Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

[Rchivist]

Quote:

Originally Posted by vicz

Why do I think that the 'blacklist' is just more vapourware? There may be a list that you can add your site to, but how would you know if you were still 'accidentally' being profiled? And what would your remedy be (get in the queue after 108,000 other BT offences).

As BT put my 2 sites on their "do not profile" blacklist I will be very interested to see if they DO get profiled. I may even sign up to Webwise briefly with one of my BTY sub-accounts and visit the site to see what the logs look like. I have to agree - I can't see all that on-the-fly checking working myself, but once the system goes live, if it ever does, I'll be hunting the webmaster sites for ways of detecting the visits. If they are requesting robots.txt then presumably they have to do that from somewhere and it should be fairly easy to visit a site at a set time by arrangement and then check for the robots.txt request by Phorm machinery.

Dephormation.org has various webmaster tools available but I haven't examined them yet - I will if Webwise actually goes live. The one I would most like is the Webwise detector, followed by a redirection of the Webwise-using browser by the affected site, to a Phorm/Webwise information page which encourages people to opt out of Webwise, complain to their ISP and offers links to all the various anti-Webwise sites available. Now that is what I call targeted advertising!

[jelv]

Quote:

Originally Posted by GeoffW

So maybe getting as many things added to the black list *is* a good idea - sorry Alexander.

I'd suggested we should do this in the past, but I've reflected on what Alexander said about it and I now think this is a very bad idea. If an official blacklist exists, it renders any RIPA notice placed on the front of a website totally ineffective - Phorm would have the defence that they should have requested that their site was added to the black list.

What we should be doing is encouraging as many website owners as possible to place a notice on their site prohibiting interception. If we all do it in our own words to make it difficult for Phorm to automatically detect the notice - so much the better. If the notice is there they have to obey it.

What should be happening is that Phorm specify either an entry in robots.txt, or a similar file just for this purpose, which permits Phorm and any similar organisations to intercept the traffic for profiling providing the visitor to the website has also given their informed consent. That is it should be an opt in for websites as well as the Phormed ISPs users.

I'm having a PM conversation with Pete @ dephormation about something that would complement this approach very nicely - I hope he'll have something to announce soon.

---------- Post added at 17:24 ---------- Previous post was at 17:22 ----------

Quote:

Originally Posted by R Jones

Dephormation.org has various webmaster tools available but I haven't examined them yet - I will if Webwise actually goes live. The one I would most like is the Webwise detector, followed by a redirection of the Webwise-using browser by the affected site, to a Phorm/Webwise information page which encourages people to opt out of Webwise, complain to their ISP and offers links to all the various anti-Webwise sites available. Now that is what I call targeted advertising!

Funny you should say that! (see the post above)

[flowrebmit]

Quote:

Originally Posted by jca111

If they managed to break https (SLL) then they would be bl0ody good programmers/mathamatitions. I really dont think we have to worry about the https being profiled as its all but impossible to do - the only way to do it usually is by back door attacks, not man in the middle - so I really dont think we need to wory about our banking transactions.

Unless your bank doesnt use https - but if this were the case - I would dump that bank ASAP!

What if the Russian programmers incorporate a Transparent SSL proxy into the Phorm DPI and web faking computers. If the following URL is to be believed this technology already exists:-

http://www.intelcommsalliance.com/ks...04daf53086f015

[Rchivist]

Quote:

Originally Posted by jelv

Yes they will:

They have a contract with BT.

The Phorm supplied equipment will reside on BT's site(s) and there's a funny arrangement whereby it's owned by BT (but BT have limited access to the equipment).

We've yet to clarify even that - more (deliberate?) BT vagueness - the current BT Webwise site where ALL the info on Webwise is kept, and where the various cookies appeared from briefly (by mistake of course) is NOT on bt.com but on a different redirecting page at webwise.bt.com which is hosted by FASTHOSTS (and has been down recently when FASTHOSTS went down - its the budget end of the hosting market). At the moment it sets a "session" cookie which does disappear at the end of the session. A few weeks ago it was doing less predictable cookie stuff for which BT "apologised".

