test their network to see if you can access secured services you normally do have access to, like SSH, IMAPS, Submit/TLS. Also check to see if they have IPv6 and complain if not. Tell them "the FREE porn sites are on IPv6 only".

    • I posted a comment below regarding Meraki wireless boxes that did this in 2007. I never experienced an actual deployment, but there must have been some.

    • by urbanriot (924981)
      Yea, I was going to post the same, but more as a statement rather than a question, perhaps welcoming the poster to the internet. I'm sure this has been on Slashdot before, probably since there was a Google.
  • by xaosflux (917784) on Saturday April 07, 2012 @01:33PM (#39607429) Homepage

    Of course this is in no way limited to hotels, even ISP's have been shown to do this. Using Client-Server encryption like SSL should easily bypass that.

    • by GamerGirlie (2612257) on Saturday April 07, 2012 @01:38PM (#39607455)

      Of course this is in no way limited to hotels, even ISP's have been shown to do this. Using Client-Server encryption like SSL should easily bypass that.

      And that is easily bypassed by the ISP. For example when I try to login to slashdot and it changes from http to https, my ISP serves me their self-signed cert instead of Slashdot's real one. This way they are capable to intercept secure communications too.

    • by Sir_Sri (199544)

      Occasionally ISPs do this legitimately as well. My ISP keeps trying to inject a message into HTTP traffic when we reach 75% of our monthly download limit. This is especially amusing when it injects into steam or the web page previews in opera (and in neither case can you accept it, and move on, so it keeps trying to inject until eventually it hits a web page you're actually viewing).

      • by mwvdlee (775178) on Saturday April 07, 2012 @02:22PM (#39607777) Homepage

        Hmmmm, no... intercepting and changing internet packages is evil.

      • by 1u3hr (530656)

        My ISP keeps trying to inject a message into HTTP traffic when we reach 75% of our monthly download limit.

        Why screw around with that instead of just sending you an email? If you block it and get cut off, no skin off their nose.

      • by Restil (31903)

        My isp gives me a page saying "Your bill is late" when for some reason the automated charge didn't go through. Click ok on that page and I'm back online again... at least for several days when they put up a more permanent message, but it gives me time to figure out what went wrong with the process. However, that's the only
        attempt I've seen at hijacking the internet connection by my ISP. Not that they don't suck in a variety of other ways.....

        -Restil

    • by Tsingi (870990)
      I can't see this being any better or worse than ISP's hijacking DNS lookups and returning search pages, instead of a fail (Which is what they are supposed to do.)
  • Some ISP's do stuff like this as well

  • I wonder if there is a way to consistently detect and remove/alter these ads? A nice "Marriot is trying to advertise at you" text notice. A new browser extension perhaps?
    • by History's Coming To (1059484) on Saturday April 07, 2012 @02:09PM (#39607681) Journal
      There's a simpler solution - if I write a web page and somebody copies all of my text and graphics as part of an advert (without my permission) then it's a fairly clear copyright infringement. So if you find a hotspot doing this just navigate to one of your own web pages and then sue the operator for copying your work and serving it up as an advert.
      • by 93 Escort Wagon (326346) on Saturday April 07, 2012 @03:34PM (#39608211)

        There's a simpler solution - if I write a web page and somebody copies all of my text and graphics as part of an advert (without my permission) then it's a fairly clear copyright infringement. So if you find a hotspot doing this just navigate to one of your own web pages and then sue the operator for copying your work and serving it up as an advert.

        Or, better yet, send an email to each significant site you've visited while at Marriott and tell them what's going on. It's likely they've got deeper pockets than you do. Most probably won't bother to go after the hotel; but it only takes one.

      • by Xtifr (1323)

        Yes, I'd love to see the bastards sued over this! And I think the Grateful Dead might be a great organization to launch such a suit. They have a couple of advantages: 1) for their "free" music, they have a license similar to CC-NC, but it predates CC-NC by many years, and explicitly forbids Internet advertising (some people claim that the CC-NC is a little vague about this), and 2) one of their songwriters is a lawyer and, moreover, not just any lawyer--he's one of the founders of the EFF (John Perry Barl

    • Use HTTPS Everywhere extension (currently for FireFox, I don't know about chrome equivalents).

