Wednesday, June 24, 2015

Your ISP Could Be Using Javascript Injection Attacks Against You

You are sitting at your computer surfing the web like the time waster you are. You click on a web site link and the web site comes up. But another tab opens asking you to take a short survey. Even novice computer users are skeptical these days with all the hacks, attacks and phishing attacks.

But you are not on a shady site. You just got a popup from a legitimate site asking you to take a survey from your local Internet provider. Maybe you close the popup and ignore it. But an hour later, the same popup appears on a different web site.

Are all those companies in cahoots, or is your computer infected? What's going on?

What's happening is that your Internet provider is using hacking techniques on you in order to put that survey tab in front of your eyeballs. When you go to load a web page, your provider gives you the web page you asked for, but injects its own code into that web page, masquerading as part of the page.

Now, your browser doesn't think there's any security issue because that injected code is pretending to be part of the page you asked for. The browser has no way of knowing what should be the legitimate content of that legitimate site you are trying to browse.

You trust your Internet provider to give you the content of web sites you visit. That's the whole point of their service. But your trust is misplaced for several reasons, and one of these reasons is these man-in-the-middle style attacks where they trick the browser into accepting code that's not part of the site you are browsing.

Does it sound like hacking to you? It sounds like hacking to me. I'm not lawyer but I was under the impression that these type of attacks are exactly what the Computer Fraud and Abuse Act was created for, if only for high-value computers. Again, I'm no lawyer, but since the ISP is injecting these surveys into everyone's traffic, doesn't that mean any bank or government employee who sees this survey is a victim of a man-in-the-middle hacking attack under the CFAA?

Other than the recent backbone shown by the FCC comminsioner with net neutrality, when it comes to technology, the law for the most part does not apply to large corporations. It's usually the Aaron Swartz's of the world that technology law applies to.

They threatened Aaron Swartz with 30 years for making copies of public domain documents before he took his own life. What jail time do you think anyone at Comcast will do for using black hat hacking techniques against you in order to show you surveys?

And everything in this post so far ignores the security implications of not being able to verify the authenticity of this on-the-fly injected javascript code. How do I know the difference between this opportunity to tell my provider how much they suck and a black hat attack, trying to steal my identity?

Wednesday, June 10, 2015

Clickbait Must Be Stopped

Early TV was free. If you owned a television set from the 1950's all the way up through the early 1980's, free programming was the norm. Most people understood it was free because sponsors paid large sums to these stations to sell us more beer, soda and cars.

Newspapers traditionally have cost money. They take plenty of money from advertisers, but they have other costs involved with printing and transporting their media around, unlike a TV station that just beams a signal out. Most people understood that it was a decent value to pay a small amount to buy a newspaper.

Enter the Internet, where not just media but all forms of information move at the speed of light. And with it came societal expectations for news more in line with broadcast TV. Now the "signal" is a web site, but conceptually it's similar.

With the Internet, lots of media companies and just companies in general had to change the way they do business. I'm not going to pay a dollar to find out what happened overseas yesterday. I understand that just like for broadcast TV, these media companies are still taking in vast sums of money from advertisers, and seeing ads on a web site doesn't bother me in the least.

...Except that somewhere along the line, the tone of these media companies changed dramatically. Some of them didn't meet their ridiculous estimates to grow to a size big enough to blot out the sun. Some media companies even *gasp* lost  money because they refused to adapt.

Did they blame their own complacency or hubris for refusing to capitalize on what's obviously a lucrative medium like the Internet? Nope. They saw the Internet as bad, and they saw you the customer as a freeloading potential thief.

Since you have the poor taste to try to find out what's happening in the world without having to pay one of a handful of gatekeepers, you are obviously a freeloader trying to steal legitimate content off the hard working backs of the mega-media-corporations.

It should then be no surprise that most of the big media web sites are partners hand-in-hand with click bait, shock photo ad banner farms with no ethics or scruples whatsoever. The "good" ones will put "sponsored" in tiny letters.

Some corporations have grown so big that they just dropped all pretense of caring about their customers or their own conduct as corporate citizens.

I remember reading iconic magazines like Popular Mechanics and newspapers like the LA Times growing up, and none of these proud institutions went out of their way to steer your towards their advertisers by pretending that their ads were content and news articles.

This behavior of throwing you, the reader, under the bus to make a few extra bucks from their uber-aggressive advertisers is shamefully commonplace among even the biggest news sites. I won't even go into depth that most of the new sites these days are clickbait sites.

In my opinion, if the business model of your company involves tricking people into clicking on ads you know they probably don't want to see because they think it's your content, then you are only diluting and devaluing your own content over time. I think many of these huge media corporations are click-baiting themselves out of a job.

My blogs have ads and affiliate links. They pretty much have to, though it barely covers my own expenses of running my sites. I put the ads where Google tells me it thinks I should put them and it looks reasonable to me. For every business decision about my blog, I ask myself "would my mom approve?"

Everyone tells me "You are so good at this stuff-- you should be making millions on the Interwebs." And I say "Yep, I probably could. All I have to do is stop being passionate about writing real content and start cranking out the cat photos and clickbait captions like "12 reasons why these cute kittens will be dead tomorrow" and "Emily Blunt wore what dress?" which take them to even shadier sites, in an increasingly-shameful progression of faux content usually ending in the purchase of a Chinese made waffle iron or similar high margin item. No, I won't do that. But that's OK, because there's only about a million hands up saying "I will!" So: I get to be poor for my ideals--go me.

What will stop clickbait? Well, there are some good news apps for phones and tablets which seem good at filtering it out and showing just bona fide news, eventually you will get linked to something that will spam you with clickbait.