<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div style="-webkit-text-size-adjust: auto; "><br></div><div style="-webkit-text-size-adjust: auto; "><br>On Mar 26, 2013, at 16:40, Rick Troth <<a href="mailto:rmt@casita.net">rmt@casita.net</a>> wrote:<br><br></div><blockquote type="cite" style="-webkit-text-size-adjust: auto; "><div><span>Others will know better details than I do,</span><br><span>but it comes to mind that it's *easy* for any provider to insert their</span><br><span>own caching layer between you and the world. Not saying WOW is doing</span><br><span>this, but it's trivial for them to trap all port 80 traffic and serve</span><br><span>up cached content ... or doctored content (or redirection, or</span><br><span>whatever!). Caching is justified by reducing their upstream port 80</span><br><span>burden. (For varying values of "justified".)</span><br><br></div></blockquote><br><div style="-webkit-text-size-adjust: auto; ">If I was an ISP and wanted to do this nonsense, a web cache/proxy is exactly how I would do it.</div><div style="-webkit-text-size-adjust: auto; "><br></div><div style="-webkit-text-size-adjust: auto; ">If you have an offsite ssh server, you can try tunneling your HTTP traffic (so WOW can't see it) and try to make Firefox behave the same way (Urls etc). </div><div style="-webkit-text-size-adjust: auto; "><span style="font-size: 15px; line-height: 19px; white-space: nowrap; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.296875); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-text-size-adjust: none; "><br></span></div><div style="-webkit-text-size-adjust: auto; ">ssh -D1080 your-remote-host</div><div style="-webkit-text-size-adjust: auto; "><br></div><div style="-webkit-text-size-adjust: auto; ">Tell FF to use a SOCKS5 proxy, localhost port 1080.</div><div style="-webkit-text-size-adjust: auto; "><br></div><div style="-webkit-text-size-adjust: auto; ">I used this technique years ago to thwart a jerk of a BOFH sysadmin who wasn't very bright. <span style="font-size: 15px; line-height: 19px; white-space: nowrap; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.292969); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469); -webkit-text-size-adjust: none; "><a href="http://blog.flyovercountry.org/2006/10/no-more-spying">http://blog.flyovercountry.org/2006/10/no-more-spying</a></span></div><div><span style="font-size: 15px; line-height: 19px; white-space: nowrap; -webkit-tap-highlight-color: rgba(26, 26, 26, 0.292969); -webkit-composition-fill-color: rgba(175, 192, 227, 0.230469); -webkit-composition-frame-color: rgba(77, 128, 180, 0.230469);"><br></span><div style="-webkit-text-size-adjust: auto; ">If you don't have an offsite ssh account, let me know and I'll set you up with a temp account on my rr hosted box. It would be better to use a non-ISP ssh server -ie a hosting provider like dream host. Barring that this should at least give some indication.</div><div style="-webkit-text-size-adjust: auto; "><br></div><div style="-webkit-text-size-adjust: auto; ">If the problem is WOW, it should go away. If the problem is local - say a plugin - you'll likely have the same kind of issue.</div><div style="-webkit-text-size-adjust: auto; "><br></div><div style="-webkit-text-size-adjust: auto; ">If the problem is WOW, you can very likely complain and opt out. When the ISPs started rewriting/redirecting misspelled URL hostnames to their own search engines (argh!), there was usually a way somewhere on the page to opt out, which was supposed to get tied to your cable modem's MAC address.</div><div style="-webkit-text-size-adjust: auto; "><br></div><div style="-webkit-text-size-adjust: auto; "><br></div><br><blockquote type="cite" style="-webkit-text-size-adjust: auto; "><div><span>Conspiracy theorists unite! :-)</span><br><span></span><br><span>-- R; <><</span><br><span></span><br><span></span><br><span></span><br><span>On Tue, Mar 26, 2013 at 5:12 PM, Rob <<a href="mailto:res@colnet.cmhnet.org">res@colnet.cmhnet.org</a>> wrote:</span><br><blockquote type="cite"><span>For the past few days, I have been working on building Mint 14 system</span><br></blockquote><blockquote type="cite"><span>on a second disk on my main PC. I hate to transition, but my preferred</span><br></blockquote><blockquote type="cite"><span>OS for the past three years (Ubuntu 10.04) will be going EOL next month</span><br></blockquote><blockquote type="cite"><span>and I have to do something. Frankly, I've run into a number of problems</span><br></blockquote><blockquote type="cite"><span>with Mint that I find rather disturbing -- is Mint really being marketed</span><br></blockquote><blockquote type="cite"><span>as made-for-prime-time? -- but perhaps the most disturbing might not</span><br></blockquote><blockquote type="cite"><span>even involve Mint, although I'm increasingly suspicious it does.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>First, I'm a WOW customer for broadband, and have generally been happy</span><br></blockquote><blockquote type="cite"><span>with them. The Firefox disseminated with Mint comes with several</span><br></blockquote><blockquote type="cite"><span>add-ons which cannot be removed (at least not easily), although they</span><br></blockquote><blockquote type="cite"><span>can be disabled. One is "Mint Search Enhancer 1.0" (whatever that is).