      This will make everything coming to you as an encrypted stream, by passing the Hotspot's rewritting.
      Or the Hotspot will attempt to Man-In-The-Middle Attack your encrypted stream (decrypt it itself, as if they were a normal client like you, and then re-encrypting it before sending it to you, as is they were a server. Except they don't know the original private encryption keys, so they will need to use another priva

  • by TemplePilot (2035400) on Saturday April 07, 2012 @01:41PM (#39607479) Journal
    Thats right Captive Portal operators routinely inject advertisements either for their own operations or to suplement the donation button's found on the captive portal login at coffee shops, hotels and so on. Its a fairly common way to monetize what to a consumer might just be a temporary waystation to access the internet for free an hour or so. Often once some kind of payment has been tendered those 'ads' can be made to go away by the captive portal operator if they so choose. Sometimes CPO's even drop people into a walled garden featuring local businesses so you can freely web-shop the neighborhood once your free 2 hours is up. So you either pay or wait 24 hours when the captive portal resets. Usually a captive portal is a combination of server-router-software solutions and they don't exactly come cheaply irregardless what you might've been led to believe. Its an interesting side business if you have the time and witherwhal.
    • by mrmeval (662166)

      DD-WRT has had this for a while now.

      http://blog.anchorfree.com/news-events/ad-supported-wi-fi-network-launches/ [anchorfree.com]

      "Consumers on an AnchorFree hotspot are presented with a display ad that remains at the top of the screen with every Web site they visit, and those ads can be contextually matched to the content on each page, according to Mark Smith, EVP strategy and product development for AnchorFree."

    • Usually a captive portal is a combination of server-router-software solutions and they don't exactly come cheaply irregardless what you might've been led to believe. Its an interesting side business if you have the time and witherwhal.

      Actually pfSense does that (at least most of it) for free. So does DD-WRT, I've heard.

  • by Vandil X (636030) on Saturday April 07, 2012 @01:42PM (#39607481)
    Whether it's free Wi-Fi or paid Wi-Fi, read those Terms of Service. I'm sure this activity was disclosed in theire either explicitly or with ambiguous language. As the saying goes: Don't like it? Don't use it.
    • by Chrisq (894406) on Saturday April 07, 2012 @01:51PM (#39607559)

      Whether it's free Wi-Fi or paid Wi-Fi, read those Terms of Service. I'm sure this activity was disclosed in theire either explicitly or with ambiguous language. As the saying goes: Don't like it? Don't use it.

      Where would you draw the line?

      Adding adverts for their hotel?
      Switching adverts for other hotels to theirs?
      Removing negative reviews of their hotel, or changing the rating?
      Removing news items supporting a political party the owners don't favour?
      Adding fictitious negative news stories about a political party the owners don't favour?

      In my view as soon as you start delivering content that has been changed from that the original author intended (except under complete control of the user such as adblock) then you are on dodgy ground.

      • Here here!

        imho, a business would not, in good faith, offer 'free' services under the legalese shroud to actually modify and distort what a client would faithfully consider to be happening....

        in other words, this is dishonest business practice, even if its in a ToS or EULA.

      • by admdrew (782761)

        I think the line is drawn at the addition of content, versus modifying or removing content from the sites you visit. It's analogous to television; produced programs don't have control of the timing or content of the ads *added* during broadcast, but they know that their show's content won't be modified or edited out (simplification, of course, since networks obviously have ultimate editing power behind their own shows).

        If (when?) ISPs at any level (since the hotel in this fashion is operating as an ISP to i

      • by Restil (31903)

        At some point, it's not really worth the trouble. I can see the reasoning behind trying to make an extra buck off the customer, but in the end, they need the customer or nothing else matters, so anything that involves making the customer's stay an uncomfortable one is going to make them a non-customer in the future. Anytime you screw around with a webpage, you're greatly increasing the chances that the page will not display properly. It's hard enough as it is to code a page so that it works identically w

    • As the saying goes "protect yourself with awareness, but let your neighbors burn in the fire of ignorance".

