Consumer Groups Dig Inside NebuAD Technology
And find a slew of controversial (if not illegal) tactics...
05:03PM Wednesday Jun 18 2008 by Karl Bode
tags: legal · privacy
Tipped by funchords

Consumer groups Free Press and Public Knowledge today issued a report (pdf) on NebuAD's behavioral advertising technology. ISPs are paid to install a user-tracking device that sits on the ISP network and aids in the delivery of ads tailored to your browsing habits. Broadband Reports user Robb Topolski, who first discovered Comcast's upstream BitTorrent throttling, ran a series of tests and found that the technology forges packets, violates IETF standards and more:

NebuAd exploits normal browser and platform security behaviors by forging IP packets, allowing their own JavaScript code to be written into source code trusted by the Web browser. NebuAd and ISPs together cooperate in this attack against the intentions of the consumers, the designers of their software and the owners of the servers that they visit.

So far all we've had is NebuAD's promises that the technology plays fair and protects user privacy; few have actually dug into how the technology works. There's mounting Congressional pressure to investigate the technology before it's inevitably launched by more than just the handful of carriers I'm currently aware of (WOW, Knology, Charter, Embarq, Broadstripe, Bresnan Communications, and CenturyTel).

Topolski suggests the technology takes a few pages out of the playbook of several controversial tactics, including browser hijacks, cross-site scripting (XSS) attacks, man-in-the-middle attacks and more. "NebuAd breaks the rules of acceptable behavior on the Internet," says Topolski. "It monitors what you do and see on the Internet, it breaks in and changes the contents of your private communications, it keeps track of what you've done, and if you even know that it's happening, it is impossible to opt-out of it."

"This report shows that NebuAd's Internet wiretapping is highly questionable," says Marvin Ammori, Free Press general counsel. "Phone and cable companies should press pause on NebuAd and any similar venture until consumers and members of Congress can address the serious concerns raised by this report."

"Once again, it shows that ISPs are putting themselves where they don't belong, inserting themselves between consumers and Web sites," says Gigi B. Sohn, president and co-founder of Public Knowledge. "Inserting unwanted information and advertising under false pretenses violates every concept of an open and free Internet."

Related:
- Wednesday Evening Links
- Big Brother Is Watching (And Using Deep Packet Inspection)
- EFF Fights Constitutionality Of Telecom Immunity
- Friday Evening Links
- Why Is NY's AG Urging ISPs To Embrace Spyware Company?
- NebuAD, Several ISPs Sued Over Behavioral Ads
- AT&T, Verizon: Privacy Advocates Extraordinaire
- EFF Challenges Telecom Immunity
Karl Bode (News Guy)
Re: Past BBR stories established Nebuad only monitoring

I'm sure Robb will correct me if I'm wrong, but you're talking about two different things.

The "injection" you're thinking of consisted of a Texas ISP named RedMoon using a NebuAD banner technology reserved for free Wi-Fi advertising in general broadband use. That resulted in banners being superimposed over existing websites and ad relationships... That was part of a "Fair Eagle" project that NebuAD stopped.

This is different and speaks to the system fundamentals. Topolski is saying the system as a whole forges IP packets so their JavaScript code is written into source code trusted by the Web browser.
jimness000, West Chicago, IL
Re: Past BBR stories established Nebuad only monitoring

What concerns me on the surface is the common practice of using web-based email. My company and my wife's both have web portals into their email systems. My wife, an HR person in her company, has access through web portals to payroll and other private employee information.

It sounds as though this technology could be used to gain access to proprietary info which is assumed to be secure (via HTTPS connections).

Am I wrong?
TK Junk Mail, Margate City, NJ (edited June 18th, @06:08PM)
Re: Past BBR stories established Nebuad only monitoring

said by jimness000: It sounds as though this technology could be used to gain access to proprietary info which is assumed to be secure (via HTTPS connections). Am I wrong?

Yes. I think you are. The Nebuad device has no decrypting capabilities and can't see inside encrypted packets. They could tell the end points of the conversation but not see the data.

-- My BLOG .. Internet News .. My Web Page
funchords (Robb Topolski), Hillsboro, OR (edited June 19th, @04:22PM)
Re: Past BBR stories established Nebuad only monitoring

said by TK Junk Mail:
said by jimness000: It sounds as though this technology could be used to gain access to proprietary info which is assumed to be secure (via HTTPS connections). Am I wrong?
Yes. I think you are. The Nebuad device has no decrypting capabilities and can't see inside encrypted packets. They could tell the end points of the conversation but not see the data.

The device is inserted in the middle, so it can see the entire transaction, including the cryptographic key exchange.

That said, I have no evidence that it decrypts https, and I personally believe that it would use precious CPU time in a middlebox where processing speed must be an issue.

We also have NebuAd's word that they won't try it, FWIW.

[Edit: I'm not sure this really means anything; SSL is not my strong point. It includes the client sending a code that can only be decrypted by a server's private key, but also includes several flavors of encryption of various strengths. In a cryptological attack, my understanding is that the MITM can affect which get negotiated. All the more reason that we SHOULD be able to trust our ISPs and their vendors.]

-- Robb Topolski -= funchords.com =- Hillsboro, Oregon HTTP is the new Bandwidth Hog...
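The edit above asks whether a box sitting in the middle of an HTTPS connection can influence which cipher gets negotiated. The following is an added illustration for this thread, not code from the report or from any poster: a toy model of the mechanism SSLv3/TLS uses to bind the negotiation, namely the Finished messages, which are a keyed MAC over the whole handshake transcript as each side saw it. The suite names, the "middlebox" function and the shared secret are constructed; the real protocol uses a PRF keyed by the master secret rather than HMAC-SHA256, and the model assumes the middlebox does not hold the server's private key, so it cannot learn that secret.

```python
"""Toy TLS handshake showing why an in-path box cannot silently change
the negotiated cipher suite. Added example; constructed names throughout."""
import hashlib
import hmac

STRONG = b"AES256-SHA"
WEAK = b"EXPORT40-MD5"
SERVER_SUPPORTED = [STRONG, WEAK]  # server takes the first suite the client offered that it supports


def transcript_hash(messages):
    """Hash of every handshake message, in order, as one side saw them."""
    h = hashlib.sha256()
    for m in messages:
        h.update(m)
    return h.digest()


def finished_mac(master_secret, label, messages):
    """Stand-in for the TLS Finished verify_data: keyed MAC over the transcript."""
    return hmac.new(master_secret, label + transcript_hash(messages), hashlib.sha256).digest()


def run_handshake(client_offer, middlebox=None):
    """Return (negotiated_suite, handshake_accepted_by_both_sides).

    `middlebox`, if given, rewrites the ClientHello on the wire. Both ends
    are assumed to derive the same master secret (the key exchange itself
    is out of scope here); the point is that the two transcripts differ."""
    client_hello = b"ClientHello:" + b",".join(client_offer)
    received = middlebox(client_hello) if middlebox else client_hello
    offered = received.split(b":", 1)[1].split(b",")
    chosen = next((s for s in SERVER_SUPPORTED if s in offered), None)
    if chosen is None:
        return None, False
    server_hello = b"ServerHello:" + chosen

    master_secret = b"constructed-shared-secret"  # assumed: unknown to the middlebox
    client_view = [client_hello, server_hello]   # what the client actually sent and got
    server_view = [received, server_hello]       # what the server actually got and sent

    # Server checks the client's Finished against its own view of the transcript.
    client_fin = finished_mac(master_secret, b"client finished", client_view)
    server_accepts = hmac.compare_digest(
        client_fin, finished_mac(master_secret, b"client finished", server_view))
    # Client checks the server's Finished the same way.
    server_fin = finished_mac(master_secret, b"server finished", server_view)
    client_accepts = hmac.compare_digest(
        server_fin, finished_mac(master_secret, b"server finished", client_view))
    return chosen, client_accepts and server_accepts


def strip_to_weak(client_hello):
    """Constructed middlebox behaviour: remove every suite except the weak one."""
    return b"ClientHello:" + WEAK


if __name__ == "__main__":
    print("clean path:   ", run_handshake([STRONG, WEAK]))
    print("tampered path:", run_handshake([STRONG, WEAK], strip_to_weak))
```

On the clean path the strong suite is chosen and both Finished checks pass; on the tampered path the server does pick the weak suite, but the transcripts no longer match, so both sides reject the handshake instead of continuing. The guarantee rests entirely on the middlebox not knowing the master secret, which is the same condition under which the box "can't see inside encrypted packets".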
knightmb, Franklin, TN

said by funchords: The device is inserted in the middle, so it can see the entire transaction, including the cryptographic key exchange. That said, I have no evidence that it decrypts https, and I personally believe that it would use precious CPU time in a middlebox where processing speed must be an issue. We also have NebuAd's word that they won't try it, FWIW.

I have to agree, they wouldn't need to waste CPU time to do this. That would actually give it a dual purpose perhaps. Serve ads and secret wiretaps. Either way, we might not be able to do anything about the secret wiretap, but at least we can make the regular stuff all look like garbage. As usual in this type of story, I chime in with the link in my signature.

-- Fight NebuAD and the like: Click Here to pollute their data
TK Junk Mail, Margate City, NJ
Re: Past BBR stories established Nebuad only monitoring

said by knightmb:
said by funchords: The device is inserted in the middle, so it can see the entire transaction, including the cryptographic key exchange. That said, I have no evidence that it decrypts https, and I personally believe that it would use precious CPU time in a middlebox where processing speed must be an issue. We also have NebuAd's word that they won't try it, FWIW.
I have to agree, they wouldn't need to waste CPU time to do this. That would actually give it a dual purpose perhaps. Serve ads and secret wiretaps. Either way, we might not be able to do anything about the secret wiretap, but at least we can make the regular stuff all look like garbage. As usual in this type of story, I chime in with the link in my signature.

I think espaeth already answered the HTTPS issue here: »Re: Past BBR stories established Nebuad only monitoring

-- My BLOG .. Internet News .. My Web Page
funchords (Robb Topolski), Hillsboro, OR
Re: Past BBR stories established Nebuad only monitoring

said by TK Junk Mail:
said by Karl Bode: This is different and speaks to the system fundamentals. Topolski is saying the system as a whole forges IP packets so their JavaScript code is written into source code trusted by the Web browser.
Some observations on the Topolski study:
1. He turned off the anti-phishing feature in IE. This may have made the attack possible where it normally might not have if turned on by default as it usually is.

No, it is off by default, but the user is insistently bugged to turn it on until the user gives a definitive "yes" or "no."

The reason I said "no" is so as not to cloud the issue with extra packets.

I'll let you figure out what setting users who are concerned with privacy are likely to choose.

said by TK Junk Mail: 2. If a user blocks ALL cookies not originating at a specific list of web site domains, the injected cookie from "faireagle.com" could not be put on the client system for tracking purposes. I assume from reading his writeup that the system he tested with allowed temporary cookies and that is how Nebuad could put cookies on the system. I never allow my system to do that.

Good for you. However, that is not what most users do, nor is that the default.

said by TK Junk Mail: 3. If using Firefox with the "noscript" addon, then any injected javascript from faireagle.com wouldn't be executed.

Good for you. However, that is not what most users do, nor is that the default.

Do you have a reason for attacking this report?

-- Robb Topolski -= funchords.com =- Hillsboro, Oregon HTTP is the new Bandwidth Hog...
TK Junk Mail, Margate City, NJ
Re: Past BBR stories established Nebuad only monitoring

said by funchords: Do you have a reason for attacking this report?

Not attacking the report. Just pointing out that following reasonable browser security settings can make the Nebuad monitoring moot.

If I was really paranoid about security I would subscribe to a public VPN service for all web access and then all traffic would be encrypted and untouchable unless someone got a Nebuad device between the VPN server and the internet at large.

-- My BLOG .. Internet News .. My Web Page
swhx7, Elbonia

said by TK Junk Mail: following reasonable browser security settings can make the Nebuad monitoring moot.

By "make moot" I understand you to mean that avoiding the injected cookies and Javascript interferes with client-tracking efforts. That much is true, but it does not avoid having all one's packets going thru the data-mining machine. Theoretically (if the spybox company diverges from what they publicly say they'll do) it could still assemble a per-individual browsing history.

Also it seems to me (though I've only briefly glanced at the materials) that the user can avoid the Nebuad cookies only by manually evaluating each cookie, because the fraudulent ones are inserted in headers via forged packets. The browser can't tell that they're not from the site the user intends to accept cookies from.

And in the case of the Javascript, even with Noscript, I'm not sure there is any way to run JS from the real site without running the injected JS.
TK Junk Mail, Margate City, NJ
Re: Past BBR stories established Nebuad only monitoring

said by swhx7: Also it seems to me (though I've only briefly glanced at the materials) that the user can avoid the Nebuad cookies only by manually evaluating each cookie, because the fraudulent ones are inserted in headers via forged packets. The browser can't tell that they're not from the site the user intends to accept cookies from. And in the case of the Javascript, even with Noscript, I'm not sure there is any way to run JS from the real site without running the injected JS.

From my reading of the tests done as laid out in the linked PDF report, blocking the cookies is possible because the cookies involved are clearly identified as coming from faireagle.com. Also the javascript is an add-on at the end that is also marked as executing from the faireagle.com domain. So the javascript can be avoided.

Could Nebuad change that? Maybe. But the way it is set up now, blocking is easily achieved.

-- My BLOG .. Internet News .. My Web Page
funchords (Robb Topolski), Hillsboro, OR
Re: Past BBR stories established Nebuad only monitoring

said by TK Junk Mail: From my reading of the tests done as laid out in the linked PDF report, blocking the cookies is possible because the cookies involved are clearly identified as coming from faireagle.com. Also the javascript is an add-on at the end that is also marked as executing from the faireagle.com domain. So the javascript can be avoided. Could Nebuad change that? Maybe. But the way it is set up now, blocking is easily achieved.

Sure. They can change the faireagle domain to something else, to thwart your blocking. Domains are very cheap and you can't block the dictionary. Hell, they could inject 10 different javascripts into each page, until one eventually gets followed.

They can forge HTTP redirects to drive you to the nefarious code, instead of using javascript to do it. I think this is similar to what Phorm is reportedly going to do now.

They could also make deals with web portals so that the nefarious script doesn't have to be forged at all. They buy ad space or even a 1x1 pixel, that ad server realizes you're from an IP address with a NebuAd deal, the ad server loads you up with their profile-identification cookies, and no forgery ever takes place. Fortunately, this won't be allowed to happen by the best services. Most Yahoo's and Google's of the world actually are fans of the Internet and ultimately side with the user, despite our cookie-erasing habits. They don't want 24/7/365 eavesdropping on the internet, either.

-- Robb Topolski -= funchords.com =- Hillsboro, Oregon HTTP is the new Bandwidth Hog...
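The article's description of the injection (forged packets so that someone else's JavaScript ends up inside a response the browser trusts) and the exchange just above (a script appended at the end of the page, identified by its faireagle.com host, which can be renamed cheaply) both point at the same defender's question: how would you notice this in a response body? The following is an added example for this thread, not code from the report, from NebuAd or from any poster. It audits an HTTP response body for scripts that sit after the closing html tag, external scripts served from a host other than the page's own, and inline scripts that name a third-party host, so it does not depend on any particular domain name. The page URL, the sample bodies and the faireagle.com path are constructed; the two-label "registrable host" rule is a simplification of the public-suffix list.

```python
"""Audit an HTML response for scripts that look injected by an in-path box.
Added example; sample pages and URLs are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def registrable_host(url):
    """Last two labels of the host name (simplification: ignores co.uk-style suffixes)."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class ScriptCollector(HTMLParser):
    """Record every <script>: line, src, whether it came after </html>,
    and any host names that appear inside its inline code."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.html_closed_at = None  # line of the first </html>, once seen
        self._current = None        # script entry while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"line": self.getpos()[0],
                             "src": dict(attrs).get("src"),
                             "after_html_close": self.html_closed_at is not None,
                             "inline_hosts": set()}
            self.scripts.append(self._current)

    def handle_data(self, data):
        if self._current is not None:  # script body is delivered as data
            self._current["inline_hosts"].update(URL_RE.findall(data))

    def handle_endtag(self, tag):
        if tag == "script":
            self._current = None
        elif tag == "html" and self.html_closed_at is None:
            self.html_closed_at = self.getpos()[0]


def audit_response(body, page_url, allowed_hosts=()):
    """Return [(line, src, [reasons])] for scripts that deserve a look.
    `allowed_hosts` lets a site list the CDNs it legitimately uses."""
    parser = ScriptCollector()
    parser.feed(body)
    parser.close()
    first_party = registrable_host(page_url)
    findings = []
    for s in parser.scripts:
        reasons = []
        if s["after_html_close"]:
            reasons.append("script appears after </html>")
        if s["src"]:
            host = registrable_host(urljoin(page_url, s["src"]))
            if host != first_party and host not in allowed_hosts:
                reasons.append("external script from " + host)
        for h in sorted(s["inline_hosts"]):
            rh = registrable_host("http://" + h)
            if rh != first_party and rh not in allowed_hosts:
                reasons.append("inline script references " + rh)
        if reasons:
            findings.append((s["line"], s["src"], reasons))
    return findings


# Constructed sample pages: a clean response, one with a trailing external
# script appended after </html>, and one with an inline script added to <head>.
PAGE_URL = "http://www.example.com/"
CLEAN = """<html><head><title>Example</title>
<script src="/js/app.js"></script></head>
<body><p>hello</p></body></html>
"""
TAMPERED_TRAILING = CLEAN + '<script src="http://a.faireagle.com/x.js"></script>\n'
TAMPERED_INLINE = CLEAN.replace(
    "</head>", '<script>var t=new Image();t.src="http://a.faireagle.com/t.gif";</script></head>')

if __name__ == "__main__":
    for name, body in (("clean", CLEAN), ("trailing", TAMPERED_TRAILING), ("inline", TAMPERED_INLINE)):
        print(name, audit_response(body, PAGE_URL))
```

The check runs on the body the client actually received, so it flags the injected content but cannot by itself say which TCP segments carried it; to attribute the extra bytes to the path rather than the server, fetch the same URL over a path you trust (TK's VPN suggestion above) and diff the two bodies.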
deitarion, @teksavvy.com
Re: Past BBR stories established Nebuad only monitoring

And NoScript is based on Javascript whitelisting, so they'd have to embed the JS into the page and hope that the user is viewing a site they've granted JS execute permission to.
funchords (Robb Topolski), Hillsboro, OR
Re: Past BBR stories established Nebuad only monitoring

I actually have it on this computer... disabled. There's a less aggressive plug-in that I'm used to using, but it hasn't been updated for FF3. :-(
RARPSL, Suffern, NY

said by TK Junk Mail: 3. If using Firefox with the "noscript" addon, then any injected javascript from faireagle.com wouldn't be executed.

Since their box is screwing with the web page HTML, will noscript even know that the JavaScript is coming from faireagle.com? I think that they insert the script directly into the HTML <Header>..</Header> area so it is inline, not loaded via a LINK tag (which noscript would be able to block by refusing to allow the Link's URL to be executed).
Maxo, Tallahassee, FL
Re: Past BBR stories established Nebuad only monitoring

It is completely different from what GMail does. With GMail you intentionally sign up for their service and they place ads next to your e-mail based on its content. This is a system a user voluntarily agrees to be part of, and the ads are placed by the server. NebuAd intercepts your traffic whether you like it or not, and changes the code that was sent from the server to your computer. Also, changing mail providers is easy, changing ISPs is not.
wifi4milez, New York, NY
Re: Past BBR stories established Nebuad only monitoring

said by funchords:
said by wifi4milez: The other thing is that regardless of how you feel about what Nebuad does, it's really not any (fundamentally) different than what happens when you use Gmail.
There are HUGE differences -- you use Gmail completely at your option, and if you use them, their privacy disclosures are always available within a click or two from the page you are viewing.

Yes, I should clarify by saying that Gmail is a service you chose to use. However, the Nebuad privacy policy is clearly posted on their website (numerous times), and my point was that the delivering of targeted ads (i.e. Gmail et al) is nothing new. When people do searches with Google or any other major search engine they also receive targeted ads; Nebuad simply uses a new technology to deliver them. Let me be clear about this; if Nebuad is doing nothing more than serving ads then I congratulate them on a very smart business model. On the other hand, if something sinister is going on then of course I would have an issue with it. Thus far however, nobody can conclusively prove anything untoward is happening here.

-- If history teaches us anything, it teaches that simple-minded appeasement or wishful thinking about our adversaries is folly. -Ronald Reagan-
Maxo, Tallahassee, FL
Re: Past BBR stories established Nebuad only monitoring

Yes, but Google's ads are still completely different. You get them by visiting a site that delivers ads. Just like when you turn on the TV, you get the commercials from that TV station. NebuAd is injecting ads in places they didn't previously exist. You could have a paid login to DSLReports so that you don't have to deal with the ads, but BAM your ISP injects them in anyhow. Google does not inject ads into other people's content.

-- "Padre, nobody said war was fun now bowl!" - Sherman T Potter
»www.cafepress.com/maxolasersquad
»maxolasersquad.com/
»maxolasersquad.com/network/ My DSL Network Guide
»myspace.com/mlsquad
wifi4milez, New York, NY
Re: Past BBR stories established Nebuad only monitoring

said by Maxo: NebuAd is injecting ads in places they didn't previously exist. You could have a paid login to DSLReports so that you don't have to deal with the ads, but BAM your ISP injects them in anyhow. Google does not inject ads into other people's content.

The problem with your theory is that what you describe (injecting ads where they didn't previously exist) isn't actually happening. Check Karl's reply to the OP on this very topic here. So, this is in effect no different than what any other search engine does, and my example still holds true.

-- If history teaches us anything, it teaches that simple-minded appeasement or wishful thinking about our adversaries is folly. -Ronald Reagan-
swhx7, Elbonia
Re: Past BBR stories established Nebuad only monitoring

said by wifi4milez: The other thing is that regardless of how you feel about what Nebuad does, it's really not any (fundamentally) different than what happens when you use Gmail. ... Gmail is a service you chose to use. However, the Nebuad privacy policy is clearly posted on their website (numerous times), and my point was that the delivering of targeted ads (i.e. Gmail et al) is nothing new. ... if Nebuad is doing nothing more than serving ads then I congratulate them on a very smart business model. On the other hand, if something sinister is going on then of course I would have an issue with it. Thus far however, nobody can conclusively prove anything untoward is happening here.

The "fundamental difference" is that on a clean ISP, you can avoid whatever data-mining the online service is trying to do by either not using the service or by policing what cookies, scripts and other stuff you accept from the service. And if you have to avoid the service as contrary to your policies, you still have the whole rest of the internet.

With something like Nebuad, in contrast, the choice is either being data-mined or not having internet, unless you're fortunate enough to have another ISP with an honest pipe in your area, and it may be only dialup if there is one.

A further fundamental difference is that on a clean pipe you can tell what's coming from the online service and what's coming from elsewhere and choose what to accept accordingly, while Nebuad forges packets, impersonates sites and otherwise fraudulently tampers with your intended connections.

The appeal to so-called "consent" is always dishonest when the alternatives are so coercively manipulated and distorted by monopolies and oligopolies that they no longer resemble what you could choose from in a well-functioning market.
Maxo, Tallahassee, FL

said by wifi4milez:
said by Maxo: NebuAd is injecting ads in places they didn't previously exist. You could have a paid login to DSLReports so that you don't have to deal with the ads, but BAM your ISP injects them in anyhow. Google does not inject ads into other people's content.
The problem with your theory is that what you describe (injecting ads where they didn't previously exist) isn't actually happening. Check Karl's reply to the OP on this very topic here. So, this is in effect no different than what any other search engine does, and my example still holds true.

According to the article, "NebuAd exploits normal browser and platform security behaviors by forging IP packets, allowing their own JavaScript code to be written into source code trusted by the Web browser." and "it breaks in and changes the contents of your private communications." Google does not do this, and neither does any other website. It is not uncommon for websites, including e-mail providers, to put ads next to the content that they are providing. Google injects code into their own code; NebuAd injects code into another provider's code.
wifi4milez, New York, NY
Re: Past BBR stories established Nebuad only monitoring

said by Maxo:
said by wifi4milez:
said by Maxo: NebuAd is injecting ads in places they didn't previously exist. You could have a paid login to DSLReports so that you don't have to deal with the ads, but BAM your ISP injects them in anyhow. Google does not inject ads into other people's content.
The problem with your theory is that what you describe (injecting ads where they didn't previously exist) isn't actually happening. Check Karl's reply to the OP on this very topic here. So, this is in effect no different than what any other search engine does, and my example still holds true.
According to the article, "NebuAd exploits normal browser and platform security behaviors by forging IP packets, allowing their own JavaScript code to be written into source code trusted by the Web browser." and "it breaks in and changes the contents of your private communications." Google does not do this, and neither does any other website. It is not uncommon for websites, including e-mail providers, to put ads next to the content that they are providing. Google injects code into their own code; NebuAd injects code into another provider's code.

I thought the same thing when I read the article, and then Karl came out and said it wasn't true. As I don't think anyone here really knows what Nebuad does (myself included), why don't we table this discussion until we have all the facts? If not, we are all just speculating anyway.

-- If history teaches us anything, it teaches that simple-minded appeasement or wishful thinking about our adversaries is folly. -Ronald Reagan-
Maxo, Tallahassee, FL
Re: Past BBR stories established Nebuad only monitoring

said by wifi4milez: I thought the same thing when I read the article, and then Karl came out and said it wasn't true. As I don't think anyone here really knows what Nebuad does (myself included), why don't we table this discussion until we have all the facts? If not, we are all just speculating anyway.

Agreed. But then it still stands that whether they are just doing what Google is doing cannot be determined either.
Maxo, Tallahassee, FL
Re: Past BBR stories established Nebuad only monitoring

said by funchords: Nebuad is injecting code where it did not previously exist; this code is to force-load their cookies. Nebuad is reportedly not injecting ads where they did not previously exist. This is a common misconception, likely brought on by a NebuAd patent and the business model of their sister-company Fair Eagle, which did exactly what you described.

Then it still stands that they are not doing what Google is doing.
funchords (Robb Topolski), Hillsboro, OR (edited June 19th, @01:34PM)

said by wifi4milez: Let me be clear about this; if Nebuad is doing nothing more than serving ads then I congratulate them on a very smart business model. On the other hand, if something sinister is going on then of course I would have an issue with it. Thus far however, nobody can conclusively prove anything untoward is happening here.

The sinister aspects are these:

1. They employ packet forgery, XSS, MITM to break the security designed into your browser and operating system.

2. They don't "inject" ads, but they do inject javascript. This javascript drives your browser to server(s) that it otherwise wouldn't necessarily trust.

3. While they do assure us about what "they" will and will not do with our data, we only have NebuAd's word for it. We can trust NebuAd, can't we? After all, I hear that they're the fine folks that brought us Gator.

-- Robb Topolski -= funchords.com =- Hillsboro, Oregon HTTP is the new Bandwidth Hog...
pbarrow, Montgomery, AL (edited June 18th, @05:09PM)
Consumer Groups Dig Inside NebuAD Technology

I emailed my State District representatives and US senators with links to the Charter NebuAd article and some other articles and objections to Deep Packet Inspection. Everyone should look up their State and US Reps on the Gov web sites and email them your objections. ISPs have no right to determine what ads I see - that's why I surf the web when I'm looking to buy something - so I can find it for myself at the best price. NebuAd is like having the advertisers with the most money sending me ads (probably with products at higher prices). Then there's the bigger problem of them invading my privacy. Maybe it's time the whole internet went to DES encryption. And any company attempting to break or decipher that encryption for any reason (without a court order) would be breaking the Law.