</span><br></blockquote><blockquote type="cite"><span>I told Firefox early-on to disable it and it said it did. Mint Firefox</span><br></blockquote><blockquote type="cite"><span>also does not have a Google option in the search box on the Navigation</span><br></blockquote><blockquote type="cite"><span>toolbar by default, but it is fairly easy to add it. And that's where</span><br></blockquote><blockquote type="cite"><span>the trouble starts:</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>When I add Google, and then try to use it to search from the search box,</span><br></blockquote><blockquote type="cite"><span>I (often, but not always) get redirected to the following website:</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span><a href="http://64.233.232.17/bg/search-col/index.html?policy=1285&q=tab+groups">http://64.233.232.17/bg/search-col/index.html?policy=1285&q=tab+groups</a></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>(Here, I was searching for "tab groups" at the time.) This website</span><br></blockquote><blockquote type="cite"><span>has WOW branding -- that is, if it returns at all, I often get left</span><br></blockquote><blockquote type="cite"><span>high and dry -- but no useful information that I can tell, and a</span><br></blockquote><blockquote type="cite"><span>small opt-out URL at the very bottom. If I opt out, it appears to</span><br></blockquote><blockquote type="cite"><span>leave me alone for good, i.e., it doesn't seem to rely on a cookie.</span><br></blockquote><blockquote type="cite"><span>However, if I go to another userid on that machine and again invoke</span><br></blockquote><blockquote type="cite"><span>Firefox, it's back, so it does seem to be browser dependent.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>A reverse DNS lookup yields 64-233-232-17.<a href="http://static.nap.wideopenwest.com">static.nap.wideopenwest.com</a></span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>When I first click on the search box with Google selected as the</span><br></blockquote><blockquote type="cite"><span>engine, my DNS server sees two <a href="http://google.com">google.com</a> inquiries and nothing else.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>My question: How are they doing this? First, I run my own DNS</span><br></blockquote><blockquote type="cite"><span>servers on my local LAN. I do not use WOW (or any other external)</span><br></blockquote><blockquote type="cite"><span>servers for my DNS. A dump of my Bind named cache only shows the</span><br></blockquote><blockquote type="cite"><span>64.233.232.17 IP on a reverse lookup which I did. But, it does seem</span><br></blockquote><blockquote type="cite"><span>to more-or-less happily be serving up the copious lookups that Firefox</span><br></blockquote><blockquote type="cite"><span>requests of it. So, it would appear to me this cannot be a DNS exploit.</span><br></blockquote><blockquote type="cite"><span>So, how is it being perpetrated? If I visit Google directly, the browser</span><br></blockquote><blockquote type="cite"><span>globs onto its https entry, and of course, then I get the real McCoy.</span><br></blockquote><blockquote type="cite"><span>Even if force a non-encrypted connect, it seems to work OK there.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Did Mint serve me a doctored search-engine add-on that redirects my</span><br></blockquote><blockquote type="cite"><span>queries to WOW? (But, if so, how did they even know I'm a WOW customer?)</span><br></blockquote><blockquote type="cite"><span>Is WOW doing something really nefarious like masquerading as Google's IP</span><br></blockquote><blockquote type="cite"><span>addresses on their network and then doing a redirect? Has anyone else</span><br></blockquote><blockquote type="cite"><span>encountered this? There does seem to be some hits about this when I</span><br></blockquote><blockquote type="cite"><span>query the search engines, but nothing that comes close to a good</span><br></blockquote><blockquote type="cite"><span>explanation of that's going on. It's really got me baffled.</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Any ideas?</span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>Rob</span><br></blockquote><blockquote type="cite"><span>_______________________________________________</span><br></blockquote><blockquote type="cite"><span>colug-432 mailing list</span><br></blockquote><blockquote type="cite"><span><a href="mailto:colug-432@colug.net">colug-432@colug.net</a></span><br></blockquote><blockquote type="cite"><span><a href="http://lists.colug.net/mailman/listinfo/colug-432">http://lists.colug.net/mailman/listinfo/colug-432</a></span><br></blockquote><span></span><br><span></span><br><span></span><br><span>-- </span><br><span>-- R; <><</span><br><span>_______________________________________________</span><br><span>colug-432 mailing list</span><br><span><a href="mailto:colug-432@colug.net">colug-432@colug.net</a></span><br><span><a href="http://lists.colug.net/mailman/listinfo/colug-432">http://lists.colug.net/mailman/listinfo/colug-432</a></span><br></div></blockquote></div></body></html>