Home News Forum Articles
  Welcome back Join CF
You are here You are here: Home | Forum | Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

You are currently viewing our boards as a guest which gives you limited access to view most of the discussions, articles and other free features. By joining our Virgin Media community you will have full access to all discussions, be able to view and post threads, communicate privately with other members (PM), respond to polls, upload your own images/photos, and access many other special features. Registration is fast, simple and absolutely free so please join our community today.


Welcome to Cable Forum
Go Back   Cable Forum > Virgin Media Services > Virgin Media Internet Service

Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]
View Poll Results: Will you be opting out of the Virgin Ad Deal?
Yes, Definitely. 958 95.51%
No, I am quite happy to share my surfing habits with anyone. 45 4.49%
Voters: 1003. You may not vote on this poll

Closed Thread
 
Thread Tools
Old 30-05-2008, 00:17   #7561
serial
Inactive
 
Join Date: Apr 2008
Posts: 133
serial is on a distinguished roadserial is on a distinguished road
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by Hank View Post
The ICO "will be strongly influenced by the experience of those users who choose to participate in any trials and the way in which they are able to make that decision to participate."

Erm... so, how will the ICO be influenced if they can't ask the customers because no one knows who they are? I suppose the extremely low number of complaints because 10,000 is not many will help the ICO draw a conclusion that no one cares? Or maybe they will care enough to complain and surprise the ICO.

Hank
That is exactly what I thought, already working on my reply
serial is offline  
Advertisement
Old 30-05-2008, 00:20   #7562
phormwatch
Inactive
 
Join Date: May 2008
Posts: 254
phormwatch will become famous soon enoughphormwatch will become famous soon enoughphormwatch will become famous soon enough
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by mark777 View Post
Regarding the Police, perhaps we need to put together an 'information pack' which includes the appropriate legal sections, the various legislative answers (EU commision, Serial's reply, reply to the Earl of Northesk's question etc), which state that it is a Police responsibility. In short, everything the police would need to proceed.

We use this to make a mass complaint on the first day of the BT trials. (Maybe wait a day or so to try to get information about the ongoing trial?)

We complain about the BT trials in the past and that we have good reason to believe the crimes may be ongoing.

Also, if they fail to respond, given the responses from the various government bodies, we will complain to the IPCC.

Given the Phorm share price, they must be on to BT every hour to start the trial. BT legal bods must be pressing to delay it to try to cover as many issues as possible. We all know about the mistakes that BT make.

EDIT : Anyone know about the BT Unions stance on this?
Actually, we could make that an Event for the AGM Protest. We can collate all the necessary materials, and then all walk to the nearest police station. It'd be a serious media coup.
phormwatch is offline  
Old 30-05-2008, 00:28   #7563
mark777
Inactive
 
Join Date: Mar 2008
Services: 0.4 Mbps BB + Phone
Posts: 447
mark777 is a glorious beacon of lightmark777 is a glorious beacon of lightmark777 is a glorious beacon of lightmark777 is a glorious beacon of lightmark777 is a glorious beacon of lightmark777 is a glorious beacon of lightmark777 is a glorious beacon of light
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by phormwatch View Post
Actually, we could make that an Event for the AGM Protest. We can collate all the necessary materials, and then all walk to the nearest police station. It'd be a serious media coup.
My thought was to do it in hundreds of Police Stations all across the country at the same time. When they 'phone up to to get advice, all the lines will be engaged.

It may be better to get in touch with the Computer Crimes Unit though. Anyone know if all forces have these, or just the big ones?

Phormwatch, a good idea though if we have still got nowhere. A big symbolic march to the local nick in front of the media!
mark777 is offline  
Old 30-05-2008, 00:39   #7564
Wildie
Inactive
 
Join Date: May 2008
Posts: 231
Wildie will become famous soon enoughWildie will become famous soon enoughWildie will become famous soon enough
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by Dephormation View Post
BT CUSTOMERS BEWARE

Do not log into the BT site, then visit any Phorm/third party operated web site with a *.bt.com subdomain;

eg
webwise.bt.com
www.webwise.bt.com

BT.com seem to be using a Siteminder security system that sets one or more cookies in the bt.com domain (potentially including your email address, and a security credential which authenticates you to BT.com).

