The End Of Western Civilization (was Re: RoadRunner nonsense)

Leo Mauler webgiant at yahoo.com
Mon Mar 3 14:11:31 CST 2008


--- Jonathan Hutchins <hutchins at tarcanfel.org> wrote:

> On Tuesday 26 February 2008 13:06:06 Billy Crook
> wrote:
> 
> > If one were to look at how their opt-out page
> > works, you http get with a few args, one of 
> > which is your modem's mac address.  You could 
> > just as easily post with any other cable 
> > modem's mac address, if say, you had multiple, 
> > and didn't want to visit each physical location 
> > of them, or maybe ....
> 
> ... you could just type the correct url in the 
> first place.
> 
> Yes, it's annoying.  No, it's not the end of Western
> Civilization.
> 
> Get a grip, guys.

It may not be the end of Western Civilization, but it's
certainly being handled very insecurely by RoadRunner.

This guy (blogger link below) has done some poking
around and discovered how RoadRunner is going about
the "opt-in/opt-out" process for its new services
(that's right, plural, see below), and it is a little
scary from a security perspective.

http://rgov.org/road-runners-dns-wildcard

Basically RoadRunner is using an open HTTP GET
request, and no SSL, for your "Preferences" page.  It
is possible for anyone to request the "Preferences"
page for every single customer, and with this
information you gain the geographical location of
every single RoadRunner customer (and thus where to
direct your own ISP's advertising to best effect,
especially if you don't redirect "failed DNS requests"
to an advertising page).

But RoadRunner has not one but *three* new services
you can opt into or out of.  Services which, when
their options are set very unfavorably to the
customer, result in an interesting and profitable
situation for Internet Advertisers, and in particular
a certain class of advertiser.

# Web Address Error Redirect Service:
(the service everyone is complaining about, which
sends you to a page containing ads from advertisers
who are advertising with RoadRunner)

# Typo Correction Service:
(fixes common typos in URLs, such as cmo or nte)

But the third one should be of some concern for those
with small children:

# Safe Search Filter:
"This preference allows you to restrict adult-oriented
content from search results on the non-existing domain
landing service."

Since there are only approximately 16,777,216 MAC
addresses the way RoadRunner is handling the service,
you could write a script which, for example, opted
every RoadRunner customer *into* "Web Address Error
Redirect Service", *out of* "Typo Correction Service"
(which increases the possibility that the RoadRunner
"Failed DNS Request" page will pop up), and *out of*
"Safe Search Filter".  And it wouldn't take long to
run the script, or be much trouble to run it once a
week.

And then you, as the owner of "Adult Content Website
Advertising Consortium", then use the advertising
revenue you collect from your adult website members to
buy HUGE amounts of adult content web advertising. 
Every time a RoadRunner customer mistypes a URL, or
types in a non-existent URL, the RoadRunner page will
pop up and send adult content advertising related to
the customer's failed URL request (Rule #34 of the
Internet: "If it exists, there is porn of it.").

You don't even need to be an adult content advertising
consortium.  Just pay for "first placement" on the
RoadRunner Ad Page...err, I mean "Failed DNS Request
Page", and then run the script opting every RoadRunner
customer *into* "Web Address Error Redirect Service"
and *out of* "Typo Correction Service".  The
RoadRunner customer will see the RoadRunner "Failed
DNS Request Page" more often than they would like to
see it, and your ads will be seen more often than any
other ad.

Spam has proven that many Internet Advertisers have no
shame, decency, and/or ethics.  This move by
RoadRunner will be exploited, and exploited soon, and
with any luck the complaints from customers (and the
lawsuits from parents) will bring it to an end fairly quickly.
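
An added sketch of the server-side fix for the design described in this message (not part of the original post, and not RoadRunner's code): the first handler trusts a MAC address supplied in the request, as the post describes; the second identifies the modem from the ISP's own lease records, refuses GET for changes, and requires a per-modem form token. The lease table, field names, addresses and function names are assumptions made up for the example; transport encryption is outside it.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: provisioning leases (source IP -> modem MAC) and stored preferences.
LEASES = {"198.51.100.10": "00:11:22:aa:bb:01", "198.51.100.11": "00:11:22:aa:bb:02"}
PREFS = {mac: {"redirect": False, "typo": True, "safesearch": True} for mac in LEASES.values()}
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret used to sign form tokens


def insecure_update(params, prefs):
    """Pattern described in the post: the MAC in the request is the only 'credential'."""
    mac = params.get("mac")
    if mac not in prefs:
        return 404
    prefs[mac].update({k: v == "1" for k, v in params.items() if k in prefs[mac]})
    return 200


def form_token(mac):
    """Anti-forgery token bound to one modem, embedded in the form served to that modem."""
    return hmac.new(SERVER_KEY, mac.encode(), hashlib.sha256).hexdigest()


def hardened_update(method, source_ip, form, prefs, leases=LEASES):
    """Identify the subscriber from the network side, never from a client-supplied field."""
    if method != "POST":                      # state changes must not ride on GET
        return 405
    mac = leases.get(source_ip)               # assumption: ISP can map source IP to modem
    if mac is None:
        return 403
    if "mac" in form and form["mac"] != mac:  # request names a modem it did not come from
        return 403
    if not hmac.compare_digest(form.get("token", ""), form_token(mac)):
        return 403
    prefs[mac].update({k: form[k] == "1" for k in prefs[mac] if k in form})
    return 200
```

With the second handler, a request can only change the preferences of the modem it arrives through, so the value of knowing or guessing another customer's MAC address disappears.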





More information about the Kclug mailing list