Name: PHPSESSID
Content: 6eb1b36ac1a808a682d5c741990b14aa
Host: www.webwise.bt.com
Path: /
Send For: Any type of connection
Expires: at end of session

Do the lookups and see - webwise.bt.com WHOIS lookup appears kosher, but the reverse IP lookups on the resultant IP's
88.208.250.85
88.208.248.102
88.208.250.66
show the FASTHOSTS details.

They seem to have got rid of the IP address that resolved back to Phorm, within the last week. So the pressure is getting to them!

They do pretend it's on bt.com in some of their links which put http://bt.com/webwise/ in your browser - but after a lengthy pause and a lot of status bar activity, it ends up at http://www.webwise.bt.com/webwise/index.php and that doesn't resolve to a BT host.

I've been asking BT to put their Webwise FAQ on pages hosted on their own domain and they said to me they would do it (a week ago) but they haven't done it yet - at least a site search doesn't find it except on the webwise.bt.com pages. So anyone with Webwise urls blocked can't read the BT Webwise FAQ. Bit much when your ISP puts really vital information on pages hosted outside the internal IP range it is officially responsible for.

[JHM]

Quote:

Originally Posted by Ratastic

BT have said that if someone sets their browser e.t.c. to block webwise during the trial, then they won't be able to access the internet for the duration of the trial.

If thats the case then, it's irrelevant whether you opt in or out, your data will still be redirected to webwise servers, and will be dependant on the functioning of those servers.

So if Phorm's equipment fails, it could in theory leave hundreds of thousands of people without the ability to surf the web regardless of whether or not they opted in or out.

This means that if someone can't access the web, they won't know whether the liability rests with BT or with Phorm.

Not sure if your first paragraph is correct.

The BT produced schematic for how the trial will work, shows that if there is an opt-out cookie present or if you block Webwise.net, then you data goes nowhere near the profiler. See: http://webwise.bt.com/webwise/customer_choice.html

However, if you op-in to the trial and then block Webwise.net, then my understanding is that your browsing could well grind to a halt.

John

[Rchivist]

Quote:

Originally Posted by JHM

Not sure if your first paragraph is correct.

The BT produced schematic for how the trial will work, shows that if there is an opt-out cookie present or if you block Webwise.net, then you data goes nowhere near the profiler. See: http://webwise.bt.com/webwise/customer_choice.html

However, if you op-in to the trial and then block Webwise.net, then my understanding is that your browsing could well grind to a halt.

John

Here is the reply I got on 18th April from a BT manager.
Beginning of quote -
11) What will happen to the "browsing experience" of a BT customer who adds all the various oix/phorm/webwise domains to his/her HOSTS file, once Webwise/Phorm is in place? Will that "break" my browsing experience?

Answer from manager - If a customer who is invited to participate in the trial adds www.webwise.net to their local HOSTS file with the resolved address of 127.0.0.1, they will not be able to browse the Internet on HTTP port 80 on that PC for the period of the trial. This is because access to www.webwise.net is required in order to process the consent status of the user during the trial. Instead, and as per the advice on the www.bt.com/webwise site, the recommended approach for excluding a PC from the Webwise service if the user regularly deletes cookies is to add www.webwise.net to the browser's blocked cookie list. As previously stated, in parallel with the forthcoming trial, we are developing a solution which will manage the choice of users without the use of cookies. We believe this approach is reasonable and is supported by the advice we have received. - end of quote

As you can see the answer is ambiguous, and only refers to the trial. It suggests that the trial will require a cookie based opt-out but leaves open the possibility of a non cookie based opt-out for the future.

As you can see the answer avoids dealing with the situation of a customer who is NOT in the trial, but has no cookie, and who has the webwise.net domain blocked in HOSTS. I'm sure this vagueness is deliberate. If the trial goes ahead, we'll find out very easily.It could be argued from this manager's answer that even opting out (or ignoring) the trial altogether, will require a cookie and access to www.webwise.net.

[CaptJamieHunter]

Quote:

Originally Posted by jelv

Yes they will:

They have a contract with BT.