      'the market' isnt the answer to everything.

    • by Culture20 (968837)
      Did they have the rest of the world wide web sign the terms of service so that their copyrighted works could be modified and used for profit?
    • by gdshaw (1015745)

      Whether it's free Wi-Fi or paid Wi-Fi, read those Terms of Service. I'm sure this activity was disclosed in theire [...]

      Even if that lets them off the hook so far as the user is concerned, the website owner is not a party to those terms of service.

  • by Filter (6719) on Saturday April 07, 2012 @01:44PM (#39607505)

    Wouldn't this be copyright infringement? The web page as you intended is your creative work, they are altering and distributing your work. I don't think you are allowed to do that.

       

    • by Vandil X (636030)
      1. The websurfer agrees to a Terms of Service that allows the ISP to make changes to inbound website page requests.
      2. The websurfer proceeds to request pages from a remote webserver. The ISP injects ads as the customer consented.


      No where in this was the remote webserver compromised or hacked. The website still loads as the content owner designed on computers accessing the website through ISPs that have not adjusted the content. Since the customer is agreeing to allow the ISP to alter his web browsing
      • Assuming this is copyright infringement, your logic is wrong. Just because the consumer of the product agrees to receiving modified content, it does not allow someone to modify a copyrighted work.
      • by corsec67 (627446)

        So, I can make a TOS that you agree to which allows me to violate the copyright of CNN.com and send that to you?

      • By inserting the ads without telling the site owner (and obtaining approval) the ISP is creating an copyright-infringing derivative work.

    • Wouldn't this be copyright infringement? The web page as you intended is your creative work, they are altering and distributing your work. I don't think you are allowed to do that.

      I don't think so. Alteration by itself is not infringement. Redistribution by itself is infringement. So take the derivative work part out of the equation and you have what every caching proxy in the world does and that does not appear to be considered infringement.

    • by slazzy (864185)
      I wouldn't think it would be a clear case of copyright infringement. It could be argued that the ISP putting an advertising bar at the top of a webpage is not that different from a browser toolbar containing advertising. If it turned out to be, then using programs such as adblock would also be copyright infringement or in fact viewing a webpage with images or javascript turned off in your browser? In any case it's an evil practice in which I'm sure a solution can be found, maybe web servers should send so
  • by ickleberry (864871) <web@pineapple.vg> on Saturday April 07, 2012 @01:49PM (#39607545) Homepage
    You can make money from running an open wifi AP. I might try this myself and replace all google ads with my own, also deprive the Goog of some money for their driverless car pet project
    • I can't tell if you are joking or being sarcastic here. I'm pretty sure that you have just described a business model in actual use. It seemed to be promoted by Meraki as a way to make money with their wireless boxes.

      I also believe that there was a dispute some years ago regarding television broadcasts inserting advertisements as if they were posted on the fences at baseball stadiums.

      I would greatly appreciate reliable pointers that anyone could provide to these behaviors. I will try to find some later. For

      • When I was with Virgin cable (I'm not now) they actually inserted ads into the channels themselves - you could tell because their editing tended to be off by a couple of seconds, and because the adverts were invariably for Virgin cable/phone/internet. They only advertised themselves, and I assume that a huge payment was made to the channel providers to get them to agree to such editing. This was years ago though, so they probably don't do it any more.
  • by sotweed (118223) on Saturday April 07, 2012 @01:52PM (#39607563)

    IANAL, and I don't play one on TV, but it seems pretty clearly a violation of a web site's copyright to do this. A web page
    is a visual work, and at least for any country that is party to the Bern Convention (this includes the US and most or all of Europe),
    a page is copyright even if it doesn't say so. So for the hotel or ISP to modify the page, especially when it is being paid to do so,
    seems a clear violation. Some web site should make a big stink (lawsuit!) about this and put an end to the practice. I think it wouldn't
    be a difficult case to win, particularly with all the other copyright enforcement actions going on (MPAA, etc.).