A third party able to impersonate your IP address may be able to access your account details using a copy of the same security credential (SMSESSION cookie) revealed by your browser. Cookies affected;
SMSESSION = (Netegrity site minder encrypted cookie)
A Phorm/third party web site may have access to your email address (even if you do not enter that email address into any contact forms). Cookies affected;
btcom.userName = (email address)
btcom.dateVisited = (date of visit)
If my analysis is correct (I'd appreciate independent confirmation by a BT subscriber with Netegrity Siteminder knowledge, or sufficient tech insight to confirm the presence and configuration of the cookies manually) this is a very serious privacy and security flaw.
had a look and found the cookies, logged on to the forum then went to bt.com typed in, clicked at home then clicked login and up pops my a/c without re inputting the login details if thats what you looking for.
Wildie is offline  
Old 30-05-2008, 01:46   #7565
AlexanderHanff
Permanently Banned
 
Join Date: Mar 2008
Posts: 1,028
AlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful one
Re: Emailing police

Quote:
Originally Posted by phormwatch View Post
I'm having an email exchange with the police right now. They wish to know the exact section of the RIPA Act which I allged BT have broken. Can someone please quote the relevant passages?

They also won't accept Emma Sandersons admission on Channel 4 as evidence, since they claim it would not stand up in court. Does anyone have access to a statement by Emma Sanderson or otherwise some other kind of proof that the illegal trials took place?

Thanks!
You should be able to find all the criminal breaches in my dissertation. I don't have time to quote them all at the moment as I am working on the final paper of my degree (due in tomorrow) but if you need any more assistance I will try and put some stuff together tomorrow.

Alexander Hanff

---------- Post added at 01:45 ---------- Previous post was at 01:41 ----------

Quote:
Originally Posted by mark777 View Post
Regarding the Police, perhaps we need to put together an 'information pack' which includes the appropriate legal sections, the various legislative answers (EU commision, Serial's reply, reply to the Earl of Northesk's question etc), which state that it is a Police responsibility. In short, everything the police would need to proceed.

We use this to make a mass complaint on the first day of the BT trials. (Maybe wait a day or so to try to get information about the ongoing trial?)

We complain about the BT trials in the past and that we have good reason to believe the crimes may be ongoing.

Also, if they fail to respond, given the responses from the various government bodies, we will complain to the IPCC.

Given the Phorm share price, they must be on to BT every hour to start the trial. BT legal bods must be pressing to delay it to try to cover as many issues as possible. We all know about the mistakes that BT make.

EDIT : Anyone know about the BT Unions stance on this? Would they have concerns that their members may be asked to break the law?
We should put together a big file and then march down to the Met at the end of the protest (preferably with a paper petition too with signatures collected at the protest) and hand them the whole file, the petition and ask them for a crime reference number in front of the crowd and press/media.

Possibly a good way to end the protest at the end of the day I think.

Alexander Hanff

---------- Post added at 01:46 ---------- Previous post was at 01:45 ----------

Quote:
Originally Posted by mark777 View Post
EDIT : Anyone know about the BT Unions stance on this? Would they have concerns that their members may be asked to break the law?
I can try and get a response from the CWU (Communications Workers Union).

Alexander Hanff
AlexanderHanff is offline  
Old 30-05-2008, 02:39   #7566
Paul Delaney
Guest
 
Posts: n/a
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by mark777 View Post
My thought was to do it in hundreds of Police Stations all across the country at the same time. When they 'phone up to to get advice, all the lines will be engaged.

It may be better to get in touch with the Computer Crimes Unit though. Anyone know if all forces have these, or just the big ones?

Phormwatch, a good idea though if we have still got nowhere. A big symbolic march to the local nick in front of the media!
The Metropolitan Police have a Computer Crimes Unit and I think Avon & Somerset still have theirs but most other regional forces only have access to Computer Forensics. In 2001, 43 Regional Police Hi-Tech Units were created but due to performance related budget cuts (they weren't making enough arrests or convictions) by 2006 almost all of these had been dismantled and amalgamated into / replaced by the Serious and Organised Crime Agency (SOCA), a multi-role goon squad in comparison, loosely based on the FBI, and most of the HTCUs original function was lost.

