Reader Comments

Subscribe: RSS

View by: Time | Thread

• 

  Anonymous Coward, 5 Aug 2011 @ 2:44pm

  
  

  Civil suit? No, this should be a federal criminal case

  This clearly spans state boundaries, therefore the feds have jurisdiction. And it's clearly illegal wiretapping, AND it may fall under RICO. The feds should come down on those responsible as hard as they possibly can -- I think a lifetime prison sentence for them might just have a little value in discouraging the next idiots who think of trying this.

  [ link to this | view in chronology ]

  • 

    :Lobo Santo (profile), 5 Aug 2011 @ 2:52pm

    
    

    Re: Civil suit? No, this should be a federal criminal case

    Good Science I hope you're right.

    [ link to this | view in chronology ]

  • 

    Anonymous Coward, 5 Aug 2011 @ 3:22pm

    
    

    Re: Civil suit? No, this should be a federal criminal case

    Yeah I had to re-read the first sentence a few times as well - one double negative too many

    [ link to this | view in chronology ]

  • 

    Manabi (profile), 6 Aug 2011 @ 3:37am

    
    

    Re: Civil suit? No, this should be a federal criminal case

    A lifetime sentence might be a bit much, but if the feds would pursue the actual company owners/CEOs/etc. with wiretapping charges, then convict some of them on those charges and put the actual people in jail, it might have a deterrent effect. Right now all that generally happens is there's lots of bad publicity and the company providing the technology either goes under, or renames/sells its assets off and repeats the procedure again in the future.
    
    But if you have the actual masterminds going to jail, well now, the number of people actually willing to take the risk to run such a company will quickly dwindle. Those stupid enough to continue to risk it will end up in jail, and the others will find something else to do. (Probably also unethical and immoral, but maybe not illegal.)

    [ link to this | view in chronology ]

• 

  Dark Helmet (profile), 5 Aug 2011 @ 2:51pm

  
  

  Might wanna check that first sentence, Mike....

  [ link to this | view in chronology ]

  • 

    Dementia (profile), 5 Aug 2011 @ 3:03pm

    
    

    Re:

    I see you caught the "won't get them into trouble" too.

    [ link to this | view in chronology ]

    • 

      Anonymous Coward, 5 Aug 2011 @ 3:11pm

      
      

      Re: Re:

      I was wondering about that. So will it get them into trouble or not? it's hard to know in this day and age

      [ link to this | view in chronology ]

  • 

    Michael Costanza (profile), 5 Aug 2011 @ 3:24pm

    
    

    Re: won't vs will

    I agree. Made the change, though I used "could" not "will," 'cause, you know, it may not... sometimes.

    [ link to this | view in chronology ]

• 

  CD (profile), 5 Aug 2011 @ 3:57pm

  
  

  Comcast and Verizon.

  I had something similar happen back when I was using Avant Browser. I accidentally closed the Verizon FIOS web page and when I used the mouse gesture to reopen the last closed tab it loaded up to a Comcast page selling Internet Service. I did that about 4 or 5 times and it happened each time. I shot a video with my cell phone but I don't think it's of good resolution to see the URL of the page that was closed and that of the one that opened but you can see the images and page content clearly.

  [ link to this | view in chronology ]

• 

  Anonymous Coward, 5 Aug 2011 @ 4:19pm

  
  

  this is why you should NEVER install any ISP software, even their "so-called" free anti-virus software. If you always use a router/switch, as you should, they connect to that and your PC/Laptop(s) connect to that and need NO software from your ISP.

  [ link to this | view in chronology ]

  • 

    Anonymous Coward, 5 Aug 2011 @ 4:41pm

    
    

    Re:

    Also, don't use your ISP's DNS servers. Look up public DNS servers, then run a DNS speed test to find the ones that are fastest for you.

    [ link to this | view in chronology ]

• 

  Anonymous Coward, 5 Aug 2011 @ 4:20pm

  
  

  HTTPS Everywhere

  Perhaps due to some sort of synchronicity, HTTPS Everywhere 1.0 was released yesterday.

