
How a South African ISP Hacks Its Subscribers Each Month - defplex
https://defplex.wordpress.com/2017/08/15/how-a-south-african-isp-hacks-it-subscribers-each-month/
======
userbinator
IMHO those who say "just use HTTPS/some other encryption" are missing the
point --- I should be able to send whatever bytes I want through the network,
and have them arrive at their destination verbatim. If it's a custom protocol
that just happens to look like HTML, the injected data would break things.
That's what an Internet connection used to mean, but sadly that seems to be an
increasingly rare condition. In fact, I'm curious how many "pure ISPs" are
around, not just in South Africa but anywhere else --- one of the workarounds
is to use a VPN or other tunneling like TOR, but that relies on the exit node
having a "pure" connection to the Internet.

At least make it an option.

(I don't know if it's just me, but I found the tone of the article a little
alarmist, starting with "hacks" in the title. Then again, a lot of security
researchers seem to write like that.)

~~~
JoshMnem
> I should be able to send whatever bytes I want through the network, and have
> them arrive at their destination verbatim.

It's copyright violation to modify copyrighted content before delivery without
permission, especially when it's commercial content (ads) that is being
injected. Maybe lawsuits could stop it.

Other examples from the US:

[https://www.infoworld.com/article/2925839/net-neutrality/cod...](https://www.infoworld.com/article/2925839/net-neutrality/code-injection-new-low-isps.html)

[https://techcrunch.com/2012/04/06/now-you-know-hotels-inject...](https://techcrunch.com/2012/04/06/now-you-know-hotels-inject-banner-ads-into-the-wi-fi-they-charge-you-for/)

~~~
userbinator
_It's copyright violation to modify copyrighted content before delivery
without permission, especially when it's commercial content (ads) that is
being injected._

Ironically, a similar argument is being used against adblockers, the other
"benevolent MITM" application for modifying content:
[https://news.ycombinator.com/item?id=14978228](https://news.ycombinator.com/item?id=14978228)
[https://news.ycombinator.com/item?id=14990137](https://news.ycombinator.com/item?id=14990137)

In other words, if those lawsuits succeed, they could set an unfortunate
precedent against even _personal_ "modification of content".

~~~
saurik
An ad blocker does not modify copyrighted content before delivery. The legal
precedent set by when Nintendo tried to sue Game Genie made it pretty clear
that you can use tools to modify content you already have in your possession,
particularly if those modifications are in memory only and never create a
modified copy on disk. Meanwhile, those two links are to something entirely
unrelated: an attempt to use the DMCA to remove someone's domain name from a
file (which isn't even a copyright issue, and so I have not heard anyone think
that was remotely legitimate).

------
daniel-levin
Telkom has been injecting kak [0] into pages for _years_ [1], [2]. A former
employee of theirs told me that at one stage they were replacing ad content
with their own adverts - I would dismiss this as hearsay had I not seen it
myself.

[0] South Africanism for 'shit'

[1] [https://mybroadband.co.za/vb/showthread.php/704472-Telkom-In...](https://mybroadband.co.za/vb/showthread.php/704472-Telkom-Internet-ISP-Injecting-Code-into-HTML)

[2] [https://www.sadev.co.za/content/telkom-using-man-middle-atta...](https://www.sadev.co.za/content/telkom-using-man-middle-attack-change-your-websites)

~~~
toomanybeersies
Off topic re: kak. I don't know where exactly it came from, but it's also a
word in New Zealand English (and possibly other dialects). If I told someone I
kacked my pants, they'd understand that I shat myself. It's not super common,
but it's understood.

I wonder if maybe it's because there's a lot of South African expats in New
Zealand.

~~~
nerdponx
Probably related to "caca" which usually means something related to fecal
matter in Romance languages.

~~~
saimiam
And Tamil which is not a Romance language.

~~~
YouKnowBetter
Since Tamil has borrowed more Dutch words (and uses at least one from Tamil,
being katamaran), I expect your kak to come from the Dutch kak, as kak always
rolls down hill.

------
jchw
Didn't Comcast publish a standard for injecting HTML into unencrypted traffic?

[https://tools.ietf.org/html/rfc6108](https://tools.ietf.org/html/rfc6108)

------
SideburnsOfDoom
Telkom is not just "an ISP", it's formerly _The_ Telephone Company, the state-
owned monopoly.

So more like "British Telecom" or "AT&T"

~~~
Synaesthesia
Yes they are, but they are also an ISP here in SA, among many.

~~~
SideburnsOfDoom
BT is also "an ISP among many" now.

------
Havoc
It's been known for years that they run transparent proxies.

And while this isn't great this is a bit overplayed. They're more the kind of
company that does something incompetently than one that does stuff
maliciously.

~~~
rcthompson
When you're dealing with a person, you can apply the saying "never ascribe to
malice that which can be explained by incompetence". However, when you're
dealing with a large organization or other group of people, it doesn't matter
whether the act was originally driven by malice or incompetence, someone in
the organization is going to exploit it with malicious intent.

------
Eek
How did this get on the home page?

Bigger companies also do that, Vodafone was compressing all images that went
through their 3G service, and a ton of ISPs inject / redirect HTTP traffic to
tell you to pay the bills.

~~~
chirau
What gets on the homepage is up to the community. Just because you know it
does not mean everyone else does or is not interested in it.

------
NinjaKitten
This is also the case in Namibia. Telecom Namibia is also running a
transparent proxy. If you ever make an HTTP request followed by an invalid
HTTP request over an unencrypted connection, the invalid request (say GET /
HTTP/NKD instead of GET / HTTP/1.1) will get filtered before reaching my
server.

I have however as of yet not seen them injecting JS or other content into HTTP
pages.
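
The check described in the comment above, as an added example that is not part of the original thread: a client sends a valid request line followed by one with an invalid HTTP version on the same connection, and the origin records what actually arrives. The function names, the loopback "proxy" that stands in for a filtering middlebox, and the reduction of each request to its request line are all assumptions made for this illustration.

```python
import re
import socket
import threading

# A well-formed request line: METHOD target HTTP/x.y
VALID = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d$")

def serve_once(listener, seen, upstream=None):
    """Accept one connection and read request lines until EOF.
    upstream=None: act as the origin and record every line in `seen`.
    upstream set: constructed stand-in for a filtering transparent proxy
    that forwards only well-formed request lines."""
    conn, _ = listener.accept()
    listener.close()
    out = socket.create_connection(upstream) if upstream else None
    with conn, conn.makefile("rb") as reader:
        for raw in reader:
            line = raw.rstrip(b"\r\n")
            if out is None:
                seen.append(line)
            elif VALID.match(line):
                out.sendall(line + b"\r\n")
    if out:
        out.close()

def listen():
    """Open a listening socket on an ephemeral loopback port."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

def run_probe(through_proxy):
    """Send a valid then an invalid request line on one connection and
    return the lines the origin actually received."""
    seen = []
    origin = listen()
    threads = [threading.Thread(target=serve_once, args=(origin, seen))]
    target = origin.getsockname()
    if through_proxy:
        proxy = listen()
        threads.append(threading.Thread(target=serve_once, args=(proxy, [], target)))
        target = proxy.getsockname()
    for t in threads:
        t.start()
    with socket.create_connection(target) as c:
        c.sendall(b"GET / HTTP/1.1\r\nGET / HTTP/NKD\r\n")
    for t in threads:
        t.join(5)
    return seen
```

On a real link the origin would be a server you operate outside the ISP's network, and a missing second line in its log is the sign of an in-path HTTP-aware proxy.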

~~~
NinjaKitten
It's worth mentioning that MTC Namibia (A mobile provider) does not do this.

------
xir78
Comcast does this too for letting you know you’re connected to Comcast’s
network and if you go over your data limit. Pretty terrible.

------
Synaesthesia
Wow that’s a great discovery. Telkom is a major service provider, and I use
them! Any other way to prevent this?

~~~
NikolaeVarius
Says right at the bottom

Pro-Tip: their injection can only work on HTTP and not HTTPS so there is some
relief from this inconvenient and dangerous code injection. Installing the
HTTPS Everywhere plugin will help mitigate the injection and is a recommended
plugin to run regardless. Alternatively install the Tor browser.

~~~
Synaesthesia
Yes I saw that, I meant to say no way to block it other than browsing through
TOR? Luckily many websites use HTTPS these days.

~~~
NikolaeVarius
Are you able to use this?

[https://protonvpn.com/](https://protonvpn.com/)

~~~
Synaesthesia
Yeah should work

------
jakub_g
TL;DR Telkom does HTML injection on all unencrypted traffic of its customers,
whereas the author of the linked blog uses #444444 text color on #000000
background (which gives contrast ratio 2.2 on
[http://leaverou.github.io/contrast-ratio/](http://leaverou.github.io/contrast-ratio/)).
I call it almost a draw ;)

Sorry I had to be that guy. Please improve contrast on your blog.

~~~
singularity2001
workaround: press ctrl+a

~~~
wavefunction
on a mobile device? ;)

~~~
knolan
Reader mode.

