
Comcast injecting JS - brokentone
https://gist.github.com/ryankearney/4146814
======
RKearney
I thought this code looked familiar!

Here's my writeup on it for whoever is interested

[http://blog.ryankearney.com/2013/01/comcast-caught-intercept...](http://blog.ryankearney.com/2013/01/comcast-caught-intercepting-and-altering-your-web-traffic/)

~~~
brokentone
Hey man, this thread really took off! Nice writeup here, if I saw that, I
would have submitted that instead. I submitted this right before I left work,
after noticing the requests on my server and a quick Google search (on the
UUID) turned up your gist and not much else. As a web server, I was kind of
trying to start some discussion to see if I was alone in seeing this and
didn't expect it to get to #2.

~~~
augustl
Interesting side effect of not serving the entire blog post on the blog itself
- the code in your posts won't be indexed by Google on your site, only on
gist.github.com?

~~~
RKearney
I had just moved my blog to a new host. I had done an import of my blog using
the Wordpress plugin instead of just exporting the entire database to help
clean things up.

I forgot to install the gist plugin so my blog post no longer contained the
code. I also had 3 different domains serving the same blog due to a
misconfiguration with Nginx which caused my blog to take a temporary hit on
Google.

I've since addressed those things so hopefully those will make my post
actually appear in a google search.

------
DanielBMarkham
Wonder how the folks back at Comcast HQ would feel if the rest of the internet
started adding messages to their web browsing telling them this kind of thing
is unsatisfactory? Hey, this content injection game is a game that we all can
play.

This is the old "windows alert" nonsense. Everybody and their brother that
touched the windows system thought the user would want a popup when their
program did something. So the user experience was/is full of annoying popups,
warnings, and information messages. Log onto a heavily-customized windows
machine that hasn't been used in a month or two and it's like visiting Las
Vegas. Good luck trying to get anything done.

Comcast. All kinds of other internet providers manage to communicate these
things to their subscribers without this nonsense. Take a hint.

~~~
lessnonymous
Interestingly it would be easy to write some code that detected THIS code. Get
web developers to add it to their sites and make it show a message that
Comcast is charging them for traffic they're causing. And then link to the
class action.

inject.ly isn't registered (yet) so let's presume some enterprising HN reader
uses that.

As a web dev, all I need to do is <script
src="//inject.ly/detect.js"></script> and it will detect this (and any future
variant) ISP-injected content.

Extra points for someone implementing this to have it optionally make a JS
call to another function or inject a customisable HTML widget on the page.

~~~
namuol
Or just make it a browser extension.

~~~
Tuna-Fish
Browser extension would require action from end-users, making educating them
using it rather redundant. Doing detection in JS can easily be deployed on
servers with minimal work needed, and can potentially reach a very wide
audience.

~~~
namuol
I was suggesting a browser extension to undo the mangling once users _are_
educated. I must have misunderstood the original idea.

------
brokentone
I'm getting a lot of requests on our servers for
"/e8f6b078-0f35-11de-85c5-efc5ef23aa1f/aupm/notify.do" so I can confirm this
is in production. I can also confirm they suck at JS.

~~~
networked
How about creating /e8f6b078-0f35-11de-85c5-efc5ef23aa1f/aupm/notify.do on
your server to notify Comcast users about what their internet service provider
is doing? If people started doing that en masse it could bring attention to
the problem and with enough publicity get Comcast to reconsider JS injection.

I don't really understand the point of this, either. Couldn't they start
redirecting users to a static page somewhere if there were a real need for a
"critical and time sensitive" alert? If the supposed alerts aren't critical
enough to justify doing that, use email, IM, RSS or Twitter, or even build a
custom notification app.

~~~
TheOsiris
Best idea ever! But, they'll probably prosecute whoever does it for some BS
reason and sentence them to a term of 500 years.

~~~
thomasvendetta
Don't forget a $70,000 fine.

~~~
SwellJoe
Per "violation". So, $70,000 times a few million pageviews.

~~~
fnordfnordfnord
every 5000ms

~~~
anigbrowl
Of course the alternative is for comcast users to get together and sue the
company for running malicious code on their machines.

~~~
film42
Considering the way they handle their customers (myself being one of them),
they honestly wouldn't care.

------
sbarre
This is nothing new..

Rogers has been doing this for years in Canada already..

They use it to notify subscribers when they are approaching their bandwidth
quota (75%) and then again when they hit 100%. You actually have to click an "I
understand" button to have it not show up over and over.

~~~
rescripting
Rogers also used to serve ads in place of an error message when a bad URL was
requested. That was the final straw causing me to cancel my service with them
and switch to Teksavvy.

~~~
rocky1138
For me it was their really low bandwidth caps. Acanac ftw!

~~~
rescripting
That was reason #2. Going from a 60gb cap (which I'd often go over by about
20gb) to a 300gb cap actually saved me a lot of money because of overage
charges.

------
mrb
This is just one more reason for using HTTPS _everywhere_. Doing so prevents
ISPs from intercepting and rewriting HTTP traffic.

Shame on you, Comcast.

~~~
ben0x539
If some interns running a corporate intranet can get a transparent https proxy,
what's stopping an ISP from rewriting your https traffic?

~~~
sjwright
Your browser, for one. What you describe is the very definition of a MITM
attack, regardless of proxy structure.

Your bank, for another. Indeed there are far too many parties with an interest
in keeping https secure, that you needn't worry about it.

------
dangrossman
So if you were proxying some other protocol over port 80, Comcast might just
inject some JavaScript into the stream and corrupt your data?

I don't even like the thought that they're running some kind of hardware that
makes this possible. They're sending packets impersonating a web server you
actually want to talk to, pretending to be part of a response you requested?

~~~
chadscira
I'm sure they are checking content-type headers...

Just because you can do this doesn't mean you should (I will stay away from
Comcast Xfinity).

~~~
Total_Meltdown
I wouldn't be so sure. They're barely even checking what browser you're
running.

~~~
chadscira
If they weren't then all JS and CSS files loaded through them would have their
script tags in it.

I have had these types of issues a while back at coffee shops that try to
inject ads; it was breaking my XML.

~~~
Total_Meltdown
Oh, good point, I guess there's got to be some kind of semi-intelligent HTTP
parsing going on in the background.

~~~
dthunt
The point is that it is impossible to do this right. This system breaks
software.

------
bigiain
So, if I'm reading their javascript right, we all need to put a file on every
website we can at "/e8f6b078-0f35-11de-85c5-efc5ef23aa1f/aupm/notify.do" with
the text "43a1028c-7d11-11de-b687-1f15c5ad6a13" in it, and any unfortunate
Comcast user in their bandwidth-cap-limited areas will have Comcast's stupid
alert box stay on.

For example:
[http://iainchalmers.org/e8f6b078-0f35-11de-85c5-efc5ef23aa1f...](http://iainchalmers.org/e8f6b078-0f35-11de-85c5-efc5ef23aa1f/aupm/notify.do?dispatch=checkBulletin)

;-)

------
STRML
This code is beyond awful - it fails to display, makes endless AJAX requests,
and more; here are a few fun tidbits:

1\. The code is not encapsulated in an IIFE, so it clobbers any global
variables (like 'image_url') in the page, breaking any scripts relying on
those variables.

2\. The code spends an inordinate time checking if you're running Netscape
Navigator 6.

3\. Strangely, they include a whole bunch of code allowing the message to be
dragged around the window (which is nice) but they don't allow it to be
closed. Of course, it closes itself after making a single AJAX request into a
black hole, so there's that. Bugs piled on top of each other make this entire
message mostly harmless, if it weren't for the variable clobbering & bandwidth
usage (see the next item...)

4\. Upon load, checkBulletin() is immediately invoked. This does an AJAX call
to
'/e8f6b078-0f35-11de-85c5-efc5ef23aa1f/aupm/notify.do?dispatch=checkBulletin'.
I assume this is to check if the bulletin has changed, to see if there are new
messages, or maybe to check if the user has acknowledged the message yet.
Unfortunately:

* This URL is relative, which means it will never actually reach its intended target (instead filling your web logs with this request)

* Upon xmlhttp.readystate=4 (request finished, successful or not, so this will change to 4 even on a 404 error), the comcast message is hidden. This means that the entire 'bandwidth exceeded' message will actually be hidden _as soon as this request completes_ , which may be in <500ms, giving the user absolutely no time to see or acknowledge it.

* The author makes an attempt to not continue sending AJAX requests to this URL after a successful attempt, but botches it, so _this request is actually sent indefinitely, every 5000ms_, while any page is open. This means every single tab on your system is popping AJAX requests every 5 seconds for the whole month that your account is nearing its quota. This likely brings you over quota pretty quickly if you leave your computer on all day.

That's right, _this code causes every page served on your system to pop an
AJAX request to the wrong URL every 5 seconds, as long as the tabs are open._

We can sit and argue all day whether or not it's ethical to display messages
by injecting code into the DOM, but it is certainly unethical to write such
awful javascript that clobbers global variables and drives up bandwidth costs
by making AJAX requests to the _wrong url_ every 5 seconds until the cows come
home. Whoever wrote this script should be fired.

EDIT: Similarly, back in the dialup days, some ISPs would inject ads into
their content. One way this was stopped was to argue that it was not legal for
the ISP to charge you for data, then artificially inflate the size of that
data by injecting ads. This script is doing just the same in a measurable way
by causing these AJAX requests to be run every 5 seconds on every tab in your
system.

~~~
ancarda
Ethical stuff aside, I can't imagine hiring someone to actually produce code
THIS bad. Where the hell did they find the coder to make this?

~~~
bphogan
They're all over the place. People just starting out. It could've been an
intern fresh out of college. It could've been someone who just never graduated
beyond copy-and-paste-from-StackOverflow. It could've been written by a person
who never did web development before and was just told to make it work.

The little HN/Twitter/Reddit "awesome programmer" bubble is just that... a
bubble. It's easy for us to forget that lots of people write lots of bad,
untested code all day long. As much as it frustrates me, lots of people code
who don't care about code - it's just their job.

~~~
Phlarp
>They're all over the place. People just starting out. It could've been an
intern fresh out of college. It could've been someone who just never graduated
beyond copy-and-paste-from-StackOverflow. It could've been written by a person
who never did web development before and was just told to make it work.

I'm an intern, just moving past S.O. copy-pasta jobs, and generally get scared
at what the Hacker News crowd might say about my code... seeing this caliber
of shit get pushed live by a major ISP is almost comical; if an admitted
novice such as myself can see that, it should be a sign as to the ineptitude of
our current crop of ISPs.

~~~
ancarda
The code on your GitHub, for the most part, seems fine.

One thing I can say is don't use exec[1] if you can avoid it:

    $string = 'rm /var/www/Giftest/*.gif';
    exec($string);

While there's nothing _technically_ wrong, it's platform specific and I think
it would be better to use PHP's unlink[2] function. Also, sorry if this is
wrong, I haven't looked at the regex, but it seems you're parsing YouTube URLs?
Have you looked at oEmbed[3]? It may be an easier way to accomplish what you're
doing. You can use it with json_decode[4] to get an object.

[1]
[https://github.com/Machtap/GiffyTube/blob/master/download.ph...](https://github.com/Machtap/GiffyTube/blob/master/download.php)

[2] <http://php.net/manual/en/function.unlink.php>

[3] <http://apiblog.youtube.com/2009/10/oembed-support.html>

[4] <http://php.net/manual/en/function.json-decode.php>

~~~
Phlarp
would you be willing to discuss this further? No contact in your profile.

~~~
ancarda
Sorry for the delay in getting back to you. Check your emails.

------
tonyb
This is probably part of their "Web Notification System". They have a published
RFC talking about how it works (RFC6108).

Using that system they can selectively notify customers. Like if they detect
your system is infected with a virus. Or warn you your service will be
discontinued if you don't pay your bill.

<http://tools.ietf.org/html/rfc6108>

~~~
STRML
Look at all the work that went into that RFC. Unbelievable that they couldn't
get a half-decent developer to verify that the notification is coded well
enough to _even show properly_.

~~~
tonyb
I agree. The entire concept is about trying to be less invasive in the web
browsing experience (by adding a popup instead of redirecting the entire web
session) but that all falls apart because of crappy JavaScript.

------
metageek
Isn't JS injection a copyright violation, since it creates a derived work? Or
has that idea been shot down before?

~~~
jerf
This remains an untested field of copyright law, as far as I know. I've been
waiting for literally over a decade for some test case on this matter to come
up, and it never does. Perhaps by 2023.

~~~
jmcqk6
Isn't this just a matter of

1) building a webpage where you own the copyright

2) Have someone in one of the cities where this is happening browse to your
page.

3) Copyright violated, and _you_ get to be the test case!

~~~
jacques_chester
Courts will generally refuse to take on manufactured cases. Their job is to
resolve real disputes.

A lower court would probably just throw the case out.

And if it didn't, the higher courts, which would set a widely binding
precedent, would exercise their discretion simply not to hear the case. Yes:
they get to pick and choose what appeals to hear.

~~~
andrewflnr
It doesn't have to be manufactured, someone just has to notice it already
happening.

------
pmorici
Comcast is such an incompetent company. I tried to sign up for service once
and they charged me ten bucks to ship me two coax cables yet I was never able
to get my service activated because I mistakenly thought my place was hooked
up to cable when it wasn't and when I tried to call to correct this and
schedule an installation I kept getting put on hold for a half hour before
being given a message saying there was an error with their phone system and to
call back. I mean seriously wtf.

~~~
nano111
After 2 weeks, 3 techs coming to my house, 5 chat conversations and multiple
phone calls I finally have service... I don't really like this legal monopoly
for cable companies... I would switch to AT&T but right now they are about
twice the cost...

~~~
mbreese
As a different point, my place was already pre-wired. I bought a cable modem
from Best Buy, and plugged it in. It synced immediately. Then I went online
and ordered service. They charged me $10 to send a self-install kit, but it
wasn't needed; I was actually online within minutes.

So sometimes their systems work...

I was very sad about switching from my other carrier (Sonic.net), but they
ultimately couldn't deliver very much bandwidth. And Comcast was actually
cheaper.

~~~
juiceandjuice
> And Comcast was actually cheaper.

At least for the first 6/12 months. Then you get to haggle and threaten
disconnection for a day, then you are good for another 6/12 months.

~~~
mbreese
In my case, their published (non-promotional) rates were cheaper than the
bonded DSL I was using. I really didn't want to switch, but I just couldn't
justify the amount I was spending for the bandwidth I got.

------
yellowbkpk
Has anyone other than OP actually seen this in the wild? None of the systems I
know about on Comcast here in Chicago have had HTTP manipulated at all today.
Maybe they're not doing it here because the 250GB bandwidth cap is
"temporarily suspended"?

~~~
mbreese
This is the real question. We can laugh all we want to about their crappy
code, but what I want to know is where this code is actually in the wild. If I
see this coming down my Comcast connection, I'm likely to cancel my service
that day.

~~~
RKearney
If you search for the GUID that's part of one of the URLs in the code, you
can find other places online including someone's "Top 404 pages" log. While not
widespread (yet), it is indeed happening. This post was from last year, but
this month Comcast bumped me up to 100Mbps so I will be purposefully reaching
my 300GB limit to test if it's still in production.

------
jacques_chester
I'd be interested in hearing from a lawyer whether this would constitute
interception of or tampering with telecommunications. In a lot of places
that's highly illegal except for installation/maintenance/repair, law
enforcement or where it's been invited and approved.

~~~
rbanffy
> where it's been invited and approved.

I bet the permission to do it is part of the ToS agreement.

~~~
jacques_chester
I suspect so. But depending on jurisdiction it may not be waivable. Or the ToS
may be drafted in a way that doesn't cover this.

~~~
sounds
Not to mention violation of the copyright of the website (and other
rightsholders):

• derivative works

• public performance

• willful infringement

• GPL violation

• patent infringement

------
Merrack
Cox is doing something very similar. It's somewhat disconcerting to see JS
like this ending up in pages, especially since they didn't get the URL right
and a future version of this script could conceivably allow someone to serve
malicious content to every Comcast subscriber, injected directly into your
page.

------
krichman
This is felony computer tampering on a worse level than accessing a URL that
is accidentally public but nobody will be fined or imprisoned for it.

------
awj
Has this been confirmed to still be happening? The guys blog post[1] states
that this was on Nov 20th 2012. Anyone currently using a comcast account want
to put down their pitchfork for a second and help verify this?

[1] [http://blog.ryankearney.com/2013/01/comcast-caught-intercept...](http://blog.ryankearney.com/2013/01/comcast-caught-intercepting-and-altering-your-web-traffic/)

~~~
RKearney
Hi awj, I'm the author of the blog post. As dangrossman said, Comcast only
enforces the limit in 2 cities. I live in the Nashville area, so I'm affected.
They just doubled my 50Mbps connection to 100Mbps so I will go over my limit
this month as I have 2 more grace periods left. If it happens again I'll
update my blog post.

~~~
davorak
Are there downsides to contacting the FBI about this? They in part exist to
document and keep track of potential crimes (potentially correlating them over
long time frames that may not be worthwhile to keep track of for an
individual but can add great benefit to society at large when the burden and
information is centralized). This seems like it would fall under their
definition of internet crime found on: <http://www.ic3.gov/faq/default.aspx>.

If there are not major downsides please file a complaint with the FBI; I
believe the URL is: <http://www.ic3.gov/default.aspx>.

I encourage you to explain

* your evidence that when accessing various websites they appear to be tampered with between the server and your computer.

* Your worry that it impacts your bill with Comcast as it seems to be eating up your bandwidth. An estimate of the amount of money being eaten up; if you have reason to suspect it is a city-wide occurrence, how much money is lost for everyone across the city?

* If you have packet logs of these occurrences I encourage you to include them.

* Unless you have hard evidence that points to Comcast as the party doing the tampering, I would not accuse any party of responsibility.

* If you have concerned friends who can independently verify similar conditions, it would probably be valuable to have them file similar complaints, referencing each other where applicable.

------
wyck
It would be nice if there was an easier way to find out ISP injections for the
layperson who can't really use wireshark/proxy and data comparisons, or for
technical people that just don't have the time.

This project had potential (it detected torrent traffic shaping) but it seems
to no longer be under dev. <http://broadband.mpi-sws.org/transparency/results/>

Also this is a good read and contains comcast traffic shaping info:
<https://www.eff.org/wp/detecting-packet-injection>

ps. Who cares about the shit JavaScript, this discussion should be about
detecting packet injection and shaping.

~~~
spmurrayzzz
There is validity in scrutinizing the code quality as well.

I agree that the ethical discussion is likely the paramount concern here and
should be discussed, but the code they're using floods the global namespace
which in theory could actually degrade service for end-users (by potentially
breaking commonly visited JS-powered sites that happen to use globals of the
same name).

It's worth pointing out that it would take minimal effort to make this code not
suck as much (wrapping it in a closure for a start). IMO it gives more context
to the initiative on Comcast's part. No time, effort, or care was put into
considering the ethical implications of this practice nor its practical effect
on the end-user.

------
iguana
They're also violating this patent:

<http://www.google.com/patents/US20110264729>

Which I can tell you for certain that they don't own. Bastards.

~~~
trhtrsh
    Inventors    Denis Kulgavin
    Applicant    Kulgavin Denis

Which one are you?

------
fiatmoney
If visiting a public URL is "accessing a protected computer without
authorization" if the owner didn't mean to make it public, I would suppose
that hacking my communications with a website in order to inject code into my
web browser should be too.

------
brianjyee
Comcast is an awful awful awful company. Yet I pay them over $100/month. I
hate them with a passion. I've never experienced worse customer service. If I
could pay double the price with a different company for internet/cable, I
would do it in an instant but I unfortunately have no other options.

~~~
smacktoward
Yeah, me neither.

The worst part is that once I was griping about the horribleness of Comcast on
Twitter, and a Verizon representative chimed in cheerily to tell me to check
out FIOS. Only thing being, it's been ten years since they first announced
FIOS was "coming soon" to my neighborhood and _it still isn't here yet._

Sometimes you don't know whether to laugh or cry, you know?

------
fosap
And this is why you should just encrypt everything (even Hacker News) with ssl
and install ssl-everywhere.

------
_conehead
My ISP does something similar, but it's meant to inject ads: one ad that
scrolls in from the bottom every two-three minutes (for ten seconds or so, and
that can't be dismissed), as well as another ad that _covers up_ ads that
other websites serve up.[0]

I've now resorted to using a remote VPN for all of my traffic.

[0]: A reddit post in which I discuss it:
[http://www.reddit.com/r/self/comments/19zhl6/my_isp_is_injec...](http://www.reddit.com/r/self/comments/19zhl6/my_isp_is_injecting_advertisements_into_my/)

~~~
davorak
I will encourage you like I have in several other posts, example
<https://news.ycombinator.com/item?id=5484850>, at this point to contact the
FBI. If this was happening over a 56k modem on a phone line it would clearly
be wire tapping.

I do not currently see a downside, if you see one let me know.

------
aswanson
The hilarious thing about this is Comcast's ridiculously buzz-worded job ads
for engineers. It's like they just cut and pasted everything any manager read
in a blog or magazine and pasted it to Dice:
[http://www.dice.com/jobsearch/servlet/JobSearch?op=302&d...](http://www.dice.com/jobsearch/servlet/JobSearch?op=302&dockey=xml/a/7/a7dd8fbbd6dddc796dc4ed71eaae455b@endecaindex&source=19&FREE_TEXT=&rating=)

~~~
AndyKelley
\- Regular, consistent and punctual attendance. Must be able to work nights
and weekends, variable schedule(s) as necessary.

WOW.

\- Other duties and responsibilities as assigned.

No developer in their right mind would apply for this job.

~~~
h2s
    > Tasks
    > Consistent exercise of independent judgment and
    > discretion in matters of significance.

This one literally stipulates that you will be expected to think for yourself
on a regular basis. Why on earth is this in there?

~~~
polymatter
As a catch-all. If they want to get rid of you, they can always cite this as a
reason.

------
markdown
This is the js my ISP (VodafoneFJ) injects into all web pages:
<https://gist.github.com/mark-up/5297830>

It basically optimizes images and replaces all image alt text with text saying
to hit CTRL+R to load full-versions of images.

I know that VodafoneUK and VodafoneAU do the same.

On the bright side, at least they respect the no-transform cache-control
header directive.

~~~
dangrossman
I believe T-Mobile does this in the US as well.

------
nthitz
Better hope you aren't naming any of your javascript variables similarly..

------
audiodude
They're probably just desperate because for some strange reason, people don't
seem to be getting the alerts sent to their @comcast.net email addresses...

------
brokentone
edit: I'm OP, not the content author. I serve a media website, which is where
I noticed and from where my concern stems. Comcast users should also be
concerned about this.

Just scanned my logs more fully and have serious concerns. As people have
noted, this really does make requests every 5 seconds. My 404 page is
currently 18KB, which means these users (who are being warned about their
bandwidth) are being forced by their ISP to download extra web traffic from
the site they're sitting on. For me that number is 1/3MB / minute and I'm
seeing users who sit around a very long time.

Also, this isn't restricted to the two metros (Tucson and Nashville) people have
mentioned. Here is a sample of hits I'm seeing (removing the final octet from
IP/hostname):

c-75-65-181-xxx.hsd1.la.comcast.net West Monroe, LA

c-174-52-141-xxx.hsd1.ut.comcast.net Provo, UT

c-69-137-179-xxx.hsd1.az.comcast.net Tucson, AZ

c-76-109-127-xxx.hsd1.fl.comcast.net Miami, FL

cpe-72-225-230-xxx.nyc.res.rr.com New York, NY

c-68-48-154-xxx.hsd1.md.comcast.net Washington, DC

c-98-224-83-xxx.hsd1.ca.comcast.net Fresno, CA

c-66-41-214-xxx.hsd1.mn.comcast.net Minneapolis, MN

So what do we do about this?
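
The log scan brokentone describes can be automated. As an added example (not code from the thread, from Comcast, or from the gist), the Python below parses constructed Common Log Format lines, picks out the notify.do path quoted in the thread, flags clients that hit it on a roughly 5-second cadence, and estimates the bytes an 18 KB 404 page costs each affected subscriber per minute; the hostnames follow the reverse-DNS shape shown above, and the timestamps and response sizes are constructed.

```python
"""Detect the injected bulletin poller in a web server access log.

Added example: scans constructed access-log lines for clients that
repeatedly request the Comcast notify.do path at ~5 s intervals and
estimates the bandwidth the 404 responses cost each of them.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Path the injected script polls (quoted in the thread); the query
# string "?dispatch=checkBulletin" is stripped before comparison.
BULLETIN_PATH = "/e8f6b078-0f35-11de-85c5-efc5ef23aa1f/aupm/notify.do"

# Common Log Format: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Reverse-DNS names such as c-69-137-179-xxx.hsd1.az.comcast.net carry a
# two-letter region code after "hsd1."; used only to summarise by region.
REGION_RE = re.compile(r"\.hsd1\.(?P<region>[a-z]{2})\.comcast\.net$")
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one Comcast client and one non-Comcast client polling
# every 5 s, one client with ordinary traffic, one client with too few hits.
_REQ = f'"GET {BULLETIN_PATH}?dispatch=checkBulletin HTTP/1.1" 404 18432'
SAMPLE_LOG = [
    f"c-69-137-179-xxx.hsd1.az.comcast.net - - [02/Apr/2013:10:00:00 +0000] {_REQ}",
    f"c-69-137-179-xxx.hsd1.az.comcast.net - - [02/Apr/2013:10:00:05 +0000] {_REQ}",
    f"c-69-137-179-xxx.hsd1.az.comcast.net - - [02/Apr/2013:10:00:10 +0000] {_REQ}",
    f"c-69-137-179-xxx.hsd1.az.comcast.net - - [02/Apr/2013:10:00:15 +0000] {_REQ}",
    f"cpe-72-225-230-xxx.nyc.res.rr.com - - [02/Apr/2013:10:00:01 +0000] {_REQ}",
    f"cpe-72-225-230-xxx.nyc.res.rr.com - - [02/Apr/2013:10:00:06 +0000] {_REQ}",
    f"cpe-72-225-230-xxx.nyc.res.rr.com - - [02/Apr/2013:10:00:11 +0000] {_REQ}",
    'c-76-109-127-xxx.hsd1.fl.comcast.net - - [02/Apr/2013:10:00:02 +0000] "GET / HTTP/1.1" 200 5120',
    'c-76-109-127-xxx.hsd1.fl.comcast.net - - [02/Apr/2013:10:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 18432',
    f"c-174-52-141-xxx.hsd1.ut.comcast.net - - [02/Apr/2013:10:00:00 +0000] {_REQ}",
    f"c-174-52-141-xxx.hsd1.ut.comcast.net - - [02/Apr/2013:10:00:30 +0000] {_REQ}",
]


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_pollers(lines, expected_interval=5.0, tolerance=1.0, min_hits=3):
    """Return {host: summary} for clients whose requests for BULLETIN_PATH
    recur with a median gap within `tolerance` seconds of `expected_interval`."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == BULLETIN_PATH:
            hits[rec["host"]].append(rec)

    pollers = {}
    for host, recs in hits.items():
        if len(recs) < min_hits:
            continue  # too few samples to call it periodic polling
        recs.sort(key=lambda r: r["time"])
        gaps = [(b["time"] - a["time"]).total_seconds() for a, b in zip(recs, recs[1:])]
        gap = median(gaps)
        if abs(gap - expected_interval) > tolerance:
            continue  # not on the 5-second cadence the script uses
        total = sum(r["bytes"] for r in recs)
        region = REGION_RE.search(host)
        pollers[host] = {
            "hits": len(recs),
            "median_gap_s": gap,
            "bytes": total,
            # average response size times polls per minute
            "bytes_per_minute": (total / len(recs)) * (60.0 / gap),
            "region": region.group("region") if region else None,
        }
    return pollers


def by_region(pollers):
    """Count flagged clients per Comcast region code (None for other ISPs)."""
    counts = defaultdict(int)
    for summary in pollers.values():
        counts[summary["region"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_pollers(SAMPLE_LOG)
    for host, s in found.items():
        print(f"{host}: {s['hits']} hits, {s['median_gap_s']:.1f}s apart, "
              f"~{s['bytes_per_minute'] / 1024:.0f} KB/min wasted")
    print("by region:", by_region(found))
```

Point it at a real access log with `find_pollers(open(path))`; a client whose 404s land every 5 seconds is being made to poll by the injected script, not by anything on your site.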

~~~
betterunix
"So what do we do about this?"

Use TLS, warn customers about a malicious ISP attacking their connection, set
up an encrypted proxy/VPN service for people to use, etc.

------
intr1nsic
So this sucks, but it's not as bad as many are making it out to be. In a
previous role, I was forced to deploy an appliance that did this exact same
thing. It's not a man-in-the-middle, or traffic intercept with forged
responses.

Most of the time these appliances act as a 'cache' device. They will sit some
where in the network ( inline, out of band, or as a WCCP device ) that will
answer common router cache lookups.

In the case of WCCP, User behind cable modem X requests www.google.com ( HTTP
Non Secure Traffic ONLY! ) and the router asks the appliance, "Hey, do you
have a cache record for this request from this user behind modem X?". At this
point, the appliance will do a DHCP Lease Query for that IP and get Option 82
from the lease record. Most of the time this is the mac address of the Modem.
Then it takes this Mac address and either looks up in an internal database or
an external one to check if this user has a message 'waiting', IE: Over
allotted bandwidth, billing note, spam or just BS. If there is a message
waiting, the appliance will tell the router, "YUP, i've got it. Let me send
back this small .JS response". From my experience, this small JS ( Even if it
is horribly written ) will be returned to the user with some code in it that
does another request to the website originally requested in a frame of some
sort. Request is made again, but this time the "message" waiting for the user
has already been delivered, so the initial process returns "Nope, nothing for
that user" and the content originally requested is loaded upon the 2nd round
trip. It's still your PC with a fake original response. I won't pretend to know
how Comcast or Rogers does this, but I know one vendor I have used did it this
way. I fought it till I was told to put it in production or find other
employment. It sucks, but if done correctly on HTTP non-secure traffic only in
a manner that is described above, I think it's a better idea than what products like
Procera or Sandvine do, which IS MITM forged responses. Hope this helps explain
a little better what may be going on in this situation.

~~~
intr1nsic
It looks like based on the code and reference to 'bulletins' this is a product
from PerfTech ... <http://www.perftech.com/bulletin_system.html>

------
hunvreus
Something that we're used to seeing in China (China Telecom is regularly pissing
me off with injected ads), but that I would not expect to see in the US.
Though I seem to remember seeing this kind of practice once in San Francisco.

What are the legal recourses you have with regards to this type of forced
advertisement?

------
kevinburke
Not only that but it appears people are using Comcast as a DoS proxy:
[http://blog.ryankearney.com/2013/01/comcast-caught-intercept...](http://blog.ryankearney.com/2013/01/comcast-caught-intercepting-and-altering-your-web-traffic/#comment-776514886)

------
jdavid
This is either a bad April Fools joke, or it might be related to one of the
following:

* ISP - 'six strikes' of content abuse

[http://www.techradar.com/us/news/internet/broadband/six-stri...](http://www.techradar.com/us/news/internet/broadband/six-strikes-us-copyright-warning-system-to-launch-this-year-1096822)

* EBS - Emergency Broadcast System

[http://www.washingtonpost.com/blogs/blogpost/post/wheres-an-...](http://www.washingtonpost.com/blogs/blogpost/post/wheres-an-emergency-alert-system-for-the-internet-and-the-phone/2011/11/09/gIQAlYGR5M_blog.html)

[http://news.cnet.com/8301-19882_3-57321623-250/wheres-the-em...](http://news.cnet.com/8301-19882_3-57321623-250/wheres-the-emergency-alert-system-for-the-web/)

------
vetrom
To add to the old news litany: Saw this on Vodafone over in Germany a few
years back. To add to the security litany: SSL. EVERYWHERE. Firesheep ends up
useful again :)

That said, this was probably only noticed as quickly as it was due to its
stupidity and intrusiveness.

IMO what should be championed for is good decentralized end-to-end security,
something like opportunistic IPSEC / anonymous SSL everywhere by default.

Sure, there are holes in it you can fly planes through, but it's a world
better than it being cost effective for whoever to inject and MITM everything.

I'm not even going to touch on the pros/cons of over-subscription and business
models which rely on it. (IMO most do, at least implicitly, and I'm not sure
how to normalize analysis of that.)

~~~
caf
Any opportunistic encryption would simply be blocked by the ISP that wanted to
do this kind of thing, so the clients fall back to plaintext.

------
jms703
Comcast does this for good reason.

<https://amibotted.comcast.net>

Yes, the javascript is crappy, but no reason for their customers to be
outraged. I don't know any other ISP that is helping out with the botnet
problem.

------
readme
Um, is this something that is always injected? I have comcast and I don't see
it in any pages.

I'm guessing this is their clever way of reminding you to pay the bill when
you're late?

Pay your bill or they'll stuff ugly JavaScript in your browser, you've been
warned!

~~~
fletchowns
It's right there near the top....

 _You have reached 90% of your <b>monthly data usage allowance</b>._

~~~
readme
Nope, I don't have it. Are you Canadian? Maybe it's a Canada thing? Doing it
to tell you about your data allowance is a bit excessive, for sure.

~~~
dangrossman
You don't have what? Comcast had a data cap nationwide (250GB/mo) even if you
weren't aware of it. They temporarily stopped enforcing it outside of two test
markets (Nashville and Tucson) where they're working out exactly what limits
people will put up with. You wouldn't see this popup unless you live there and
you've used over 225GB this month.

~~~
readme
Thanks for the explanation.

------
teeja
I don't grok why they'd even try to inject their code into a webpage you
requested. Why not simply create a separate page that you see BEFORE, that you
read and acknowledge receiving, and then finish sending the requested page?

------
gcr
The easiest way to combat this is to use SSL. You should be doing that on your
website anyway.

Another effective way of combatting this is to detect what's happening and add
a "This ad was sponsored by Comcast:" message.

I can sort of see the intent behind this. I just wish they'd tell their
customers about their service usage out-of-band, like sending them a text
message or an email.

One part of me realized "OMG they're going to track which websites I visit by
looking at the HTTP Referer!" But then I quickly realised that as my ISP, they
already have access to that information anyway...
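
The detection gcr mentions, as an added example that is not part of this thread or of the gist: a Python comparison of the HTML a server actually sent against the HTML a client received, reporting `<script>` elements that exist only in the received copy (the basis for the "this page was modified in transit" notice suggested above). Both HTML documents and the hostname `isp-proxy.invalid` are constructed samples, not content from the gist.

```python
"""Report <script> elements present in a received HTML document but absent
from the copy the origin server sent.

Added example, not code from the gist or from any commenter. The two
documents at the bottom are constructed samples; the injected script and the
host isp-proxy.invalid are placeholders, not the script discussed in the
thread.
"""
from collections import Counter
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    """Collect every <script> element as a (src, inline_body) tuple."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._body = []

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data, possibly in chunks.
        if self._in_script:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._body).strip()))
            self._in_script = False


def collect_scripts(html):
    """Return the list of (src, inline_body) tuples found in html."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def find_injected_scripts(origin_html, received_html):
    """Return scripts that appear in received_html but not in origin_html.

    A multiset difference is used, so an extra duplicate copy of a legitimate
    script is reported as well. Inline scripts have src None.
    """
    expected = Counter(collect_scripts(origin_html))
    seen = Counter(collect_scripts(received_html))
    extra = seen - expected
    return sorted(extra.elements(), key=lambda s: (s[0] or "", s[1]))


def injection_notice(injected):
    """Text a site could display when injected scripts are detected."""
    if not injected:
        return ""
    labels = [src if src else "inline script" for src, _ in injected]
    return ("Warning: this page was modified in transit; "
            f"{len(injected)} script(s) were added that this site did not send: "
            + ", ".join(labels))


# Constructed sample: the page as the origin server sent it.
ORIGIN_HTML = """<html><head><title>Example</title>
<script src="/static/app.js"></script></head>
<body><p>Hello</p><script>var siteVar = 1;</script></body></html>"""

# Constructed sample: the same page as received, with one inline script and
# one external script (placeholder host) added on the path.
RECEIVED_HTML = """<html><head><title>Example</title>
<script src="/static/app.js"></script>
<script type="text/javascript">var injected_message = "quota notice";</script></head>
<body><p>Hello</p><script>var siteVar = 1;</script>
<script src="http://isp-proxy.invalid/notice.js"></script></body></html>"""


if __name__ == "__main__":
    found = find_injected_scripts(ORIGIN_HTML, RECEIVED_HTML)
    for src, body in found:
        print("injected:", src or "inline", repr(body[:60]))
    print(injection_notice(found))
```

This only works where both copies are available, for example a reference fetch from a vantage point the site controls beside what an affected user's browser received; as the rest of the thread notes, serving the page over HTTPS prevents the modification rather than detecting it afterwards.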

------
dspillett
Do comcast users come from a recognisable range of addresses? If so I might
have to add a warning to everything I output along the lines of:

"Your ISP (Comcast) adds terrible Javascript to the code of this page without
our knowledge or permission, therefore if you have any problems with this
application please contact their support line in the first instance and not
us. While your ISP is modifying our code, especially while they are modifying
it by adding such terrible code of their own, we simply cannot support you,
sorry."

~~~
brokentone
No but their hostnames generally call out "comcast" somewhere therein. I've
called out some affected clients elsewhere.

------
philip1209
This is why I run an always-on VPN.

------
tokenadult
Ladies and gentlemen, this is why if you are hiring a programmer, you always
ask for a work-sample test before making the hiring decision final.

<https://news.ycombinator.com/item?id=5227923>

Yes, the code sample suggests someone clueless about programming in general,
even more than being clueless about the particular language of this program.
So on what basis was the coder hired?

------
jakub_g
I live in France and I'm a customer of Orange. I was really surprised to see
on my mobile, on Facebook (m.facebook.com - I've noticed it only there, but
perhaps there are more pages like that) they're injecting HTML with a "Return
to Orange World" link in the footer directing to orange.fr. Not sure if
anything more though - I have a plain old mobile with Opera Mini.

I'm curious if they have some deal with FB to do it.

~~~
testtata
It could be the fact that you have a strange combination of both an old phone
and (what could be a customized) Opera Mini.

I have an iPhone at Orange and never saw this.

~~~
jakub_g
I've installed Opera Mini on my own, so it's not customized.

------
api
Major web sites should sue for theft of service. They are modifying someone
else's copyrighted content to steal their advertising revenue.

Also: https everywhere, now.

------
miles_matthias
I'm glad I'm not on Comcast anymore. Terrible customer service combined with
anti-customer practices like this, in addition to the lowest cost/service
value on the planet and I'm glad to be done.

We switched to CenturyLink and we're really happy. I'm regularly getting 35-40
Mbps for half the price of 6 Mbps on Comcast. It is a little unnerving to know
that 40 is literally the limit of their DSL technology though.

------
shuzchen
I'm pretty sure Comcast aren't the only ones doing this. I had mobipcs for a
while (when I had just got a new house and had to wait for DSL to get
installed) and they injected JS that tracked your browsing and replaced certain
ads it found (as well as caused various errors because it wasn't written
properly). I wouldn't be surprised if other companies did the same.

------
mweinbergPK
Non-quality of code question, and sorry I haven't been able to parse this from
the comments so far. Am I reading this correctly to mean that Comcast's method
of alerting customers that they are close to their cap drives them closer to
their cap?

------
DigitalSea
Some of the worst JavaScript I have ever laid my eyes upon. Polluting the
global namespace, checks for Netscape Navigator 6... It burns my eyes reading
this. Did they actually hire a programmer who wrote this?

------
shahar2k
I see a lot of discussion on the quality of the code, but not much about the
fact that Comcast is modifying the content they are serving without informing
their customers AKA the legality of the situation...

------
marshray
The image_url variable references "constantguard/BotAssistance", which turns
up in search results as a system used to alert customers of DNS changer
malware.

------
minimaxir
Wait, does the Detect Browser script actually work for browsers made after
2001? I'd hope that Comcast's customers aren't using Netscape 6...

------
mikeryan
I'm torn.

This seems bad, but the warning (exceeding your bandwidth quota) seems
valuable. I can't think of another, better way to message this.

~~~
passionfruit
Here are some other ways.

1. They could email you.
2. They could send you an SMS.
3. They could let you view your bandwidth usage by logging into their site.
4. They could provide an application (desktop or mobile) to keep track of your bandwidth and alert you at certain points.

~~~
DanBC
My provider (T-Mobile in the UK, using a mobile 3G dongle) sends me an SMS, and
the connection software has lots of graphs and numbers.

They still send interstitial content warning me that I've exceeded my fair-use
limit. It's a bit annoying because I very carefully checked what the limits
were before I signed up.

What's worse is that they use weird, broken IP addresses and horrible proxies
for image mangling.

EDIT: Here's a pastebin.

(<http://pastebin.com/k6ddD0sJ>)

EDIT: Here's a Security Stack Exchange question about it:
(<http://security.stackexchange.com/questions/9368/mobile-carrier-javascript-injection>)

------
jstalin
Another reason to use an SSH tunnel or VPN for all traffic, combined with
HTTPS Everywhere.

------
gohwell
brainjar! My go to resource for DIV positioning back in 1999.

------
tantalor
Where is the Chrome extension to block this?

~~~
bdisraeli
HTTPS Everywhere[1]. Using SSL certificates helps prevent man-in-the-middle
attacks[2], such as this. Comcast wouldn't be able to read any of your traffic
and insert js without spoofing SSL certificates.

[1] <https://chrome.google.com/webstore/detail/https-everywhere/gcbommkclmclpchllfjekcdonpmejbdp?hl=en>

[2] <http://security.stackexchange.com/questions/8145/does-https-prevent-man-in-the-middle-attacks-by-proxy-server>

------
antihero
Another reason to use SSL everywhere.

------
thisone
If they just went to unlimited internet, they wouldn't need this thing.

------
IheartApplesDix
Mobile carriers do this too. I see the exact same feature being provided on my
Sprint line.

~~~
davorak
If this was happening on a 56k modem over a phone line it would clearly be
wire tapping. I encouraged the op in another post,
<https://news.ycombinator.com/item?id=5484850>, to contact the FBI. If you see
a downside to this let me know, but until I realize one, or have one pointed
out I encourage you to do so.

~~~
IheartApplesDix
I was just blocking 1.2.3.4, which the inserted JS used to download the rest
of the "features". I have no reason not to report this to the FBI except I
don't really understand what's going on here so I wouldn't be a good contact.

If you would like to see the content of the script, I can show it to you, it's
a bit different than the one posted here.

------
mschuster91
OMG LOL. Have they never heard about jQuery? Christ, they could have made the
code so much more elegant.

~~~
jarek-foksa
Their jQuery code would probably look like <http://enterprise-js.com/23>, with
_aggressive_ caching methods used on all jQuery selectors:
<http://enterprise-js.com/27>

~~~
spoiler
Wait, what? Why didn't I know about this website before? I am writing all
these down!!!11oneoneone EOSarcasm

