The Good, the Bad, the Net Neutrality Detector (Page 3 of 4)
Net neutrality in a nutshell: Some advocates have warned that broadband providers will use their control over the "last mile" to discriminate between content providers, particularly competitors. Net neutrality advocates also predict that telecom companies will seek to impose a tiered service model as a means of profiting from their control over the pipeline as opposed to demand for particular content or services.
Some say that providers are already practicing hostility toward Net neutrality. Kaminsky wants those providers to know that people now can detect what they're up to. This is something he stumbled upon when dissecting browser behavior for the DNS binding design flaw.
"Now that I'm understanding what we can make a browser do, we can make very controlled HTTP requests with a browser," he said.
Normally, a browser makes a request that's structured, standardized and doesn't have much flexibility. Plug-in technologies such as Flash, however, are providing people with arbitrary TCP sockets. They're blank, Kaminsky said. HTTP (TCP with headers that describe what's going on) means people can put on any headers they want, or leave out whatever they want.
This flexibility is very interesting, Kaminsky said, in its ability to detect what he called provider hostility, i.e., if a service provider is stuttering, or serving up a given resource at stumble rates, intentionally. In a nutshell, a speed test against "transparent" (easily detectable) proxies used by some consumer networks will directly yield information about hostility.
To detect hostile providers, first people need to filter out the differences. They have to download from two separate sites. Just because one's slow and one's fast doesn't mean a provider's hostile, though. People need two data sets to come from the same site, with the same server, and with the only difference being that the provider's network sees it as the person's site as opposed to someone else's.
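The controlled comparison described above, as an added example that is not from the article or from Kaminsky's tool: given throughput samples for the same object from the same server, fetched under a neutral label and under the label being tested, it reports the slowdown and uses a permutation test to separate deliberate throttling from ordinary variance. The sample figures, thresholds and function names are constructed for illustration.

```python
import random
import statistics

def median_ratio(control, labelled):
    """Median throughput of labelled transfers relative to control (1.0 = equal)."""
    return statistics.median(labelled) / statistics.median(control)

def permutation_p_value(control, labelled, rounds=5000, seed=1):
    """Two-sided permutation test on the difference of medians.

    If the network treats both labels alike, shuffling which label each
    sample carries should often produce a gap as large as the observed one.
    """
    rng = random.Random(seed)
    observed = abs(statistics.median(control) - statistics.median(labelled))
    pooled = list(control) + list(labelled)
    n = len(control)
    hits = 0
    for _ in range(rounds):
        rng.shuffle(pooled)
        gap = abs(statistics.median(pooled[:n]) - statistics.median(pooled[n:]))
        if gap >= observed:
            hits += 1
    return (hits + 1) / (rounds + 1)

def assess(control, labelled, alpha=0.01, min_slowdown=0.8):
    """Flag differential treatment only if the gap is large and unlikely by chance.

    alpha and min_slowdown are assumed thresholds, not values from the article.
    """
    ratio = median_ratio(control, labelled)
    p = permutation_p_value(control, labelled)
    return {"ratio": round(ratio, 2), "p": p,
            "differential": ratio < min_slowdown and p < alpha}

# Constructed samples (Mbit/s): same server, same object, runs interleaved in time.
CONTROL   = [9.6, 9.9, 10.1, 9.8, 10.3, 9.7, 10.0, 9.9, 10.2, 9.8]
THROTTLED = [4.1, 3.9, 4.4, 4.0, 4.2, 3.8, 4.3, 4.1, 4.0, 4.2]
NOISY     = [9.4, 10.4, 9.9, 10.0, 9.6, 10.2, 9.8, 10.1, 9.7, 10.0]

if __name__ == "__main__":
    print("throttled label:", assess(CONTROL, THROTTLED))
    print("noisy label:    ", assess(CONTROL, NOISY))
```

Interleaving the two kinds of transfer in time matters as much as the statistics: congestion that changes between a "control" batch and a "labelled" batch would otherwise look like discrimination.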
Of course, people can just issue a request to wherever they want, such as, "Please send me a movie from Viacom. Also, send me a movie from YouTube." "If it comes faster from one vs. the other, you'll know the network is being hostile to the site" from which it's slowly delivering the movie, Kaminsky said.
However, networks can realize people are trying to test their speed. Just for the purpose of the test, people therefore might get served everything fast.
The question Kaminsky had was, is it possible to make a hostility test that's undetectable?
Here's what he needed: To spoof sites on the Internet, to know what these sites would see, to respond as if he was those sites, and to keep those real sites from interfering with his interference.
"I don't want them to be able to tell," he said. "Am I able to make a system" that couldn't tell? Is it possible to build a hostility detection system that uses traffic indistinguishable from real-world traffic?
"The answer is yes," he said. "And it's totally messed up how I'm doing it."
The answer to fashioning a Net neutrality detection tool boils down to "old-school packet stuntage," Kaminsky said.
"Say I want to pretend I'm some site I want to speed test," he said. "I don't want the test to come from me, [rather, I want it to come] from their site. They'll download something from me [and the] entire infrastructure will think it's coming from MySpace or YouTube or wherever I want."
What would normally prevent this is that an HTTP session runs over TCP. What keeps random people from injecting into the stream is that they don't know the stream's sequence numbers. They can't know them. Right?
"Oh, wait," Kaminsky said. "There's an ActiveX plugin called PacketX and it's a sniffer that emits JavaScript events on each packet. A packet sniffer for your Web browser. Did you see what I did? I just wrote an entire tunneling layer in JavaScript."
Kaminsky said he laughed for two hours when he came up with it. He's calling it "Inspector Pakket," like "Inspector Gadget."
"Now I can have some fun," he said. "What was keeping me out was not knowing sequence numbers. If I can sniff packets on the client, I can totally know the sequence numbers. So, number one, I can totally spoof the IP of YouTube or CNN or whatever when sending traffic to the client, because I know what sequence numbers to use.
"I'm sending traffic to the client. The client is acknowledging my traffic, but not to me, to the server. The server would normally say, 'Why are you talking to me? I don't have a session open with you, go away, here's some resets,' and it would be game over for me. But everyone's deployed a firewall saying, 'You don't have a session, I don't have to talk to you.' It won't talk to me, and I can just go ahead."