Monday, September 21, 2009

Should ISPs that break DNS face criminal charges?

I was sitting in my hotel room doing some work this evening and I accidentally followed a link in email to a company internal web site. In a world where the rules of the internet are obeyed, my web browser should have given me a "Page not found" error, because that site is not visible in any way from the outside world. I was not in that world tonight.

Instead, the ISP which this hotel uses has hooked up with OpenDNS (http://www.opendns.com/). OpenDNS does something unforgivably wrong. It lies about not finding the web site and directs your request to its own servers. The result is that my web browser happily passes the full request to OpenDNS. This request contains a URL which could leak proprietary information.

Now, in my case, this is only corporate information. But, what if I had been an employee of the federal government? I think a judge would have to consider that this might be a violation of section 6 of the Computer Fraud and Abuse Act (18 USC 1030). It's a question of using incorrect information to get my computer to release information that it otherwise should not.

To be fair, it's not only OpenDNS that does this. I've run into this problem all over the country, in hotels and with residential ISPs. At home, Cablevision does the same thing. They do give you an opportunity to opt out, but you have to understand the danger of their practice before you would choose that. That's not really enough; business practices should protect people by default, not by option. Comcast is also one of the guilty players in this game, with their "DNS Helper" service. Yeah - big help.
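
One way to check whether the resolver on a given network behaves this way, as an added example that is not part of the original post: look up a few random names that cannot exist and see whether the resolver returns an address anyway. The function names and the `.com` probe suffix are assumptions made for this sketch.

```python
import secrets
import socket


def random_probe_names(count=3, suffix="com"):
    """Build names that almost certainly do not exist (24 random hex chars)."""
    return [f"{secrets.token_hex(12)}.{suffix}" for _ in range(count)]


def system_resolve(name):
    """Addresses the system resolver returns for name; empty set if none.

    A lookup failure of any kind (not found, or no network at all) yields an
    empty set, so run this only while ordinary lookups are working.
    """
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_nxdomain_rewriting(resolve=system_resolve, probes=None):
    """Resolve nonexistent names; any answer means not-found is being rewritten."""
    probes = probes if probes is not None else random_probe_names()
    answered = {}
    for name in probes:
        addrs = resolve(name)
        if addrs:
            answered[name] = sorted(addrs)
    # Addresses shared by unrelated random names identify the redirect servers.
    landing = set()
    if answered:
        landing = set.intersection(*(set(a) for a in answered.values()))
    return {
        "rewriting": bool(answered),
        "answered": answered,
        "landing_addresses": sorted(landing),
    }


if __name__ == "__main__":
    result = check_nxdomain_rewriting()
    if result["rewriting"]:
        print("Resolver answers for nonexistent names:", result["landing_addresses"])
    else:
        print("Resolver returned not-found for every probe name.")
```

If the check reports rewriting, a mistyped or internal-only hostname on that network will send the browser's full request to the listed addresses instead of producing an error.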