Cable Forum - Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Cable Forum (https://www.cableforum.uk/board/index.php)

- Virgin Media Internet Service (https://www.cableforum.uk/board/forumdisplay.php?f=12)

- - Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797] (https://www.cableforum.uk/board/showthread.php?t=33628733)

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:

Originally Posted by Florence

Might also be worth checking these again think Phorm are manipulating NS to hide locations.

Quote:

Originally Posted by serial (Post 34559501)

Checked againt for www.webwise.bt.com, now on 207.44.186.90 with:

openinternetalliance.net
www.121media.com
www.phorm.com
www.webwise.bt.com
www.webwise.com
www.youcanoptin.com
youcanoptin.org
youcanoptout.net

So they are now resolving to the US again:

(Asked whois.arin.net:43 about +207.44.186.90)

OrgName: ThePlanet.com Internet Services Inc.
OrgID: TPCM
Address: 315 Capitol
Address: Suite 205
City: Houston
StateProv: TX
PostalCode: 77002
Country: US
ReferralServer: rwhois: //rwhois.theplanet.com: 4321
NetRange: 207.44.128.0 - 207.44.255.255
CIDR: 207.44.128.0/17
OriginAS: AS13749 AS13884 AS21844 AS30315
OriginAS: AS36420
NetName: NETBLK-THEPLANET-BLK-EV1-9
NetHandle: NET-207-44-128-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1SERVERS.NET
NameServer: NS2.EV1SERVERS.NET

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:

Originally Posted by icsys (Post 34559518)

Just shows you that you cannot trust this man or company an inch.. if they do place servers insice the ISP the informatin willwing its way to america then to the highest bidder.. adverts bah that is the smoke screen that the daft ISPs hace fallen for hook line and sinker sad to say thye seem to have sat on their brains and killed them..

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:

Originally Posted by serial (Post 34559501)

What are you using to get the IP addresses? My DNS lookup says (for example) that www.webwise.com is still on Gyron in London E14 at 89.145.112.31 and 89.145.112.32.

I am using the tools at:
http://cgibin.erols.com/ziring/cgi-bin/nsgate/gate.pl

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:

Originally Posted by Portly_Giraffe (Post 34559642)

This is what I get:

Quote:

$ dig www.webwise.bt.com

; <<>> DiG 9.4.1-P1 <<>> www.webwise.bt.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29860
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;www.webwise.bt.com. IN A

;; ANSWER SECTION:
www.webwise.bt.com. 600 IN A 207.44.186.90

;; AUTHORITY SECTION:
webwise.bt.com. 600 IN NS DYDNS0.bt.com.
webwise.bt.com. 600 IN NS DYDNS1.bt.com.
webwise.bt.com. 600 IN NS EDDNS0.bt.com.
webwise.bt.com. 600 IN NS EDDNS1.bt.com.

;; ADDITIONAL SECTION:
DYDNS0.bt.com. 133199 IN A 193.113.32.156
DYDNS1.bt.com. 53 IN A 193.113.32.157
EDDNS0.bt.com. 53 IN A 193.113.57.242
EDDNS1.bt.com. 53 IN A 193.113.57.243

;; Query time: 37 msec
;; SERVER: REMOVED
;; WHEN: Sun May 25 16:35:19 2008
;; MSG SIZE rcvd: 218

Quote:

$ dig openinternetalliance.net

; <<>> DiG 9.4.1-P1 <<>> openinternetalliance.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61265
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;openinternetalliance.net. IN A

;; ANSWER SECTION:
openinternetalliance.net. 86400 IN A 89.145.112.31
openinternetalliance.net. 86400 IN A 89.145.112.32

;; AUTHORITY SECTION:
openinternetalliance.net. 86400 IN NS ns1.openinternetalliance.net.
openinternetalliance.net. 86400 IN NS ns2.openinternetalliance.net.

;; ADDITIONAL SECTION:
ns1.openinternetalliance.net. 86400 IN A 38.105.138.53
ns2.openinternetalliance.net. 86400 IN A 38.105.138.54

;; Query time: 140 msec
;; SERVER: REMOVED
;; WHEN: Sun May 25 16:38:43 2008
;; MSG SIZE rcvd: 166

Quote:

$ dig www.121media.com

; <<>> DiG 9.4.1-P1 <<>> www.121media.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63399
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.121media.com. IN A

;; ANSWER SECTION:
www.121media.com. 900 IN CNAME phorm.com.
phorm.com. 98 IN A 89.145.112.31
phorm.com. 98 IN A 89.145.112.32

;; AUTHORITY SECTION:
phorm.com. 172598 IN NS ns1.phorm.com.
phorm.com. 172598 IN NS ns2.phorm.com.

