said by TKJunkMail :

From my reading of the tests done as laid out in the linked PDF report, blocking the cookies is possible because the cookies involved are clearly identified as coming from faireagle.com. Also the javascript is an addon at the end that also is marked as executing from the faireagle.com domain. So the javascript can be avoided.

Could Nebuad chg that? Maybe. But the way it is setup now, blocking is easily achieved.

said by knightmb :

I have to agree, they wouldn't need to waste CPU time to do this. That would actually give it a dual purpose perhaps. Serve ads and secret wiretaps. Either way, we might not be able to do anything about the secret wiretap, but at least we can make the regular stuff all look like garbage. As usual in this type of stories, I chime in the link in my signature. :D

said by funchords :

The device is inserted in the middle, so it can see the entire transaction, including the cryptographic key exchange.

That said, I have no evidence that it decrypts https, and I personally believe that it would use precious CPU time in a middlebox where processing speed must be an issue.

We also have NebuAd's word that they won't try it, FWIW.

said by wifi4milez :

Let me be clear about this; if Nebuad is doing nothing more than serving ads then I congratulate them on a very smart business model. On the other hand, if something sinister is going on then of course I would have an issue with it. Thus far however, nobody can conclusively prove anything untoward is happening here.

said by funchords :

Nebuad is injecting code where it did not previously exist, this code is to force-load their cookies.

Nebuad is reportedly not injecting ads where they did not previously exist. This is a common misconception, likely brought on by a NebuAd patent and the business model of their sister-company Fair Eagle, which did exactly what you described.

said by wifi4milez :

I thought the same thing when I read the article, and then Karl came out and said it wasnt true. As I dont think anyone here really knows what Nebuad does (myself included), why dont we table this discussion until we have all the facts? If not, we are all just speculating anyway.

said by Maxo :

According to the article, "NebuAd exploits normal browser and platform security behaviors by forging IP packets, allowing their own JavaScript code to be written into source code trusted by the Web browser." and "it breaks in and changes the contents of your private communications"
Google does not do this, and neither does any other website. It is not uncommon for websites, including e-mail providers, to put ads next to the content that they are providing.
Google injects code into their own code, NebuAd injects code into another providers code.

said by wifi4milez :

The problem with your theory is that what you describe (injecting ads where they didnt previously exist) isnt actually happening. Check Karls reply to the OP on this very topic here. So, this is in effect no different than what any other search engine does, and my example still holds true.

said by wifi4milez :

However, the Nebuad privacy policy is clearly posted on their website

said by swhx7 :

Also it seems to me (though I've only briefly glanced at the materials) that the user can avoid the Nebuad cookies only by manually evaluating each cookie, because the fraudulent ones are inserted in headers via forged packets. The browser can't tell that they're not from the site the user intends to accept cookies from.

And in the case of the Javascript, even with Noscript, I'm not sure there is any way to run JS from the real site without running the injected JS.

said by wifi4milez :

The other thing is that regardless of how you feel about what Nebuad does, its really not any (fundamentally) different then what happens when you use Gmail. ... Gmail is a service you chose to use. However, the Nebuad privacy policy is clearly posted on their website (numerous times), and my point was that the delivering of targeted ads (ie. Gmail et al) is nothing new. ... if Nebuad is doing nothing more than serving ads then I congratulate them on a very smart business model. On the other hand, if something sinister is going on then of course I would have an issue with it. Thus far however, nobody can conclusively prove anything untoward is happening here.

said by TKJunkMail :

following reasonable browser security settings can make the Nebuad monitoring moot.

said by Maxo :

NebuAd is injecting ads in places they didn't previously exist. You could have a paid login to DSLReports so that you don't have to deal with the ads, but BAM your ISP injects them in anyhow.
Google does not inject ads into other people's content.

said by funchords :

The device is inserted in the middle, so it can see the entire transaction, including the cryptographic key exchange.

That said, I have no evidence that it decrypts https, and I personally believe that it would use precious CPU time in a middlebox where processing speed must be an issue.

said by TKJunkMail :

3. If using Firefox with the "noscript" addon, then any injected javascript from faireagle.com wouldn't be executed.

said by funchords :

There are HUGE differences -- you use Gmail completely at your option, and if you use them, their privacy disclosures are always available within a click or two from the page you are viewing.

said by TKJunkMail :

Not attacking the report. Just pointing out that following reasonable browser security settings can make the Nebuad monitoring moot.

said by wifi4milez :

The other thing is that regardless of how you feel about what Nebuad does, its really not any (fundamentally) different then what happens when you use Gmail.

said by funchords :

Do you have a reason on attacking this report?

said by TKJunkMail :

Yes. I think you are. The Nebuad device has no decrypting capabilities and can't see inside encrypted packets. They could tell the end points of the conversation but not see the data.

said by TKJunkMail :

Some observations on the Topolski study:

1. He turned off the anti-phishing feature in IE. This may have made the attack possible where it normally might not have if turned on by default as it usually is.

said by TKJunkMail :

2. If a user blocks ALL cookies not originating at specific list of web site domains, the injected cookie from "faireagle.com" could not be put on the client system for tracking purposes. I assume from reading his writeup that the system he tested with allowed temporary cookies and that is how Nebuad could put cookies on the system. I never allow my system to do that.

3. If using Firefox with the "noscript" addon, then any injected javascript from faireagle.com wouldn't be executed.

said by TKJunkMail :

This article implies that Nebuad is altering code to insert ads. But past stories here have said that Nebuad gave up that method and are just monitoring traffic and selling that data to web sites so they can use directed ads.

Not that I am in favor of Nebuad monitoring as well, but Free Press should get more up to date. They are battling a system that has already been defeated.

said by jimness000 :

It sounds as though this technology could be used to gain access to proprietary info which is assumed to be secure (via HTTPS connections).

Am I wrong?

said by Karl Bode :

This is different and speaks to the system fundamentals. Topolski is saying the system as a whole forges IP packets so their JavaScript code is written into source code trusted by the Web browser.

said by TKJunkMail :

This article implies that Nebuad is altering code to insert ads. But past stories here have said that Nebuad gave up that method and are just monitoring traffic and selling that data to web sites so they can use directed ads.