injection – Techdirt

from the ill-communication dept

US telco CenturyLink is under fire for temporarily disabling the broadband connections of customers in Utah until they click on an ad for CenturyLink security software. Even more oddly, the telco is repeatedly (and falsely) trying to blame a new Utah law for its ham-fisted behavior.

It began when a CenturyLink user in Utah posted to Twitter that his CenturyLink broadband line suddenly and mysteriously stopped working. Using what appears to be JavaScript ad injection (an already contentious practice), CenturyLink then sent the user a notice stating his broadband connection would not be restored until he acknowledged receipt of the message, which appears to be a glorified advertisement for CenturyLink’s @Ease filtering and security software:

Just had @CenturyLink block my internet and then inject this page into my browser (dns spoofing I think) to advertise their paid filtering software to me. Clicking OK on the notice then restored my internet… this is NOT okay! pic.twitter.com/NtCZUeJF8I

— Rich Snapp (@Snapwich) December 9, 2018

In a blog post first spotted by regional Utah news outlets and subsequently Ars Technica, the user explains how he was initially under the impression that CenturyLink had tried to block him from visiting a phishing website, only to realize later that the ISP was really just temporarily holding his connection hostage until he engaged with a product ad:

“At first glance I was worried that I had somehow been redirected to a malicious website and that this was some kind of phishing attempt… After all, I didn’t navigate here. I attempted to do another search but still ended up at this same notice. I considered the idea that maybe my ISP had detected some kind of threat coming from my network and that’s why I was seeing this official looking page. Eventually, after reading over the page several times, I clicked “OK” and my internet was back.”

When criticized, CenturyLink repeatedly told the user and many reporters (myself included) that it had to block user access in this fashion due to a new Utah law:

Legislation requires us to notify Utah consumers of content filtering options to protect minors in a conspicuous method. To protect those most vulnerable, the most conspicuous method is a pop-up. We did not engage in DNS hijacking. – Zac

— CenturyLinkHelp Team (@CenturyLinkHelp) December 18, 2018

Except that’s false. Utah is, Techdirt readers will be aware, home of what has been a near-constant stream of ridiculous efforts to filter porn, a technically impossible task (something backers of the idea refuse to learn). And while this new law in question is dumb, it’s not quite that dumb. The law requires ISPs to inform users that filtering software is available to them as a sort of half-measure toward combating porn. ISPs can do this in a number of ways; the law specifically recommends either including mailers in user bills or sending an email.

The law does not require that ISPs sever access to the internet in order to show them ads for an ISP’s own software, something CenturyLink executives appear to have come up with on their own. That’s something the bill’s author himself confirmed when asked by the impacted user on Twitter:

I’m sorry you are having problems. SB134 did not require that – and no other ISP has done that to comply with the law. They were only required to notify customers of options via email or with an invoice.

— Todd Weiler (@gopTODD) December 10, 2018

Users on Reddit indicate this wasn’t isolated to just this user — all Utah CenturyLink customers appear to be experiencing this unnecessary, heavy-handed nonsense. Now it’s possible CenturyLink could argue it was just over-complying to adhere to the law, but since the law is pretty clear an email is ok, this argument doesn’t hold up. More likely, CenturyLink executives either thought they’d use the law as a marketing opportunity, or wanted to bring attention to the dumb new law. Unfortunately that’s not really accomplished by behaving stupidly yourself.

Of course this is the kind of ISP behavior our since-discarded net neutrality rules were designed specifically to prevent. And while a few days of press shame may drive CenturyLink away from the policy if users are lucky, that’s really no substitute for an attentive FCC that actually cares about keeping the internet free from idiotic monopoly ideas exactly like this one. The battle over net neutrality has always been about slippery slopes, and letting an ISP interrupt internet traffic to market its own products–and then lie about it–is slippery as hell.

Filed Under: ads, blocking, broadband, filters, injection, packet injection, utah
Companies: centurylink

Dear ZDNet: Comcast Has Been Sketchily Injecting Messages Into User's Browsers For Years

from the old-news-bad-news dept

Comcast has been dutifully modeling its behavior in such a way so as to fill up Techdirt’s story pages for years now. So, when we come across a story somewhere discussing how Comcast is doing some bad new thing, it’s tempting to simply assume it’s true and move on. Such might be the case for some readers of ZDNet’s recent post about how Comcast was injecting notices into browsers warning of potential copyright infringement.

