Forums » Consumer Groups Dig Inside NebuAD Technology » Past BBR stories established Nebuad only monitoring

GOLFnSUN
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
·Sprint Mobile Broa..
·Comcast

 Past BBR stories established Nebuad only monitoring

This article implies that Nebuad is altering code to insert ads. But past stories here have said that Nebuad gave up that method and are just monitoring traffic and selling that data to web sites so they can use directed ads.

Not that I am in favor of Nebuad monitoring as well, but Free Press should get more up to date. They are battling a system that has already been defeated.
--
My BLOG .. .. Internet News .. .. My Web Page


Karl Bode
News Guy
join:2000-03-02

Host:
Road Runner
PC gaming GAMES
PC gaming Tech
I'm sure Robb will correct me if I'm wrong, but you're talking about two different things.

The "injection" you're thinking of consisted of a Texas ISP named RedMoon using a NebuAD banner technology reserved for free Wi-Fi advertising in general broadband use. That resulted in banners being superimposed over existing websites and ad relationships...That was part of a "Fair Eagle" project that NebuAD stopped.

This is different and speaks to the system fundamentals. Topolski is saying the system as a whole forges IP packets so their JavaScript code is written into source code trusted by the Web browser.


funchords
Hello
Premium,MVM
join:2001-03-11
Washington, DC
·Verizon Online DSL
·Skype


1 edit
reply to GOLFnSUN
said by GOLFnSUN:

This article implies that Nebuad is altering code to insert ads. But past stories here have said that Nebuad gave up that method and are just monitoring traffic and selling that data to web sites so they can use directed ads.
Then they're wrong -- or they started doing that after June 1st.

Any links? I'm not sure what specifically you are referring to...

Edit: nevermind, I see Karl's response above. He's right.
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon
HTTP is the new Bandwidth Hog...

jimness000

join:2005-03-28
West Chicago, IL

reply to Karl Bode
What concerns me on the surface is the common practice of using web-based email. My company and my wife's both have web portals into their email systems. My wife, an HR person in her company, has access through web portals to payroll and other private employee information.

It sounds as though this technology could be used to gain access to proprietary info which is assumed to be secure (via HTTPS connections).

Am I wrong?


GOLFnSUN
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
·Sprint Mobile Broa..
·Comcast


1 edit
reply to Karl Bode
said by Karl Bode:

This is different and speaks to the system fundamentals. Topolski is saying the system as a whole forges IP packets so their JavaScript code is written into source code trusted by the Web browser.
Some observations on the Topolski study:

1. He turned off the anti-phishing feature in IE. This may have made the attack possible where it normally might not have if turned on by default as it usually is.

2. If a user blocks ALL cookies not originating at a specific list of web site domains, the injected cookie from "faireagle.com" could not be put on the client system for tracking purposes. I assume from reading his writeup that the system he tested with allowed temporary cookies and that is how Nebuad could put cookies on the system. I never allow my system to do that.

3. If using Firefox with the "noscript" addon, then any injected javascript from faireagle.com wouldn't be executed.
--
My BLOG .. .. Internet News .. .. My Web Page


GOLFnSUN
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
·Sprint Mobile Broa..
·Comcast


1 edit
reply to jimness000
said by jimness000:

It sounds as though this technology could be used to gain access to proprietary info which is assumed to be secure (via HTTPS connections).

Am I wrong?
Yes. I think you are. The Nebuad device has no decrypting capabilities and can't see inside encrypted packets. They could tell the end points of the conversation but not see the data.
--
My BLOG .. .. Internet News .. .. My Web Page


wifi4milez
Big Russ, 1918 to 2008. Rest in Peace

join:2004-08-07
New York, NY
·Verizon FIOS
·Sprint Mobile Broa..
·RoadRunner Cable
·BroadVoice

reply to GOLFnSUN
said by GOLFnSUN:

This article implies that Nebuad is altering code to insert ads. But past stories here have said that Nebuad gave up that method and are just monitoring traffic and selling that data to web sites so they can use directed ads.

Not that I am in favor of Nebuad monitoring as well, but Free Press should get more up to date. They are battling a system that has already been defeated.
Agreed, the article leads one to believe that ads will be inserted by altering code (at least that's what I got out of it), which doesn't appear to be the case with this product at the current time. The other thing is that regardless of how you feel about what Nebuad does, it's really not any (fundamentally) different than what happens when you use Gmail. Unless it can be proven that something is going on other than targeted ads being delivered (things Google has been doing for years), then this whole argument is pointless.
--
If history teaches us anything, it teaches that simple-minded appeasement or wishful thinking about our adversaries is folly.
-Ronald Reagan-


Maxo
Your tax dollars at work.
Premium,VIP
join:2002-11-04
Tallahassee, FL
clubs:
·Embarq

It is completely different from what GMail does. With GMail you intentionally sign up for their service and they place ads next to your e-mail based on its content. This is a system a user voluntarily agrees to be part of, and the ads are placed by the server.
NebuAd intercepts your traffic whether you like it or not, and changes the code that was sent from the server to your computer.
Also, changing mail providers is easy, changing ISPs is not.


funchords
Hello
Premium,MVM
join:2001-03-11
Washington, DC
·Verizon Online DSL
·Skype

reply to GOLFnSUN
said by GOLFnSUN:

said by Karl Bode:

This is different and speaks to the system fundamentals. Topolski is saying the system as a whole forges IP packets so their JavaScript code is written into source code trusted by the Web browser.
Some observations on the Topolski study:

1. He turned off the anti-phishing feature in IE. This may have made the attack possible where it normally might not have if turned on by default as it usually is.
No, it is off by default, but the user is insistently bugged to turn it on until the user gives a definitive "yes" or "no."

The reason I said "no" is so not to cloud the issue with extra packets.

I'll let you figure out what setting that users who are concerned with privacy are likely to choose.

said by GOLFnSUN:

2. If a user blocks ALL cookies not originating at a specific list of web site domains, the injected cookie from "faireagle.com" could not be put on the client system for tracking purposes. I assume from reading his writeup that the system he tested with allowed temporary cookies and that is how Nebuad could put cookies on the system. I never allow my system to do that.
Good for you. However, that is not what most users do, nor is that the default.

3. If using Firefox with the "noscript" addon, then any injected javascript from faireagle.com wouldn't be executed.
Good for you. However, that is not what most users do, nor is that the default.

Do you have a reason for attacking this report?
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon
HTTP is the new Bandwidth Hog...


funchords
Hello
Premium,MVM
join:2001-03-11
Washington, DC
·Verizon Online DSL
·Skype


2 edits
reply to GOLFnSUN
said by GOLFnSUN:

said by jimness000:

It sounds as though this technology could be used to gain access to proprietary info which is assumed to be secure (via HTTPS connections).

Am I wrong?
Yes. I think you are. The Nebuad device has no decrypting capabilities and can't see inside encrypted packets. They could tell the end points of the conversation but not see the data.
The device is inserted in the middle, so it can see the entire transaction, including the cryptographic key exchange. **

That said, I have no evidence that it decrypts https, and I personally believe that it would use precious CPU time in a middlebox where processing speed must be an issue.

We also have NebuAd's word that they won't try it, FWIW.

[Edit: I'm not sure this really means anything, SSL is not my strong point. It includes client sending of a code that can only be decrypted by a server's private key, but also includes several flavors of encryption of various strengths. In a cryptological attack, my understanding is that the MITM can affect which get negotiated. All the more reason that we SHOULD be able to trust our ISPs and their vendors.]
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon
HTTP is the new Bandwidth Hog...


GOLFnSUN
Enjoy the sun
Premium
join:2002-03-03
Avalon, NJ
·Sprint Mobile Broa..
·Comcast

reply to funchords
said by funchords:

Do you have a reason for attacking this report?
Not attacking the report. Just pointing out that following reasonable browser security settings can make the Nebuad monitoring moot.

If I was really paranoid about security I would subscribe to a public VPN service for all web access and then all traffic would be encrypted and untouchable unless someone got a Nebuad device between the VPN server and the internet at large.
--
My BLOG .. .. Internet News .. .. My Web Page


funchords
Hello
Premium,MVM
join:2001-03-11
Washington, DC
·Verizon Online DSL
·Skype

reply to wifi4milez
said by wifi4milez:

The other thing is that regardless of how you feel about what Nebuad does, it's really not any (fundamentally) different than what happens when you use Gmail.
There are HUGE differences -- you use Gmail completely at your option, and if you use them, their privacy disclosures are always available within a click or two from the page you are viewing.
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon
HTTP is the new Bandwidth Hog...


funchords
Hello
Premium,MVM
join:2001-03-11
Washington, DC
·Verizon Online DSL
·Skype

reply to GOLFnSUN
said by GOLFnSUN:

Not attacking the report. Just pointing out that following reasonable browser security settings can make the Nebuad monitoring moot.
Cool. That advice is always valuable.
--
Robb Topolski -= funchords.com =- Hillsboro, Oregon
HTTP is the new Bandwidth Hog...


ctgreybeard
Old dogs can learn new tricks
Premium
join:2001-11-13
Bethel, CT
clubs:
·AT&T Yahoo

reply to funchords
I believe that even if it can view the key exchange it still cannot decrypt the conversation unless it actually performs a "man in the middle" attack which would require it to spoof the certificates of BOTH ends of the conversation. This would be especially BAD, hopefully illegal, and DEFINITELY underhanded!
--
Old dogs can learn new tricks!


wifi4milez
Big Russ, 1918 to 2008. Rest in Peace

join:2004-08-07
New York, NY
·Verizon FIOS
·Sprint Mobile Broa..
·RoadRunner Cable
·BroadVoice

reply to funchords
said by funchords:

said by wifi4milez:

The other thing is that regardless of how you feel about what Nebuad does, it's really not any (fundamentally) different than what happens when you use Gmail.
There are HUGE differences -- you use Gmail completely at your option, and if you use them, their privacy disclosures are always available within a click or two from the page you are viewing.
Yes, I should clarify by saying that Gmail is a service you chose to use. However, the Nebuad privacy policy is clearly posted on their website (numerous times), and my point was that the delivering of targeted ads (ie. Gmail et al) is nothing new. When people do searches with Google or any other major search engine they also receive targeted ads, Nebuad simply uses a new technology to deliver them. Let me be clear about this; if Nebuad is doing nothing more than serving ads then I congratulate them on a very smart business model. On the other hand, if something sinister is going on then of course I would have an issue with it. Thus far however, nobody can conclusively prove anything untoward is happening here.
--
If history teaches us anything, it teaches that simple-minded appeasement or wishful thinking about our adversaries is folly.
-Ronald Reagan-


RARPSL

join:1999-12-08
Suffern, NY

reply to GOLFnSUN
said by GOLFnSUN:

3. If using Firefox with the "noscript" addon, then any injected javascript from faireagle.com wouldn't be executed.
Since their box is screwing with the web page HTML will noscript even know that the JavaScript is coming from faireagle.com? I think that they insert the script directly into the HTML Header..\Header area so it is inline not loaded via a LINK tag (which noscript would be able to block by refusing to allow the Link's URL from being executed).


Maxo
Your tax dollars at work.
Premium,VIP
join:2002-11-04
Tallahassee, FL
clubs:
·Embarq

reply to wifi4milez
Yes, but Google's ads are still completely different. You get them by visiting a site that delivers ads. Just like when you turn on the TV, you get the commercials from that TV station.
NebuAd is injecting ads in places they didn't previously exist. You could have a paid login to DSLReports so that you don't have to deal with the ads, but BAM your ISP injects them in anyhow.
Google does not inject ads into other people's content.
--
"Padre, nobody said war was fun now bowl!" - Sherman T Potter

»www.cafepress.com/maxolasersquad

»maxolasersquad.com/

»maxolasersquad.com/network/ My DSL Network Guide

»myspace.com/mlsquad


espaeth
Digital Plumber
Premium,MVM
join:2001-04-21
Minneapolis, MN
·voip.ms
·Vitelity VOIP
·Callcentric
·VoiceStick
·ViaTalk
·Comcast
·Embarq

reply to funchords
said by funchords:

The device is inserted in the middle, so it can see the entire transaction, including the cryptographic key exchange.

That said, I have no evidence that it decrypts https, and I personally believe that it would use precious CPU time in a middlebox where processing speed must be an issue.
To be able to decrypt the conversation you need the private key (stored only on the hosting server/load balancer) that matches up with the public key served up in the https negotiation process.

The SSL cert also needs to match up as being issued by one of the default Certificate Authorities that had their authentication keys distributed with the web browser software.

Corporate SSL decoding solutions like that provided by Bluecoat work by having a "special" CA key installed on each of the client machines so that the appliance can spoof the https negotiation of valid Internet sources and have the public SSL key authenticate with the "special" CA that gets installed to the web browser so that the user never sees a pop-up to clue them in to the practice. Where you can notice this is if you look at the SSL cert details itself in the browser you will see that sites like Yahoo would be certified by some mystery CA instead of Verisign/Equifax/GeoTrust/Thawte/etc. The scary thing is that in a corporate environment this key can be distributed very easily/silently through Active Directory.

To be honest, the whole thing creeps me out and I'm usually pretty liberal in my view on acceptable practices in networking.
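
The issuer check described in the post above, as an added example that is not part of the original thread: it reads the issuer organisation from the certificate a connection actually presented and compares it with issuers recorded earlier for that host. The host name, issuer values and sample certificate dicts are constructed, and `EXPECTED_ISSUERS` is an assumed allow-list.

```python
import socket
import ssl

# Assumed allow-list: issuer organisations recorded per host from a network
# you trust. Host and values are constructed for illustration.
EXPECTED_ISSUERS = {"mail.example.com": {"VeriSign, Inc.", "Thawte Consulting cc"}}


def issuer_organization(peercert):
    """Return the issuer organizationName from an ssl getpeercert() dict."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def check_issuer(host, peercert, expected=EXPECTED_ISSUERS):
    """Compare the issuer seen on this connection with the recorded ones."""
    org = issuer_organization(peercert)
    allowed = expected.get(host)
    if allowed is None:
        return ("no-baseline", org)
    return ("ok" if org in allowed else "unexpected-issuer", org)


def fetch_peercert(host, port=443, timeout=5.0):
    """Handshake with the system trust store and return the leaf cert dict.

    With an interception CA installed in that store the handshake succeeds
    without any warning, which is why the issuer is compared separately.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the shape getpeercert() returns.
DIRECT = {"issuer": ((("countryName", "US"),),
                     (("organizationName", "VeriSign, Inc."),),
                     (("commonName", "Constructed Server CA"),))}
INTERCEPTED = {"issuer": ((("organizationName", "Example Corp IT"),),
                          (("commonName", "Example Corp Proxy CA"),))}

if __name__ == "__main__":
    for name, cert in (("direct", DIRECT), ("intercepted", INTERCEPTED)):
        print(name, check_issuer("mail.example.com", cert))
```
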


wifi4milez
Big Russ, 1918 to 2008. Rest in Peace

join:2004-08-07
New York, NY
·Verizon FIOS
·Sprint Mobile Broa..
·RoadRunner Cable
·BroadVoice

reply to Maxo
said by Maxo:

NebuAd is injecting ads in places they didn't previously exist. You could have a paid login to DSLReports so that you don't have to deal with the ads, but BAM your ISP injects them in anyhow.
Google does not inject ads into other people's content.
The problem with your theory is that what you describe (injecting ads where they didn't previously exist) isn't actually happening. Check Karl's reply to the OP on this very topic here. So, this is in effect no different than what any other search engine does, and my example still holds true.
--
If history teaches us anything, it teaches that simple-minded appeasement or wishful thinking about our adversaries is folly.
-Ronald Reagan-


swhx7
Premium
join:2006-07-23
Elbonia
·RoadRunner Cable

reply to GOLFnSUN
said by GOLFnSUN:

following reasonable browser security settings can make the Nebuad monitoring moot.

By "make moot" I understand you to mean that avoiding the injected cookies and Javascript interferes with client-tracking efforts. That much is true, but it does not avoid having all one's packets going thru the data-mining machine. Theoretically (if the spybox company diverges from what they publicly say they'll do) it could still assemble a per-individual browsing history.

Also it seems to me (though I've only briefly glanced at the materials) that the user can avoid the Nebuad cookies only by manually evaluating each cookie, because the fraudulent ones are inserted in headers via forged packets. The browser can't tell that they're not from the site the user intends to accept cookies from.

And in the case of the Javascript, even with Noscript, I'm not sure there is any way to run JS from the real site without running the injected JS.
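
An added example, not part of the original thread, for the point RARPSL and swhx7 raise about inline script: since an inline `<script>` carries no host of its own, one way to notice it is to compare the page as received with a reference copy of the same page fetched over a path the ISP cannot modify (for instance the VPN mentioned earlier in the thread). Both sample pages and the `track()` snippet are constructed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptInventory(HTMLParser):
    """Record each <script>: external ones by host, inline ones by hash."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.external = set()  # hosts that scripts are loaded from
        self.inline = set()    # SHA-256 of every inline script body
        self._buf = None       # pieces of the inline script being read

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.add(urlparse(src).netloc.lower() or "(same-origin)")
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            if body:
                self.inline.add(hashlib.sha256(body.encode()).hexdigest())
            self._buf = None


def inventory(html):
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser


def added_scripts(reference_html, observed_html):
    """Scripts in the observed copy that the reference copy does not have."""
    ref, obs = inventory(reference_html), inventory(observed_html)
    return {"external_hosts": sorted(obs.external - ref.external),
            "inline_count": len(obs.inline - ref.inline)}


# Constructed pages: the same document, once as served and once with an
# inline script added in transit.
REFERENCE = ('<html><head><script src="/js/site.js"></script></head>'
             '<body><script>var page = 1;</script></body></html>')
OBSERVED = REFERENCE.replace(
    "</head>", "<script>/* constructed injected snippet */ track();</script></head>")
```

On these samples the list of new external hosts is empty while one new inline script is reported, which is the case a host-based block list cannot see. Pages that embed per-request values in inline scripts will differ between fetches, so compare against more than one reference copy before treating a difference as injection.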