Quote:
Originally Posted by rryles
Thanks for the pointer to 6 pages of text. I had already looked at the 6 photos but missed the extra text as that was below the fold.
The comments from BT are most interesting.
"The protest against Phorm's technology, which BT will rebrand 'Webwise', would have no impact on BT's upcoming trial, said Morgan.
"There is a tiny but vocal minority who believe there is an issue here," said Morgan. "It is a very small protest. When we've spoken to customers, they've been interested and see the benefits. We don't get the impression it's a significant shareholder issue.""
And, Stephen Mainwaring's quote sums it all up for me: "I have to comply with the Data Protection Act and, when this was going on, I had to assume the worst - that customer data had been compromised."
This next comment is not aimed at Stephen Mainwaring at all - just acknowledging the wisdom of that comment.
Not everyone uses ssh to communicate with their server. Most popular hosting does not offer control panels and database interfaces on https. Where the webmaster does not use https for the contact forms, do you think they will be more security conscious when it comes to looking at the content of the database that form has populated?
'You' may be careful and ensure that your internet connection is DPI free - what about the interception of the connection used by the Admin of the site you are sharing your data with?
We only have Phorm's word that they will not look at anything beyond a login.
It is very frightening to see browser logs showing, in the raw, the login and password for the control panel for each page within the control panel that I view for one of my hosting plans. (I don't want to frighten you, but this is one of the most popular cheap hosting control panels used by millions of site Admins to maintain their sites - and I am in the process of moving sites to more secure hosting - https login - for this very reason.)
[login urls: - do we just write all our URLs to look like logins so that the intercept script will ignore them? - so much easier than non-existent useragents for robots.txt and spending a lot of server resources doing reverse DNS look-ups to send phormed visitors to image only pages so that there is nothing for the profiler to harvest.]