    I wonder if a similar case can be made for organizations like health clubs that show TV programs at the wrong aspect ratio, making
    people look as if they're 20% fatter (wider) than they actually are...

    • by sprior (249994)

      Actually I think you'd use an MPAA case as a precedent. Wasn't there a case from the MPAA against a company that was creating a side editing track to cut out the bad(good) parts of a movie to reduce it from R to PG-13?

  • someone should crack it and turn it in to something useful like advertising for something free & open source like Linux, Debian, Emacs or Vim
  • VPN (Score:4, Insightful)

    by SuperTechnoNerd (964528) on Saturday April 07, 2012 @02:14PM (#39607715)
    So set up an encrypted tunnel to your home machine and set it up so you can browse the web through the tunnel as if you were at home. Slower perhaps, but worth it. If they are injecting stuff, then what else are they doing? Looking at your traffic?
    • by FudRucker (866063)
      goats.cx the front desk if they are snooping on people's browsing habits, after some of that i bet they get disgusted and quit
    • by kybred (795293)

      So set up an encrypted tunnel to your home machine and set it up so you can browse the web through the tunnel as if you were at home. Slower perhaps, but worth it. If they are injecting stuff, then what else are they doing? Looking at your traffic?

      FireFox + QuickProxy [mozilla.org] FTW!

      I use that combo when traveling. You just have to set up a machine at home to accept a ssh tunnel.

  • I work for an ISP, and we had a vendor try to sell us a box that would insert ads into downloaded web pages. My boss and I kicked the idea around for about half a second before turning our noses up at it.

    Having said that, as a consumer, I wouldn't care if someone providing free WiFi inserted ads to offset the cost of providing bandwidth as long as the ads weren't too egregious. If you are providing a service that I value for free, then I don't care if you throw a few ads up to generate some revenue to
  • by ODBOL (197239) on Saturday April 07, 2012 @02:23PM (#39607779) Homepage

    In November 2007, I bought a wireless box from Meraki (http://www.meraki.com/). I intended to use it to provide a free wireless hotspot for my neighborhood, and to be ready to peer with any neighbor who chose to work on the grassroots network. These were primarily symbolic acts, since neither service is likely to get much use in my neighborhood.

    In most respects, the Meraki box appeared to do a good job of exactly what I wanted. But I noticed a little blank stripe at the top of Web pages. I found that Meraki hacked HTTP packets to add that stripe. As owner, I was able to set the contents of the stripe (e.g., to advertise myself as the provider of the free hotspot, or to ask for payment if it's not free). But, I was not able to eliminate the stripe. I called support, and they confirmed that the stripe is not optional, but its contents are owner controlled. I sent the box back for a refund. I understand why Meraki provided the feature (I don't like it, but I understand). I don't understand why they made it impossible to turn it off. They were very good about delivery, support, and refund in all other respects.

    I think that Open Mesh (http://www.open-mesh.com/) provides something like the Meraki box, but cheaper and transparent to all Internet traffice. I have not tried their products yet.

    For the time being, I just leave my Tomato (http://www.polarcloud.com/tomato) box unprotected, and I think that people occasionally park in front of my house to use the network. But there's no chance of peering to help avoid the last-mile bottleneck.

    • by nurb432 (527695)

      people occasionally park in front of my house to use the network

      Or they are casing the house, as since you are 'above' the average end user out there they know you have some electronics in there they might want to steal..

    • by admdrew (782761)

      Two quick things:
      - Thanks for the Open Mesh link, I hadn't heard of it before and I'll definitely check it out.
      - I'd be wary about running an open AP for the purposes of distributing a connection to your neighborhood; you may be violating your own ISP's terms of service (although not ethically an issue to me), and, far worse, you may open yourself up to people attempting to do illegal/unethical things, something that could fall back to you.