  [ link to this | view in chronology ]

• 

  lucidrenegade (profile), 5 Aug 2011 @ 5:13pm

  
  

  ISP List

  Here's the list of ISPs from the article:
  
  Cavalier
  Cincinnati Bell
  Cogent
  Frontier
  Hughes
  IBBS
  Insight Broadband
  Megapath
  Paetec
  RCN
  Wide Open West
  XO Communication

  [ link to this | view in chronology ]

• 

  faceless (profile), 5 Aug 2011 @ 5:55pm

  
  

  There is a similar problem with Mediacom, and they do this on such a low level that it still replaces error pages and search results even when using 3rd party DNS. And their 'Opt Out' page seems to forget that you opted out every few days to every few weeks.

  [ link to this | view in chronology ]

• 

  chris, 6 Aug 2011 @ 12:03am

  
  

  I've never heard much less experienced this before. I thought ISPs only did DNS Hijacking. In that case, all you miss out on is an error message. This sounds F'ed up. Using https://encrypted.google.com/ should put a stop to this.
  
  Since you posed the questions,
  
  (a) Only to an very small percentge of people who actually understand WTF just happened to their search.
  
  (b) Who's going to sue them? The average person is going to conclude it's not worth the time and expense. A privacy rights organization might. However the ISP will probably pull some kind of "it's in the TOS" deal and some crappy judge will uphold it.

  [ link to this | view in chronology ]

• 

  Anonymous Coward, 6 Aug 2011 @ 9:57am

  
  

  just to clarify

  is this only happening to those that are utilizing the ISP`s nameservers?

  [ link to this | view in chronology ]

  • 

    chris, 6 Aug 2011 @ 5:07pm

    
    

    Re: just to clarify

    I wouldn't think so because the search terms are part of the http request which has nothing to do with dns

    [ link to this | view in chronology ]

• 

  Freedom, 7 Aug 2011 @ 12:09pm

  
  

  Google -- why not publicly?

  >> The report notes that Google became aware of this earlier this year and complained privately about it (why not publicly?)
  
  If you haven't read the book by "Google Employee #59", it is a great insight into the company and also touches on why Google would handle something like this privately.
  
  The core gist of it (or at least how I read between the lines) is that Google ultimately knows that direct fights are expensive, have unintended consequences, etc. Essentially, they view "fighting the good fight" as declaring "war", and are very hesitant to do so. In contrast, their secret weapon is an incredibly talented tech team that can work around and solve these types of issues for themselves while staying under the radar.
  
  Freedom

  [ link to this | view in chronology ]

• 

  A. Non, 9 Aug 2011 @ 8:59am

  
  

  Google has known about this since at least 2008.

  [ link to this | view in chronology ]

• 

  A. Non, 9 Aug 2011 @ 10:33am

  
  

  Why will Congress not rid us of this pest?

  Paxfire apparently currently occupies quarters formerly used by a janatorial services company which seems to have employed youth offenders in Texas to clean toilets in Brooks Air Force base. Which is interesting because Paxfire is in a much dirtier business.
  
  Paxfire was founded in 2003, but appears to have been a spin-off from a slightly older company, Simena LLC, whose president, Seyzen Uysal, is an inventor named in at least one patent assigned to Paxfire. Both companies are located in Reston, VA, home of many companies which are involved in, shall we say, shady dealings involving the US government. Simena has about 5 employees and annual revenues of about 0.5 million, while Paxfire has about 21 employees with annual revenues of about 29 million. Paxfire operates servers in Asia, Europe, as well as the US, and has offices in the Holland, Germany, the United Kingdom; and Australia. Simena offers a device which sorts and tees traffic for further analysis (for example by a DPI box), while Paxfire offers devices which geolocates consumers and hijacks their search requests (often ALL search requests), sending the consumer to a fake Google server, a server which is actually operated by Paxfire, a company which has no business relations with Google (according to Google, and for once I believe the Chocolate Factory).
  