The Phorm supplied equipment will reside on BT's site(s) and there's a funny arrangement whereby it's owned by BT (but BT have limited access to the equipment).

BT (or any ISPs who sign up to Phorm) will have no access to the Phorm equipment. This has been mentioned a few times in this thread (and the IT pros who contribute are as shocked as me they would allow this) and it is confirmed by Nicholas Bohm's legal analysis.

Phorm's approach is "Trust us, we're the good guys even though we won't let you anywhere near our kit".

[AlexanderHanff]

Quote:

Originally Posted by JHM

Not sure if your first paragraph is correct.

The BT produced schematic for how the trial will work, shows that if there is an opt-out cookie present or if you block Webwise.net, then you data goes nowhere near the profiler. See: http://webwise.bt.com/webwise/customer_choice.html

However, if you op-in to the trial and then block Webwise.net, then my understanding is that your browsing could well grind to a halt.

John

Nope not quite correct. If you are in one of the exchanges being used for the trial irrespective of whether or not you opt-in, if you block the webwise domains in your hosts file by redirecting them to localhost (127.0.0.1) then you will not be able to browse the web.

The reason for this is all traffic for the entire exchange will be passed through the Layer 7 technology during the trial and then redirected as described by Dr Richard Clayton to a "special machine" masquerading as the web site you want to access. This is the main consequence of the cookie system they are currently using.

If you note the correspondence R Jones had with BT (above) you can see it states any user who is "invited" to the trials, not any user who "accepts" an invite. When you read that statement and understand the technical analysis by Richard it is clear that this will include everyone in the exchange as it specifically needs to go to the webwise domain to get the opt-out cookie. If you redirect to localhost that cookie will never be set and you will be stuck in a loop. The loop that Kent stated could only ever effect a maximum of 1% of customers...

Alexander Hanff

[Florence]

Quote:

Originally Posted by AlexanderHanff

Nope not quite correct. If you are in one of the exchanges being used for the trial irrespective of whether or not you opt-in, if you block the webwise domains in your hosts file by redirecting them to localhost (127.0.0.1) then you will not be able to browse the web.

The reason for this is all traffic for the entire exchange will be passed through the Layer 7 technology during the trial and then redirected as described by Dr Richard Clayton to a "special machine" masquerading as the web site you want to access. This is the main consequence of the cookie system they are currently using.

If you note the correspondence R Jones had with BT (above) you can see it states any user who is "invited" to the trials, not any user who "accepts" an invite. When you read that statement and understand the technical analysis by Richard it is clear that this will include everyone in the exchange as it specifically needs to go to the webwise domain to get the opt-out cookie. If you redirect to localhost that cookie will never be set and you will be stuck in a loop. The loop that Kent stated could only ever effect a maximum of 1% of customers...

Alexander Hanff

I made bold the part I wished to check up on it should be impossible to do the whole exchange since there will be some on the exchange that are not BT BB customers so not part of their network to trial this on...

[AlexanderHanff]

Quote:

Originally Posted by Florence

I made bold the part I wished to check up on it should be impossible to do the whole exchange since there will be some on the exchange that are not BT BB customers so not part of their network to trial this on...

Sorry let me clarify, all BT retail customers at the exchange. Of course it could be that the BT statement sent to R Jones was inaccurate but if it is true than I believe my analysis is correct.

Alexander Hanff

[Florence]

Quote:

Originally Posted by AlexanderHanff

Sorry let me clarify, all BT retail customers at the exchange.

Alexander Hanff

Cheers Alexander or we would have been starting more legal proceedings for intercepting other ISPs customers..

Quote:

Originally Posted by Florence

Cheers Alexander or we would have been starting more legal proceedings for intercepting other ISPs customers..

And what makes you think that BT would not do this or has not already?

LOL - Only joshing

(I imagine that would be a step too far and technically hard to do)

Hank

[Chroma]

RE: Secure banking.

Most users online that i know of, myself included have a list of maybe half a dozen passwords/datasets that are frequently used, for instance some people use the same passwords for email (secure and unsecure webbased), forums and banking.

