Anyone remember Navitaire vs Easyjet?
Pot. Kettle. Black.
easyJet has confirmed that Expedia is not the only online travel firm to have felt the airline’s wrath – it has also fired off letters to several other UK websites warning them to stop selling its flights. As we revealed earlier this week, the budget airline company wrote to Expedia.co.uk telling it to stop punting easyJet …
I can understand sites which resell flights with their own mark-up, like Expedia. However, sites which depend on agent's fees or advertising revenue, and still send you to Easyjet's site for the final booking, like Skyscanner, I hope would be exempt. Mostly because Skyscanner is a great aggregator, and I would probably just disregard any cheapo that opted out from having their flights appear on it.
While I am sure this is very effective at stopping people blocking MoneySupermarket it is a little wasteful of address space. Also, shouldn't the vendors have the right to choose if they are exploited by screen scraping bots such as this?
What if expedia and the like are screen scraping another service (paying for the EasyJet data) and this third-party doesn't prohibit screen-scraping?
Sounds like a bit of a nightmare proving where the data has come from originally (although I'm sure Expedia would play nice and fess up)
(No doubt there's a backlog of similar comments wending their way through the moderation system but here goes...)
2 million IP addresses?! I would have thought even Google doesn't have that number of machines, let alone that number with individual *public* IP addresses.
Methinks the PR monkey needs more training...
"...argue the defence that it was unaware of easyJet's terms and conditions, which prohibit screen scraping."
If a company publishes their prices online, then how can they stop someone else from using them? How do some silly T's&c's restrict that?
Price comparison websites provide a simple service. They just automate an activity that you or I would have to do manually - i.e. visit each individual site and compare the costs (including delivery charges, time to deliver, delivery options etc).
I work in Holland, so when I need to fly over, I simply visit the sites of KLM, BA and BMI; manually compare the flight costs and options (times). I don't see the problem in Expedia (or anyone else) automating that for me.
They also provide advertising for companies, too. I.e. Easyjet should pay Expedia for showing off their cheap prices to people that might not otherwise have gone to their site or known that they service the route.
I just don't get this... Is it a simple case of easyJet's Lawyers having too much time on their hands, or a CEO on a stupid power trip?
"No, we're not going to give free advertising to these websites"
"But [price comparison website] Moneysupermarket.com for example uses something in the region of two million IP addresses making the website very hard to block."
And I just checked out their website, and will probably use it to book my flight next month, as it offers a great comparison service. Interestingly, on exactly the same flight that I was going to book, expedia charges around 16 pounds more than ebookers.
I'm guessing ebookers are also the recipient of easyJet's emails...
Has Moneysupermarket created the biggest bot army ever? How can it have 2 million IP addresses? And of course all in several blocks all around as I can block all the 16 million addresses of one class A range in 2 seconds.....
Sounds like some people are still trying to BS the Daily Mail journalist (oops sorry.... I know they don't recruit any!).
What exactly is EasyJet's problem?
Expedia are only making use of information which is already available to the general public, and EasyJet are still getting paid for the flights.
The only people who can be said to be losing out are the customers, because Expedia must be adding a markup. But presumably they are happy to pay this markup if it means they do not have to check prices right, left and centre.
I guess easyjet won't be competing on price any more then - that's the only reason I could find for not wanting to appear on comparison sites any longer - instead they'll be trading on reputation. Bwahahaha.
Actually they'll be trading on their reputation as a cheap'n'cheerless low-cost carrier that (used to) run the cheapest flights - and now wants more money (in order to stay in business with oil at $XXX per barrel) and would prefer everyone not to be able to compare them with their competition.
Yup, a deluded owner with pretensions towards grandeur and a hypocritical denial of their under-cutting start in the industry.
PH because she's easy and also owns a jet and is also orange coloured.
So let's get this straight. EasyJet want sites who are advertising their brand for free, and in the process bringing them customers without paying commission rates, to stop or face legal action? Stelios really needs to start thinking about harnessing the opportunities from working with the likes of Expedia etc, not trying to make them sworn enemies.
Considering the onslaught of RyanAir this is not exactly the brightest commercial decision ever made. But then, EasyJet have a history of dumbass commercial decisions.
Thought I'd check out the site with the poor TV adverts, just to see what all the fuss is about, comparing prices of flights I have already booked direct with BA for later this year (at the time easyjet were more expensive!). The site asks me how many travellers, so I respond 3 since there's 2 adults and an infant who'll sit on our laps - clicking through to easyjet there's nowhere to actually specify ages! I doubt I'll go back there...
I've flown Easyjet in the past, but the prices are just not low enough to put up with all the long queues, extra charges to check in baggage, seating (non assigned & squashed in). They should welcome any other site that generates them some traffic!
It's not really that hard to protect your website against most scrapers with a little bit of work.
For one thing, you display your prices on screen as an image, and never have the price shown within the page as a text entry. That'll slow the buggers down.
Also, having lots of variability within your code, different form element names, different page structure, etc, all randomised, will make Mr Scraper's job very difficult.
They have about 60 IP addresses for the travel side. The 2 million IP addresses are those of the customers deeplinking into the providers site, by banning travelsupermarket/moneysupermarket they would be turning away that many customers.
Sounds more like an excuse from the lazy admins at easyJet
I suspect the reason easyJet are doing this is because they depend heavily on a pricing model that relies on customers behaving in a certain way.
The models will depend on only a small minority of passengers buying the cheapest tickets and the vast majority paying full price. This is how they achieve seemingly much cheaper flights while maintaining a profit margin. The no frills aspect doesn't really represent a whole lot of price difference.
Advertising cheaper tickets more widely will break the pricing model and hence they take the action.
>So basically on top of the already very slow sites they typically run,
>you want to add multiple website errors and some big images? Heh.
Not really! A price in an image as a PNG or GIF is going to be bugger-all in size (yes much > than plain text, but not a significant hit overall).
Plus, who says randomized page content and form field names, etc would have to generate "website errors". Do it properly and it can still all generate perfectly compliant and valid HTML. It's just it'll be slightly different HTML every time you look at the source, but the result would render the same.
Now.... I'm not suggesting that it is right or wrong for companies to be scraping EasyJet's content, I find the comparison sites very useful - but not always cheaper - trying to book a flight to Texas recently found that the air fare on continental.com was far cheaper than any of the fares - even from continental - listed on the main comparison sites. Same with airport parking - almost always cheaper to go direct to the parking company websites and join their 'club'!
So, I'm the comparison site's worst customer. I use them as an index and then go and check up/book directly on the vendor's website. So I'd love these people to keep scraping the EasyJet site for my benefit!
...because they would have to have a name, so the price comparison site could just pick up on the name and use that. More of a pain, but workable.
Unless of course you had a cipher that renamed the images at the server prior to each refresh... or some other crap like that!
"It's not really that hard to protect your website against most scrapers with a little bit of work.
For one thing, you display your prices on screen as an image, and never have the price shown within the page as a text entry. That'll slow the buggers down"
Doing that would breach the Disabilities Discrimination Act (Many companies breach it by doing this sort of thing, Ingram Micro etc). Those people with poor or no sight can have web pages 'read' to them, putting text into a graphic stops this being possible.
You can have Text as Graphics if you also include the text e.g. alt="my data"
Tony - it would be easy to write a script that generated images with a unique URL. Not every URL is a file - many (most?) are caught and the content is generated automatically by a script. This can be done with images too.
Chris - it isn't illegal to use text only as graphics. The law says the site operator must make 'reasonable adjustments' to make it suitable for disabled users.
If there is evidence that the site is being 'scraped' - it might not be reasonable to make the prices available as text (unless there was a better way to stop the site being scraped).
Even then, websites could allow alternative methods - e.g. a button that will play a sound file of the price.
As EasyJet.com is a very well known website, EasyJet would have to be careful to make sure any changes they make complied with the law, but - as ever - nothing is black and white.
Whereas your allocations would most likely be correct in a LAN environment this is not a LAN environment.
It is unlikely that an address range of 8-11 will use 8 as subnet and 11 as broadcast as this would (a) make half the addresses unusable and (b) be pointless.
You can have a subnet with all zeros or ones, since about IOS version 12.0 it has been default on Cisco kit to allow this. (previously it was allowed, it was just not allowed by default).
As an example look at a typical home user type allocation of say:
In this instance, 18.104.22.168 would be the network, 22.214.171.124 would be the broadcast and 126.96.36.199 would be reserved for the router leaving -2 addresses available for your computer.
In an internet facing scenario, every IP address will belong to a NAT router, it is extremely rare (and dangerous) to attach non-firewalls directly to the interweb in a corporate environment.
for some explanations.
"Chris - it isn't illegal to use text only as graphics. The law says the site operator must make 'reasonable adjustments' to make it suitable for disabled users."
You are correct in that the law doesn't say that explicitly, but how else do you "make it suitable for disabled users"? Having a button that played a sound file to you is the only other way I can see of complying, and that wouldn't really be sensible. Can you think of another way?
I don't have a sight problem but do like to save information out and search it. e.g. I get sent many many details of special offers and may want to find them some time later, if it comes to me as text then that can easily be filed and searched, as graphics no chance.
I've asked companies like Ingrams a number of times how do they think they comply, but they never reply.
and would not always have the pain tolerance to look at an individual airline's website. Plus Easyjet should be grateful for any business they can get, especially with the price of oil rising daily (and don't they have many aircraft on order?) I don't think you need to be a chartered accountant to work that out.
Nothing has to be passed to the browser that would give it any clue what the images are about. Here, for information only, is how it works:
1. The server sends a cookie to the browser when a login session is established. That cookie is a filename (or a key within a database) on the server. The file (or database record) contains the actual price to be disguised.
2. When your browser asks for the images showing the prices, it sends back the same cookie along with each request.
3. The server looks up the price in the appropriate file or database, renders the text as an image and returns the image to the browser.
Not that I condone such practices for a minute. I actually think Expedia are doing EasyJet a favour by sending customers their way ..... but no doubt EasyJet will have to mention out loud in court whatever it is that they think they are being deprived of.
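The three steps in the comment above, combined with the per-request image URLs suggested earlier in the thread, as an added example that is not part of any poster's comment: `PriceImageServer`, the `/p/<id>.png` URL layout, the 3x5 font and the sample route and price are all constructed for illustration.

```python
import secrets
import struct
import zlib

# 3x5 bitmap font covering the characters a price needs (constructed for this example).
FONT = {
    "0": ["111", "101", "101", "101", "111"], "1": ["010", "110", "010", "010", "111"],
    "2": ["111", "001", "111", "100", "111"], "3": ["111", "001", "111", "001", "111"],
    "4": ["101", "101", "111", "001", "001"], "5": ["111", "100", "111", "001", "111"],
    "6": ["111", "100", "111", "101", "111"], "7": ["111", "001", "001", "001", "001"],
    "8": ["111", "101", "111", "101", "111"], "9": ["111", "101", "111", "001", "111"],
    ".": ["000", "000", "000", "000", "010"],
}
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, data: bytes) -> bytes:
    """One PNG chunk: length, tag, data, CRC over tag+data."""
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", zlib.crc32(tag + data))


def render_png(text: str, scale: int = 4) -> bytes:
    """Render digits and '.' as an 8-bit greyscale PNG (KeyError on other characters)."""
    rows = ["0".join(FONT[ch][r] for ch in text) for r in range(5)]  # 1-pixel gap between glyphs
    raw = b""
    for row in rows:
        line = b"".join((b"\x00" if px == "1" else b"\xff") * scale for px in row)
        raw += (b"\x00" + line) * scale  # leading 0 = PNG filter type "None" for each scanline
    ihdr = struct.pack(">IIBBBBB", len(rows[0]) * scale, 5 * scale, 8, 0, 0, 0, 0)
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")


class PriceImageServer:
    """Server-side state only; the browser sees a cookie and opaque image ids."""

    def __init__(self):
        self._sessions = {}  # step 1: session cookie -> {slot: price text}
        self._images = {}    # one-time image id -> (cookie, slot)

    def start_session(self, prices: dict) -> str:
        cookie = secrets.token_urlsafe(16)
        self._sessions[cookie] = dict(prices)
        return cookie

    def page(self, cookie: str) -> str:
        """HTML fragment with one <img> per price; ids are fresh on every render."""
        tags = []
        for slot in self._sessions[cookie]:
            image_id = secrets.token_urlsafe(12)
            self._images[image_id] = (cookie, slot)
            tags.append(f'<img src="/p/{image_id}.png">')
        return "\n".join(tags)

    def image(self, cookie: str, image_id: str):
        """Steps 2 and 3: the request carries the cookie, the server renders the price."""
        owner, slot = self._images.get(image_id, (None, None))
        if owner is None or not secrets.compare_digest(owner, cookie):
            return None  # unknown id, already used, or presented by another session
        del self._images[image_id]  # each id is valid for a single fetch
        return render_png(self._sessions[cookie][slot])


if __name__ == "__main__":
    srv = PriceImageServer()
    sid = srv.start_session({"LTN-KRK": "137.00"})  # constructed sample data
    print(srv.page(sid))
```

The price never appears in the markup or the URL, but the pixels still carry it, so this raises a scraper's cost rather than removing the data, and the accessibility objection raised earlier in the thread still applies.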
How does this work?
How does Expedia sell Easyjet tickets? Surely your credit card transaction has to go via Easyjet or else Easyjet won't get paid. If that happens then how does Expedia get its cut? If Expedia take your money and then buy the ticket on your behalf using their own account Easyjet could simply refuse the transaction.
I'm not denying they can do it, I'd just like to know how.
Also why is this not a problem for Ryanair? I've just tried Stansted-Krakow 8th July, return 15th July. On Expedia all I get is LOT at over GBP500 (change in Munich) but at Ryanair I can get it for GBP120.
Actually I tried Luton-Krakow for same dates and Expedia finds nothing at all but Easyjet has seats at GBP137. So has Expedia already caved in? Or is Expedia, as I've always suspected, only interested in selling expensive tickets and gets a commission from the airlines like any other travel agent.
IT? because there are only two icons with a question mark and I don't want to go to Paris.
According to yesterday's article, Easyjet flights are available through the GDS. So why would Expedia need to screenscrape - Easyjet are putting the info in the GDS!
GDS queries may cost more than web scraping, but I'm pretty sure that Expedia doesn't webscrape every other airlines website for prices - getting a comparison would be next to impossible if they had to wait for slow airline websites to respond.
Expedia can also use the GDS to book the flight on for _their_ customer. If Easyjet doesn't want companies to use the GDS to book Easyjet flights, they shouldn't be listing their flights there.
When I go web shopping to certain web sites I often use two or more computers. The reason for this is variable pricing where the price offered to you reflects the level of interest that you have in the product. The specific products offered will vary as well. So depending on what I have in mind I often come in with a 'clean' computer, pull the URL and then hit the site from the computer I do the purchasing from. This seems to bypass the logic.
I suspect Easyjet is also using this type of mechanism. They are locked in a battle with consumers -- they want to sell the product for more than the consumer wants to pay so there's a delicate confidence trick being worked. If EJ knows you're a regular customer who's not that discriminating (doesn't comparison shop) then they'll drop a bit more onto the price.
It's a fun activity, a bit like watching the price tags in stores go up and down throughout the week. It's also a waste of my time -- I usually haven't got the time or the interest for these games.
So a third party website (acting like my 'clean' computer) messes the game up which is why EJ doesn't like it. They don't know who's buying the ticket so they don't know how much they can charge.
BTW --- Amazon was the first to experiment with this.
Seriously, how do these website purchase tickets? I suppose they could have a system that just registers with the Easyjet website and uses that (easy enough with a little ingenuity).
However, this would also be expensive, as they would buy the tickets at the same cost as the consumers, then have to add something to make a profit.
Still, having seen the prices at Expedia and Lastminute, they may well be doing this.
AVG seems to have a lock on having multiple computers on the Internet running their product. Since we now know that AVG will auto-follow links and pre-load and pre-screen content, it isn't that far of a stretch to sell this (screen scraping) service to Easyjet competitors. This alone could cover the development costs of AVG and allow it to become commercial freeware.
The counter-measure to this would be unthinkable as Easyjet would have to identify and block nearly every AVG user.
@Anonymous Coward (GDS): I am a developer for a site similar to expedia and I've never heard of 'GDS' as an API to buy flights from. We can buy flights through different systems, ranging from screen-scraping ViewData (an old teletext-style booking interface), screen-scraping websites, scheduled flat-file imports (in CSV, EDI or AVALIBLE format) or ideally XML services. The majority of low cost airlines we get through screen-scraping. We send search requests to all the airlines simultaneously and if an airline doesn't respond in time then they won't make it into our flight results.
@Stuart Castle: Yes - most travel sites selling EasyJet/RyanAir tickets will be booking the tickets on the website's debit card, then adding their own markup and debit / credit card fee on top. Without the low cost airlines offering account based systems they don't have much choice.
(Posted as anonymous because I don't want this to get me or my employer in trouble)
"However, this would also be expensive, as they would buy the tickets at the same cost as the consumers, then have to add something to make a profit.
Still, having seen the prices at Expedia and Lastminute, they may well be doing this."
According to these articles, that's exactly what Easyjet are alleging the screen scrapers do. And indeed that is exactly how a screen-scraped interaction works. Dead easy with Python, Perl, PHP or similar.
Biting the hand that feeds IT © 1998–2022