  Initial mention of Paxfire in the press came mostly from business writers who appear to have been inclined to give the benefit of the doubt to co-founders Mark Lewyn, a former reporter, and Allan Sullivan. What I find remarkable about later coverage from tech writers is the depth of personal revulsion at the business practices of Paxfire (and sleazy ISPs which install Paxfire boxes in their server rooms) which is apparent in their writing. Another interesting feature is that it appears to be standard practice for ISPs to deliberately mislead their own helpline employees and even admins about the presence and function of the Paxfire boxes. It even seems that some smaller ISPs which hired a "modem management company" based in Pittsburgh, Ad-Base Systems, may have misled the ISPs about the presence and function of Paxfire boxes which Ad-Base had installed in its server rooms, allegedly without the knowledge of the ISPs (or at least, their admins). As one might expect, call center techies and admins who find out that they have been passing on misinformations to consumers are usually quite angry when they learn they have been deceived by their own company (or its business partners). (See the Google Knol cited below.)
  
  Another aspect which doesn't come through very clearly in most of the coverage is the extent to which Paxfire tries to hide its ownership of the fake Google servers behind front companies, and more generally of its business activities. It appears to describe itself by saying it offers "telecommunication services, namely, electronic data reception and transmission", which is obviously extremely misleading. One page even mispells Mark Lewyn's last name.
  
  Reaction to VeriSign's New 36-Hour Deadline
  CircleID, 3 October 2003
  
  Broken Links Lined With Gold for Paxfire
  Washington Post, 30 January 2005
  
  Interview with Mark Lewyn, Paxfire.
  Mark talks about his experience raising money from the CIT GAP fund.
  Keywords: Mark Lewyn Paxfire CIT GAP raising money
  MeThings, 14 Jul 2005
  
  Washington Post
  Recent Deals, 23 May 2005
  [quote]
  Paxfire Inc. , an Internet traffic reduction company in Reston, sold $2.1 million of series A preferred stock to three investors, according to an SEC filing. Paxfire will use the money for working capital. On Demand Venture Fund of San Francisco and three Paxfire executives were listed as beneficial owners.
  [/quote]
  
  The Typo Millionaires
  The sordid history of the oldest scam on the Internet�and how to kill it off once and for all.
  By Paul Boutin
  Slate, 11 February 2005
  
  http://knol.google.com/k/dns-squatting
  DNS Squatting
  The marketers are out to get you... and your little browser too.
  How Paxfire stole Google.com - and nobody noticed. An introduction to DNS Squatting - why you should understand how it works and how it affects you when unscrupulous marketers play games with your DNS.
  Joseph Harris
  Google Knol, August 2008
  
  http://www.newscientist.com/article/dn20768-us-internet-providers-hijacking-users-search-queries.h tml
  US internet providers hijacking users' search queries
  Jim Giles
  New Scientist, 4 August 2011
  
  http://www.eff.org/deeplinks/2011/07/widespread-search-hijacking-in-the-us
  Widespread Hijacking of Search Traffic in the United States
  Christian Kreibich (ICSI), Nicholas Weaver (ICSI) and Vern Paxson, with Peter Eckersley (EFF).
  EFF, 4 August 2011
  
  http://arstechnica.com/tech-policy/news/2011/08/small-isps-turn-to-malicious-dns-servers-to- make-extra-cash.ars
  Small ISPs use "malicious" DNS servers to watch Web searches, earn cash
  Nate Anderson
  Ars Technica, 5 August 2011
  
  http://www.dslreports.com/shownews/ISPs-Covertly-Hijacking-Search-Traffic-115547
  10 ISPs Using Paxfire Tech to Track Users, Hijack Results
  Karl Bode
  DSL Reports, 5 August 2011
  
  http://venturebeat.com/2011/08/05/isp-search-redirect/
  Why ISPs are hijacking your search traffic & how they profit from it
  Jolie O'Dell
  Venture Beat, 5 August 2011
  
  http://www.theinquirer.net/inquirer/news/2099860/isps-hijack-search-traffic
  Big US ISPs hijack search traffic
  Crikey!
  Inquirer, 5 August 2011
  
