
ISP Advertisement Injection - CMA Communications - cramerica
http://zmhenkel.blogspot.com/2013/03/isp-advertisement-injection-cma.html
======
_conehead
I posted about this on reddit a few weeks ago[0]. Someone in the thread said
they had contacted the Better Business Bureau, but I'm not sure what their
process is or how far it's gotten.

There has also been a short email thread in which their official response is
this:

> Mr. [redacted],

> CMA is in the process of trying to find ways to drive income from our
> internet service in new ways. These new ways would allow us to expand our
> service offering and maintain the cost of the current residential and
> business internet services.

> We’ve been testing a new service which allows us to overlay / insert some
> local advertisement on certain web pages. A company called Route 66 is our
> partner. Right now, you’re barraged with a lot of internet advertising,
> popups, etc… This has become part of the internet experience. At the core,
> we’re simply trying to better customize some of this experience. And
> possibly give you access to highly relevant local advertising.

> Having said that, I’ve recently become a little more familiar with what some
> of these ads look like and how they operate. I will concede that I’m not
> sure they strike the perfect balance between being information and non-
> invasive. Like I mentioned, we’re involved in a test and the feedback we’re
> getting from the test is helping us to refine and improve how (or if) we’ll
> continue here. So I’m stopping short of saying that we’ll be ceasing this
> type of internet advertising experiment. But I do want you to know that your
> feedback has resulted in the beginning of a pretty intense internal
> dialogue.

> Thanks for your feedback.

> [redacted]

> CMA Communications

It's absolute insanity and a major breach of trust that they'd inject their
own content into webpages I visit. I'm permanently using a remote VPN for all
outgoing traffic through CMA.

[0]: Didn't know exactly where the post belonged, so I put it in /r/self:
http://www.reddit.com/r/self/comments/19zhl6/my_isp_is_injecting_advertisements_into_my/

~~~
devicenull
The BBB has exactly 0 power over anyone, so I really doubt that will fix
anything.

~~~
astrodust
Complaining to the BBB is slightly less useful than posting an angry comment
on a YouTube video.

------
pdeuchler
Immediately cancel your account and switch. If you are forced to use them as
an ISP due to municipal/geographical regions complain to your city manager.

The only way to slap these companies back into line is with your wallet. If
you can't do that then a couple complaints to the city manager can go a lot
farther than you think, especially in smaller areas where there isn't a lot of
support staff in city hall.

~~~
HarryHirsch
Considering just how big the outcry was over ISPs delivering advertisements
instead of an NXDOMAIN response, and how many ISPs are continuing to mess with
DNS over ten years after the execrable practice started, I haven't got much
faith in the power of the market. Has there been just one ISP that stopped
hijacking DNS over customer complaints?

~~~
austinheap
Sonic.net ftw! Not available everywhere but great ISP who stands up for a free
and open Internet.

~~~
matthuggins
Looks like Sonic only provides service in CA.

~~~
joshAg
And as far as I know, only in certain parts of the Bay Area. I wish I could
get it in Cupertino.

------
ConstantineXVI
"knowingly and with intent to defraud, accesses a protected computer without
authorization, or exceeds authorized access, and by means of such conduct
furthers the intended fraud and obtains anything of value, unless the object
of the fraud and the thing obtained consists only of the use of the computer
and the value of such use is not more than $5,000 in any 1-year period"

Injecting or replacing ads in other people's content on the wire: 'knowingly
and with intent to defraud', 'exceeds authorized access', 'furthers the
intended fraud'

Ad revenue from doing so: 'obtains anything of value'

Forget copyright infringement: a case could be made that CFAA applies here.

~~~
jiggy2011
Wouldn't this depend on the TOS of the ISP? Perhaps by signing the contract
you "authorise" this.

This sort of thing doesn't surprise me any more. AFAIK DNS on every major ISP
in the UK is broken, there is no NXDOMAIN. Unresolvable domains are simply
redirected to a specific IP address which happens to host a page of ads and a
search bar on port 80. This might not matter to most people, but it's a huge
PITA when I'm testing some things.
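
A way to check a network for the NXDOMAIN rewriting described in the comment above, as an added Node.js example that is not part of the original thread. The function names, the `com` probe suffix and the sample results are constructed for illustration.

```javascript
// Added example: detect a resolver that answers for names that do not exist.
const dns = require("node:dns").promises;
const crypto = require("node:crypto");

// Build random hostnames that are overwhelmingly unlikely to be registered.
// The "com" suffix is an assumption; any TLD the resolver forwards will do.
function probeNames(count, suffix = "com") {
  return Array.from({ length: count },
    () => `${crypto.randomBytes(12).toString("hex")}.${suffix}`);
}

// Query the configured DNS servers for each probe name and record the outcome.
async function runProbes(names) {
  const results = [];
  for (const name of names) {
    try {
      results.push({ name, addresses: await dns.resolve4(name) });
    } catch (err) {
      results.push({ name, error: err.code }); // ENOTFOUND is a proper NXDOMAIN
    }
  }
  return results;
}

// Pure decision logic: any A record for a nonexistent name means the resolver
// is rewriting answers; the address it keeps returning is the landing host.
function classify(results) {
  const answered = results.filter(
    (r) => Array.isArray(r.addresses) && r.addresses.length > 0);
  const landingIps = [...new Set(answered.flatMap((r) => r.addresses))].sort();
  return {
    rewritten: answered.length > 0,
    answered: answered.length,
    probes: results.length,
    landingIps,
  };
}

// Constructed sample results (203.0.113.10 is a documentation address).
const SAMPLE_HONEST = [
  { name: "a1.com", error: "ENOTFOUND" },
  { name: "b2.com", error: "ENOTFOUND" },
];
const SAMPLE_REWRITTEN = [
  { name: "a1.com", addresses: ["203.0.113.10"] },
  { name: "b2.com", addresses: ["203.0.113.10"] },
];
```

On the network under test, `runProbes(probeNames(3)).then(classify)` produces the same verdict object from live lookups.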

~~~
ConstantineXVI
I'm not aware of any similar arguments being tested in court, so this is all
conjecture.

That said, barring an explicit definition of 'Internet service' in your
service contract, it's commonly understood that requesting a page from
example.com, all the data your ISP returns implicitly is sourced from
example.com. Introducing your own content in between is therefore fraud, as
you've mis-represented the origin of the content.

I believe the owner of an involved web server would have standing as well, not
just the users.

~~~
jiggy2011
But in such a case you could make the same argument for ad supported wifi
connections or proxies.

~~~
tomsthumb
You do enter into agreement (usually), but do you have a valid contract when
using those connections?

------
cramerica
They go as far as even replacing existing ads with their own. This seems
criminal, especially when they are directly impacting Google/Microsoft/Apple
by removing their ads and replacing them with their own.

------
degenerate
A picture speaks a thousand words here; the author did a great job supplying
plentiful screenshots to emphasize how _wrong_ this practice is. I read about
this in the past but wasn't too moved until I scrolled through all those
screenshots and thought, wow, this is not good for ad publishers OR brands OR
anybody. This is only good for the greedy ISP.

------
ChuckMcM
This is an interesting problem. On a broadcast channel, when a local station
attempts to replace the ads the network has put in their shows, with their own
ads, the network has some leverage to shut down that process. But on the
Internet there are a bunch of web sites and they don't have any leverage at
all. They could do an IP filter, which is to say put up a page "This site
unavailable on this ISP's network" when a request came in from a CMA
communications IP block. That would cause a support headache for CMA with all
their customers calling in to complain. The other defense would be to create a
web page that doesn't cache (it pulls the actual page content through AJAX
calls, which gets around any local script injection). Lastly there seems to be
a "product" here where you bundle up an EC2 instance and some friendly software
on the PC that spins up a VPN tunnel for all of your traffic.

~~~
betterunix
"on the Internet there are a bunch of web sites and they don't have any
leverage at all"

They could use TLS...

------
richardwhiuk
HTTPS everywhere would solve this, and the Comcast Javascript injection - I
wonder how many more people will deploy things like this before that happens?

~~~
joshAg
HTTPS is the wrong solution. That is for preventing others from seeing what
you're sending/receiving, not verifying the integrity of what is
sent/received. Well, it does do that too, but it adds extra unneeded overhead
by encrypting everything. Besides, the ISP can easily man-in-the-middle any
connection you make and then inject their ads into the webpage, even if you
use HTTPS.

The correct solution is signing the webpage (but not necessarily encrypting
it). More technically, that means the server/website would hash the source of
the webpage, and then send the webpage, the signed hash, and if needed, the
cert it used to sign the hash. Upon receiving both the webpage and the signed
hash, the browser would then check to make sure that the signature can be
trusted (using a chain of trust the same way we do with certs for https pages
already), hash the webpage source it received, and then verify that that hash
matches the signed hash it received from the website.

It doesn't matter if any of that is sent in plaintext, because there is no
sensitive information, and as long as the hashing algorithm used is strong
(i.e. SHA-2 family, not MD5), then the ISP can do fuck all to inject JavaScript.
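
The hash, sign and verify flow described in the comment above, as an added Node.js example that is not part of the original thread. It assumes the site's public key is already trusted (standing in for the chain-of-trust check) and uses Ed25519 over a SHA-256 hash; the page content, key pairs and function names are constructed for illustration.

```javascript
// Added example of the hash-sign-verify flow; not code from the thread.
const crypto = require("node:crypto");

// Hypothetical site key pair. The public half is assumed to be trusted
// already, standing in for the certificate chain check the comment mentions.
const site = crypto.generateKeyPairSync("ed25519");

// Constructed sample page, and the same page with a script added in transit.
const PAGE = "<html><body><h1>News</h1><p>Original text.</p></body></html>";
const MODIFIED = PAGE.replace(
  "</body>", '<script src="//ads.invalid/x.js"></script></body>');

function sha256(body) {
  return crypto.createHash("sha256").update(body, "utf8").digest();
}

// Server: hash the page source, sign the hash, send it alongside the page.
function signPage(body, privateKey) {
  return crypto.sign(null, sha256(body), privateKey).toString("base64");
}

// Browser: hash the bytes actually received and check the signature over
// that hash with the trusted key. A missing signature must fail, otherwise
// an on-path party defeats the check simply by stripping it.
function verifyPage(body, signatureB64, trustedPublicKey) {
  if (!signatureB64) return false;
  const signature = Buffer.from(signatureB64, "base64");
  return crypto.verify(null, sha256(body), trustedPublicKey, signature);
}

// Run the four cases a verifier has to get right.
function runCases() {
  const sig = signPage(PAGE, site.privateKey);
  const other = crypto.generateKeyPairSync("ed25519"); // not the site's key
  const otherSig = signPage(MODIFIED, other.privateKey);
  return {
    intact: verifyPage(PAGE, sig, site.publicKey),
    modifiedBody: verifyPage(MODIFIED, sig, site.publicKey),
    resignedByOther: verifyPage(MODIFIED, otherSig, site.publicKey),
    signatureStripped: verifyPage(MODIFIED, undefined, site.publicKey),
  };
}
```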

~~~
astrodust
If TLS could negotiate certificates instead of supporting one and only one,
the backbone of any sane "virtual host" system, then https: wouldn't be a big
deal. It'd be the default.

Now you need a separate IP (expensive) or port (annoying) for each virtual
host configured with a different SSL cert. This has to stop, but it will not
be easy to fix.

~~~
rwg
RFC 3546, which includes TLS Server Name Indication, has existed since June
2003. The problem preventing deployment is the lack of client support,
especially Internet Explorer on Windows XP and Android 2.x [1].

--

1. http://en.wikipedia.org/wiki/Server_Name_Indication#No_support

------
michaelfeathers
Technically, isn't this copyright violation? People who inject ads into a page
are creating a derived work without permission of the rights holders. I'm sure
Apple didn't okay that addition to their HTML.

It would be interesting to see a lawsuit along those lines.

------
tantalor
If they had only replaced ads and not created new ads at the bottom of the
page, nobody would have noticed.

------
afreak
It's been long enough for me to state, but I used to work for a contractor
hired by CMA Communications.

ISPs of this size try and maximise as much profit out of their customers and
being that a lot of CMA's sites were over provisioned and are barely able to
provide telephony service without incompetence-y along the way, it is not
shocking that ads being injected into pages is a new thing for them.

To see these bullshit ads showing up on random pages is far from surprising.

------
DanBC
The first screenshot has the Google squiggle. Am I right there? That somehow
Google ads are being injected?

Because that seems like something that Google would not tolerate.

------
johnvschmitt
This was inevitable.

That's why I bought Google stock after they got into Android, as Android makes
it possible for Google to now step in & protect against the MITM attacks by
ISPs blocking their ads. The OS gets the final word before it displays
content to the user & it can detect & block these.

Now, they just have to deploy the fix to Android...

~~~
grecy
And what happens when Google are the one doing the MITM attack?

It all comes down to who do you trust.

~~~
marshray
Has Google ever modified other websites' pages like this?

~~~
baseh
Yes, I believe they call it Adsense.

~~~
marshray
<https://en.wikipedia.org/wiki/AdSense> "How AdSense works

(1) The webmaster inserts the AdSense JavaScript code into a webpage."

So this is _the webmaster_ modifying his own page. It's not Google injecting
Javascript into someone else's page like CMA Communications or Comcast is said
to be doing.

------
coldcode
The sad thing about this is in many places (at least in the US) there are few
if any alternatives. In my city, I can either get Time Warner Cable or AT&T
DSL. I'm 20 miles from Verizon's office but FIOS is illegal in my city. So if
the ISP starts screwing with the content then you have virtually no
alternative.

~~~
ancarda
I'm interested to know why FiOS is illegal in your city? I don't know of any
regulation that would make it.

~~~
coldcode
Some odd law in Texas. But I think FIOS is no longer being expanded anyway in
favor of wireless.

------
nkorth
Sprint is another (lesser?) offender -- their mobile broadband injects a
script in every page that loads compressed versions of images until told
otherwise. (Annoying, but at least it's well-intentioned.) I've long since
blocked the IP, but it gave me a bit of a scare to see unfamiliar code in my
own websites.

------
na85
Ugh, I hate that attitude of "Macs can't get malware" that this guy exudes so
smugly.

~~~
FireBeyond
Yep. I rolled my eyes at this, before I even got to the meat:

"I laughed to myself briefly, thinking: “who uses Bing?”, and then realized I
was a computer science grad student who had managed to get malware on a Mac,
so I wasn’t in a position to judge."

------
6thSigma
My parents use CMA Communications. I can confirm that they receive injected
ads as well.

I looked into switching them to another ISP, but the only one available is
1.5Mbps DSL vs their 15Mbps connection now.

------
gesman
Top contender for "worst publicity"

------
tomjen3
Damn, that is low. Time to get a vpn.

------
betterunix
Another reason to use ABP...

------
ttrreeww
Every website should use https

