My fellow RoadRunner using geeks have no doubt noticed this themselves by now, but for everyone else, an article is up on Slashdot: http://slashdot.org/article.pl?sid=08/02/26/1741253
ISPs are becoming more and more despicable -- I just wonder what tech guy sold his soul implementing this, surely going against standard networking behavior like this must cause one to lose their geek membership.
I saw this within about 2 hours of implementation, way before it hit slashdot. I personally reported this to roadrunner as a DNS failure. Twice. I encourage you all to do the same. Their numbers are 816-743-2444 and 877-623-7866. If you look at the bottom right of their spam page, there's a link to unspam yourself. This prevents their DNS corruption from affecting all DNS queries from your cable modem.
If one were to look at how their opt-out page works, you http get with a few args, one of which is your modem's mac address. You could just as easily post with any other cable modem's mac address, if say, you had multiple, and didn't want to visit each physical location of them, or maybe friends and family wanted you to disable their spam result page. Or maybe, if you were exceptionally clever, you could use curl, and a for loop, to opt out every possible mac address of your modem's series. (Remember with mac addresses, the first half is usually the same for a particular model of hardware.) This comes out to 16777216 possible derivations. At 50 a second, you could opt all of a given range out, in less than 4 days, that is, if you were so inclined...
On Tue, Feb 26, 2008 at 12:34 PM, Arthur Pemberton pemboa@gmail.com wrote:
My fellow RoadRunner using geeks have no doubt noticed this themselves by now, but for everyone else, an article is up on Slashdot: http://slashdot.org/article.pl?sid=08/02/26/1741253
ISPs are becoming more and more despicable -- I just wonder what tech guy sold his soul implementing this, surely going against standard networking behavior like this must cause one to lose their geek membership.
-- Fedora 7 : sipping some of that moonshine ( www.pembo13.com )
On Tuesday 26 February 2008 13:06:06 Billy Crook wrote:
If one were to look at how their opt-out page works, you http get with a few args, one of which is your modem's mac address. You could just as easily post with any other cable modem's mac address, if say, you had multiple, and didn't want to visit each physical location of them, or maybe ....
... you could just type the correct url in the first place.
Yes, it's annoying. No, it's not the end of Western Civilization.
Get a grip, guys.
It might not be a big deal now, but if you give an ISP an inch, they'll take over the last mile. Comcast is also 'only' interfering with bittorrent traffic-- they're still messing with traffic, they're still causing users headaches, and they're still butting in where they just aren't wanted. I might just be protective because I've had internet access my entire life, but there's absolutely no reason they should be excused for doing this just because it's a small deal for us. There's no reason for them to control what their customers' computers see and do like this, and no reason why people should just ignore it. If it's such a small deal, they should have no problem simply stopping the practice and apologizing.
On Tue, Feb 26, 2008 at 6:19 PM, Jonathan Hutchins hutchins@tarcanfel.org wrote:
On Tuesday 26 February 2008 13:06:06 Billy Crook wrote:
If one were to look at how their opt-out page works, you http get with a few args, one of which is your modem's mac address. You could just as easily post with any other cable modem's mac address, if say, you had multiple, and didn't want to visit each physical location of them, or maybe ....
... you could just type the correct url in the first place.
Yes, it's annoying. No, it's not the end of Western Civilization.
Get a grip, guys.
Ok cool. Will wait till the end of Western Civilization and _then_ we will complain.
--- Jonathan Hutchins hutchins@tarcanfel.org wrote:
On Tuesday 26 February 2008 13:06:06 Billy Crook wrote:
If one were to look at how their opt-out page works, you http get with a few args, one of which is your modem's mac address. You could just as easily post with any other cable modem's mac address, if say, you had multiple, and didn't want to visit each physical location of them, or maybe ....
... you could just type the correct url in the first place.
Yes, it's annoying. No, it's not the end of Western Civilization.
Get a grip, guys.
It may not be the end of Western Civilization, but it's certainly being handled very insecurely by RoadRunner.
This guy (blogger link below) has done some poking around and discovered how RoadRunner is going about the "opt-in/opt-out" process for its new services (that's right, plural, see below), and it is a little scary from a security perspective.
http://rgov.org/road-runners-dns-wildcard
Basically RoadRunner is using an open HTTP GET request, and no SSL, for your "Preferences" page. It is possible for anyone to request the "Preferences" page for every single customer, and with this information you gain the geographical location of every single RoadRunner customer (and thus where to direct your own ISP's advertising to best effect, especially if you don't redirect "failed DNS requests" to an advertising page).
But RoadRunner has not one but *three* new services you can opt into or out of. Services which, when their options are set very unfavorably to the customer, result in an interesting and profitable situation for Internet Advertisers, and in particular a certain class of advertiser.
# Web Address Error Redirect Service: (the service everyone is complaining about, which sends you to a page containing ads from advertisers who are advertising with RoadRunner)
# Typo Correction Service: (fixes common typos in URLs, such as cmo or nte)
But the third one should be of some concern for those with small children:
# Safe Search Filter: "This preference allows you to restrict adult-oriented content from search results on the non-existing domain landing service."
Since there are only approximately 16,777,216 MAC addresses the way RoadRunner is handling the service, you could write a script which, for example, opted every RoadRunner customer *into* "Web Address Error Redirect Service", *out of* "Typo Correction Service" (which increases the possibility that the RoadRunner "Failed DNS Request" page will pop up), and *out of* "Safe Search Filter". And it wouldn't take long to run the script, or be much trouble to run it once a week.
And then you, as the owner of "Adult Content Website Advertising Consortium", then use the advertising revenue you collect from your adult website members to buy HUGE amounts of adult content web advertising. Every time a RoadRunner customer mistypes a URL, or types in a non-existent URL, the RoadRunner page will pop up and send adult content advertising related to the customer's failed URL request (Rule #34 of the Internet: "If it exists, there is porn of it.").
You don't even need to be an adult content advertising consortium. Just pay for "first placement" on the RoadRunner Ad Page...err, I mean "Failed DNS Request Page", and then run the script opting every RoadRunner customer *into* "Web Address Error Redirect Service" and *out of* "Typo Correction Service". The RoadRunner customer will see the RoadRunner "Failed DNS Request Page" more often than they would like to see it, and your ads will be seen more often than any other ad.
Spam has proven that many Internet Advertisers have no shame, decency, and/or ethics. This move by RoadRunner will be exploited, and exploited soon, and with any luck the complaints from customers (and the lawsuits from parents) will bring it to an end fairly quickly.
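The design problem raised in the message above (a preferences request in which the modem MAC sent by the client is the only thing selecting the account) next to a server-side fix, as an added example that is not part of the original thread and not RoadRunner's code. The lease table, preference keys, handler names and addresses are all hypothetical and constructed for illustration.

```python
# Added illustration, not RoadRunner's code. All names and values are constructed.
from collections import defaultdict

ALLOWED_KEYS = {"error_redirect", "typo_correction", "safe_search"}

# Constructed DHCP lease table: customer source IP -> MAC of the modem behind it.
LEASES = {"10.20.0.5": "00:11:22:aa:bb:01", "10.20.0.9": "00:11:22:aa:bb:02"}

def new_prefs():
    """Fresh preference store with every service switched on."""
    return {mac: dict.fromkeys(ALLOWED_KEYS, True) for mac in LEASES.values()}

def weak_update(prefs, method, src_ip, params):
    """Pattern the thread describes: the MAC in the query string is the only
    account selector, so any client can change any customer's settings."""
    mac = params.get("mac", "").lower()
    if mac not in prefs:
        return 404
    for key in params.keys() & ALLOWED_KEYS:
        prefs[mac][key] = params[key] == "1"
    return 200

mismatches = defaultdict(set)  # src_ip -> foreign MACs it tried to address

def hardened_update(prefs, method, src_ip, params):
    """The account comes from the network path (lease table), never the client."""
    if method != "POST":              # state changes must not ride on GET
        return 405
    mac = LEASES.get(src_ip)
    if mac is None:                   # request did not arrive from a known modem
        return 403
    claimed = params.get("mac", mac).lower()
    if claimed != mac:                # addressing some other customer's modem
        mismatches[src_ip].add(claimed)
        return 403
    for key in params.keys() & ALLOWED_KEYS:
        prefs[mac][key] = params[key] == "1"
    return 200

def enumeration_suspects(threshold=3):
    """Source IPs that tried at least `threshold` distinct foreign MACs."""
    return sorted(ip for ip, macs in mismatches.items() if len(macs) >= threshold)
```

The mismatch counter doubles as a detection signal: a legitimate customer never names a modem other than their own, so several distinct foreign MACs from one source is worth an alert.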
On Tue, Feb 26, 2008 at 12:34 PM, Arthur Pemberton pemboa@gmail.com wrote:
My fellow RoadRunner using geeks have no doubt noticed this themselves by now, but for everyone else, an article is up on Slashdot: http://slashdot.org/article.pl?sid=08/02/26/1741253
thanks, slashdot! laughing until it hurts.
http://ww23.rr.com/index.php?origURL=http://our.own.ass.with.both.hands
On Tue, Feb 26, 2008 at 2:01 PM, David Nicol davidnicol@gmail.com wrote:
On Tue, Feb 26, 2008 at 12:34 PM, Arthur Pemberton pemboa@gmail.com wrote:
My fellow RoadRunner using geeks have no doubt noticed this themselves by now, but for everyone else, an article is up on Slashdot: http://slashdot.org/article.pl?sid=08/02/26/1741253
thanks, slashdot! laughing until it hurts.
http://ww23.rr.com/index.php?origURL=http://our.own.ass.with.both.hands
The initial 2 questions raised are Motive and Ethics. 2 sub elements each. With some ominous potential apparent when one expands the issues a bit. If you feel me alarmist do please recall that history is being written by how we handle issues like this one. The internet is unarguably now a part of our lives. Control of the internet thus becomes a control of our lives! Oh, my questions?
Is it a profit motive of picocredits per typo cash flow, or some motive where breaking something in DNS as preparation to net anti-neutrality directs this.
Is it ethical to break established de facto practices for self serving reasons? And is it ethical to alter the responses of a customer's software by literal misdirection!
That last one is the most potentially abusive. Consider the history lesson of how we got dial telephones. Almon Strowger was losing bodies to a rival undertaker when human telephone operators "redirected" his calls. Is DNS any different of a "redirection?" Or consider it as social /religious /political agenda.
THINK HARD on the next implied endpoints Type in X issue expecting truth and be directed to profitable lies. But of course truth is the enemy of some profits.
On Tue, Feb 26, 2008 at 2:40 PM, Oren Beck orenbeck@gmail.com wrote:
Is it ethical to break established de facto practices for self serving reasons?
If it was only that I wouldn't really care. Unless I'm mistaken, this is more than a "de facto" standard, this is an agreed upon standard, i.e. spec. This isn't some office format, this is something several engineers sat down, thought about, published, RFCed and then finalized.
time warner trying to own dns misses is a smaller thing than when the guys who were responsible for the root servers tried to do it in 2002 in my opinion. Now _that_ was a scandal!
On Tue, Feb 26, 2008 at 4:32 PM, Arthur Pemberton pemboa@gmail.com wrote:
On Tue, Feb 26, 2008 at 2:40 PM, Oren Beck orenbeck@gmail.com wrote:
Is it ethical to break established de facto practices for self serving reasons?
If it was only that I wouldn't really care. Unless I'm mistaken, this is more than a "de facto" standard, this is an agreed upon standard, i.e. spec. This isn't some office format, this is something several engineers sat down, thought about, published, RFCed and then finalized.
-- Fedora 7 : sipping some of that moonshine ( www.pembo13.com )
Yet RFC to all its adhocracy cred- still is de facto. Absent a legal precedent elevating RFC above what it presently is. Were RFC considered actionable to break? The vulture lawyers would be circling comcraptastic's undead corpse.
On Tue, Feb 26, 2008 at 4:53 PM, Oren Beck orenbeck@gmail.com wrote:
On Tue, Feb 26, 2008 at 4:32 PM, Arthur Pemberton pemboa@gmail.com wrote:
On Tue, Feb 26, 2008 at 2:40 PM, Oren Beck orenbeck@gmail.com wrote:
Is it ethical to break established de facto practices for self serving reasons?
If it was only that I wouldn't really care. Unless I'm mistaken, this is more than a "de facto" standard, this is an agreed upon standard, i.e. spec. This isn't some office format, this is something several engineers sat down, thought about, published, RFCed and then finalized.
-- Fedora 7 : sipping some of that moonshine ( www.pembo13.com )
Yet RFC to all its adhocracy cred- still is de facto. Absent a legal precedent elevating RFC above what it presently is. Were RFC considered actionable to break? The vulture lawyers would be circling comcraptastic's undead corpse.
I think you give too much cred to "legal law". I myself only give this level of cred to "natural law". That aside, I would think one's pride as a computer scientist or engineer would lead one to consider RFCs unbreakable. Being or not being a legal law really seems beside the point to me.
On Tue, Feb 26, 2008 at 5:02 PM, Arthur Pemberton pemboa@gmail.com wrote:
On Tue, Feb 26, 2008 at 4:53 PM, Oren Beck orenbeck@gmail.com wrote:
On Tue, Feb 26, 2008 at 4:32 PM, Arthur Pemberton pemboa@gmail.com wrote:
On Tue, Feb 26, 2008 at 2:40 PM, Oren Beck orenbeck@gmail.com wrote:
Is it ethical to break established de facto practices for self serving reasons?
If it was only that I wouldn't really care. Unless I'm mistaken, this is more than a "de facto" standard, this is an agreed upon standard, i.e. spec. This isn't some office format, this is something several engineers sat down, thought about, published, RFCed and then finalized.
-- Fedora 7 : sipping some of that moonshine ( www.pembo13.com )
Yet RFC to all its adhocracy cred- still is de facto. Absent a legal precedent elevating RFC above what it presently is. Were RFC considered actionable to break? The vulture lawyers would be circling comcraptastic's undead corpse.
I think you give too much cred to "legal law". I myself only give this level of cred to "natural law". That aside, I would think one's pride as a computer scientist or engineer would lead one to consider RFCs unbreakable. Being or not being a legal law really seems beside the point to me.
-- Fedora 7 : sipping some of that moonshine ( www.pembo13.com )
Oh, I and most of our orbit here have some agreement with your position. RFC is to the Net what the "Gentleman's Agreement" of better vanished times had been. A matter of literal honor and not crude lucre.
But the filthy lucre is what drives lawyers and less savory evils to feeding frenzy. Does anyone recall when the net was a commerce free zone? I wonder if the gift economy of Burning Man was affected by that past?
--- Arthur Pemberton pemboa@gmail.com wrote:
My fellow RoadRunner using geeks have no doubt noticed this themselves by now,
Yes, I did notice this happening.
but for everyone else, an article is up on Slashdot:
http://slashdot.org/article.pl?sid=08/02/26/1741253
ISPs are becoming more and more despicable -- I just wonder what tech guy sold his soul implementing this, surely going against standard networking behavior like this must cause one to lose their geek membership.
Isn't this just one sliver of a lawsuit away from RoadRunner losing its "network neutrality" status? Comcast went a bit further, but still similar in implementation, by monitoring and "redirecting" (into /dev/null) BitTorrent, Gnutella, and Lotus Notes packets, and is currently getting sued over it.
Someone with kids should call up RoadRunner and ask them if, since they're already monitoring the customer's net traffic anyway, could they just filter all the porn too?
On Mon, Mar 03, 2008 at 11:20:46AM -0800, Leo Mauler wrote:
--- Arthur Pemberton pemboa@gmail.com wrote:
My fellow RoadRunner using geeks have no doubt noticed this themselves by now,
Yes, I did notice this happening.
but for everyone else, an article is up on Slashdot:
http://slashdot.org/article.pl?sid=08/02/26/1741253
ISPs are becoming more and more despicable -- I just wonder what tech guy sold his soul implementing this, surely going against standard networking behavior like this must cause one to lose their geek membership.
Isn't this just one sliver of a lawsuit away from RoadRunner losing its "network neutrality" status? Comcast went a bit further, but still similar in implementation, by monitoring and "redirecting" (into /dev/null) BitTorrent, Gnutella, and Lotus Notes packets, and is currently getting sued over it.
Someone with kids should call up RoadRunner and ask them if, since they're already monitoring the customer's net traffic anyway, could they just filter all the porn too?
Being a RR customer, I was curious to see this, but I cannot reproduce it. What am I doing wrong?
[hald@iolo ~]$ lynx -mime_header http://www.asdfghjklqwertyuiop.com/

Looking up www.asdfghjklqwertyuiop.com
Unable to locate remote host www.asdfghjklqwertyuiop.com.
Alert!: Unable to connect to remote host.

lynx: Can't access startfile http://www.asdfghjklqwertyuiop.com/
[hald@iolo ~]$
Thanks, -- Hal