Terrorism is sexy – computer crime doesn't even come close.

Is this the real reason why they are hesitant to investigate? The police will need to build enough of a case to present to the Director of Public Prosecutions who decides whether there's a good chance of the crown winning a court case which will cost the taxpayer millions. Reduced availability of technical expertise to front line officers is going to severely hamper that process.

Astonishingly, currently most regional forces would not even be able to search eBay for stolen goods...

 
Old 30-05-2008, 03:28   #7567
AlexanderHanff
Permanently Banned
 
Join Date: Mar 2008
Posts: 1,028
AlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful oneAlexanderHanff is the helpful one
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

OK the march from the Barbican to the nearest met police station is 1.5 miles (Charing Cross Police Station on the Strand). We should be able to walk straight down Fleet Street and The Strand to get there, which is somewhat convenient for press coverage

Alexander Hanff

---------- Post added at 03:28 ---------- Previous post was at 02:40 ----------

Some more info.

The BT Centre (BT HQ) is just down the road from the Barbican (and enroute almost to the Met Police).

So as I am hashing this together in my head, I propose the following:

Stage 1: 10:00 - End of AGM
Protest starts outside the Barbican until the AGM finishes. Hopefully this will be sometime around lunchtime.

Stage 2: 12:00 - 14:00
Guest speakers. It would be ideal to have this outside the Barbican because I expect it gets quite a lot of foot traffic during lunch time.

Stage 3: 14:00 - 16:00
Protest outside BT Centre.

Stage 4: 16:00 - 17:00
March to Charing Cross Metropolitan Police Station via Fleet Street and The Strand. Once there we hand over the case file and a petition, requesting a crime reference number and an official statement on whether or not they intend to investigate.

During all stages there will be a petition available for people to sign, demanding that the Metropolitan Police investigate the covert trials of 2006/2007 under RIPA, Computer Misuse Act, Fraud Act. This petition will be supplemented with:
Dr Richard Clayton's Technical Report
Mr Nicholas Bohm's Legal Report
Home Office statement saying it is the responsibility of the police
EU Commission Statement stating it is illegal
My Dissertation
Signed and witnessed statements from victims of the trials

We will put together some digital media for people to download and printout as fliers.

I will try and get some sponsorship from somewhere so we can hire a PA and Generator for the speeches. If not we will need to find someone with a PA and Generator who doesn't mind them being used for the event.

Placards are obviously going to need sorting out as well (so start getting your slogan ideas in).

I will send a formal letter to the Met next week telling them about the event and explaining it will be a peaceful protest from 10am - 6pm ending with a March from Newgate St. to Charing Cross Met Police Station. I will include a full itinerary with the letter.

That's how I envision the day going at the moment. I am happy to hear any suggestions people may have.

Alexander Hanff
AlexanderHanff is offline  
Old 30-05-2008, 05:34   #7568
popper
Inactive
 
Join Date: Jan 2006
Posts: 3,270
popper has a bronze arraypopper has a bronze arraypopper has a bronze array
popper has a bronze arraypopper has a bronze arraypopper has a bronze arraypopper has a bronze arraypopper has a bronze arraypopper has a bronze array
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

i dont know if these mobile phone streaming services will work, but i thought id remind people that they exist, if you want to try and set one of them up if you have the right phones etc, and test them ready for use on the protest perhaps.

there may be some interesting bits of activity that are werth capturing for later reference or near realtime public video record of police refusal to give a crime No. etc.