Its not outside the realm of possibility to get a users profile and figure out his half dozen passwords and the URL of his bank, then brute force the account with a very small list (generaly 3 attempts before the account is locked and you need to call up your bank) that would result in a 50% chance of gaining access to someones account.

This without even discusing the possibilities of an external organisation gaining control of the packet filtering equipment and monitoring the streams from users at a given exchange to their own ends, then redirecting traffic to a spoofed DNS that again redirects people to a frudulent mirror of your banks site.

You honestly think that serious criminal and terrorist organisations have no interest in an almost unlimited free source of additional income to pay for whatever will forward their agendas? even if such a move involved actual physical access to the equipment its a striaght forward matter to hand an openreach worker a nice fat brown envelope to look the other way for 30 mins whilst you peruse the premises.

Think about this:
I (Being a criminal mastermind genius) start sniffing on customers data and begin compiling a list for each customers passwords over unsecured connections.
I also generate a list for each customers online banking urls (not the actual secure stuff just the site URL)
I also spend a couple of hundred opening bank accounts to the sites found to be most frequently used, i do this merely to gain access to those bank sites and set up my own fake servers, you have to speculate to accumulate

Now after mirroring my own bogus servers i start redirecting traffic to them using phorms equipment to route everything through my own shady DNS servers, i do this only to harvest customer passwords and once i have these passwords i display an error stating the website is currently down for "Maintainance" followed by an appology and a request to "please allow up to 24hrs while we fix our errors." (Masterminds are not all like Blofeld we can be nice too)

After 12~18hrs i stop redirecting traffic, and do this same redirection every few weeks for the next 6 months farming as much as i can.
After this 6 months i would purchase my flights to a non extradition country with a damned good telecommunications network (Russia and China spring to mind as fun destinations)
i then run my script to systematicaly log in to and transfer money out of the millions of valid accounts now at my disposal, starting with all business accounts (netting me the most cash) right down through to individal personal accounts.
Funneling all this cash into a long list of seperate accounts abroad (that i would have been spending the 6 month profiling time setting up) this is to avoid suspicion of every british resident dumping money into a single tracable account and raising a red flag.
Then i would start phase 2 to swap the money around these accounts and bounce it around a little before trickling into a nice large private account, the trick is to keep it moving around and confuse anoyone looking to trace it to a single point, after nine hours of reviewing logs anyone will go squeg eyed and begin to make errors.
After touching down in Russia i would then extract as much cash as i could by hand and place it onto a few banks over there before transfering it around further, using some to get myself a nice "black market" new identity. To move around to another country where i would hapily reside for the rest of my life knee deep in banknotes.
Once set up i would forward Kent an email enquiring as to the point of targeting adverts to anyone online in the UK when they no longer had any money to be interested in any of them.

Thereby pulling off the biggest bank heist in history and netting myself a nice little sum to start a new life of absurd and unending pleasures beyond anyones wildest dreams.
Of course i would totaly cripple the UK economy as residents and businessmen woke the next day to have their cards eaten by the machines.
But frankly to hell with you guys, i can afford a slew of lawyers to fend you off

All this with a few months of setup, without having to resort to violence or raising my voice and not placing a single hostage or even myself at any risk.

The best of it is that since the police and home office are entirely reluctant to investigate what happens online it could take months of red tape before a single suspect is generated let alone people pointing the finger at me

It would however make an awesome screenplay (and this has the added benifit of not having an angry nation track me down like the dog that i am.)

Ok so maybe im scaremongeing and just a touch sarcastic and upon rereading it, I seem to descend entirely into paranoid drivel and sheer tinfoil hattery.
But the simple fact is that monitoring SSL and https isnt nessisary to gain some seriously sensitive information on a person that could be used to his or her detriment.

[mark777]

Quote:

Originally Posted by Chroma

RE: Secure banking.

Most users online that i know of, myself included have a list of maybe half a dozen passwords/datasets that are frequently used, for instance some people use the same passwords for email (secure and unsecure webbased), forums and banking.
{snip}

Well, on a day when German TV bought 'Allo 'Allo, I suppose anything is possible!

