Taking a HARD look at the Business of Politics

The Plog Politicians love to hate.

Earthlink, my ISP, violates Net Neutrality

Yeah, this burns my buns in a big way, especially since I chose Earthlink for my ISP BECAUSE they supported Net Neutrality. If I had another choice for an ISP right now other than Verizon, who is much worse, or RCN, who is a joke of major proportions, I’d be looking at switching ISPs for sure. Yeah, FCC, I don’t have a real and meaningful choice of ISPs so “The Market” isn’t healthy. GET THAT??? If this isn’t a LOUD argument for Net Neutrality, I don’t know what is.

And now comes the absolutely unforgivable part– they were doing it by injecting third party ads, from an incompetent company called Barefruit, on subdomain DNS errors, as the image shows. Which means that, up until I fixed it on my own domains, if someone accidentally typed in ww.bitchslappin.net they wouldn’t get Firefox’s error page which SHOWS you what your potential error was. They would instead be hijacked and brought to an EARTHLINK page showing third party ads, ads which, btw, were highly insecure via code injection. So not only were they stealing MY traffic, they were also putting MY visitors at risk! Big risk at that- the Wired blog talks about cookie theft, which can cause major havoc if you have cookies set for webmail or for admin areas of your own websites, opening these avenues to spammers. They also talk about phishing using injection. From the article:

As a result, all those subdomains are only as secure as Barefruit’s servers, which turned out to be not very secure at all. Barefruit neglected basic web programming techniques, making its servers vulnerable to a malicious JavaScript attack. That meant hackers could have crafted special links to unused subdomains of legitimate websites that, when visited, would serve any content the attacker wanted.

The hacker could, for example, send spam e-mails to Earthlink subscribers with a link to a webpage on money.paypal.com. Visiting that link would take the victim to the hacker’s site, and it would look as though they were on a real PayPal page.

Kaminsky demonstrated the vulnerability by finding a way to insert a YouTube video from 80s pop star Rick Astley into Facebook and PayPal domains. But a black hat hacker could instead embed a password-stealing Trojan. The attack might also allow hackers to pretend to be a logged-in user, or to send e-mails and add friends to a Facebook account.

Ironically, I’m a member of the Earthlink Consumer Advisory Board. I posted on that forum over the weekend when this issue came to light in a Washington Post article. I’ve gotten some very sympathetic comments from the non-Earthlink-Employee members of the community, but the Earthlink Employee members have yet to weigh in on this.

For the record, Earthlink isn’t the only ISP doing this. Verizon, Qwest, Comcast, and others are also hijacking nonexistent subdomain error traffic, and some of them have also used Barefruit to serve their ads.

If you have your own domains you want to protect, you need to institute a wildcard subdomain 301 redirect, so that any erroneous subdomain entry will redirect to your index page. Since I’m on shared hosting this had to be done by my support guys, since it involved a change in the DNS record and the httpd.config file. If you do use a subdomain, you should probably mention this in the support request. I don’t use subdomains, so it wasn’t an issue for me.

And if you, as an Earthlink user, want to opt out of this adserving mess, you can. You need to change your DNS servers to these:

207.69.188.171 (west coast)

207.69.188.172 (east coast)

by following the directions here.

Whether that can be done on Verizon I don’t know, since some of my friends who use them have told me that they’re locked into using Verizon software to get online via DSL (WHY????) and that there’s very little they can change. I suspect FiOS is even more locked down. If you’re on a different ISP I would look at changing nameservers. If your ISP doesn’t provide clean ones with no ads, like Earthlink does as an option (though I didn’t know this until reading the Wired article!), you can use the nameservers at OpenDNS (this is ad supported, but very clear about it and they serve their own ads) or it’s possible there are others you can use. I actually have my own nameservers set up for my domains, and I’ve got a support question into my domain name registrar to see if these can be used for that purpose.
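A check for the behaviour discussed above, as an added example that is not part of the original post: it resolves random, never-registered subdomains through whatever resolver the machine is using and reports whether they fail (clean resolver, no wildcard), match the domain's own addresses (the wildcard record described earlier is in place), or come back with foreign addresses (the resolver is substituting answers). It assumes the wildcard points at the same addresses as the bare domain; the function names are chosen here for illustration.

```python
import secrets
import socket
import sys


def resolve_ipv4(name):
    """Return the set of IPv4 addresses the system resolver gives for name.

    An empty set means the lookup failed (NXDOMAIN or no address record).
    """
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_subdomain_handling(domain, resolve=resolve_ipv4, probes=3):
    """Classify how nonexistent subdomains of `domain` resolve.

    "nxdomain"  - random labels fail to resolve (no wildcard, clean resolver)
    "wildcard"  - random labels resolve to the domain's own addresses
    "rewritten" - random labels resolve to addresses the domain does not use
    "mixed"     - probes disagree, e.g. only some resolvers in use rewrite
    """
    apex = resolve(domain)
    verdicts = set()
    for _ in range(probes):
        # 64 random bits: a label nobody has registered or typed before.
        label = "nx-" + secrets.token_hex(8)
        answer = resolve(f"{label}.{domain}")
        if not answer:
            verdicts.add("nxdomain")
        elif answer <= apex:
            # Assumption: the owner's wildcard points at the apex addresses.
            verdicts.add("wildcard")
        else:
            verdicts.add("rewritten")
    return verdicts.pop() if len(verdicts) == 1 else "mixed"


if __name__ == "__main__":
    for d in sys.argv[1:]:
        print(d, check_subdomain_handling(d))
```

Run it with a domain name as the argument before and after changing nameservers; a domain served from rotating CDN addresses can show up as "rewritten" even on a clean resolver, so compare against a domain you control.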

Chris Marshall of Earthlink, I can definitively state that this “service” has NOT provided a “positive experience” for THIS “internet user.” You, as a company, better get your message straight, and if you TRULY support Net Neutrality, you’ll stop hijacking the last mile connection for your own greedy purposes.


Bitchslappin dot Net

There's a new Kvetch in town. Bipartisan Bull Bashing at its Best.

Brought to you by Vicki, Simone, and BJ.