OC mobile phone 14 FPS Video isnt great, but the sound quality for the qik service seems to show its good enough, so werth a go perhaps if your video camera battery gets drained with overuse

http://www.dailywireless.org/2008/05/19/7771/

http://www.comvu.com/comvu/Support.htm
talks about a 2007 beta but DW references it as though its still beta?...

http://qik.com/
seems to be functioning although again that makes reference to invites?
http://qik.com/blog
http://qik.com/info/faq

---------- Post added at 05:28 ---------- Previous post was at 05:11 ----------

http://usatoday.jiwire.com/wi-fi-wir...re-1250985.htm
Here are details on the Wi-Fi hotspot at Barbican Centre, Silk Street, London, England, GB,WiFi Zone - The Cloud.

interactive picture but heres the static pic from there


---------- Post added at 05:34 ---------- Previous post was at 05:28 ----------

iv not looked very hard, but it seems if theres only the cloud there, then Fleet Street and The Strand will be a problem for laptop wifi connections.

3G mobile broadband will work OC but thats more restrictive and costs per Mbit usually...
popper is offline  
Old 30-05-2008, 07:15   #7569
Rchivist
Inactive
 
Join Date: Apr 2008
Posts: 831
Rchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of Quads
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by Wildie View Post
had a look and found the cookies, logged on to the forum then went to bt.com typed in, clicked at home then clicked login and up pops my a/c without re inputting the login details if thats what you looking for.
The bt.com and the BT Beta forum login are the same anyway.

But even if you ARENT logged in to bt.com if you go to Webwise then it acccesses the BT login information and Pete is investigating how much of the cookie information may be getting sent to phorm.

We're watching BT watching us.
Rchivist is offline  
Old 30-05-2008, 08:30   #7570
Dephormation
Inactive
 
Join Date: Apr 2008
Location: Bristol
Services: Aquiss.net and loving it. No more Virgin Media, no more Virgin Phone, no more Virgin Mobile.
Posts: 629
Dephormation is a name known to allDephormation is a name known to allDephormation is a name known to allDephormation is a name known to allDephormation is a name known to allDephormation is a name known to allDephormation is a name known to allDephormation is a name known to all
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

BT CUSTOMERS BEWARE

To repeat last nights warning in plain English...Do not log into the BT site, then visit any Phorm/third party operated BT.com web site.

Sites Potentially Affected Include
webwise.bt.com
www.webwise.bt.com
Explanation

BT seem to be using a 'single sign on' product (called Siteminder) which allows you to log in once and gain access to any BT.com web site without being prompted for your user name or password. This is convenient, you sign on once and gain seamless access to all BT.com web sites.

During the login process cookie values are set for all BT.com web sites (cookies which include your email address, and a security credential which authenticates you to BT.com web sites).

Your browser will present those cookies to any BT.com web site trusting that those sites would not exist without BT consent. This will include BT.com web sites operated by Phorm/third parties outside BT's network, such as webwise.bt.com and www.webwise.bt.com.

This creates a security and privacy risk for the following reasons.

A security risk is created because an untrustworthy third party able to operate a BT.com web site, who is able to impersonate your IP address, and present a copy of your security credential, may be able to access your BT.com services and account details. This is called a replay/spoofing attack, a known security risk in single sign on solutions.

A privacy risk is created because a third party able to operate a BT.com web site has immediate access to your email address, whether or not you choose to enter that information. This allows third parties to link your email address and IP address simply by visiting their web site.

When Webwise/OIX is trialled, third parties would be able to link your email address, IP address and Webwise UID. If you delete your Webwise UID cookie, third parties would be able to link old/new Webwise UIDs knowing your email address.

Cookies Affected
SMSESSION = (Netegrity site minder encrypted cookie)
btcom.userName = (email address)
btcom.dateVisited = (date of visit)
Conclusion

By allowing Phorm to operate a *.bt.com web site... BT may be giving your email address, and security credentials away to Phorm.

Sites like bt.custhelp.com and bt.webwise.com will not be affected (because the browser will not recognise them as BT.com sites).

If my analysis is correct (I'd appreciate independent confirmation by a BT subscriber with Netegrity Siteminder knowledge, or sufficient tech insight to confirm the presence and configuration of the cookies manually) this is a very serious privacy and security flaw.

