BT admits misleading customers over Phorm experiments

Dad's Army?

"Stephen Mainwaring, a BT Business customer in Weston-super-Mare, believes sensitive banking data relating to his online horse racing business was press-ganged into a trial of an unproven technology."

Don't panic Mr. Mainwaring! Actually, on second thought...

Webwise is not available in your area, so it is not possible to switch on or off.

I tried webwise and it said

Webwise is: NOT AVAILABLE

Webwise is not available in your area, so it is not possible to switch on or off.

Went to the vuln site and got a cookie

Webwise is: ON

Switch off Webwise and turn off anti-fraud and relevant advertising features.

Turned if off at webwise site.

Webwise is: OFF

Switch on Webwise and turn on anti-fraud and relevant advertising features.

Shouldn't it revert to "Webwise is: NOT AVAILABLE" not "OFF" otherwise all the webwise site is telling me is the state of the cookie, not the state of my exchange.

Opt-out Vulnerability

"So unscrupulous websites, receiving a revenue stream from OIX/Webwise/Phorm could just insert a simple modified cookie and then BAM!, you're back in, without consent"

It would take nothing more than a <img src="webwise_opt_in_URL">

It is called a cross site forgery request. http://en.wikipedia.org/wiki/Csrf

It could be turned off just as easily, so bang there goes their phishing protection, but no one need worry about that because modern browsers protects have phishing detection anyway.

I'm sure Phorm are aware of the issue by now and will have it fixed ASAP, but if they miss an obvious potential security issue like that...

@opt-out Vulnerability discovered

So their security got hacked before they even rolled out the service.

Is that a record?

Not much chance we'll believe their other claims now is there!

I'd opt in....

If they paid me £20 per ad served to my router.

Unscrupolous bloody sharks.. and that's just BT, CPW and VM. As for malPHORMed, well the sooner they crawl back under the rock from which they've emerged the better. On second thoughts, they'd better crawl out from under the rock and stay in the open so everyone knows what they're up to with my (and your) web traffic.

in or out

Unbelievable that these guys have their head up their behind.

I understand that they want to make money, but at the same time a lot of people don't want to be profiled or have stuff dropped on their computer.

Why don't they simply do the following :

If a person want customized ads : Go to BT / Vrigan / whatever portal , sign in and click : "I want ads". This places a cookie on your machine that you WANT ads. No cookie is NO ADS. By default this is OFF for every user.

BT/Virgin whatever could send a letter to their subscribers about an 'exciting new service for free, or with a 1 pound reduction of subscription fee if they are willing to look at advertisements'

If you don't accept , nothing happens.

Simple no / But then again , i wonder how many people would sign up .... none ?

@orsen kaht & Maverick

Re: Recommendations:

It changes by the month but at the moment:

Be Internet: - not available everywhere but guaranteed not to phuck around with your connection in any way shape or phorm.

ADSL24: - Entanet reseller (thanks Maverick) caps: 30gb peak, 300gb off peak, one month contract, no setup fee, free migration, no telco tie-in - 19 quid per month!

Easy-peasy

Opt-out vulnerability

"I tried webwise and it said

Webwise is: NOT AVAILABLE

<snipped>

Shouldn't it revert to "Webwise is: NOT AVAILABLE" not "OFF" otherwise all the webwise site is telling me is the state of the cookie, not the state of my exchange."

I'd think it checks if a Webwise cookie is present on your PC before checking if Webwise is "available in your area", maybe they use that approach in case someone uses their laptop in more than one location.

Delete the webwise.net cookie and it will go back to being not available in your are.

Re: opt-out Vulnerability discovered

Good test.

Browser test results:

FireFox - accepted webwise cookie when accepting cookies was set

SeaMonkey - custom security settings (very high security), did not even try to visit the webwise site

iCab - also did not even try to visit the webwise site

For anyone who uses Safari, you will understand why I did not even test it.

