a.oix.net - TTNET's profiling engine!

Recep Baltaş

Outside of the 'yes please data rape me' subscription I was looking for evidence that Phorm were setting cookies. Perhaps they have been warned off that tactic.

Well, yeah. Now I have 3 cookies in my browser:







You say this cookie is on your work computer. Depending on what work is and which network you were on, perhaps you work from home, then the implication is that TTNET is performing Deep Packet Inspection upon, perhaps, all the communications from the company you work for.

You might wish to mention this to your IT department, perhaps that is you, and 'duh' The Management. If you believe what Phorm claims then you will have enabled the system at the network level, as if they were not fiddling about anyway.

I might be being alarmist but this now means that the company you work for is exposed to the gathering of Business Intelligence by TTNET/Phorm.

Major Major Major Issue.


We are about 40 people using this connection at work. We have two connections. One is TTNET VDSL, the other is Superonline F/O. You are damn right about the "whole network inspection". When I visit gezinti.com, I now see two options. These are:


  • Gezinti for this Browser
  • Gezinti for the Internet Line




I know that it will sound funny, but we don't have an IT department :) Welcome to Turkey :)


Fundamental question is.... Do TTNET/Phorm avoid Business and Educational, or indeed any other 'delicate' for example Hospital, connections. Apparently not.

Definitely not!
 

MorbidFractal

HTTP/1.1 200 OK
Date: Sat, 24 May 2014 10:40:30 GMT
Server: Apache
Cache-Control: no-store, no-cache
Set-Cookie: uid=Yj56gM0fRy-OwqjZQxVNHwJZcAQOQ3KgUCaXS32Xmfo9HXp4Q9oeo1B3qNXO5L00Y; expires=Sun, 24-May-2015 10:40:30 GMT; domain=adobur.com; path=/
Set-Cookie: OPTED_IN=1; expires=Sun, 24-May-2015 10:40:57 GMT; domain=.adobur.com; path=/
P3P: CP="NON COR PSAo PSDo OUR BUS UNI STA PRE"
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 4252
Keep-Alive: timeout=15, max=100
Content-Type: application/javascript
 

Dephormation

Keith, guess what! I've hit the jackpot. Last week, I was about to visit my bank's web site. I googled my bank and hit the first result. Guess what. I got an invitation to gezinti.com. Of course, to investigate the system, I have accepted the invitation. Now tell me what to do :) Oh, and of course it gave me a nice cookie that I will share later. It is in my work computer.

Hi Recep.

Please drop me a line with the technical details ;)

If you've got Firefox/Dephormation... you'll see details of the redirections Phorm are using to monitor your internet use as warnings. If you enable the Firefox Web Console.. you will see a log of requests/responses that might be useful for diagnostic analysis (Ctrl+Shift+k).

As Keith suggests... you may also find you have an unexpected Flash Local Shared Object too.

You can view the contents of the LSO using a tool called 'SolEdit'. The LSO preserves your ID, so that if you 'change your mind' (to borrow Kent's explanation) your ID is restored.

Probably here;

C:\Documents and Settings\ \Application Data\Macromedia\Flash Player\#SharedObjects\6GC8WKR5\b.oix.net\cs\memo2.swf

Dephormation can be configured to overwrite the LSO too.

Pete
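
An added example, not part of Pete's post and not Dephormation's own code: a Python script that lists the Flash Local Shared Objects stored for the domains named in this thread, so the LSO described above can be found without browsing the folder by hand. The function name `find_lsos`, the watch list and the sample root path in `__main__` are assumptions for illustration.

```python
import os

# Domains named in this thread; matched as suffixes so a.oix.net and b.oix.net both hit.
WATCHED = ("oix.net", "adobur.com")


def find_lsos(shared_objects_root, watched=WATCHED):
    """List .sol files stored for watched domains under a Flash '#SharedObjects' dir.

    Layout: <root>/<random id>/<domain>/<path of the .swf>/<name>.sol
    """
    hits = []
    if not os.path.isdir(shared_objects_root):
        return hits
    for profile in sorted(os.listdir(shared_objects_root)):
        profile_dir = os.path.join(shared_objects_root, profile)
        if not os.path.isdir(profile_dir):
            continue
        for domain in sorted(os.listdir(profile_dir)):
            host = domain.lower()
            # Exact or dot-bounded suffix match, so "notoix.net" is not a hit.
            if not any(host == w or host.endswith("." + w) for w in watched):
                continue
            for folder, _, files in os.walk(os.path.join(profile_dir, domain)):
                for name in sorted(files):
                    if name.lower().endswith(".sol"):
                        path = os.path.join(folder, name)
                        hits.append({"domain": host, "path": path,
                                     "bytes": os.path.getsize(path)})
    return hits


if __name__ == "__main__":
    # Assumed default location on Windows; pass another root for other systems.
    root = os.path.join(os.environ.get("APPDATA", ""),
                        "Macromedia", "Flash Player", "#SharedObjects")
    for hit in find_lsos(root):
        print(hit["domain"], hit["bytes"], hit["path"])
```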
 
Recep Baltaş

You are the Man!

These are the same cookies I/We see using a proxy on the TTNET network. CT, OPTED_IN and UID. Probably unimportant but you will see that your UID is longer than the 24 characters claimed by Phorm.

What!! No IT department? Rest assured, every other 'small' company on the Planet is probably in a similar situation. I have also noticed that Turkish people come with two arms, two legs, a head thing and a bit in the middle to join them together.

Depending on how The Pointy Haired Boss might react,

Dilbert comic strips archive at the official Dilbert website

you might wish to inform her/him about the situation.

Obviously people use their work computers for other activities and this is something that should be expected. I would suggest that one thing she/he does not need is her/his ISP 'spying' on their activities, personal, but more importantly in respect of her/his business. Make sure she/he understands that 'opted_in' or 'opted_out' her/his business communications are still being subjected to interception.

It looks like you are running Chrome. I have no idea how you might find it but if you also have the Flash Player installed you will probably also find that you have a SOL cookie from b.oix.net on your computer. Phorm presumably hope/expect that if people delete normal cookies on browser exit they will not know about the Flash ones and therefore will still be tracked.

It looks like, in fact it is, you are being offered the chance to 'opt_out' for your particular computer. If you choose that then your cookies should be updated to show that 'choice'. The other one is to 'disable' at the network level. As far as I am concerned these are all meaningless terms.

One thing I have seen via a proxy server is that if I 'enable' the system and then visit,

http://www.gezinti.com

as a different user, new account set up on the same computer, I am told that the system is not available. Perhaps this is something you or one of your colleagues might wish to try.

One thing that confuses me is that there appears to be no effort from Phorm/TTNET to actually promote Gezinti. It seems you sign up, to nothing, and then carry on browsing receiving no benefit. I am guessing/assuming that having signed up you are not asked to bookmark the 'portal' page and even if you did you would still receive the same tired old news articles scraped or stolen from elsewhere and totally unrelated to your 'interests'.

Again using Chrome I would not know what tools might be available to you and it is probably too much to ask, especially on a work connection. Phorm claim advertising 'partners'. I would assume that if they are going to deliver 'targeted adverts' then any web page you visit which carries one will 'call home' to check what to deliver. As a result you might be able to see who these 'partners' are and inform others that the associated companies should not be trusted.

It's probably too much to ask because I think you will find nothing of any interest.

https://twitter.com/tahsin_yilmaz

What's that Tahsin? No new tweets since the fourth? And there was I thinking you were so ultra cool with the social networking thing. After all you claimed it was important.

https://twitter.com/#!/search/realtime/Phorm

Oh Dear. Turkey thinks you and Kent are as welcome as wet farts in a spacesuit.


I really don't think that my boss will care about the situation. Really!

I will check the Flash cookie and let you know.

Hi Recep.

Please drop me a line with the technical details ;)

If you've got Firefox/Dephormation... you'll see details of the redirections Phorm are using to monitor your internet use as warnings. If you enable the Firefox Web Console.. you will see a log of requests/responses that might be useful for diagnostic analysis (Ctrl+Shift+k).

As Keith suggests... you may also find you have an unexpected Flash Local Shared Object too.

You can view the contents of the LSO using a tool called 'SolEdit'. The LSO preserves your ID, so that if you 'change your mind' (to borrow Kent's explanation) your ID is restored.

Probably here;

C:\Documents and Settings\ \Application Data\Macromedia\Flash Player\#SharedObjects\6GC8WKR5\b.oix.net\cs\memo2.swf

Dephormation can be configured to overwrite the LSO too.

Pete

I will report back right away.

Update:

OK, I think I have removed the cookies with CCleaner cuz the folder was nearly empty. I am at home now. I will report the situation when I get to work tomorrow. Looks like my ISP does not have service now even if it uses TTNET infrastructure.
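
An added example, not code from any poster in this thread: the response headers posted earlier can be checked mechanically. The script parses the Set-Cookie lines, compares the uid length with the 24 characters mentioned above, and computes each cookie's lifetime from the server's own Date header. The function names and the 16-character identifier threshold are assumptions for illustration.

```python
from datetime import datetime, timezone

# Response headers as posted in this thread, trimmed to the lines that matter.
CAPTURED = """\
HTTP/1.1 200 OK
Date: Sat, 24 May 2014 10:40:30 GMT
Set-Cookie: uid=Yj56gM0fRy-OwqjZQxVNHwJZcAQOQ3KgUCaXS32Xmfo9HXp4Q9oeo1B3qNXO5L00Y; expires=Sun, 24-May-2015 10:40:30 GMT; domain=adobur.com; path=/
Set-Cookie: OPTED_IN=1; expires=Sun, 24-May-2015 10:40:57 GMT; domain=.adobur.com; path=/
"""

CLAIMED_UID_LEN = 24     # UID length the thread attributes to Phorm's claims
IDENTIFIER_MIN_LEN = 16  # assumption: longer opaque values are treated as IDs


def parse_http_date(value):
    """Parse 'Sat, 24 May 2014 ...' (Date) and 'Sun, 24-May-2015 ...' (expires)."""
    rest = value.split(",", 1)[1].strip().replace("-", " ")
    return datetime.strptime(rest, "%d %b %Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)


def audit_cookies(raw):
    """Return one record per Set-Cookie header: value length, lifetime, scope."""
    served, records = None, []
    for line in raw.splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "date":
            served = parse_http_date(value)
        elif name == "set-cookie":
            pair, *attrs = [p.strip() for p in value.split(";")]
            key, _, val = pair.partition("=")
            attr = {k.strip().lower(): v for k, _, v in (a.partition("=") for a in attrs)}
            records.append({"name": key, "value_len": len(val), "attrs": attr})
    for rec in records:
        expires = rec["attrs"].get("expires")
        # Lifetime relative to the server's own Date header, in whole days.
        rec["days"] = (parse_http_date(expires) - served).days if expires and served else None
        rec["domain"] = rec["attrs"].get("domain", "").lstrip(".")
        # A long opaque value identifies the browser; a short one ("1") is only a flag.
        rec["identifier"] = rec["value_len"] > IDENTIFIER_MIN_LEN
        rec["exceeds_claim"] = rec["name"].lower() == "uid" and rec["value_len"] > CLAIMED_UID_LEN
    return records


if __name__ == "__main__":
    for r in audit_cookies(CAPTURED):
        print(r["name"], r["value_len"], r["days"], r["domain"], r["identifier"], r["exceeds_claim"])
```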
 

Dephormation

The Hürriyet newspaper has published a removal method, but I haven't tried it without consulting you, and I don't know whether it works. Related article: How to remove Gezinti.com / 1 - Hürriyet

Beware! That article is wrong, and completely misleading.

Modifying your registry will have *no effect at all* on Phorm. (Particularly if you aren't running Windows :) ).

Because Phorm infects your ISP, the only way to get rid of Phorm is a new ISP, or encryption (TOR/VPN etc).
 

Burak Alkan

Beware! That article is wrong, and completely misleading.

Modifying your registry will have *no effect at all* on Phorm. (Particularly if you aren't running Windows :) ).

Because Phorm infects your ISP, the only way to get rid of Phorm is a new ISP, or encryption (TOR/VPN etc).

Yeah, it is completely BS. We are about to release an article about Phorm today. We will add that notice...
 

Ali Güngör

Unfortunately, the Phorm removal article published in Hürriyet does not work at all, folks... They did not check the information or dig into it; I did not expect this of them.

We summarized the latest developments on this topic in this article of ours: How Does TTNET's Profiling Engine Work? | Technopat
 