If I'm proved incorrect I will (of course) immediately post a retraction, but until you hear otherwise you may prefer to log out of BT.com before you visit webwise.bt.com or www.webwise.bt.com.
Dephormation is offline  
Old 30-05-2008, 09:46   #7571
Rchivist
Inactive
 
Join Date: Apr 2008
Posts: 831
Rchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of Quads
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by Dephormation View Post
BT CUSTOMERS BEWARE

To repeat last nights warning in plain English...Do not log into the BT site, then visit any Phorm/third party operated BT.com web site.

Sites Potentially Affected Include
webwise.bt.com
www.webwise.bt.com
Explanation

BT seem to be using a 'single sign on' product (called Siteminder) which allows you to log in once and gain access to any BT.com web site without being prompted for your user name or password. This is convenient, you sign on once and gain seamless access to all BT.com web sites.

During the login process cookie values are set for all BT.com web sites (cookies which include your email address, and a security credential which authenticates you to BT.com web sites).

Your browser will present those cookies to any BT.com web site trusting that those sites would not exist without BT consent. This will include BT.com web sites operated by Phorm/third parties outside BT's network, such as webwise.bt.com and www.webwise.bt.com.

This creates a security and privacy risk for the following reasons.

A security risk is created because an untrustworthy third party able to operate a BT.com web site, who is able to impersonate your IP address, and present a copy of your security credential, may be able to access your BT.com services and account details. This is called a replay/spoofing attack, a known security risk in single sign on solutions.

A privacy risk is created because a third party able to operate a BT.com web site has immediate access to your email address, whether or not you choose to enter that information. This allows third parties to link your email address and IP address simply by visiting their web site.

When Webwise/OIX is trialled, third parties would be able to link your email address, IP address and Webwise UID. If you delete your Webwise UID cookie, third parties would be able to link old/new Webwise UIDs knowing your email address.

Cookies Affected
SMSESSION = (Netegrity site minder encrypted cookie)
btcom.userName = (email address)
btcom.dateVisited = (date of visit)
Conclusion

By allowing Phorm to operate a *.bt.com web site... BT may be giving your email address, and security credentials away to Phorm.

Sites like bt.custhelp.com and bt.webwise.com will not be affected (because the browser will not recognise them as BT.com sites).

If my analysis is correct (I'd appreciate independent confirmation by a BT subscriber with Netegrity Siteminder knowledge, or sufficient tech insight to confirm the presence and configuration of the cookies manually) this is a very serious privacy and security flaw.

If I'm proved incorrect I will (of course) immediately post a retraction, but until you hear otherwise you may prefer to log out of BT.com before you visit webwise.bt.com or www.webwise.bt.com.
Do you mind if I copy this post to BT Beta forum AND send an email copy direct to Emma Sanderson (it should delay the trials again)
Rchivist is offline  
Old 30-05-2008, 10:14   #7572
Dephormation
Inactive
 
Join Date: Apr 2008
Location: Bristol
Services: Aquiss.net and loving it. No more Virgin Media, no more Virgin Phone, no more Virgin Mobile.
Posts: 629
Dephormation is a name known to allDephormation is a name known to allDephormation is a name known to allDephormation is a name known to allDephormation is a name known to allDephormation is a name known to allDephormation is a name known to allDephormation is a name known to all
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by R Jones View Post
Do you mind if I copy this post to BT Beta forum AND send an email copy direct to Emma Sanderson (it should delay the trials again)
Not at all, the earlier this is confirmed (or denied) the better.

If I'm correct, the solutions BT need to implement are one of

Either
Spoiler: 
a significant change to the single sign on system (unlikely?)

or
Spoiler: 
immediately bring webwise.bt.com / www.webwise.bt.com web servers into the core BT network (unlikely?)

or
Spoiler: 
immediately drop webwise.bt.com/www.webwise.bt.com domains from DNS until a fix if any can be found


Pete
Dephormation is offline  
Old 30-05-2008, 10:33   #7573
Rchivist
Inactive
 
Join Date: Apr 2008
Posts: 831
Rchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of QuadsRchivist has a fine set of Quads
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

Quote:
Originally Posted by Dephormation View Post
BT CUSTOMERS BEWARE

To repeat last nights warning in plain English...Do not log into the BT site, then visit any Phorm/third party operated BT.com web site.