Assuming that SeaMonkey works the same for M$ and Linux as it does for Mac, and as it is not on the 'approved browser list' for sniffing your port 80 http traffic, I can only recommend that anyone who is worried that they may be opted in without their knowledge downloads the browser.

http://www.seamonkey-project.org/

Enjoy

Webwise is: NOT AVAILABLE

"Shouldn't it revert to "Webwise is: NOT AVAILABLE" not "OFF" otherwise all the webwise site is telling me is the state of the cookie, not the state of my exchange."

Oh, hang on, you're right. I keep forgetting Webwise is supposed to be protecting us against phishing, so if we were to use our laptops at another location, saying it is enabled when it is not available at our current location might make us think we don't need phishing protection enabled on our browsers.

I guess it is poor coding.

Why not rob BT

I suggest a wages clerk at BT walks off with as much cash as he can lay his hands on. When questioned he merely has to reply that it was a very small sum of money in comparison with BT's total wage bill and that he carefully destroyed the payslips.

Paris because she would see the logic of this.

Like the noise. Noise good.

My learned friend informs me that "Due Diligence" in law has a well defined meaning. STFW comes up with this link:

http://research.lawyers.com/glossary/due-diligence.html

This definition I think is most relevant: "The care that a prudent person might be expected to exercise in the examination and evaluation of risks affecting a business transaction." You can use it as a defense if one of your jobs goes pear-shaped, but you genuinely analysed all the risks and nobody would have expected the sudden outbreak of squid in the computer room.

Now "significant due diligence" on the other hand, has no legal meaning whatsoever. If taken logically (hah!) it means that Due Diligence was <i>not</i> taken, only a "significant" portion thereof.

Frankly, not telling a number of users that you're syphoning off their -until then- private conversations on the web is about as far away from "Due Diligence" as it is possible to get without actually breaking into their homes.

Paris, because she, too, is now an expert on legal matters.

sageamp cookies

I noticed after visiting the Mirror website that two turdware cookies were installed to do with sageamp with the domain set to '.co.uk' - I didn't actually think it was possible to set a cookie as a root-level domain (but I guess .uk would be the root in this case), but apparently it is.

I've written a little bit of js to stick on my .co.uk websites that clears these out for anyone who visits, but shouldn't browsers prevent the creation of cookies that are at a higher-level domain than the visiting page?

Jolyon

Yes, yes, yes, it's definitely malware: BT says so! (plus rant at no addtional cost)

BT: "customers whose DNS requests were being redirected must have a malware problem."

So even BT agrees that Phorm's system is malware. There you have it folks, straight from the horse's mouth.

Deeper thoughts: once again the malaise that infects business worldwide appears: the idea that you can do anything you want in the pursuit of profit (or shareholder value) as long as there's no explicit law against it. IANAL, but my understanding is that statute law is only part of the law, and a minor one at that, that common law is in fact the main part of law. Plus there's the old concept that the courts must seek justice, without being held to the restrictions of both statutory & common law: a legacy from the good old days of the Courts of Chancery.

Time for a new legal principle to be promulgated: business must act ethically, responsibly, honestly, morally, and openly at all times in all ways, never mind the impact of profit or shareholder value. Behaving honestly and morally, sensu *very* latu, simply becomes a condition for doing business at all.

As for the scumbags at Phorm and BT, we need a new legal penalty as well: do something dishonest, and you are issued a sort of ASBO that precludes you ever again being involved in business in any kind of responsible capacity. Perhaps tattoo the word "dishonest" across the foreheads of those found guilty? Think of it: no more directorships, no more management jobs, no job involving money or confidential data, nothing much but a being a salaried grunt at the lowest level of the hierarchy: the janitor or the guy who cleans the toilets, for example.

And make sure that even consultancies are out of the question.

Vengeance is mine, sayeth the Lord!

Alternative ISP

If its on your exchange get the ADSL2+ service from be*

www.bethere.co.uk

Check your exchange here:

www.dslzoneuk.net

Unlimited (£18) is cheaper than BT and runs at 24mbits and (pro £22) if you want 2.6kbit upload.

I get advertised rate 24/24 although on BT kit I only ever got 6/8.

And no Phorm, and no plans, Direct from staff on the forum.