  http://www.maximumpc.com/article/news/several_us_isps_hijacking_and_redirecting_their_custom ers_search_queries
  Several US ISPs Hijacking And Redirecting Their Customers' Search Queries
  Brad Chacos
  MaximumPC, 5 August 2011
  
  http://techcrunch.com/2011/08/05/study-some-isps-still-hijacking-search-results-lawsuit-foll ows/
  Study: Some ISPs Still Hijacking Search Results (Lawsuit Follows)
  Devin Coldewey
  Techcrunch, 5 August 2011
  
  http://boingboing.net/2011/08/05/many-us-isps-in-epidemic-of-covert-search-hijacking-of-thei r-customers.html
  Many US ISPs in epidemic of covert search-hijacking of their customers
  Cory Doctorow
  BoingBoing, 5 August 2011
  
  See also
  US Patent 7631101, Systems and methods for direction of communication traffic
  US Patent 7310686, Apparatus and method for transparent selection of an Internet server based on geographic location of a user
  
  The Wikipedia article was apparently edited by Lewyn and has recently been moved which erased prior history; see
  https://secure.wikimedia.org/wikipedia/en/wiki/Paxfire
  The version as on 8 August seemed pretty good, but it is strange that it describes Paxfire as a "startup" since it has been operating since 2003.
  
  So why has Paxfire been allowed to operate unmolested for so long, despite such widespread knowlege of and revulsion from its business practices? Practices which, everyone seems to agree, are either criminal or ought to be? The explanation might be some contributions during the most recent presidential election:
  
  http://www.campaignmoney.com/finance.asp?type=io&cycle=08&criteria=Paxfire
  Dou g, Armentrout, COO, Paxfire, $250, National Republican Trust PAC
  Kris Carter, General Counsel, Paxfire, $250, National Republican Trust PAC
  Michael Subotin, Research Scientist, $1050 (total), Obama for America
  
  Is that really the price of protection? A mere 1500? Can't we collectively beat that and put this company out of business and its executives in the dock?
  
  Actually, the true story may be even worse than that. Several of the fake Google servers reported to Google in 2008 were registered to L-3 Communications. Back in 2008, L-3's webpages said little about the nature of its business, and the Wikipedia article described L-3 as a company which owned a lot of dark fiber. Convenient if you want to hide something ugly. But the current Wikipedia article is much more accurate. L-3 Communications is in fact the 8th largest US federal government contractor, with about 3.8 billion in federal contracts in 2011. It has annual revenue of about 15.7 billion, employs some 63,000 people, has offices all over the world. Its business? The current Wikipedia article says
  [quote]
  L-3 Communications ... supplies command and control, communications, intelligence, surveillance and reconnaissance (C3ISR) systems and products, avionics, ocean products, training devices and services, instrumentation, space, and navigation products. Its customers include the Department of Defense, Department of Homeland Security, U.S. Government intelligence agencies, NASA, aerospace contractors and commercial telecommunications and wireless customers.
  [/quote]
  And this description is an accurate summary of how L-3 now describes itself.
  
  The fake Google servers reported to Google in 2008 are still owned by L-3, but if they assigned to anyone, they are bogons. But one subnet previously used (allegedly) by Paxfire in 2008 to hide fake Google servers appears to have popped up again recently in what appears to be a scam in which traffic from US service persons seeking insurance is hijacked and sent to a malware serving site. Nasty, huh? Another of these subnets has recently been named in the ongoing genuine but improperly issued certificate issue, in which a certificate for the International Criminal Court appears to have been given up to an imposter.
  
  Another company which sells multi GB/second deep packet inspection equipment to ISPs and internet backbone providers is Cisco, which has been accused for many years of close cooperation with the Chinese government in its population surveillance and censorship programs. And a UK based company, Gamma International, apparently tried to sell its own DPI equipment to pre-revolution Egypt, and appears to maintain an office in Syria. And there are possible indications here that a third company, Paxfire, may be involved in something which ought to concern the US Congress, even if trampling on consumer rights does not.

  [ link to this | view in chronology ]

• 

  A. Non, 9 Aug 2011 @ 12:37pm

  
  

  Why not publically?