Sites Potentially Affected Include
webwise.bt.com
www.webwise.bt.com
Explanation

BT seem to be using a 'single sign on' product (called Siteminder) which allows you to log in once and gain access to any BT.com web site without being prompted for your user name or password. This is convenient, you sign on once and gain seamless access to all BT.com web sites.

During the login process cookie values are set for all BT.com web sites (cookies which include your email address, and a security credential which authenticates you to BT.com web sites).

Your browser will present those cookies to any BT.com web site trusting that those sites would not exist without BT consent. This will include BT.com web sites operated by Phorm/third parties outside BT's network, such as webwise.bt.com and www.webwise.bt.com.

This creates a security and privacy risk for the following reasons.

A security risk is created because an untrustworthy third party able to operate a BT.com web site, who is able to impersonate your IP address, and present a copy of your security credential, may be able to access your BT.com services and account details. This is called a replay/spoofing attack, a known security risk in single sign on solutions.

A privacy risk is created because a third party able to operate a BT.com web site has immediate access to your email address, whether or not you choose to enter that information. This allows third parties to link your email address and IP address simply by visiting their web site.

When Webwise/OIX is trialled, third parties would be able to link your email address, IP address and Webwise UID. If you delete your Webwise UID cookie, third parties would be able to link old/new Webwise UIDs knowing your email address.

Cookies Affected
SMSESSION = (Netegrity site minder encrypted cookie)
btcom.userName = (email address)
btcom.dateVisited = (date of visit)
Conclusion

By allowing Phorm to operate a *.bt.com web site... BT may be giving your email address, and security credentials away to Phorm.

Sites like bt.custhelp.com and bt.webwise.com will not be affected (because the browser will not recognise them as BT.com sites).

If my analysis is correct (I'd appreciate independent confirmation by a BT subscriber with Netegrity Siteminder knowledge, or sufficient tech insight to confirm the presence and configuration of the cookies manually) this is a very serious privacy and security flaw.

If I'm proved incorrect I will (of course) immediately post a retraction, but until you hear otherwise you may prefer to log out of BT.com before you visit webwise.bt.com or www.webwise.bt.com.
this morning the BT Webwise contact.php page
http://webwise.bt.com/webwise/contact.php
is redesigned with two submission options
for contacting or complaining!
Both now point with url links to contact forms on bt.custhelp.com locations which is different from yesterday where they were javascript and ended up with ww3.phorm.com via a webwise.bt.com location
Rchivist is offline  
Old 30-05-2008, 10:41   #7574
jelv
Inactive
 
Join Date: Apr 2008
Posts: 128
jelv is an unknown quantity at this point
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

They objected to the pages being reported as phishing and strongly denied this was the case. However the fact that they've changed them so quickly proves one thing: they know they were in the wrong.
jelv is offline  
Old 30-05-2008, 11:10   #7575
Dephormation
Inactive
 
Join Date: Apr 2008
Location: Bristol
Services: Aquiss.net and loving it. No more Virgin Media, no more Virgin Phone, no more Virgin Mobile.
Posts: 629
Dephormation is a name known to allDephormation is a name known to allDephormation is a name known to allDephormation is a name known to allDephormation is a name known to allDephormation is a name known to allDephormation is a name known to allDephormation is a name known to all
Re: Virgin Media Phorm Webwise Adverts [Updated: See Post No. 1, 77, 102 & 797]

*CONFIRMED*

The btcom.userName/btcom.dateVisited/btcom.isLoggedIn are 'domain cookies' that will be sent to any *.bt.com web site... including webwise.bt.com and www.webwise.bt.com... revealing your email address to Phorm (simply by browsing the pages on webwise.bt.com/ www.webwise.bt.com).

I've asked Rob to do an additional test; I suspect btcom.userName cookie remains set even if you have logged out of bt.com... If so, this would make your email address almost unconditionally available to third parties such as Phorm if you have ever logged in to BT.com.

And presumeably it has been leaking email addresses for months.
Dephormation is offline  
Closed Thread


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 07:26.


Server: xenon.zmnt.net
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2018, vBulletin Solutions Inc.