The cable and media giant has been accused of tapping into unencrypted browser sessions and displaying warnings that accuse the user of infringing copyrighted material — such as sharing movies or downloading from a file-sharing site. Jarred Sumner, a San Francisco, Calif.-based developer who published the alert banner’s code on his GitHub page, told ZDNet in an email that this could cause major privacy problems.

Well, sure, this is horrible, and it is a privacy issue — but it isn’t new. In fact, Comcast has been doing some flavor of this sort of browser injection for the better part of a decade. The company started this practice way back in 2009, using the tactic to warn users of potential malware infections, and there was even discussion about expanding the use for other security purposes in 2011. More specifically on browser injections being used as a copyright warning system, our own Karl Bode noted in 2013 that this was all specifically laid out in Comcast’s six-strike plan. Per Karl’s post, Comcast isn’t even alone in using this tactic.

Comcast has now put information on their implementation of six strikes online. According to the nation’s largest broadband company, their version of the program will involve a persistent nagging pop up that continues to alert the user after the fourth warning. Time Warner Cable, who outlined their version of the plan to me last November, stated they’re using a similar pop up warning system that blocks browsing until users acknowledge receipt of “educational” copyright materials.

None of that is to say that the privacy and security concerns aren’t very real, of course, and ZDNet does a nice job of discussing those concerns. But it’s not new. Perhaps the better conversation to be had is why anyone in their right minds would think that Comcast deserves anyone’s trust to the level where users’ browsers should be injected with copyright violation notices in a system rife with abuse from pretty much every player involved.

Filed Under: alerts, copyright, deep packet inspection, injection
Companies: comcast

Last week, an Indian blogger, Thejesh GN, discovered that mobile operator Airtel was injecting javascript into subscribers’ browsing sessions, which is both incredibly sketchy and a huge security concern (not to mention raising net neutrality issues on the side). He posted the proof to GitHub and tweeted about it:

He posted the evidence showing that javascript was being quietly inserted, and that it apparently tried to insert some sort of toolbar:

That’s all super sketchy. But that’s just the very beginning of this story. Because days later, Thejesh received the most ridiculous legal threat letter, coming from a lawyer named Ameet Mehta from the law firm Solicis Lex. It claims to be representing an Israeli company, Flash Network, which is apparently responsible for the code injection software… and it claims that by merely revealing to the public that Airtel was doing these injections, he had engaged in criminal copyright infringement under the Information Technology Act, 2000.

If that sounds familiar, that’s because we wrote about that ridiculous law last year, noting that it would technically allow people to be put in jail for merely thinking about infringing someone’s copyright.

And the Solicis Lex lawyers, to show they’re not messing around, cc’d the police on the letter they sent:

The crux of the “copyright” claim seems fairly ridiculous:

The said code is closed source software and our client is sole proprietor of the same. Therefore, no one can use the said code without obtaining license from our client against payment of fees and/or royalties and on commercial and legal terms acceptable to our client. Your aforementioned actions constitute a blatant violation of our client’s copyrights and other proprietary rights in the said code.

Remember: all Thejesh GN did was show the code that Airtel inserted into his browser. If Flash Network thinks that showing the code that it dumps into each of your browsing sessions is criminal copyright infringement, just about anyone who does a “view source” could be guilty. That’s a plainly ridiculous reading of the law.

On top of that, the lawyers sent a DMCA notice to GitHub, which caved in and took it down:

This is despite GitHub’s recent promise not to take things down without first alerting the users in question.

Absolutely everything about this is insane and bad. The initial injections by Airtel/Flash are bad and dangerous. Both companies should be called out for such javascript injections. But, Flash’s response to not only threaten a completely bogus copyright takedown/cease and desist claim, but also to allege criminal violations that could lead to jail time just adds an insane layer on top of all that. Even arguing that merely posting screenshots of the injected code is civil copyright infringement is crazy. And then issuing a DMCA takedown to GitHub (not to mention GitHub agreeing to take the screenshots down…). All of it is ridiculous and a clear abuse of copyright law to silence someone who revealed Airtel and Flash Network were up to questionable activities.