[Rchivist]

More answers from a BT manager. As the person in question is now going on holiday, no more answers for a while! (unless I can provoke someone else or head back upstairs to the CEO's penthouse!)

The questions are somewhat edited, but I've left their version of the question for clarity. These are official management level BT responses.

The good thing is that having got someone's attention, I have been given answers and courteous replies for which I am grateful. The content of the replies may still be very very unsatisfactory, but I am getting responses. I'm grateful for small mercies.

(beginning of BT quote)
1. Website cookie forging by Webwise/Phorm remains murky and unexplained by Phorm - who gave anyone permission to forge a cookie purporting to come from one of my registered domains? I withhold consent for BT/Phorm to use the domain names of my sites within any cookie set by Webwise.

A: Webwise cookies are clearly associated with the Webwise service. Where a website uses cookies, we prefix the Webwise UID (unique ID, a random number) to a cookie coming from the website. It is clear in this cookie at what point the Webwise UID starts and the domain cookie stops (and vice versa). Where cookies are not used by a website, only the Webwise UID is placed into a new cookie which will be associated with the domain of the website being visited. In both cases, the Webwise UID element of the cookie is clearly labelled so as to be associated with the Webwise service.

2. In response to your question this week - whether or not you are liable to prosecution if you visit websites like Amazon etc....

A: Any user who has consented to taking the BT Webwise service will not make any unauthorised use of a website as a result of taking the Webwise service. BT has carefully considered the privacy and legal issues arising from the BT Webwise service and we are confident that operating the service does not lead to issues for our users in this regard.

3. In response to your question yesterday regarding the legality of Webwise/Phorm following the publication of the latest FIPR report and the forthcoming trial dates.....

BT and Phorm have sought extensive legal advice over the last two years and been in regular contact with both the ICO and Home Office. I am sure you have seen their recent statements also. We have also reviewed the FIPR report. BT is, of course, aware of the legal requirements regarding interception of communications under the Regulation of Investigatory Powers Act 2000. We consider that the steps we are taking will meet the legal requirements of RIPA and also ensure that customers are able to take a fully informed decision as to whether to take the service (it will be optional and customers will have a clear choice). Furthermore we are confident that Webwise/our approach conforms with other relevant UK laws.

We will commence trialling BT Webwise shortly and have committed to providing at least 24 hours notice prior to commencing the trial. We will do this via the BT forums etc.. Rest assured it is not unusual for trial/launch dates to change..... (end BT quote)

I think that does not add anything much - it all basically reads to me like - "we know what we are doing and its legal so there!"

The cookie answer leaves me somewhat speechless. I hope this person never finds my credit card or cheque book in the street - they may feel they can write my signature on the cheques and use them in the few shops that still take such things. Maybe they would clone my credit card, stick a Webwise logo on it and use it to buy things! If they say that is legal, it must be!

I suppose its now time to examine cookies from a variety of organisations to see how obvious it is where they come from. I'll start with BT.

And the one good bit - I can now access Webwise FAQ without going to webwise.bt.com.

It is interesting to see BT being responsive - I've never ever experienced this level of responsiveness from senior management - usually its one emollient email promising the earth and then back to the normal business of ignoring us and leaving us to the mercy of the outsourced drones - they must be really really rattled.

(Recommence BT quote here)
Finally we have been working on the Webwise FAQ information on bt.com. It is a work in progress at the moment and there will be further changes to it between now and the trial but for the time being you can access the information via the URL http://www.productsandservices.bt.co...=CON-WEBWISE-I
End of BT quote

I recommend the experts here to browse the BT Webwise FAQ. It has some gems - for example

Q - Will this disrupt my service or make browsing slower?
A- No. BT Webwise is run from BT's networks, so it won't disrupt your service or make it slower.

Note that - not even 1% of people will be affected. Just a straight NO

I love it. If BT were the ministry of Transport...
Q - Will the three lanes of roadworks on the M25 and the closure and diversion between Junctions 23 and 27 during June, July and August, affect my commuting journey?
A- No, it won't disrupt your journey or make it slower.

Bye.