  My (much) longer comment appears to have been lost, but I believe that identicon's guess is correct, based on my own conversations about this issue with Google.

  [ link to this | view in chronology ]

• 

  A. Non, 9 Aug 2011 @ 12:54pm

  
  

  The role of Ad-Base Systems, L-3 Communications, HBGary

  I meant "Freedom"'s comment.
  
  The EFF summary and these two research papers are well worth reading:
  http://www.eff.org/deeplinks/2011/07/widespread-search-hijacking-in-the-us
  http://www.ici r.org/christian/publications/2011-satin-netalyzr.pdf
  http://www.usenix.org/event/leet11/tech/full_p apers/Zhang.pdf
  The EFF researchers admitted they were surprised that millions of US persons turn out to have been victimized in this DNS hijacking, but their figure agrees with my estimate in 2008.
  
  In the papers, "ISP" can be confusing. The researchers found that all the searches of 98% of the customers of Ad-Base Systems, based in Pittsburgh, were being hijacked (apparently by Paxfire boxes, with the connivance of Ad-Base). Ad-Base is not only a local ISP in that area but also operates a "managed modem" business, so dial-up customers of many local ISPs in other areas were actually being redirected to Ad-Base, and then their search requests were being sent to fake Google servers, apparently actually operated by Paxfire. In 2008 I found that some of these servers seemed to be registered to L-3 Communications and Internap, which also agrees with the EFF researcher's findings. L-3 is the eighth largest US federal government contractor, and the nature of its business raises questions about its involvement in this business:
  
  https://secure.wikimedia.org/wikipedia/en/wiki/L-3_Communications
  [quote]
  L-3 Communications Holdings, Inc. (NYSE: LLL) is a company that supplies command and control, communications, intelligence, surveillance and reconnaissance (C3ISR) systems and products, avionics, ocean products, training devices and services, instrumentation, space, and navigation products. Its customers include the Department of Defense, Department of Homeland Security, U.S. Government intelligence agencies, NASA, aerospace contractors and commercial telecommunications and wireless customers.
  [/quote]
  
  The HBGary leak revealed that L-3 had solicited a prospectus from HBGary for a project which appears morally ambiguous, to say the least.

  [ link to this | view in chronology ]

• 

  Anonymous Coward, 9 Aug 2011 @ 1:10pm

  
  

  The managed modem business

  Forgot to say that Ad-Base System's managed modem business is called GlobalPops.
  
  Some other companies which appeared to be associated with rogue servers in 2008 were Allmar Networks and WOW.
  
  As examples of Paxfire boxes performing typo-squatting: it seems that customers of some ISPs trying to search Google have recently wound up at pages with urls like this:
  goto.searchassist.com/find?p=paxfire&s=www.wikipedia.org&t=9_33_1_0_1_12_1
  autocorre ct.sendori.com/autocorrect?p=paxfire&t=9_31_1_42_1_0_27
  goto.searchassist.com/find?p=paxfire&s=wwwurnextenant.info&t=9_33_1_0_1_12_1 goto.searchassist.com/find?p=paxfire &s=www.sabteahval.ir&t=9_33_1_0_1_12_1 goto.searchassist.com/find?p=paxfire&s=axxo.superfundo.org&t=9_26_1_0_1_4_1 goto.searchassist.com/find?p=paxfire&s=www.mcdgc.go.tz&t=9_33_1_0_1_12_1 goto.searchassist.com/find?p=paxfire&s=goto.searchassist.comhttp%3A&t=9_33_1_0_1_12_2 hxxp://goto.searchassist.com/ find?p=paxfire &s=www.cfjvhjgcjfvhgkjh.net goto.searchassist.com/find?p=paxfire&s=www.filesonic.com&t=9_32_1_0_1_7_2
  In these examples, something like wwwurnextenant.info is obviously a typo, but www.filesonic.com should resolve just fine. This is already objectionable and possibly illegal, I think. But what the EFF researchers found (as did I and others in 2008) is that Paxfire is in many cases hijacking ALL search requests, regardless of whether any typos occur, with Paxfire's meddling being entirely hidden from the user (the fake Google pages being visually indistinguishable from the real thing). See
  
  http://knol.google.com/k/dns-squatting
  How Paxfire stole Google.com - and nobody noticed.
  Joseph Harris
  8 August 2008
  
  for a screenshot from 2008, obtained by an ISP tech. In 2008, it seems that at least some ISPs which had hired GlobalPops were misled about the causes of customer complaints of hijacking. Surely that cannot be legal, can it?
  