@Jolyon Ralph re: cookies

You can't set a TLD cookie, but .co.uk is not a TLD. .uk is a TLD.

RFC2965 explains all.

@anonymous coward :re: browser test

Anonymous coward...why did you "not even bother" to test Safari? Is is not susceptible to this attack vector, or is it just that nobody in their right mind would be using it in the first place?

The FIPR letter to the ICO

http://www.fipr.org/080317icoletter.html

FIPR Open Letter/Press Release

http://www.fipr.org

FIPR state "Phorm system illegal to operate in the UK" (based on their analysis of RIPA, DPA and European Data Protection Law).

Phorm Stock down 1.5% since the press release. (down 8.81% so far today).

Good one FIPR

A choice move by FIPR. They've thoughtfully analysed many of the arguments that have been floating around and presented them in a very comprehensible manner. It should certainly attract some attention and concentrate minds at the ICO.

Well done guys!

Was I a test subject?

So, as a BT customer is there any way I can find out if I was part of the Phorm testing?

Paris, because she's almost as big a slag as BT.

@anonymous coward :re: browser test

>>Anonymous coward...why did you "not even bother" to test Safari? Is is not susceptible to this attack vector, or is it just that nobody in their right mind would be using it in the first place?

>>

One of the options for cookies in Safari is:

Accept cookies - Only from sites you navigate to. For example, not from advertisers on those sites.

3rd party cookies are blocked :D

This is why Safari is not on the Phorm approved browser list: no point is using CPU on a browser that will reject all their cookies.

While the latest Safari browsers are a lot better and more compliant than earlier versions they are still very bugsy and therefor not my browser of choice.

The cookie security filters on SeaMonkey are are lot easier to set and block from specific sites, i.e. block, session or allow.

Why use a Mini when there is a Rolls in the garage?

That's odd...

...I was under the impression that Lewis Hamilton is the greatest living Briton.

I asked Freedom2Surf whether they were thinking about Phorm - here's the reply-

Take particular note of the bit I surrounded in asterisks. Well - that a lovely attitude. Since I already pay them a fee every month I wonder why they think that they should get every extra bit of revenue out of me by whatever means they see fit just because the are 'not a non profit making organisation' - grrrr :-(

Dear **********,

To my knowledge we are not looking at using PHORM, however we in sales are usually the last to hear

of this so all I suggest is to keep an eye out on your members area and the website. It appears that

those ISP's that are trialling this appear to be using an opt in or opt out system anyway.

***** At the end of the day all ISP's are not non profit making organisations ***** and PHORM offers a revenue

stream so unless people raise this in profile more with those that are trialling now then all ISP's

will probably end up using it in one form or another. If you wish to raise your concerns officially

I suggest that rather than emailing your concerns to us in sales you put it in writing to:

<SNIP>

Best regards

************

Freedom2surf sales

Sorry to bring up system details again

but I've been feeling a little slow lately, I've only just clocked onto the following;

Phorms system, IIRC, will send two requests to the server you are accessing (i.e. msn.com) which has raised concerns about forms being submitted twice, but what about my bandwidth as a webhost? now my server is not the busiest on the net by a long shot, but imagine you get 1000 hits a day, if all your readers are on Phorm-infested-lines then your bandwidth will take the equivalent of 2000 hits.

Am i right? or is there a reason that last coffee tasted strange?

Who to contact

Does anyone have the email address of the various ISP's to register your complaint about using the Phorm system.

Being a webmaster, some of my clients have asked me to protect their sites from being profiled, capture etc by Phorm. Not even Google has access to the sites.

These sites are behind a password protect logon system using normal http protocol.

I know moving the sites over to https but this involves cost to myself and my clients but we should not have to finance this.

So I would like to email the various ISP's (ie the correct person and not the monkeys on the helpdesk) and explain that they can not profile the sites as the data is not for their eyes.

Thank you

why work when you can steel?

http://news.bbc.co.uk/1/hi/technology/7301379.stm

"A spokesman for BT told BBC News: "Provided the customer has consented, we consider that there will generally be an implied consent from website owners."

so they are going to ask them then???