      To me, access to my wireless AP should be treated like my own home

      • Thanks for the advice, but I studied the issue quite a bit, and read the careful insights from Bruce Schneier (http://www.schneier.com/blog/archives/2008/01/my_open_wireles.html), and I decided that I don't want to treat any portion of the world-connected IP network as my personal domain. I carefully chose an ISP (Speakeasy) who allows, and even caters to, sharing.

        I have no interest in convincing you to take my attitude. But you should be aware that it isn't necessarily a matter of naivety.

  • by fermion (181285) on Saturday April 07, 2012 @02:23PM (#39607791) Homepage Journal
    He said in an interview that he had never seen an Internet provider modifying Web pages that a person visits.

    I guess this speaks to inexperience of the web developer. It was not long ago that ISPs were trying to do this. It was not that long ago that web developers put third content within a frame along with ads that generated personal revenue. AFAIR, this idea of pushing personal ads over third party content is as old as the mass advertising on the web. And I know some ISPs specifically did this.

    This is a negative practice. It is one of the primary reason used to justify web blockers. While one might trust the website, there are many ways to inject other ads and content into a web page. As such, it is best, from a security perspective, not to load ads.

    • by Thing 1 (178996)

      And I know some ISPs specifically did this.

      So, would this work? (I realize that it might make "page delivery" take twice as long; although, I just made it better, here it is.)

      After the page completes, have a JavaScript routine that runs which calculates the page's MD5 sum (or similar) and sends it back to the server. The server can then determine whether what it sent is what the user saw.

      This of course might also be a way for the server to violate ad blockers. If it didn't match, then the server could negotiate with the client as to which parts o

  • by Vandil X (636030) on Saturday April 07, 2012 @03:29PM (#39608179)
    In the 1990s, there used to be tons of free dial-up ISP providers that gave you free access so long as you agreed to surf the web through their branded version of Internet Explorer that framed websites in ads. Some providers required you to click the ads so many times within a certain interval of time or get disconnected.

    I'm sure these frames and banner ads "violated" the design of websites that were browsed by these users, but since the websites themselves were not hacked or damaged and displayed correctly on the computer screen of those not using ad-managed ISPs/web browsers, there is probably not a tangible copyright issue.

    Hotel Wi-Fi is just the modern version of this same model, albeit without using software or requiring ad clicks.
    • by SeaFox (739806)

      In the 1990s, there used to be tons of free dial-up ISP providers that gave you free access so long as you agreed to surf the web through their branded version of Internet Explorer that framed websites in ads. Some providers required you to click the ads so many times within a certain interval of time or get disconnected.

      I'm sure these frames and banner ads "violated" the design of websites that were browsed by these users,

      No, because the ads were in a frame around the webpage. It's not any different than having two browser windows open on your desktop where a few inches of a background window is visible below/beside the frontmost window.

      Hotel Wi-Fi is just the modern version of this same model, albeit without using software or requiring ad clicks.

      Except the ads are being added in a way where the viewer cannot distinguish what is an original part of the page with what has been added by the service provider. What if a site dealt with a certain political viewpoint or sensitive topic and the ads being added were in a contrary viewpoint or

  • They have to pay the bills somehow. A bigger deal would be if they were removing others ads..

    Don't like ads, don't use their service or block them.

  • by CohibaVancouver (864662) on Saturday April 07, 2012 @04:03PM (#39608407)

    Justin Watt, a Web engineer, was browsing the Web in his room at the Courtyard Marriott

    C'mon editors - "Web Engineer?" What the hell does that mean? It's amazing how engineers allow their title to be attached to every job under the sun these days. You certainly don't hear about 'Web Laywers' or 'Web Dentists.'

  • If it is ok for a business to make changes in other peoples' materials then the reverse is also true so if I want to make huge changesd in Marriot's web pages that should not be illegal at all. good for one is good for all.

"The only way for a reporter to look at a politician is down." -- H.L. Mencken

Working...