
Am I hacked? Oh, it's just Vodafone - cramforce
http://www.sphaero.org/blog:2012:0418_am_i_hacked_oh_it_s_just_vodafone
======
alister
As of 2 months ago Bell Canada has begun intercepting and modifying web
traffic as well.

Back in October, I started receiving notifications that said, “You've reached
50% of your Internet usage”. In the past these notifications would arrive by
email or I could check my usage by logging into the Bell site, either of which
is entirely acceptable. However, in October, these notifications began to
appear embedded into web pages that I was browsing, specifically in web pages
that don't belong to Bell and have nothing to do with Bell.

I don't care that they provide a way to disable this, or that somewhere in
Bell’s terms and conditions I may have ostensibly agreed to this action. They
shouldn't be doing this any more than the post office should be tearing open
my letters to insert notices that they want me to see.

I wrote a complaint to Bell (and canceled my phone and Internet with them!)
but they didn't reply. I also wrote to the CRTC and the Privacy Commissioner.
The Privacy Commissioner said it's not in their jurisdiction. I'm still
waiting to hear from the CRTC.

~~~
Vexs
Suddenlink does the same thing-ish. Sometimes I get a popup that says "service
outage incoming at XXX" at the top of the page- I ended up figuring out there
was a checkbox for that sorta stuff in the account options tab. Similarly, it
redirects non-websites to their own search engine that never seems to go away.
(ex: igrj.43 redirects to
[http://search.suddenlink.net/index.php?origURL=http%3A//igrj...](http://search.suddenlink.net/index.php?origURL=http%3A//igrj.43/&r=&bc=))
Again, not terrible, but really invasive to my mind.

As it stands, they're basically the only supplier near us (sub-rural Texas),
so I just got a VPN.

~~~
gdwatson
It's not unheard of for ISPs that typosquat the whole Internet like that to
provide a second set of DNS servers that perform correctly for those who know
how to use them. Mine does.

~~~
hellbanner
Who's your ISP?

~~~
gdwatson
CenturyLink

------
sdoering
How can this even be legal? How can an ISP decide on the content quality I
would like to receive? Do they next deem words like 'anti-government',
'Democrats' or sites critical of the government too traffic-heavy to deliver
but instead show a "cleaner" version of the world?

I as a hobby web-dev and photographer like my images to be delivered in the
exact quality I put them on the server. So the Vodafones or O2s of this world
mess with my intended design.

As a user I want to experience the web with best image quality, not censored
(right now in terms of quality) crappy versions of these images.

This paternalism sadly is not felt by the majority of people out there and
will never lead to 'uprising' (for lack of a better word). Be it done by
corporations or be it done by governments.

We will see more of that in the future and I have lost belief in being able
to tell others who are not that tech-savvy why this is not good. They nod their
heads, but it does not register. Sadly so.

------
compbio
Visit [http://1.2.3.50](http://1.2.3.50) to disable this image compression for
your device.

Add "Cache-Control: no-transform" to your headers to disable image compression
for all your site's visitors.

Web devs should make sites that work without javascript, so that turning on
NoScript is also a solution.

The bmi.js injection may look a bit nasty, but it is there to save bandwidth
for users who are on a bandwidth budget. Vodafone would profit from higher
bandwidth usage.

~~~
aaron695
> Web devs should make sites that work without javascript, so that turning on
> NoScript is also a solution.

Sorry but this is a ridiculous statement, it's like saying websites should
still be able to run on Gopher. (Which some people want)

It's cool if you want to run NoScript but if you think websites should/would be
made around that you have cognitive dissonance.

Other than that, informative comment.

~~~
pdkl95
Progressive enhancement is easy. Your framework or development tools should do
most of the work for you. Maybe try different tools?

> run on Gopher

Nonsense - CSS is very powerful, and all the functionality most websites need
works fine with <form>s.

Part of the problem may be the difference between _nice_ features and
_necessary_ features. Nobody would expect fancier features such as custom
buttons/widgets or fancy client-side form verification to work without
Javascript. You have to do all the checking on the server anyway.

> cognitive dissonance

Err, no - leaving out progressive enhancement is just lazy. Why would you
prefer to show people a _broken website_ as a first impression? Do you even
know how many people see a broken website? (i.e. do you check server logs?)

~~~
random_rr
Do you do web development professionally every day? If so, how long would you
estimate you spend on making sure HTML-only pages render correctly?

Do you ever do advanced sites where multiple actions exist on one page that
can't be easily encapsulated in HTML?

I ask because calling devs lazy for not backwards-checking their JS scripts is
a bit much. So you want them to solve the problem they just solved, except
this time, do it without some code assistance? That seems a bit unreasonable.

For many sites these days it is acceptable and justifiable to run Javascript.
That was not true in the early 2000's, but we are a long way from there.

~~~
jedrek
Agreed. Neither Facebook nor YouTube run without JS enabled, which means that
the vast majority of your users will never even consider turning it off.

~~~
pdkl95
Facebook and YouTube, as highly interactive applications, are not "most
websites".

Practically every single blog, news site, _store_, business page, and the like
have zero _need_ for Javascript, and requiring it only makes your site look
broken. They're maybe _better_ with Javascript, of course.

While I haven't worked on websites in the last year or so, I have made
websites professionally in the past for many years. Making a progressively
enhanced store that works without Javascript in Rails 2/3 was really easy.

> vast majority of your users will never even consider turning it off.

How do you know this? Are you guessing? Are you relying on Javascript-based
analytics and are therefore blind to people that disable Javascript? Do you
have server logs that show how many people disable Javascript? Is your site
broken without Javascript so this claim becomes a self-fulfilling prophecy?

I ask this every time someone makes that claim, and have never gotten a
response.

~~~
jand
> How do you know this? Are you guessing?

> I ask this every time someone makes that claim, and have never gotten a
> response.

Well, I am glad to help out. Have a look at [1] which presents data of 509.314
visitors.

Isn't that great? Now you don't have to ask every time somebody makes that
claim!

[1] [https://gds.blog.gov.uk/2013/10/21/how-many-people-are-missi...](https://gds.blog.gov.uk/2013/10/21/how-many-people-are-missing-out-on-javascript-enhancement/)

------
rdancer
Should have [2012] somewhere in the title. This is older than dirt, in
Internet years.

~~~
lorenzhs
I noticed this as far back as 2009 on Vodafone Germany

------
Klathmon
And people still fight "HTTPS everywhere"...

Secure should be the default with insecure being left for special cases that
need it.

~~~
r3bl
If by "HTTPS everywhere" you mean the browser extension, that isn't very
helpful since a huge chunk of websites that have properly implemented HTTPS
turn it on by default.

If by "HTTPS everywhere" you mean enabling HTTPS on all websites, I could not
agree more.

In any case, I haven't heard of a single source fighting against this switch.
Some sources please?

~~~
Klathmon
I mean the latter.

And it's generally random web developers who are against HTTPS on everything.
Generally the reasons are:

* Cost (this one is going away hopefully)

* Performance (tls is too slow!)

* CPU/Memory overhead on the server

* What they are showing doesn't need to be secured anyway.

I don't really agree with any of those points, but that is what I hear when I
bring it up.

------
ubercow13
Yes this is why I left Vodafone. They aggressively recompress images so that
they look noticeably awful, including in phone apps where resources are loaded
on demand, and there's nothing you can do about it bar using a VPN. O2 are
exactly the same and all the virtual network operators using either network
are the same.

~~~
kuschku
T-Mobile is known in Germany for having done the exact same.

~~~
patates
They also remove comments from your markup. That removes the possibility of
progressive enhancements with, say, knockout.js which would most easily rely
on comments (unless you're using https, which you should).

~~~
huuu
Using comments for programming is very bad practice. I don't know knockout but
that just sounds bad.

------
joenathan
Just left my host for a similar issue, Arvixe shared Linux server. One of the
shared users apparently installed some utility called siteapps, which somehow
affected my side of the server, not certain what it all does but it started
showing 'badges' on all my pages saying 'this site has been optimized by
siteapps'. I found a way to turn that off in cpanel but the siteapps was still
injecting JavaScript code into all of my pages. I could not see any visual
changes to the pages but found this unacceptable.

I tried to contact support only to find out the company had been sold recently
and the new owners saw fit to fire all the support staff and do away
completely with telephone support for technical issues. Tried chat and after
waiting, no joke, three hours for someone to show up in the chat was told that
the problem was with my code. Even after telling the agent I could upload a
blank page and the code would be injected into the page.

Long story short, I am now hosting on my own server. Now looking for a good
host I can point my customers to, one that won't try to nickel and dime them
like godaddy.

~~~
mort96
For $5/month, you can get a pretty great VPS at digital ocean; 512MB RAM, 20GB
SSD, 1Gbit/s bandwidth with 1TB/month transfer, giving you root access to your
own server. You also get your own IP address, instead of sharing IPs and using
virtualhost hacks like those web hosts do. Been using them for a while now,
works really well.

------
onslauth
The system in question is developed by a company called Byte Mobile, which was
bought by Citrix.

Normally all port 80 and 8080 traffic is redirected to the system, and then
rules are run to determine what happens to the traffic, and/or code to be
injected into the page.

~~~
onslauth
So let me add some more detail.

The system is used to help reduce bandwidth, as well as including a better TCP
algorithm for use over the radio links, to help cut down lag and
retransmissions, because the radio links are notoriously bad, and the standard
algorithm doesn't quite cut it.

The system will actively try to down sample both images and video to help
reduce bandwidth usage. In the case of video, it also tries to limit the
buffered video to no more than X seconds ahead.

And finally, it is also a big cache, and it tries to keep the most requested
content locally. One of the new features is the ability to 'guess' what video
is being viewed inside a HTTPS stream and try to cache it too.

As mentioned above with regards to the Canada telcos inserting iframes or
content regarding their data usage and caps, the system can inject any content
into the HTML page if it is provided over HTTP. They do this because normally
they have no way to contact customers that have tablets, or 3G modems /
dongles, to alert them of limits or just to be able to contact them.

~~~
tempestn
How could they not have any way to contact their customers? You need to
provide contact information when you sign up for a data plan, don't you?

Even if you accept that the only way for them to contact their users is via
their data connection (which, again, doesn't make sense,) there are far less
intrusive methods than injecting content into existing pages. For instance,
they could send the user to a separate notification page, perhaps with a
helpful link to the resource that the user was intending to browse to. No need
to mess with (or see) the contents of any pages.

~~~
onslauth
They very possibly can do all of the above.

However you have to understand how a lot of the cellular operators function.
They don't build much of the systems in house, but buy from large companies
like Ericsson, Huawei and so forth. Therefore all their functionality is
controlled by those companies.

That being said, the cellular operators don't like to hand out contact
information about their customers. All billing is normally done via a MSISDN
to a single system that stores a customer's credit, and records all billing
information. It does not contain any customer details.

I have actually seen a different approach, wherein any messages going to a
MSISDN that has been identified as a tablet or modem / dongle, will be
redirected to another MSISDN as a SMS or an email address, depending on the
customer's preferences. All these details were stored in another database.

------
asztal
The company I work for had problems with users who couldn't install our
ClickOnce-deployed application. It turned out that they were using a 3G dongle
which modified one of the JPEG files in-flight such that it didn't match the
hash in the application manifest. We moved to HTTPS anyway so thankfully this
stuff is more or less history.

------
rnhmjoj
I use H3G on a tablet: every time I reconnect (after the connection drops,
when I reboot or switch from wifi to cellular network) the first http request
is somehow redirected to a shitty H3G website full of ads.

This is not only annoying but also manages to break everything using an
internet connection. For example it overwrites bookmarks, reading list entries,
applications fail to load.

Anyway injecting scripts is crazy. Are they still doing it?

~~~
pavel_lishin
How does it overwrite bookmarks?

~~~
jackweirdy
If a user has a bookmark for [http://a.com/](http://a.com/), and the ISP
redirects with a 301 Permanent Redirect to [http://isp.net/](http://isp.net/),
the browser will rewrite a.com to isp.net.

~~~
pavel_lishin
Huh, interesting - what browser is that?

~~~
ryanlol
Like, all of them?

~~~
pmontra
Mmm, that's a browser that attempts to be smart at bookmarks management. I
have a tablet with a SIM of that company. I'm using Dolphin on that tablet and
I get redirected. However Dolphin doesn't rewrite my bookmarks. Maybe it's not
a 301 redirect or maybe Dolphin is (luckily) not so smart.

~~~
TeMPOraL
Not browsers being smart as much as this is being explicitly mentioned in the
RFC - updating bookmarks and other references is kind of the point of 301
Moved Permanently. To quote from RFC 7231:

    
    
       The 301 (Moved Permanently) status code indicates that the target
       resource has been assigned a new permanent URI and any future
       references to this resource ought to use one of the enclosed URIs.
       Clients with link-editing capabilities ought to automatically re-link
       references to the effective request URI to one or more of the new
       references sent by the server, where possible.
    

[https://tools.ietf.org/html/rfc7231#section-6.4.2](https://tools.ietf.org/html/rfc7231#section-6.4.2)
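
A model of the re-linking behaviour in the RFC text quoted above, added here as an example and not taken from any comment or browser. It shows why a portal that answers with 301 rewrites a stored link while the same redirect sent as 302 leaves it alone; the function name, the inclusion of 308 and the set of temporary codes are assumptions of this model.

```python
from urllib.parse import urljoin, urlsplit

PERMANENT = {301, 308}       # 308: permanent, method-preserving (RFC 7538)
TEMPORARY = {302, 303, 307}


def relink_target(bookmark, hops):
    """Model a link-editing client following a redirect chain.

    hops: list of (status, Location) pairs in the order received.
    Returns (url_to_store, url_displayed, host_changed). The stored
    reference is updated only while every hop so far was permanent.
    """
    stored = current = bookmark
    all_permanent = True
    for status, location in hops:
        if status not in PERMANENT | TEMPORARY or not location:
            break
        current = urljoin(current, location)   # Location may be relative
        all_permanent = all_permanent and status in PERMANENT
        if all_permanent:
            stored = current
    host_changed = urlsplit(stored).hostname != urlsplit(bookmark).hostname
    return stored, current, host_changed


# Constructed cases using the hosts from the comment thread above.
PORTAL_301 = relink_target("http://a.com/", [(301, "http://isp.net/")])
PORTAL_302 = relink_target("http://a.com/", [(302, "http://isp.net/")])
```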

~~~
pmontra
I didn't know about that, thanks.

Then I looked for the sanctioned meaning of "ought to" and found
[https://www.ietf.org/rfc/rfc6919.txt](https://www.ietf.org/rfc/rfc6919.txt)

"The phrase "OUGHT TO" conveys an optimistic assertion of an implementation
behavior that is clearly morally right, and thus does not require
substantiation."

But it's dated 1st April 2013 so that's a dead end :-)

Still I think that "ought to" in RFC 7231 is close to what 6919 "prescribed"
or they would have used MUST or SHALL. Furthermore there is the matter of
history and URL autocompletion. I don't know if it should be OK to rewrite
history. I'm fine with handling all of that manually.

------
golergka
This is awful.

But to understand why and how awful that is, you need to think of HTTP traffic
as private letters. Unfortunately, because HTTP traffic is usually associated
with access to public websites, a lot of laypeople think of it as _public_,
instead of _private_ communication. Opening NYT website is more like browsing
TV than having a correspondence with a trusted friend for them.

This is the real reason shit like this happens. Would you expect Vodafone to
modify contents of your private facebook messages or emails, if they had the
chance? Of course not; the same suits that authorized this system would scream
about user's privacy and never greenlight it. However, _this_ system, to an
average user, and average manager, doesn't seem the same.

If you imagine a high-level user story description for it, it won't read "new
code is injected in private HTTP traffic", it likely was "make pictures
download faster in 3G". Yes, they describe the same awful shit that shouldn't
be happening — but the first description screams PRIVACY VIOLATION, while the
second seems like a very good thing to do for the sake of the customers.

Never attribute to malice that which is adequately explained by stupidity. And
if you want to fight this, don't fight it as you would fight malice. Fight as
you would actually fight stupidity.

------
mosselman
Deep packet inspection is forbidden in the Netherlands as far as I know. Is
there anyone who can confirm both this and if Vodafone is doing this in the
Netherlands regardless of this, alleged, legal restriction?

~~~
mosselman
As rdancer pointed out this article is older than the internet and I, and
probably some others, hadn't noticed. Still interesting, but not very.

~~~
TrevorJ
4 years ago is hardly 'older than the internet'.

~~~
tempestn
Since it's an article _about_ the internet, I'm guessing parent realizes that
and was exaggerating for emphasis.

~~~
TrevorJ
I think that's accurate. I just get tired of the culture of newness. Knowledge
whose age could best be described in months gets derided for being old and
irrelevant.

------
batuhanicoz
Last time I saw this behaviour (using Vodafone Turkey network) was not more
than 6 months ago. Haven't checked since, they could still be doing this. So
it's not "older than the internet".

------
tikums
Vodafone's also actively pushing for "network management" (read, MITM) for
HTTP/2. Previous discussion here:
[https://news.ycombinator.com/item?id=9422311](https://news.ycombinator.com/item?id=9422311)

------
akerro
More reasons to encrypt everything and start HSs.

------
darkhorn
When you reach your download quota TTnet, biggest in Turkey, shows a
notification in your first HTTP visit. It completely removes the original
content. So you lose your POST for example.

They even had a user tracking for advertisement. It constantly asked in
StackOverflow (since most of the time I'm there) whether I want to join "track
my online activities".

Well, here exist laws too, and they are in action but it lacks a good
philosophy. No wonder they (Turkey) are between Europe and Middle East, both
physically and mentally.

Edit: I should note that TTnet's big part is now owned by Arabs. That's why
they don't care much.

------
pravj
I remember 'Airtel' doing something similar in India, in May-June.

Here is a story about the expose published in Hindustan Times,
[http://goo.gl/FX31Of](http://goo.gl/FX31Of)

~~~
junktest
[http://www.medianama.com/2015/06/223-airtel-says-it-had-noth...](http://www.medianama.com/2015/06/223-airtel-says-it-had-nothing-to-do-with-the-legal-notice-sent-to-thejesh-gn/)

------
ozim
So https and content security policy should be enough to mitigate this kind of
stuff or am I wrong?

If they would amend csp headers and inject stuff I would be worried but still
there would be https for the rescue.

~~~
profmonocle
Yep, ISPs can't do stuff like this to HTTPS traffic. This is one reason some
people are advocating HTTPS for _all_ sites, not just sites containing
sensitive data.

------
Buge
Great, the blog post is not served over https.

Do we actually want to fix the problem?

------
markdown
Vodafone Fiji used to do this over their 3G network, but that changed when
they started serving over 4G 2 years or so ago.

What's worse is that the script changes the content of the alt attribute for
all images to something like (off the top of my head) "Press CTRL+A to load
full-sized images".

They did respect no-transform though, so I made sure all my sites had that.
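
An added example, not part of any commenter's post: the origin-side `Cache-Control: no-transform` header mentioned here and by compbio, together with the kind of integrity comparison that exposed the modified JPEG in asztal's comment, applied to an HTML page. The page contents, the `proxy.example` host and all function names are constructed for illustration; the alt text is the one recalled in the comment above.

```python
import hashlib
from html.parser import HTMLParser

def with_no_transform(cache_control=None):
    """Return a Cache-Control value that carries no-transform exactly once."""
    directives = [d.strip() for d in (cache_control or "").split(",") if d.strip()]
    if not any(d.lower() == "no-transform" for d in directives):
        directives.append("no-transform")
    return ", ".join(directives)

class _Inventory(HTMLParser):
    """Collect script sources, inline-script digests and image alt texts."""

    def __init__(self):
        super().__init__()
        self.scripts, self.alts = set(), {}
        self._inline = None  # list of text chunks while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.scripts.add("src:" + a["src"])
            else:
                self._inline = []
        elif tag == "img" and a.get("src"):
            self.alts[a["src"]] = a.get("alt") or ""

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.scripts.add("inline:" + hashlib.sha256(body).hexdigest())
            self._inline = None

def _inventory(html):
    parser = _Inventory()
    parser.feed(html)
    parser.close()
    return parser

def compare(origin_html, received_html):
    """Report how the copy a client received differs from the origin's copy."""
    o, r = _inventory(origin_html), _inventory(received_html)
    digest = lambda s: hashlib.sha256(s.encode()).hexdigest()
    return {
        "digest_match": digest(origin_html) == digest(received_html),
        "injected_scripts": sorted(r.scripts - o.scripts),
        "changed_alts": {src: (o.alts[src], alt) for src, alt in r.alts.items()
                         if src in o.alts and o.alts[src] != alt},
    }

# Constructed sample: a page as published and as it might arrive over plain HTTP.
ORIGIN = ('<html><head><script src="/app.js"></script></head>'
          '<body><img src="/cat.jpg" alt="A cat"></body></html>')
RECEIVED = ('<html><head><script src="http://proxy.example/bmi.js"></script>'
            '<script src="/app.js"></script></head><body><img src="/cat.jpg" '
            'alt="Press CTRL+A to load full-sized images"></body></html>')

if __name__ == "__main__":
    print(with_no_transform("public, max-age=3600"), compare(ORIGIN, RECEIVED))
```

In practice the received copy would be fetched over plain HTTP from the network under test and the origin copy over HTTPS or from the server's own disk.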

------
hartator
I wonder what country this is? France, Germany?

~~~
lis
Based on the other content: Netherlands.

------
sharjeel
Someone recently noticed it on UFone (Pakistan) too:
[https://www.i.com.pk/ufone-3g-is-injecting-popup-ads-into-yo...](https://www.i.com.pk/ufone-3g-is-injecting-popup-ads-into-your-normal-browsing/)

------
codezero
Sprint shows very compressed images on mobile as well. I had assumed they
compress the images on the wire rather than injecting JavaScript but I didn't
check. Maybe I should.

------
binwiederhier
This is why I switched carriers, too. I had the same "Am I hacked?" moment a
while back. Thanks for posting details!

------
0898
O2 does the same thing – with almost the same messaging ("Shift+R improves the
quality of this image").

------
venomsnake
Aren't they violating CFAA? Committing wire fraud by substituting the traffic?

------
thomseddon
SSL.

That is all.

------
WrofNiraid5
> In a little while we'll all be on TOR.

Tried that. Can't get past the impossible Cloudflare captcha.