;; ADDITIONAL SECTION:
ns1.phorm.com. 172598 IN A 38.105.138.53
ns2.phorm.com. 172598 IN A 38.105.138.54

;; Query time: 127 msec
;; SERVER: REMOVED
;; WHEN: Sun May 25 16:39:50 2008
;; MSG SIZE rcvd: 170

Quote:

$ dig www.phorm.com

; <<>> DiG 9.4.1-P1 <<>> www.phorm.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5394
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.phorm.com. IN A

;; ANSWER SECTION:
www.phorm.com. 900 IN CNAME phorm.com.
phorm.com. 300 IN A 89.145.112.31
phorm.com. 300 IN A 89.145.112.32

;; AUTHORITY SECTION:
phorm.com. 172800 IN NS ns1.phorm.com.
phorm.com. 172800 IN NS ns2.phorm.com.

;; ADDITIONAL SECTION:
ns1.phorm.com. 172800 IN A 38.105.138.53
ns2.phorm.com. 172800 IN A 38.105.138.54

;; Query time: 489 msec
;; SERVER: REMOVED
;; WHEN: Sun May 25 16:36:27 2008
;; MSG SIZE rcvd: 158

Quote:

$ dig www.webwise.com

; <<>> DiG 9.4.1-P1 <<>> www.webwise.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8547
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.webwise.com. IN A

;; ANSWER SECTION:
www.webwise.com. 900 IN A 89.145.112.31
www.webwise.com. 900 IN A 89.145.112.32

;; AUTHORITY SECTION:
webwise.com. 900 IN NS ns1.webwise.com.
webwise.com. 900 IN NS ns2.webwise.com.

;; ADDITIONAL SECTION:
ns1.webwise.com. 900 IN A 38.105.138.53
ns2.webwise.com. 900 IN A 38.105.138.54

;; Query time: 141 msec
;; SERVER: REMOVED
;; WHEN: Sun May 25 16:41:21 2008
;; MSG SIZE rcvd: 148

And if I check all 3 IPs I get the following:

Quote:

$ whois 207.44.186.90

OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 315 Capitol
Address: Suite 205
City: Houston
StateProv: TX
PostalCode: 77002
Country: US

ReferralServer: rwhois://rwhois.theplanet.com:4321

NetRange: 207.44.128.0 - 207.44.255.255
CIDR: 207.44.128.0/17
OriginAS: AS13749, AS13884, AS21844, AS30315
OriginAS: AS36420
NetName: NETBLK-THEPLANET-BLK-EV1-9
NetHandle: NET-207-44-128-0-1
Parent: NET-207-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.EV1SERVERS.NET
NameServer: NS2.EV1SERVERS.NET
Comment:
RegDate:
Updated: 2008-02-28

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: The Planet Abuse
OrgAbusePhone: +1-281-714-3560
OrgAbuseEmail: abuse@theplanet.com

OrgNOCHandle: THEPL-ARIN
OrgNOCName: The Planet NOC
OrgNOCPhone: +1-281-714-3555
OrgNOCEmail: noc@theplanet.com

OrgTechHandle: TECHN33-ARIN
OrgTechName: Technical Support
OrgTechPhone: +1-214-782-7800
OrgTechEmail: admins@theplanet.com

# ARIN WHOIS database, last updated 2008-05-24 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Found a referral to rwhois.theplanet.com:4321.

%rwhois V-1.5:003eff:00 whois.theplanet.com (by Network Solutions, Inc. V-1.5.9.5)
%referral rwhois://root.rwhois.net:4321/auth-area=.
%ok

Quote:

$ whois 89.145.112.31
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

% Note: This output has been filtered.
% To receive output for a database update, use the "-B" flag.