For those who argue that copyright is never used for censorship: explain this story.

Of course, it all seems to be backfiring in a big way. Flash may have wanted to hide what they were up to, but now it’s getting much, much, much more attention. Maybe, next time, rather than threatening whistleblowers of your bad practices with claims of criminal copyright infringement, Flash and Airtel will think more about their own crappy business practices that put users at risk.

Filed Under: cease and decist, copyright, criminal copyright, dmca takedown, free speech, india, injection, israel, javascript, javascript injection, thejesh gn
Companies: airtel, flash network, github, solicis lex

China's Great Firewall Turned Around: Why China Wants To Censor Global Internet

from the pay-attention----this-matters-a-lot dept

If you pay attention to GitHub (and you should), you know that late last week the site started experiencing some problems staying online, thanks to a massive and frequently changing DDoS attack. Over the past few days a lot more details have come out, making it pretty clear that the attack is coming via China with what is likely direct support from the Chinese government. While it’s messing with all of GitHub, it’s sending traffic to two specific GitHub pages: https://github.com/greatfire and https://github.com/cn-nytimes. Those both provide tools to help people in China access Greatfire and the NY Times. Notably, Greatfire itself notes that prior to the DDoS on GitHub, its own site was hit with a very similar DDoS attack.

If you want the technical details, Netresec explains how the DDoS works, noting that it’s a “man-on-the-side” attack, injecting certain packets alongside code loaded by Chinese search engine Baidu (including both its ad platform and analytics platform), but is unlikely to be coming directly from Baidu itself.

But the much more interesting part is why China is using a DDoS attack, rather than its standard approach of just blocking access in China, as it has historically done. The key is that, two years ago, China tried to block GitHub entirely… and Chinese programmers flipped out, pointing out that they couldn’t do their jobs without GitHub. The Chinese censors were forced to back down, leading to a sort of loophole in the Great Firewall. That leads to the next question of why China doesn’t just block access to the URLs of the two repositories it doesn’t like? And the answer there: HTTPS. Because all GitHub traffic is encrypted via HTTPS, China can’t just block access to those URLs, because it doesn’t know specifically what’s being accessed.

And thus, we get the decision to turn its firewall around, launching a rather obvious DDoS attack on the two sites it doesn’t like, with the rather clear message being sent to GitHub: if you stop hosting these projects, the DDoS will stop. Of course, so far GitHub is taking a stand and refusing to take down those projects (which is great and exactly what it should be doing).

However, this does suggest an interesting escalation in questions about the increasing attempts to fragment the internet. You see various countries demanding (or forcing) certain websites get blocked. But those solutions are truly only temporary. Because the overall internet is too important to block, and because some sites are necessary (like GitHub) there are always holes in the system. Add in a useful dose of encryption (yay!) and the ability to control everything that’s read in one particular country becomes increasingly difficult. You might hope the response would be to give up attempts to censor, but China isn’t likely to give up just like that. So, instead, it’s basically trying to censor the global internet, by launching a high powered attack on the site that is the problem, while basically saying “get rid of these projects and we’ll stop the attack.”

It seems likely that this sort of escalation is only going to continue — but in some ways it’s actually a good sign. It shows that there are real cracks in China’s attempts to censor the internet. We’re basically realizing the limits of the Great Firewall of China, and useful services like GitHub have allowed a way to tunnel through. China is responding by trying to make life difficult for GitHub, but as long as GitHub and others can figure out ways to resist, censorship attempts like the Great Firewall will increasingly be useless.

In the early days of the internet, people talked about how it was resistant to censorship. Over the past decade or so, China has challenged that idea, showing that it could basically wall off large parts of the internet, and actually keep things semi-functional. Yes, there were always cracks in the wall, but for the most part, China showed that you could censor large parts of the internet. This latest move suggests that we may be moving back towards a world where the internet really is resistant to censorship — and China is freaking out about it and responding by trying to increase the censorship globally. It’s a battle that is going to be important to follow if you believe in supporting free expression online.

Filed Under: censorship, china, ddos, encryption, great firewall, injection, man in the side
Companies: github, greatfire, ny times