
Indian Programmer Exposes Code Injection, Gets a Cease and Desist from Injectors - sandeepmzr
http://techcrunch.com/2015/06/10/indian-programmer-exposes-code-injection-gets-a-cease-and-desist-from-the-injectors/
======
dang
This has been posted a few times, most notably
[https://news.ycombinator.com/item?id=9683108](https://news.ycombinator.com/item?id=9683108).

~~~
nightpool
are these automated? this story has 6x the comments and 3x the upvotes then
that one.

------
jimrandomh
Brief summary:

Thejesh has accused Indian Airtel and Flash Networks Layer8 of something that
may be a crime (depending on the particulars of Indian law) and is definitely
a scandal. Specifically, the accusation is that Flash Networks Layer8 wrote a
piece of malicious software and that Airtel injected it into customers'
network connections. Thejesh republished the injected script on GitHub.

Flash Networks sent a nasty letter to GitHub asking them to take down the
evidence, claiming that their malicious software is copyrighted. GitHub
complied.

~~~
wvenable
Just because code/webpages are delivered to you over the web doesn't mean you
can take them and republish them somewhere else.

~~~
shmerl
Is illegal code (i.e. malware) protected by the copyright to begin with? If it
is, then all antiviruses blatantly violate copyright. But something tells me
they don't need to ask any permission from malware authors.

~~~
wvenable
It seems like illegal works should be protected by copyright[1]

But that begs the question, as ad injectors are probably not illegal.

[1]
[http://www.cardozo.yu.edu/sites/default/files/Eldar%20Haber,...](http://www.cardozo.yu.edu/sites/default/files/Eldar%20Haber,%20Wrong%20Copyright.pdf)

~~~
shmerl
I'm not sure they are not illegal. At least they shouldn't be any less illegal
than many other types of malware. But I'm not familiar what laws that falls
under.

~~~
wvenable
Injecting ads into content has been what television stations have been doing
for decades. Users of the network service may even have agreed to this in the
terms of service for using the network. It's a crappy thing to do but not all
crappy things are illegal.

~~~
shmerl
This example was not about injecting ads. It was about collecting data about
users which is violating their privacy (i.e. it's malware).

~~~
wvenable
What are you basing this on? Flash Networks said "The javascript mentioned
does not collect or store any user data but is used to deliver user messages."
and I haven't heard anything to contrary.

In fact, it doesn't sound like it was even going to be used to inject ads
except for offering users to upgrade to larger plan when they were near their
data expiration.

I agree that any code injection is shady and unwanted but you're just making
stuff up.

~~~
shmerl
On the article:

 _> “This is a standard solution deployed by telcos globally to help their
customers keep track of their data usage in terms of mega bytes used. It is
therefore meant to improve customer experience and empower them to manage
their usage. One of our network vendor partners has piloted this solution
through a third party to help customers understand their data consumption in
terms of volume of data used.”_

The same thing was claimed about various malware in the past, which was found
capable of doing all kind of weird things way beyond "improving customer
experience".

~~~
wvenable
You are not stating any facts and so this doesn't add anything to the
discussion.

------
nish1500
Wow!

I was using the WiFi at the Bangalore or Mumbai airport one day when I
realised that half of the websites appeared broken in some way. I looked into
the code and realised that the WiFi provider was injecting JavaScript ad codes
in all the web pages I was visiting.

I talked to some people about it, but no one seemed perturbed. Such invasions
of privacy are a hallmark of Indian companies. Even more perturbing is the
lackadaisical attitude of consumers towards such breaches; most them don't
think it's wrong.

On a slightly un-related note: India has a national DND registry, for
preventing marketers from spamming users' phones. I have filed over a dozen
DND complaints and appeals over the last year, with Airtel and Vodafone,
against major e-commerce Indian companies. It's amazing the extent to which
these operators would go to suppress the issue. None of my complaints were
resolved, and I still get spammed. People tell me - It's just a bunch of
messages. Ignore them.

~~~
pskocik
Well, you should always be able to tell if you limit yourself to HTTPS sites.
If they offered their own devices and had hacked them to make middle-manned
HTTPS sites appear safe, that would be crossing the line for me.

------
eridius
> _and Github, for their part, cravenly pulled the code as part of DMCA
> request._

That's a very weirdly-opinionated statement. Isn't GitHub legally _required_
to obey the DMCA request?

~~~
sp332
Not required exactly, but if they refuse to take down the content, then they
can be sued for copyright infringement themselves. The DMCA removes their
liability and makes the fight between the uploader and the copyright holder.
But if they step outside of the "safe harbor" they become potential targets.

~~~
poizan42
IANAL, but can't github still be sued in India where the DMCA doesn't apply?
GitHub is doing business in India as well, so wouldn't they be subject to the
jurisdiction of an indian court?

~~~
mikecb
They may be able to, depending on Indian Court's jurisprudence on personal
jurisdiction, but unless they have assets in India, the Indian judgement would
have to be brought to the United States for enforcement. The U.S. has laws and
procedures outlining what sorts of foreign judgements will and will not be
honored and enforced by U.S. Courts. For example, a U.S. Court will not
enforce a libel judgement from a UK court, because of the SPEECH Act. See
more:
[http://en.wikipedia.org/wiki/Enforcement_of_foreign_judgment...](http://en.wikipedia.org/wiki/Enforcement_of_foreign_judgments#Enforcement_of_foreign_judgments_in_the_U.S).