% Information related to '89.145.112.0 - 89.145.113.255'

inetnum: 89.145.112.0 - 89.145.113.255
netname: G-CUS-PH02
descr: Phorm IPv4 Assignment
country: GB
admin-c: GAT1-RIPE
tech-c: GAT1-RIPE
status: ASSIGNED PA
mnt-by: GYRON-MNT
mnt-lower: GYRON-MNT
mnt-routes: GYRON-MNT
source: RIPE # Filtered

role: Gyron Admin Team
address: Gyron Internet Ltd
address: 6 Greenwich View Place
address: Millharbour
address: LONDON
address: E14 9NN
phone: +44 (0) 207 043 1443
fax-no: +44 (0) 207 043 1444
abuse-mailbox: abuse@gyron.net
admin-c: RB30-RIPE
tech-c: RB30-RIPE
tech-c: OB924-RIPE
tech-c: BPM1-RIPE
nic-hdl: GAT1-RIPE
remarks: Please use this contact in preference to any others
remarks: that may be listed in the RIPE database
source: RIPE # Filtered

% Information related to '89.145.64.0/18AS29017'

route: 89.145.64.0/18
descr: GYRON-AGG Gyron Internet Ltd AS29017
origin: AS29017
mnt-by: GYRON-MNT
source: RIPE # Filtered

NOTE: the .32 IP is the same

So it seems the www.webwise.bt.com is in fact in the US and all the rest are controlled by Phorm in the UK (registered to Phorm in the UK).

Of course this means the www.webwise.bt.com is subject to US Law and can have all the logs subpoenaed. It would be advisable not enter any information onto that website. It also seems it should be classed as illegal under Data Protection Act which disallows the exporting of personal data outside the EU.

Anyone brought this to the attention of ICO yet? I notice there is at least 1 form on there which requires you to enter sensitive personal data:

http://www.webwise.bt.com/webwise/contact.php

So this would indeed appear to be in direct breach of the DPA. In theory if ThePlanet have any DPI kit in their data centre (which I believe although I could be wrong, is required under US anti terrorist initiatives) they could in essence get all the details you enter on that form. I know there is a degree of logging in the US similar to data retention laws in the EU, but I don't know to what extent so I can't give any informed comments on it. I will however try to find out.

One thing I do know however, is there are no rights afforded under the Fourth Amendment of the Constitution for any personal data given to third parties (I covered this just the other day on a paper I wrote about the Patriot Act Sunset Clauses), so in essence if ThePlanet were to use any of the data going through their networks, I don't think BT would have any recourse (or the public).

Alexander Hanff

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:

Originally Posted by AlexanderHanff (Post 34559656)

snip
So it seems the www.webwise.bt.com is in fact in the US and all the rest are controlled by Phorm in the UK (registered to Phorm in the UK).

Of course this means the www.webwise.bt.com is subject to US Law and can have all the logs subpoenaed. It would be advisable not enter any information onto that website. It also seems it should be classed as illegal under Data Protection Act which disallows the exporting of personal data outside the EU.

Anyone brought this to the attention of ICO yet? I notice there is at least 1 form on there which requires you to enter sensitive personal data:

http://www.webwise.bt.com/webwise/contact.php

So this would indeed appear to be in direct breach of the DPA. In theory if ThePlanet have any DPI kit in their data centre (which I believe although I could be wrong, is required under US anti terrorist initiatives) they could in essence get all the details you enter on that form. I know there is a degree of logging in the US similar to data retention laws in the EU, but I don't know to what extent so I can't give any informed comments on it. I will however try to find out.

Alexander Hanff

I am in the process of cotacting ICO with reference particularly to the BT Webwise Contact Us page, and the trace information above will be very helpful. I will copy the ICO complaint to the BT legal department.

Interesting that the page has the BT logo in the same place as it is on bt.com homepage, and the links at the bottom are just the same as on the genuine BT page, and the link to contact.php says "contact BT" but contains NO warnings that you just stepped out of the EU privacy protection zone. It's a complete utter con - and what's more - they know, and they know that we know - because I asked them about it AGES ago, and they even put up mirror BT Webwise pages on bt.com in response to my complaint about not wanting to visit FASTHOSTS or US hosted pages - but they didn't create any warnings.
Add to this the fact that BT Retail's own ISP pages currently offer NO customer route to information about BT Webwise, and it looks pretty pathetic - their BTYahoo! help returns zero hits for "webwise", and the bt.com search pages return one hit for "webwise" with a broken link (because they've just changed all the webwise pages to php but not told the bt.com search engine which still links to index.html rather than index.php so returning an error page). And they talk about informed consent!

I've also made reference to it in my original letter to BT Retail Legal department but not with all that trace info as the letter went in over a week ago.

I've also asked Emma Sanderson if she could just fill in the blanks with regard to which coloured boxes on the BT Webwise network diagram relate to which IP addresses, at which location, in which country, and under whose control, and in partiucular, which of the coloured boxes are FASTHOSTS and which are THEPLANET.COM and which are BT.

I'm expecting at least a reply from ICO.

