An Anonymous Coward writes:
Is it just me or have ISP (Internet Service Provider) terms and conditions gotten a lot more one-sided about what you can't do and what they can do?
I was considering switching to the new Vodafone Connect broadband and phone service as there are some nice discounts for existing Vodafone customers (and I've had enough of BT's high prices for FTTC) but reading through the text of their Acceptable Use Policy (AUP) has caused me to think again. I'm sure a lot of the text in the agreement is fairly standard, and to be honest it's been a while since I switched providers, but some of these terms seem rather overreaching. For example:
2.7. You must not use the Vodafone Connect Services to access, download, send, receive, store, distribute, transmit, upload or in any way deal with material or data that we deem:
i. to be offensive, threatening, defamatory, racist, abusive, harassing, invasive of privacy, obscene, harmful, indecent or menacing;
Those words cover one hell of a lot of territory... sorry, did you deem my use of the "H" word offensive? What if I'm in a private chat with a friend and he calls me a "####" so I tell him to "#### off"? Use your imagination, we could be covering offensive, abusive, obscene and indecent right there (if not more).
Further on there's a section titled "Actions we may take" (where "we" is Vodafone) and this one really got my attention:
4.1. We may, at our sole discretion, run manual or automatic systems and monitoring in order to ensure that you remain compliant with the terms of this AUP at all times (for example we may scan for open mail relays, or open proxy servers). By accessing the internet via our Vodafone Connect Services you are deemed to have granted us permission to access and monitor your computer systems and networks.
So just by using their service I've given permission for them to access and monitor all my systems and networks! Well, given that they bought Cable & Wireless, they do have a history of working closely within the surveillance system. Funny, though, that they deem it acceptable to "access and monitor" my systems when earlier in the AUP it states:
2.11. Without the explicit permission of the relevant operators you may not run "scanning" software which accesses remote machines, networks or other computer systems.
Of course, they've got the usual "we can change this document at any time without explicitly telling you, and continuing use of the service means you agreed to any new conditions we've set" (See section 1.3) and finally you better not ever get a virus (goodbye Windows users):
2.13. You must ensure that your computer systems and network are not configured in such a way that others are able to exploit them in order to disrupt the internet or any other third party network. This includes but is not limited to ensuring that your network cannot be exploited as an open mail relay, open proxy server, or as a component of a wider network used in denial, or distributed denial of service attacks by third parties.
What is the problem? Install a firewall, nothing to be seen here. Their probing goes to the bit bucket.
Yes, maybe so, but on their side of the firewall they're free to do what they like to your traffic.
Install a VPN, nothing to be seen here either. Your traffic is unreadable to them.
And, no doubt, once identified, it will be QoS'd to such an extent that it becomes unusable.
Choose your own DNS lookup base. Your lookups cannot be tracked by them. Also your whole house is "protected" not just your machine.
Hah, I've just discovered today that my ISP was silently redirecting all DNS requests on their cable to their 'CDN' to 'improve customer experience' (or some such BS). The way I found this out: I was having problems with Windows Update on a netbook today, so I started sniffing my internal traffic at the boundary firewall. Seems they've expanded this silent redirect of DNS to also include silently redirecting both HTTP and HTTPS requests to the selfsame CDN.
I'm not naming names just yet, as I'm getting others to independently confirm this.
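One way to check for the silent DNS redirection described in the comment above without a packet sniffer, as an added example that is not part of the thread: send the same query to a real resolver and to an address that cannot possibly be running one. The constant `BOGUS_RESOLVER`, the function names and the resolver addresses are assumptions made for this example; the bogus address is a placeholder taken from the RFC 5737 documentation range.

```python
import random, socket, struct
# Constructed placeholder in TEST-NET-3 (RFC 5737): no resolver lives here.
BOGUS_RESOLVER = "203.0.113.53"

def build_query(name, qid):
    # Standard recursive A/IN query for `name` with transaction id `qid`.
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(resp, off):
    # Advance past a domain name: plain labels, a 2-byte pointer, or both.
    while resp[off] and resp[off] & 0xC0 != 0xC0:
        off += resp[off] + 1
    return off + (2 if resp[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(resp):
    # Return the IPv4 addresses in the answer section of a DNS response.
    _, _, qd, an, *_ = struct.unpack(">HHHHHH", resp[:12])
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # + QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs

def query(resolver, name, timeout=2.0):
    # One UDP query; returns the reply's source address and A records, None on timeout.
    pkt = build_query(name, random.randrange(65536))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (resolver, 53))
        try:
            data, (src, _) = s.recvfrom(512)
        except socket.timeout:
            return None
    return {"from": src, "answers": parse_a_records(data)} if data[:2] == pkt[:2] else None

def assess(resolver, reply, bogus):
    # A reply to the bogus address, or from an address other than the one queried, means rewriting in the path.
    if reply is None:
        return "clean: bogus address stayed silent" if bogus else "no answer"
    if bogus:
        return "INTERCEPTED: non-resolver address answered " + ",".join(reply["answers"])
    if reply["from"] != resolver:
        return "REDIRECTED: reply came from " + reply["from"]
    return "ok: " + ",".join(reply["answers"])
```

Run it as `assess(r, query(r, "example.com"), r == BOGUS_RESOLVER)` for your configured resolver and for `BOGUS_RESOLVER`; an answer to the second query can only have come from a box sitting in the path, not from the address you asked.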
Please name names.
Yes, well, I found that Comcast had handed out hardware that has hardcoded lookups to their own and 188.8.131.52.
Why they would give customer habits to Google for free is somewhat beyond me, so I have to think that it isn't being provided as a concurrent lookup resource that the cable modem does without the customer devices actually seeing the responses, but is actually a value add for Comcast. Since the field is grayed out and cannot be changed, I have to think it's not for my benefit.
So, what happens on that particular piece of business hardware is that DNS traffic leaving the unit also goes elsewhere. Client traffic gets the results expected. Comcast profits from the unexpected behavior, and Google too, I would imagine. Being the type that null-routed 184.108.40.206 and 220.127.116.11, it shocked me to see this on the modem management's IPv4 info page.
It didn't even matter that I prevented the devices in my home from reaching those IPs. Comcast reached them for me.
fuck the cloud
You're assuming they are routing the 18.104.22.168 to Google's machines, and haven't, for instance, just routed them to their own machine(s), which is logging all your DNS queries. Doing that would net them all their own queries on modems they supplied and anyone who had their own and set it to Google's servers.
A company like Comcast is not likely to be giving Google a free lunch. They are getting paid for that data in some way, or perhaps just hijacking it for themselves.
VPN over funny cat videos uploaded to facebook? Surely there's an RFC.
I am curious about this "just add a VPN!"
Where, exactly, is one doing this? Don't tell me some other endpoint that isn't under the user's control. That isn't much better. You never get a chance to agree or disagree to the VPN endpoint's EULA.
What you agree to with the VPN provider may have nothing to do with the antics that their ISP does to them.
People seem to now call VPN a type of security that the same types of people had called NAT, once upon a time. Security through obscurity. The problem with the VPN is that, yes, you are secure to that endpoint, and then you go out their NAT. If you were being spied on, your VPN would be allowed and then they'd just watch where the traffic came out.
NAT never stopped anyone from watching; NAT only stopped direct connections from the outside without a prior hook to a device behind the NAT itself.
VPNs are just as vulnerable to ignorance of their use and purpose as NAT was.
Your traffic is only obscured between you and the end point; for all you know everything unencrypted after leaving the tunnel is being sold or watched. If *privacy* is your concern, all it will do is ensure that your ISP sends you generic ads as opposed to specific ones. If security is your concern, then why are you surfing the web over a VPN to an uncontrolled endpoint and logging into various places that clearly reveal who you are?
If privacy and security are your concerns, the advice is invalid and I'd suggest rethinking how to avoid being seen. Hiding behind one of two bushes will still get you blown up and exposed...
Hence sit under a rock in the woods and wait for the rock to fall on your head.
Nothing is perfect.
From what you say, using a VPN isn't solving the problem, just moving it somewhere else.
If you have somewhere else that is safe, secure, under your control, and not filtered or redirected or throttled, then fine — but what about those of us who don't? Perhaps, like free IP4 addresses, the long-term solution isn't to fight over the remaining ones, but to arrange something better.