Simple hack yields free Times Web content outside UK

Security through obscurity fails again


I don't normally read Establishment gazettes like the London Times or the Sunday Times, but whilst trawling the Web yesterday I spotted a link to a story which I thought might interest me. Imagine my disappointment when I attempted to access it and learned that only those Netizens located in the UK are permitted to read the Times for free.

Of course I was cordially invited to register and pay a subscription fee; but I didn't want a subscription -- I merely wanted to look at a single item. To me, £39.99 (about US $56.00) seemed an awfully steep price for the privilege of reading one lousy story.

So I decided to bamboozle the Times' electronic customs inspector if I could. That took all of ten minutes to accomplish, as the first (and easiest) workaround that occurred to me succeeded. They didn't even try to make a challenge of it. Essentially, I took a virtual trip to England courtesy of the Web: I merely resolved a list that I keep of working proxies to domains so I could see which ones were located in the UK. As soon as I spotted one, I entered it into my browser and then registered with the Times (using fictional personal data, naturally).

I was prepared for a struggle; but sadly, that's all it takes. And if your favourite UK proxy is slow, don't worry; you won't need it again. Just use it while you're registering. Once that's done, it makes no difference where you surf in from afterwards. The whole trick consists simply of having a UK domain showing in your HTTP header while you're setting up an account. Once that's done, your user-name and password will 'clear' you for free access thereafter.
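The gap described above, a location check made once at registration and never again, is shown here beside a check that is re-evaluated on every request. This is an added example, not code from the article or from the Times' actual system. The address ranges, country table and function names are constructed assumptions, and the per-request check only closes the register-once gap: a reader who stays on an in-region proxy still passes it.

```python
import ipaddress

# Constructed geolocation table built on documentation address ranges (RFC 5737).
# A real deployment would query a maintained GeoIP database instead.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "GB",     # stands in for a UK address
    ipaddress.ip_network("198.51.100.0/24"): "US",  # stands in for a non-UK address
}

accounts = {}  # hypothetical in-memory account store


def country_of(peer_ip):
    """Map the TCP peer address (never a client-supplied header) to a country."""
    addr = ipaddress.ip_address(peer_ip)
    for network, country in GEO_TABLE.items():
        if addr in network:
            return country
    return None  # unknown location is treated as outside the free region


def register(user, peer_ip):
    """Create an account and record the country seen at sign-up."""
    accounts[user] = {"signup_country": country_of(peer_ip)}


def free_access_signup_only(user, peer_ip):
    """Weak form: the decision is frozen at registration; peer_ip is ignored."""
    account = accounts.get(user)
    return account is not None and account["signup_country"] == "GB"


def free_access_per_request(user, peer_ip):
    """Stricter form: the region rule is applied to the address of each request."""
    return user in accounts and country_of(peer_ip) == "GB"


def compare(user, signup_ip, later_ip):
    """Register from signup_ip, then evaluate a later request from later_ip."""
    register(user, signup_ip)
    return {
        "signup_only": free_access_signup_only(user, later_ip),
        "per_request": free_access_per_request(user, later_ip),
    }


if __name__ == "__main__":
    # Registration from the constructed GB range, later request from the US range.
    print(compare("reader", "192.0.2.10", "198.51.100.7"))
```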

It's amusing to see a company getting clever with IP, trying to erect the virtual equivalent of a national frontier on the Web to exact a toll from hapless foreigners. The sheer stupidity of this effort is illuminated nicely by the sheer ease with which it's defeated. Did no one tell them that the Internet simply isn't built that way?

I do hope the Times is a good deal more diligent with the credit card data they collect from subscribers. But after seeing their 'security' scheme to lock out overseas freeloaders and protect their own revenues, I don't imagine I'll be trusting them with my CC data any time soon. ®
