You thought it was just your local ISP messing with your HTTP traffic
From February this year:

Website-Targeted False Content Injection by Network Operators

Gabi Nakibly (1,3), Jaime Schcolnik (2), and Yossi Rubin (3)

(1) Computer Science Department, Technion, Haifa, Israel
(2) Computer Science Department, Interdisciplinary Center, Herzliya, Israel
(3) Rafael – Advanced Defense Systems, Haifa, Israel

"Over the last few years there have been numerous reports of ISPs that alter or proxy their customers’ traffic, including, for example, CMA Communications in 2013 [6], Comcast in 2012 [16], Mediacom in 2011 [9], WOW! in 2008 [27], and Rogers in 2007 [32]. Moreover, several extensive studies have brought the details of this practice to light [17, 30, 25, 35]. The main motivations of ISPs to alter traffic are to facilitate caching, inject advertisements into DNS and HTTP error messages, and compress or transcode content.

All of these reports and studies found that these traffic alterations were carried out exclusively by edge ISPs, namely, retail ISPs that sell Internet access directly to end customers, and are their “first hop” to the Internet. This finding stems from the server-centric approach the above studies have taken. In this approach, one or a handful of servers are deployed to deliver specific content to users, after which a large number of clients are solicited to fetch that content from the servers. Finally, an agent on the clients – usually a JavaScript delivered by the server itself – looks for deviations between the content delivered by the server and that displayed to the user. Figure 1(a) illustrates the traffic monitored in this server-centric approach.

Such an approach can be used to inspect the traffic of many clients from diverse geographies who are served by different edge ISPs. The main disadvantage of this approach is that the content fetched by the clients is very specific. All clients fetch the same content from the same web servers. This allows only the detection of network entities that aim to modify all of the Internet traffic of a predetermined set of users and are generally oblivious to the actual content delivered to the user. Such entities indeed tend to be edge ISPs that target only the traffic of their customers.

In this work we show that the above approach misses a substantial portion of the on-path entities that modify traffic on the Internet. Using extensive observations over a period of several weeks, we analyzed petabits of Internet traffic carrying varied content delivered by servers having over 1.5 million distinct IP addresses. We newly reveal several network operators that modify traffic not limited to a specific set of users. Such network operators alter Internet traffic on the basis of its content, primarily by the website a user visits. The traffic of every Internet user that traverses these network operators is susceptible to alteration."

www.arxiv.org/pdf/1602.07128v1.pdf

--
RR
"Through counter-intelligence it should be possible to pinpoint potential trouble-makers ... And neutralize them, neutralize them, neutralize them"
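
The server-centric check the abstract describes, as an added example that is not part of the original post or of the paper: an agent compares the page the server sent with the page that arrived and lists the scripts and iframes that were added on the way. The page contents, the ads.example.net host and the function names are constructed for illustration.

```javascript
// Added example (not from the paper): constructed pages, hypothetical names.
// The known-good copy is what the measurement server sent; the agent is
// assumed to carry it (or to fetch it over an integrity-protected channel).
const SERVED = [
  '<html><head><script src="/static/app.js"></script></head>',
  '<body><p>Measurement page</p>',
  '<script>window.ready = true;</script></body></html>',
].join('\n');

// Constructed "received" copy: a script and an iframe added on path.
const RECEIVED = SERVED.replace(
  '</body>',
  '<script src="http://ads.example.net/banner.js"></script>' +
    '<iframe src="http://ads.example.net/frame.html"></iframe></body>'
);

// List active elements (scripts, iframes) in a normalized, comparable form.
function activeElements(html) {
  const found = [];
  const re = /<(script|iframe)\b([^>]*)>([\s\S]*?)<\/\1\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(m[2]);
    found.push(src ? `${tag} src=${src[1]}` : `${tag} inline:${m[3].trim()}`);
  }
  return found;
}

// Compare the served and received copies; report what was added or dropped.
function checkDelivery(served, received) {
  const before = activeElements(served);
  const after = activeElements(received);
  return {
    modified: served !== received,
    injected: after.filter((e) => !before.includes(e)),
    removed: before.filter((e) => !after.includes(e)),
  };
}

console.log(checkDelivery(SERVED, RECEIVED));
```

Because every client fetches this one test page, the check only notices operators that alter that page, which is the blind spot the abstract points out.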
On 04/04/2016 05:04 PM, Rayzer wrote:
From February this year:
Website-Targeted False Content Injection by Network Operators
Gabi Nakibly (1,3), Jaime Schcolnik (2), and Yossi Rubin (3)
(1) Computer Science Department, Technion, Haifa, Israel
(2) Computer Science Department, Interdisciplinary Center, Herzliya, Israel
(3) Rafael – Advanced Defense Systems, Haifa, Israel
[...]
www.arxiv.org/pdf/1602.07128v1.pdf
Inadvertent (?) geek humor:

~/Desktop $ wget http://www.arxiv.org/pdf/1602.07128v1.pdf
--2016-04-05 13:36:35-- http://www.arxiv.org/pdf/1602.07128v1.pdf
Resolving www.arxiv.org (www.arxiv.org)... 128.84.21.199
Connecting to www.arxiv.org (www.arxiv.org)|128.84.21.199|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://arxiv.org/pdf/1602.07128v1.pdf [following]
--2016-04-05 13:36:36-- http://arxiv.org/pdf/1602.07128v1.pdf
Resolving arxiv.org (arxiv.org)... 128.84.21.199
Reusing existing connection to www.arxiv.org:80.
HTTP request sent, awaiting response... 403 Forbidden
2016-04-05 13:36:36 ERROR 403: Forbidden.

Apparently they like the user agent string from Firefox better; I did get a copy of the article via the said browser.
Steve Kinney wrote:
Apparently they like the user agent string from Firefox better; I did get a copy of the article via the said browser.
http://chrispederick.com/work/user-agent-switcher/

--
RR
On Tue, Apr 05, 2016 at 11:09:25AM -0700, Rayzer wrote:
http://chrispederick.com/work/user-agent-switcher/
[redacted] at ~ ✔ wget --user-agent="kek" http://www.arxiv.org/pdf/1602.07128v1.pdf
--2016-04-05 14:35:50-- http://www.arxiv.org/pdf/1602.07128v1.pdf
Resolving www.arxiv.org (www.arxiv.org)... 128.84.21.199
Connecting to www.arxiv.org (www.arxiv.org)|128.84.21.199|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://arxiv.org/pdf/1602.07128v1.pdf [following]
--2016-04-05 14:35:50-- http://arxiv.org/pdf/1602.07128v1.pdf
Resolving arxiv.org (arxiv.org)... 128.84.21.199
Reusing existing connection to www.arxiv.org:80.
HTTP request sent, awaiting response... 200 OK
Length: 184185 (180K) [application/pdf]
Saving to: ‘1602.07128v1.pdf’
1602.07128v1.pdf 100%[====================>] 179.87K 776KB/s in 0.2s
2016-04-05 14:35:51 (776 KB/s) - ‘1602.07128v1.pdf’ saved [184185/184185]

Why bother?
Sangy wrote:
Why bother?

It's "Why did *I* bother"

If you have a critique of the doc you might want to state it now since you seem to think it's a waste of bandwidth...

--
RR
Not related though, but somehow this reminded me of when I bought my domain at Transip.nl, where I set fake details (such as address, etc., though real name), and after paying, a day later I received an email requesting a copy of my passport + bank card to make sure I was really who I said I was, otherwise they would be forced to block my account and further address this "fake" issue. It reminded me of how ICANN can really mess you up too, and personally.

On 04/04/2016 06:04 PM, Rayzer wrote:
From February this year:
Website-Targeted False Content Injection by Network Operators
Gabi Nakibly (1,3), Jaime Schcolnik (2), and Yossi Rubin (3)
(1) Computer Science Department, Technion, Haifa, Israel
(2) Computer Science Department, Interdisciplinary Center, Herzliya, Israel
(3) Rafael – Advanced Defense Systems, Haifa, Israel
www.arxiv.org/pdf/1602.07128v1.pdf
--
Kind Regards,
Ben Mezger
https://benmezger.nl
participants (4)
- Ben Mezger
- Rayzer
- Sangy
- Steve Kinney