------
jamra
He got a cease and desist letter from the copyright holders, not the
injectors. I believe his ISP was injecting.

~~~
shkkmo
Why is this downvoted? The statement appears to be correct based on the
article linked.

>an Indian Airtel customer, Thejesh GN, discovered that the carrier had begun
using Flash Networks Layer8 “monetization” (read “ad injection”) solutions.

>However, like so many ridiculous cease and desist letters, that hasn’t
stopped Flash Networks lawyer Ameet Metha at Solicis Lex from trying to scare
Thejesh

>Airtel, for their part, told Storypick that they have nothing to do with the
C&D:

~~~
jamra
I think we should do a research project on comments like mine that get
initially downvoted, but then receive statements like yours clarifying the
authenticity of the original comment. I have more upvotes on this comment than
on most of my other comments.

~~~
shkkmo
Funnily enough, my clarification got 1 up vote...

------
webkike
I wonder, if I write some HTML/JS code and deny the write to modify, can I
send Flash a cease and desist for violation?

~~~
TheDong
You don't have to do that; there are plenty of webpages with GPL'd html and
injecting such code into that html without also providing the code under GPL
on request to any user is a violation of the GPL.

I'm curious if the above copyright infringement would stand in court or not...
Copyright infringement normally does need intent and I'm not sure if this is
really intent or not.

~~~
GhotiFish
I'd never considered that angle before, that's a good thought! If they intend
to modify the source of a page then that would be considered a derivation, and
obfuscated code is not considered a source code release.

I'd love to hear a more professional analysis on this angle.

------
madez
This happens in Brazil, too. It is outrageous but the public in Brazil is
horribly unenducated and they couldn't care less.

~~~
rroriz
I'm from Brazil. Which carrier do you use that has this same behaviour? I
really want to check what they are doing...

~~~
madez
I had a sim card from VIVO and they regularly used DNS-hijacking to show me
captive portals which tried to convince to pay for more traffic. One thing at
least as annoying as that is that Firefox caches that site so that when I
close the portal and try to reaccess the original website Firefox shows me
again the captive portal.

------
ashishchaudhary
There was a question about it on the stackexchange network as early as 30
April: [http://superuser.com/questions/908092/my-isp-is-
inserting-a-...](http://superuser.com/questions/908092/my-isp-is-inserting-a-
javascript-file-into-all-the-pages-i-browse)

------
anandpdoshi
Doesn't using HTTPS prevent such an injection?

~~~
acomjean
I would hope so, unless there is some monkey business with the SSL Certs like
the "superfish".

A lot of pages aren't https yet though.

~~~
Leon
Superfish was because the laptop manufacturer bundled adware which added its
own root certificate that was broken, they aren't able to add root
certificates in this case.

~~~
nightpool
Unless its something they require on their phones as a carrier ¯\\_(ツ)_/¯

------
shubhamjain
Privacy is never a serious issue in India and even in this case, it only
caught an eye when C&D letter was sent. In fact, code and advertisement
injection is something broadband providers like MTNL have been doing since
ages. Sadly, business malpractices rarely get punished in India and have
become more of norm that comes with running it.

The only way I see out is to hurt these companies as much as possible.
Boycotting their services on a large scale, so they get to know that they are
not the king here.

------
paraxisi
For those of you who are interested, here is the code:
[http://pastebin.com/shcMPTHc](http://pastebin.com/shcMPTHc)

~~~
caioariede
Unminified version:
[http://pastebin.com/Zgjaksng](http://pastebin.com/Zgjaksng)

------
ejcx
I had a similar thing happen to me in the USA actually but had a different
outcome.

I got on instagram.com (when it was still served over HTTP) one day and
noticed an alignment issue. I believe reddit also had the issue. It was caused
by a rogue iframe that was being injected into the page.

After some investigating the iframe domain was owned by my ISP. I sent emails
to some of the higher ups telling them they should stop and the problem
disappeared after about a month, and wrote a chrome extension to block the
domains in the meantime. Not really sure what their idea was but it goes to
show that you can't trust your ISP anywhere in the world (or anyone on the
internet for that matter).

------
Rudism
Comcast uses code injection like this in markets where they implement the
300gb/mo bandwidth cap. Not for injecting ads or anything outwardly malicious,
but to display a javascript overlay telling you when you're approaching or
over your bandwidth limit for the current month. It's a piece of javascript
that they'll inject right on whatever page you're browsing (HN, Reddit,
whatever).

------
mahouse
How weird, an israeli company doing this.

------
currentoor
It's not really a big deal but why do they need to say _Indian_ programmer as
apposed to just a programmer?

~~~
jimrandomh
Because the story takes place in India, and since TechCrunch is an American
publication, people would otherwise assume the story was taking place in the
US.

~~~
poizan42
That and the DMCA does not apply in India, they are just abusing the system.

~~~
jimrandomh
No, the DMCA does apply because GitHub is an American company.

(I mean, they are abusing the system, but not in that particular way.)

------
mkagenius
I have never heard the term "American" programmer. Why?

~~~
smeyer
Are you in the US and/or consuming primarily American media sources? I'd
imagine the term might be more common in articles written in India and the
term Indian programmer more common in articles written in the US.

~~~
mkagenius
I am in India. Never heard American programmer. Maybe Indian media doesn't
cover much tech.

~~~
duaneb
I felt it was more about the situation of the person (being an Indian ISP and
in India) rather than a defining characteristic of the person. I would expect
them to call a programmer American if it's an Indian newspaper and the piece
of news happened in the US.