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:

Originally Posted by R Jones (Post 34559664)

I am in the process of cotacting ICO with reference particularly to the BT Webwise Contact Us page, and the trace information above will be very helpful. I will copy the ICO complaint to the BT legal department.

I've also made reference to it in my letter to BT Retail Legal department but not with all that trace info as the letter went in over a week ago.

I've also asked Emma Sanderson if she could just fill in the blanks with regard to which coloured boxes on the BT Webwise network diagram relate to which IP addresses at which location in which country and under whose control and in partiucular, which of the coloured boxes are FASTHOSTS and which are THEPLANET.COM and which are BT.

I'm expecting at least a reply from ICO.

Good job, did you read the paragraph I added to the end of my previous post. I added it after you quoted it so I just want to make sure you have seen it.

Actually, saying that, even if personal data given to third parties was protected under the constitution, I can't see even that would help a non US citizen, since the constitution would not apply afaik.

Alexander Hanff

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

it appears 4 people so far have submitted that the
http://www.webwise.bt.com
is not a Phish , but it seems they may not know about the background as it related to Phorm and BT or the statement nothing personal goes outside the internal BT network etc.

perhaps it needs explaining to them and others so as to make it clear ,as it stands currently it is ....!
http://www.phishtank.com/phish_detai...hish_id=450504

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:

Originally Posted by R Jones (Post 34559664)

I've also asked Emma Sanderson if she could just fill in the blanks with regard to which coloured boxes on the BT Webwise network diagram relate to which IP addresses, at which location, in which country, and under whose control, and in partiucular, which of the coloured boxes are FASTHOSTS and which are THEPLANET.COM and which are BT.

And don't forget Gyron, who now appear to be the main hosting provider for Phorm.

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:

Originally Posted by AlexanderHanff (Post 34559666)

just posted a link over on the BT forums back to this information and added some of the information about the webwise opt-in pages hosted in US

http://www.beta.bt.com/bta/forums/th...D=23149&#23149

peter

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Is it beneficial for multiple complaints to be sent to the ICO regarding the direct breach of the DPA with 'webwise.bt.com/webwise/contact.php' or is it better to just have one concise complaint?

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:

Originally Posted by popper (Post 34559669)

http://www.phishtank.com/phish_detai...hish_id=450834

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

iv marked that
http://www.phishtank.com/phish_detai...hish_id=450834
as a phish, you can do the same for the original one too,
http://www.phishtank.com/phish_detai...hish_id=450504
the more it gets the more it becomes confirmed ( it appears 4 are enough to get it listed as "is not a phish").

although there does not seem to be a way to add information to the page explaining why we know it to be the case.....!
or that it can be classed as the new form of Phishing, that being the intra-ISP assisted Phishing.

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:

Originally Posted by popper (Post 34559692)

iv marked that as a phish, you can do the same for the original one too,the more it gets the more it becomes confirmed.

although there does not seem to be a way to add information the the page explaining why we know it to be the case.....!
or that it can be classed as the new form of Phishing, that being the intra-ISP assisted Phishing

Verified.

Alexander Hanff

Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:

Originally Posted by popper (Post 34559692)

I joined and verified it as phishing

---------- Post added at 19:05 ---------- Previous post was at 18:47 ----------

I have sent an email to Emma Sanderson which I hope will answer a few questions if I get a reply it will depend on if I have permission to copy and paste the email or just summerize it.

Quote:

Hello Emma Sanderson,

I have been following the phorm problems but became aware that a BT.com domain name that requests personal identifiable information is located on a hosting company in America that is listed in the top 10 phishing hosting companies.

Could you please explain the reasons for this, if it is within the DPA since the personal information would be outside the EU and have customers been informed this contact us page is hosted in America. If this site is not yours then you have someone out there phishing BT which is strange since you are not a bank so not such a good lucrative phish.

I am aware of Phorm and do not agree to this method of intrusion but I am not a customer this would involve. While I do work on a website that goes that extra little bit to help protect members from phishing.

This link to http://www.webwise.bt.com and the hosting phishing will be made public on our forums. I will also be posting a copy of this email.
To try and help members and customers be prepared to protect their privacy from American phishing sites it could help if you would let us know if not BTwho has control of http://www.webwise.bt.com?
If this Domain is BT's why it is hosted on third party hosting outside the EU?
If you intended to notify visitors that this domain was gathering information that was personal to them and outside the EU so not protected by the UK DPA?

I await your reply which will be posted if you agree otherwise I will just post quick summery the reply to the members.

Regards
*****