by paylesworth 5574 days ago
I'm curious to find out what you guys / gals think about this. Is this just a fear tactic? Or does ATT have a legit way to check if you're doing unauthorized tethering? Any of you get hit with this text by accident (false positive)?

EDIT Removed the '(Ars)' from the title. N00b mistake :)

4 comments

Supposedly all packets from the iPhone have a TTL of 64; packets from your laptop routed through the iPhone would not necessarily have the same TTL and are thus detectable.

[1] http://www.reddit.com/r/technology/comments/g62wv/i_woke_up_...

There are dozens of legit ways to automatically detect this, and dozens more if humans are involved.

Requesting non-mobile versions of sites that do not have the option

User Agent strings such as "Internet Explorer" or "Safari" in HTTP requests

Sending screen sizes via relatively common web calls

The use of UA-Pixels at all, especially when specifying large screen sizes.

Use of protocols that are only seen in desktop OS programs (Ventrilo, StarCraft 2, etc.; StarCraft 2, for instance, is one that should be a good detector).

There are 3rd-party web browsers on the App Store, and those would trigger false positives, so they probably wouldn't use UA.
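The TTL observation above and the list of application-layer tells (plus the Layer 7 user-agent check raised further down the thread) can be combined into a small heuristic scorer. The following is an added example written for this page, not AT&T's detector and not code from any commenter; the TTL of 64, the user-agent and UA-Pixels markers, the port-to-protocol table, the 1024-pixel threshold and every flow record are assumptions or constructed data, not observations from a real network.

```python
"""Heuristic tethering detector over constructed flow records (added example)."""
from dataclasses import dataclass

PHONE_TTL = 64  # assumption from the thread: the handset itself emits TTL 64

# Substrings that identify a handset browser (assumed list). Third-party iOS
# browsers still put "iPhone" in their UA, so they do not trip the desktop check.
MOBILE_UA_MARKERS = ("iPhone", "iPad", "iPod", "Android", "Mobile Safari")
DESKTOP_UA_MARKERS = ("Windows NT", "Macintosh", "X11; Linux", "MSIE", "Trident/")

# Destination ports of protocols a handset of the period would not speak
# (assumed; the Ventrilo and Battle.net defaults are from memory, not the thread).
DESKTOP_ONLY_PORTS = {3784: "ventrilo", 1119: "battle.net"}

# Anything wider or taller than this is not a handset display (assumed threshold).
MAX_HANDSET_PIXELS = 1024


@dataclass
class Flow:
    """One flow as the carrier's first hop would see it (constructed, not a capture)."""
    src_ttl: int
    dst_port: int
    user_agent: str = ""   # empty when no cleartext HTTP request was parsed
    ua_pixels: str = ""    # value of a UA-Pixels request header, e.g. "1920x1080"


def ttl_signal(flow: Flow) -> bool:
    """Handset packets arrive with TTL exactly PHONE_TTL. A laptop behind the
    phone's NAT starts at its own default (64 on macOS/Linux, 128 on Windows)
    and loses one hop crossing the phone, so 63 or 127 shows up instead."""
    return flow.src_ttl != PHONE_TTL


def desktop_ua_signal(flow: Flow) -> bool:
    """Flag a desktop UA only when no handset marker is present."""
    ua = flow.user_agent
    if not ua or any(m in ua for m in MOBILE_UA_MARKERS):
        return False
    return any(m in ua for m in DESKTOP_UA_MARKERS)


def large_screen_signal(flow: Flow) -> bool:
    """Parse 'WxH' from UA-Pixels; an absent or malformed value is not a signal."""
    try:
        width, height = (int(p) for p in flow.ua_pixels.lower().split("x"))
    except ValueError:
        return False
    return max(width, height) > MAX_HANDSET_PIXELS


def desktop_port_signal(flow: Flow) -> bool:
    return flow.dst_port in DESKTOP_ONLY_PORTS


SIGNALS = {
    "ttl_mismatch": ttl_signal,
    "desktop_user_agent": desktop_ua_signal,
    "large_screen": large_screen_signal,
    "desktop_only_protocol": desktop_port_signal,
}


def flow_signals(flow: Flow) -> set:
    """Names of every heuristic that fires on a single flow."""
    return {name for name, check in SIGNALS.items() if check(flow)}


def analyze(flows, min_distinct=2):
    """Count how often each signal fired across one subscriber's flows and
    return (counts, verdict). Requiring two distinct signal types keeps a single
    odd header from producing a false positive on its own."""
    counts = {}
    for flow in flows:
        for name in flow_signals(flow):
            counts[name] = counts.get(name, 0) + 1
    return counts, len(counts) >= min_distinct


# Constructed sample flows (user-agent strings are illustrative, not captured).
HANDSET_FLOWS = [
    Flow(64, 443, "Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_3 like Mac OS X) "
                  "AppleWebKit/533.17.9 Mobile/8F190 Safari/6533.18.5"),
    Flow(64, 80, "Opera/9.80 (iPhone; Opera Mini/6.1.15738/25.692; U; en) Presto/2.5.25"),
    Flow(64, 22),  # SSH from the handset itself: no cleartext, no signal
]
TETHERED_FLOWS = HANDSET_FLOWS + [
    Flow(127, 80, "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 "
                  "Chrome/11.0.696.68 Safari/534.24", ua_pixels="1920x1080"),
    Flow(63, 3784),  # Ventrilo from a Linux laptop, one hop behind the phone
]

if __name__ == "__main__":
    print(analyze(HANDSET_FLOWS))
    print(analyze(TETHERED_FLOWS))
```

Two caveats a practitioner would check before trusting a scorer like this: the TTL tell is trivially neutralised on the tethered host (on Linux, an iptables mangle rule using the TTL target can set outgoing TTL to 65 so it arrives as 64 after the phone's hop), and pushing everything through an SSH or VPN tunnel removes the user-agent, screen-size and port signals entirely, leaving only traffic volume, which this example deliberately does not score.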
How are any of these legit? All of that's illegal wiretapping.
It'd be illegal wiretapping if it were the government, perhaps, but I'd imagine the standard contract with AT&T permits this.
"AT&T may, but is not required to, monitor your compliance, or the compliance of other subscribers, with AT&T's terms, conditions, or policies"

And, of course, it's now well-known that the government WAS using deep packet inspection on AT&T internet traffic.

I would assume they're just looking at how much you download in a month, though. I don't think AT&T is worried about offending outliers using large amounts of mobile data by inaccurately accusing them of tethering.

Could you provide a link to the government using deep packet inspection on ATT internet traffic? I don't remember it / haven't heard about it.

Just curious.

Here's what a Google search for "at&t nsa splitter" turned up:

http://arstechnica.com/old/content/2006/04/6585.ars

They probably just see that you are using more bandwidth than a normal user and infer that way. If they were packet sniffing your non-phone traffic they might be able to infer from a plethora of non-phone headers that the system will invariably send out (system update checks in the background, etc.).
In spite of all the other, technical ways of doing this (see your sibling comments), I fear that this is what they're doing.
It is possible for them to detect this if they are doing Layer 7 inspection. All it would take is parsing the user agent to see that you're not on Mobile Safari. On the iPhone side, it just does a NAT and theoretically passes all information as the public IP of the phone itself.

Honestly, any respectable nerd is going to have either a) a box to SSH to or b) a VPN endpoint... if you encrypt/encapsulate all traffic originating from your tethered machine there's very little chance they'd be able to catch you.

Assuming the IPv4 TTL issue can be worked around (see elsewhere in thread), a phone that does GBs/month of encrypted traffic over SSH would still be a signal that something suspicious is going on.
That's where using a VPN comes in. For all they know, you could be connecting to your own, internal business websites.

[edit: changed my response.]

Also, you can connect to a VPN via: Settings > Wireless & Network settings > VPN Settings on Android

"I'm an Apple developer developing XYZ application that uses encrypted traffic."

Problem solved.

They don't have to know it's just the SOCKS proxy and you're tunneling with SSH to your server as another proxy.