  I believe that investigations by Attorneys General of the various states, the Congress, the FTC, and the Department of Commerce (which investigated Paxfire back around 2005) are warranted.

  [ link to this | view in chronology ]

• 

  A. Non, 10 Aug 2011 @ 12:57pm

  
  

  Why is Paxfire apparently hiding its fake Google servers behind front companies?

  The paper by Weaver et al., "Implications of Netalyzr's DNS Measurements", mentions two subnets:
  8.15.228.0/24
  69.25.221.0.24
  
  Anyone can look up the registration:
  
  8.15.228.0/24 is associated with
  Co-Location.com Inc.
  Development Gateway, Inc.
  Level 3 Communications, Inc.
  The first and last are two companies which came up when I investigated hijacking (of ALL searches, not just "typos") in 2008. The second, oddly, claims to be a company which works with the UN to develop communication tools.
  
  69.25.221.0.24 is associated with:
  Almar Networks LLC
  Internap Network Services Corporation
  
  As I said earlier, both these companies also came up in 2008 investigations as apparently having some murky affiliation with Paxfire. See the Knol by Joseph Harris.
  
  Here some addresses for Almar Networks LLC which appear on the web:
  
  ALMAR NETWORKS, LLC
  4231 DANT BLVD
  RENO, NV 89509-7020
  
  Almar Networks LLC
  297 Kingsbury Grade, Suite D
  Post Office Box 4470
  Lake Tahoe, NV 89449-4470
  
  Almar Networks LLC
  Stateline, NV
  
  And at www.nvsos.gov/SOSEntitySearch/CorpDetails.aspx? we find that Almar is a registered commercial agent in the US State of Nevada, which is "managed" by
  PAXFIRE INC.
  45665 WILLOW POND PLAZA
  STERLING, VA 20164
  
  Some other companies also turn up which appear to be affiliated with Almar, in places like Florida and Zurich, so following the corporate structure should be a fruitful line of investigation.

  [ link to this | view in chronology ]

• 

  A. Non, 10 Aug 2011 @ 1:31pm

  
  

  A consumer and a Paxfire victim, one of millions

  Forget to say:
  
  I am not affiliated in any way with Google, Comcast, Microsoft, or any other company, and I have absolutely no financial interest whatever in this mess. I am simply a consumer, a customer of an ISP and a former (current?) victim of Paxfire search term hijacking, possibly the one described in the Knol by Joseph Harris.
  
  It is crucial to understand that, as my ISP verified in 2008 in independent testing, ALL my google searches were being hijacked, and this appeared to be true for ALL the customers of my ISP.
  
  Once again I would like to draw the attention of reporters to the multiple-redirection documented by the research papers cited above. The authors note that this appears to be designed to fool advertisers into paying for supposed click throughs by many customers, when in fact these companies are paying because the search of one consumer was hijacked by equipment operated by murky companies which appear to be front companies for Paxfire. Now there is a name for that, isn't there? Its called click-jacking, isn't it?
  
  Mark Lewyn's protests that his company is doing nothing wrong, that this is all due to misunderstanding by consumers of what is going wrong with their searches, that if anything did go wrong it is only "by mistake" [sic], are in my view simply not credible. If this is "all a misunderstanding", why do so many people, including admins for ISPs, say that Paxfire appears to routinely deceive them (the admins), not to mention the consumer?
  
  I renew my call for investigation of Paxfire by the US Congress and by the Attorneys General of the US states (they can start by calling the AG of Nevada to ask about the relations between Almar and Paxfire, and the AG of Pennsylavania, to ask about the relations between Ad-Base, GlobalPops, and Paxfire).

  [ link to this | view in chronology ]