TV service just keeps getting more and more obnoxious. I only got it because it came with 2 years of free HBO and was cheaper than Internet alone at the tier I wanted. There's hardly any reason to watch cable TV any more. (I know, sports. Not really my thing, but I get that a lot of people want to watch live sports)
I could get Sonic Fusion FTTN but that's just rebranded AT&T, and peaks at 28mbits. I get better LTE speeds than that.
I tried to bring in MonkeyBrains but the building administration refused, saying they would have to drill into load-bearing columns. Just an excuse.
I only pay for internet access, I don't use their cable TV or telephone offerings. Internet alone is about $80/month. I just ran a speed test and I get 14.1Mbps down & 8.6Mbps up. I forget which speed tier I'm paying for, but I know I'm paying for much more than that! Ugh...
AT&T DSL sucks no matter where you are though.
Still, Comcast shares their internet between customers in your area. If you're the only customer in your area, you can certainly get what you're paying for. If you're not, the best you can hope for is 1/4 of your promised connection speed during peak hours. It is something that Comcast has been doing for years, but it allows them to advertise higher speeds for lower prices than AT&T and people believe them because not everyone is familiar with the fine print.
- I can usually get directly to someone clued on the phone, who doesn't make me jump through hoops or silly scripts to debug a problem; they realize I've already done everything possible on my end already before calling (spent years working for ISPs).
- No blocked ports, I host my own server and do my own email, web hosting, etc. Comcast even provides reverse dns for my five static IPs.
- No data caps. In fact, they don't even measure usage for business accounts.
Other than when I had a physical problem (short in the line from the pole to my house), I've always gotten the speeds that I pay for - in this case 50Mbps down, 10Mbps up.
Disadvantages to business class:
- I pay $150/month for 50/10 and five statics.
- It's Comcast.
I was an ATT UVerse customer (standard, not business) before switching to Comcast Business about 4-5 years ago, but their max speed offering was only around 18Mbps down, and their "business class" service required the same craptastic 2Wire gateway and static IPs required 1-to-1 NAT through that gateway... No thanks.
- Don't care about blocked ports. I don't personally host anything, our company also has a separate hosting service.
- I'm sorry, but... data caps? Is this a joke? In this day and age of services like Netflix and digital content distribution like Steam there's a place for data caps?
- $150/month is a ridiculous cost to put on a guaranteed 50/10 line. Don't care about the static IPs personally as I don't host anything.
- Comcast, right.... you hit it on the nail there, it looks like. My experience with their customer service so far has been horrible. I'm usually empathetic when talking with technical support as I used to do the same job myself, but there's empathy and then there's people trying to intentionally annoy. So far I've felt like bashing my head against the wall after just three sentences from Comcast tech support. And they claim they spend millions on customer satisfaction? Please.
I was an UVerse customer too. I had only one issue with them for the two years I was their customer and I'm seriously considering going back. Better have a slower connection I can rely on than having a 'blazing fast' connection that craps out every 5 minutes.
I won't ever use Comcast again... I had to get the local govt involved to get them to stop billing me for a place I hadn't lived in for 6 months. (Yes, there is an agency here to deal with them; they are that shitty.)
The smaller speed with usable internet speeds and decent customer service is worth it.
It kind of tends to hurt not just me, but a fair bit of other people in the process when I, as a raid leader for our guild, cannot maintain a stable connection and get dropped several times over a 2-hour period. Never had those issues on my ATT connection and I've only had a single issue where a tree had fallen and severed a cable during 2 years of being their customer.
I wanted to start streaming our raids which was also the main reason to try the switch, but if it comes at the cost of being unable to take part in them, I might as well not bother.
It's a tough call: go 1/4 speed at 1/2 the price, reliably, or try to go 4 times faster at "only" twice the price (appx), but gamble from day to day :-(
Unfortunately they don't even reach JP, so I'm stuck with Comcast.
If low Earth orbit broadband internet ever happens, that could potentially be an excellent choice. But with the current offerings, it's always going to be the absolute last resort.
I was a "happy" Comcast customer for years. I was in a condo where the choices were Comcast or Verizon DSL. Maybe. I called Verizon to see what they had to offer and they didn't know if I could get their DSL service or not. The best they could do was to place an order and see if it worked. Really!
Even if I could get service from them, their offer was 1.5Mbps for something like $50/month. Completely ridiculous.
It was like this when I moved out about three years ago, and as far as I know it's still like that today.
- Comcast (up to 100MB/s)
- Century Link DSL (up to 10MB/s)
- 3G/4G modem (up to like 3MB/s)
Then 10 minutes south of where I live, that county has deals with a local ISP who behaves exactly like Comcast, but with terrible pricing and lower caps. Also no realistic alternatives.
While I could stomach the speeds of DSL (with some effort), I can't stomach the price. I'd end up paying just as much as comcast for much lower speeds. I really don't have a choice.
edit MB, not mb
It is a real shame that anything over 5-7mbps is considered "fast enough" by the vast majority of consumers.
And where there are competitors, they're most likely AT&T or Time-Warner, which have similar shitty practices.
Not that I like ATT, but when (coming in the next 6 months) they roll out faster service, I will be happy to switch.
So, that would be 3 bad choices.
How weird is it that the equipment is still so slow? I mean, in 2005 I was grumpy about how slow cable TV gear is. Now it's 2015 and seems like it's exactly the same, whenever I see it.
What is so hard about using processors with clock speeds measured in megahertz and not kilohertz nowadays? I swear, Comcast is probably paying extra to some supplier holding the last supply of their specialized MegaSlowz chips with the SuperProprietaryFeature that you Can't Reimplement Anywhere Else.
What's funny (maybe not ha-ha funny, but anyway) is that the provided equipment is usually energy inefficient as well. Even while "off".
I'm not paying for cable now, and don't plan to in the future either. There's too much crap I don't want to watch, and I don't want to be stuck with their idea of a DVR either. And it's too expensive.
I came close to ordering a Ceton CableCard tuner card several times so I could stick a small form factor PC in the entertainment system and get the nice setup I used to have before they killed off all of the unencrypted digital QAM channels. Unfortunately, the standard is so encumbered that hardly any software can support CableCard (one popular option was the now-deprecated Windows Media Center).
Back when QAM still came through unencrypted, I could pay for cable and hook it up to my cheapo Hauppauge card and use WMC as a great program guide and DVR setup. Even back in the Win Vista days it was vastly superior to anything on a cable box. Then they moved everything to encrypted and my tuner got repurposed for watching OTA stuff on my PC.
Now I just pay for cable/internet but watch everything streaming on legit sites or torrents. Yeah, I know...but it works better and I'm still paying for it so even if it's not legal, I don't feel that it's immoral.
The only reason I still have it is for basketball, but there are an increasing number of services (legal or otherwise) by which I can get all of that streaming online, so I may end up cancelling even sooner if given an excuse to do so (like if service goes down or they decide to jack prices again).
After 3 months those offers expired, I'd get a high dollar bill in the mail, so I'd call again... Wash, rinse, repeat. I know multiple other people who did the same thing.
Now I only have data with TWC and receive letters 2-3 times a month from them to tell me all about the great TV plans they are offering.
Maybe another 4 hours of work got me a little web application that shows the TV guide information pulled from an API, and is hooked in with the VLC web interface to switch channels with a click.
I'd argue that government regulations have done nothing in this space but reinforce coercive monopolies. I think you're taking the wrong approach, we need to deregulate this space and allow real competition to thrive.
I'd love to see massive consolidation of the reserved-for-government portion of the EM spectrum so we could reasonably do this wirelessly.
They actually have some comcast lab product where you can play games using your smartphone as the controller. I think it's beta but it wasn't that bad when I tried NBA Jam.
Source: comcast is my only internet option so I bundle.
Or if you don't have $100 to spare, you can always connect your laptop to your tv.
Hulu is pretty good about getting new shows up pretty quickly, usually the day after. I'm usually able to live with not seeing a show the minute it airs.
Tuesday we could not access VNC nor our remote database services from that location. All port 80 traffic was fine. I had one of the staff call and wait on hold for an hour.
Just as I suspected Comcast had implemented port blocking on a high priced business account. It took the guy a second to release it. It put our company down for two to three hours.
Also the speed of Comcast service drops to 15-20% of advertised from 2:30 to 5 PM when kids arrive home from school.
Once the contract is up we are moving the service to someone who understands "business class"
It took a while before someone finally figured it out and word spread on Twitter. I'm sure hundreds of thousands if not millions of dollars of productivity were lost that day.
Helpful when 22 is blocked (train stations and such)
The old dialup ISPs were allowed to resell internet service on the local provider's POTS lines. There was quite a lot of competition, and the service was generally excellent, even generally better than the carrier's.
There is no requirement for broadband providers like Comcast to allow resellers. The barrier to entry for laying other broadband lines is huge; Google is one of the few who can do it. So unless there's a quantum leap in wireless to the curb, there will be no meaningful competition to amoral corporations like Comcast; we're stuck and it will continue to suck.
[EDIT] Corrected wrong assumption that old AT&T was government owned.
I know Google fiber will never come to the East Bay (SF area). It would be so nice to have, though.
Basically imagine if someone owned the only bridge into San Francisco. They could charge whatever people were willing to pay. But you would think if they charge too much money or scream obscenities at everyone who drives through, then someone could build another bridge and steal their customers. The problem is that if anyone builds another bridge the bridge owner could stop screaming obscenities and lower his prices. Then the second bridge could not make the return on capital. The prospective business owner and current owner know this so the status quo of one expensive and crappy bridge
The data caps you've recently put into place in my market are going to effectively double my account price per month. I look forward to the day that I have other choices.
That's been my experience, as well. In two instances (one business class, one residential), I had issues getting their construction department to actually do the work they promised until I was able to get through to the escalation department—once via Twitter, once (IIRC) on dslreports.com back when the Comcast direct forum was monitored. Once the escalation department was engaged, things moved very quickly, with them calling me almost daily with status updates.
There are clearly individuals at Comcast who care about customer service. Unfortunately, they don't seem to be the ones in charge of organizational policies and processes.
They do advertise that they spend millions of dollars on improving their customer support, but I've yet to see anything happen on their end. Amusingly, our Comcast business contract at work has at least a couple of issues every week, too. We only don't notice them if they happen over the weekend, but when CRON jobs that require an internet connection haven't run over the weekend, it's easy to figure out who needs to be blamed.
Some listing of what the actual issue is would be kinda useful, even if you shove it in a collapsible div to hide it away.
I (and most people) are more likely to rage-quit and go do something else than try to navigate three layers of outsourced customer service that is designed and optimized to deflect people, waste their time, and only if they are sufficiently insistent, and border-line belligerent, maybe give them an answer more involved than "unplug your modem and plug it back in"
- If your modem is EOL
- If your modem's ethernet port is 100Mbps, and you have >100Mbps service
- If your modem is otherwise capable of providing your speed (i.e. number of DOCSIS channels)
- We check your signal levels to make sure they are in spec
- We check if you have been impacted by our Protocol Agnostic Congestion management system in the past 1 day or 30 days.
If any of these checks are triggered, we show it on the page. If nothing is triggered, we allow you to go straight to a chat.
We'll be adding more checks as time goes on, mostly around Wifi - MCS Index, Link rate, RSSI, etc.
EDIT: fixed! let me know if you see anything else out of place.
Same here. They are very aware that we have no other choices. They will continue provide the least amount of service for the greatest cost until this changes.
The biggest thing I liked, moving back to Iowa was decent internet provider.
>For a CMTS port to enter the Near Congestion State, traffic flowing to or from that CMTS port must exceed a specified level (the "Port Utilization Threshold") for a specific period of time (the "Port Utilization Duration").
>Given our experience as described above, we determined that a starting point for the upstream Port Utilization Threshold should be 70 percent and the downstream Port Utilization Threshold should be 80 percent. For the Port Utilization Duration, we determined that the starting point should be approximately 15 minutes
>Thus, over any 15-minute period, if an average of more than 70 percent of a port's upstream bandwidth capacity or more than 80 percent of a port's downstream bandwidth capacity is utilized, that port is determined to be in a Near Congestion State.
>For a user to enter an Extended High Consumption State, he or she must consume greater than a certain percentage of his or her provisioned upstream or downstream bandwidth (the "User Consumption Threshold") for a specific length of time (the "User Consumption Duration").
>we have determined that the appropriate starting point for the User Consumption Threshold is 70 percent of a subscriber's provisioned upstream or downstream bandwidth, and that the appropriate starting point for the User Consumption Duration is 15 minutes
> A user's traffic is released from a BE state when the user's bandwidth consumption drops below 50 percent of his or her provisioned upstream or downstream bandwidth for a period of approximately 15 minutes.
It's throttled until you've used less than 50% of what you pay for for at least 15 minutes.
That threshold is so low specifically so that a line doesn't end up cycling between throttled and not every interval if it's 79% once then 81% the next, etc.
It seems obvious to me that Comcast et al are vastly overselling beyond their capacity.
They then market these strategies as methods to ensure quality to their customers, when their customers bought a service that was misadvertised as having enough capacity for them in the first place.
Just like airlines - they sell more tickets than they have seats, because they figure they can squeeze more profit out of the people who paid for a ticket but didn't show up; then when everyone shows up, someone has to get bumped.
Question #1: Is the CMTS Upstream Port Utilization at an average of OVER 70% for OVER 15 minutes?
Result #1: CMTS marked in a Near Congestion State, indicating congestion *may* occur soon.
Action #1: Search most recent analysis timeframe (approx. 15 mins.) of IPDR usage data.
Question #2: Are any users consuming an average of OVER 70% of provisioned upstream bandwidth for OVER 15 minutes?
Result #2: No action taken.
Result #3: Change user's upstream traffic from Priority Best Effort (PBE) to Best Effort (BE).
Question #3: Is the user in Best Effort (BE) consuming an average of LESS THAN 50% of provisioned upstream bandwidth over a period of 15 minutes?
Result #4: Change user's upstream traffic back to Priority Best Effort (PBE) from Best Effort (BE).
I would hope that someone with the resources and knowledge to make them pay for these shenanigans will....
That said, you could argue that data networks are mostly a natural monopoly because it's not feasible or efficient to roll out several redundant fiber/cable networks.
Even if there were no franchise agreements in place, very few companies (excepting ones that have other revenue streams) would roll out a second or third cable/fiber network in a city where there is already one in place. Even if you managed to split the market and get half of the potential customers, you'd need to account for the cost of digging trenches and laying cable (which cable TV companies have long since recouped). Makes it hard to stay solvent at such a disadvantage.
It's why a lot of people think the ideal situation is for a single physical network to be built and then service providers pay for access and compete on service to businesses and customers. With physical networks divorced from service providers, the company or municipality in charge of the actual cable/fiber makes their money from maintaining and improving capacity so they can sell access to more providers. Providers compete by offering the best services and customer support in order to profit and pay for more bandwidth on the physical network.
But yeah, it's more complicated (in terms of both business and networking tech) but it's an ideal that many would like to move toward.
But in the end, I'm not sure what's the best way to handle it. I just know that many would agree that the current methods are not optimum, and possibly detrimental.
This model was used regularly for rail and power networks in Europe, but these have all been privatised in the past few decades citing "cost reductions". The net result is that our infrastructure is deteriorating, consumer prices are rising way faster than inflation, and critical infrastructure is now in the hands of a few international power brokers (e.g. the Dutch national telephone grid is owned by Carlos Slim).
This is abusive. Imagine if anyone else had access to push you notifications by intercepting your communications. Imagine Uncle Sam interrupting your calls announcing you haven't submitted your tax returns yet. Because that's basically what's happening here.
That said, in my experience datacenter and enterprise ISPs tend to be far more "pure", so if you want a truly unmolested connection a possible solution could be to use a VPN to a server that terminates in one of those.
This is very, very true. Anyone who has worked at a telco should've heard the "we don't want to be a dumb pipe" argument. The thing is: they can't be more than that! I don't want their applications, they are not very good at doing applications. I don't want their content, they don't seem to get content production at all. Even their research, it has become less and less relevant.
As a customer, I'd rather see all that money spent on efficient ways of transporting bytes, or even directly subsidizing the customer bill (so that they can support smaller ARPUs). But no; I have to pay extra to support the entertainment of their engineers, in order to get sub-optimal apps and content.
Same with vendor crapware on phones and PCs. I call this stuff "value subtracted software".
Frankly at one point or other every large company in every mature market has to contend with having reached their growth limit. There are only so many customers in this world for the products and services offered.
The only place that could grow forever is Wall Street, by piling derivatives upon derivatives and passing them round like hot potatoes. Everywhere else has to contend with us being on a physically finite planet.
I had to deal with one of them using transparent DNS proxies without disclosing the fact. Only found out when something broke on their end. The only way to have functional DNS is to tunnel it over another protocol because their equipment will intercept DNS queries to any server and reply with a bogus IP.
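As an added example (not code from the thread), here is the kind of check that flags the interception described above. The block speaks just enough of the DNS wire format (RFC 1035) to send a query to a specific resolver and read back the response code and any A records, then asks each configured resolver for a random name under the reserved `.invalid` TLD (RFC 2606). A genuine resolver must answer NXDOMAIN for that; an A record means something on the path answered in its place. The resolver addresses in the `__main__` block are assumptions to be replaced with the ones you actually use, and the function names are mine.

```python
import os
import random
import socket
import struct

# Added example. Minimal DNS client (RFC 1035 wire format) plus an interception
# check; resolver IPs below are assumptions, not a recommendation.

NXDOMAIN = 3


def build_query(name, txid):
    """Standard query for an A record, recursion desired, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_response(data, txid):
    """Return (rcode, [A-record IPs]); raise ValueError if it is not our reply."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4          # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return rcode, ips


def query_server(server, name, timeout=2.0):
    """Send one UDP query straight to `server` (an IP string) and parse the reply."""
    txid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_response(data, txid)


def probe_name():
    # ".invalid" is reserved (RFC 2606); a random label under it can never exist.
    return "probe-%s.invalid" % os.urandom(6).hex()


def detect_interception(servers, resolve=query_server):
    """Map each resolver IP to 'clean', 'suspect', 'unreachable' or an unexpected rcode.

    'suspect' means a name that cannot exist came back with an A record: the
    answer was synthesised by whatever sits between us and that resolver.
    `resolve` is injectable so the logic can be exercised offline.
    """
    verdicts = {}
    for server in servers:
        try:
            rcode, ips = resolve(server, probe_name())
        except (OSError, ValueError):
            verdicts[server] = "unreachable"
            continue
        if ips:
            verdicts[server] = "suspect"
        elif rcode == NXDOMAIN:
            verdicts[server] = "clean"
        else:
            verdicts[server] = "unexpected rcode %d" % rcode
    return verdicts


if __name__ == "__main__":
    # Assumed resolver addresses; substitute the ones you actually use.
    for server, verdict in detect_interception(["1.1.1.1", "8.8.8.8", "9.9.9.9"]).items():
        print(server, verdict)
```

If every resolver you try, including ones you know to be unrelated, returns the same bogus address for a name that cannot exist, the answer is coming from the path rather than from any of them, which is exactly the situation the comment describes and the reason tunnelling DNS inside another protocol is the only workaround.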
* It will incur a lot of wrath because it gives them power over your bank account
* Only gullible / ignorant users will actually install the certificate
* If your internet access is working, why would you go through extra steps?
If their ISP posts a message telling them they have to install something to continue getting "the best internet possible" or, better yet, when the tech comes to install the modem they just do it as part of the installation service, so few people are going to even think about it, let alone know why they shouldn't want it.
Remember... we here aren't an accurate facsimile of the general population.
Don't worry though, you just need to install the Comcast Connect app and all will be well.
Let's take something like using the (now removed) + operator in Google search.
> However, we found that users typed the “+” operator in less than half a percent of all searches, and two thirds of the time, it was used incorrectly.
1 in 600 searches used it correctly, another 2 in 600 used it incorrectly.
Stuff like that.
Or have a look through /r/tipofmytongue for people looking for help to identify songs, tv shows, and films. You'd think they'd include details of roughly when they saw the film, or who any of the actors were (or even what other film they'd been in), and then the plot (with some details), or the name of some of the characters, any music, the genre of movie. But you frequently see people who give very vague information. I won't give examples, but it's really easy to find them.
But I do need to remember not to be a judgemental dick about it, and if I was I apologise.
It works like this: When you want to pay for something you give them your login credentials to your bank account and a TAN and they send the money to the merchant for you.
The selling point of this service is that SEPA wire transfers usually take one day. But with their service the merchant gets an instant notification of money received and you can get your stuff one day earlier.
It's crazy but people use this and have no problem handing over the keys to their bank account.
Part of the problem may be that people don't really understand where those keys are going. They put the information into their computer perhaps via keyboard. Beyond that they often don't know where it goes or where it gets stored. Perhaps they think it's stored locally in an app. For a while people didn't get the distinction between an app and a web site, but I think that's changing. People think Siri does voice recognition on their phone and freak out when you tell them all the recordings are sent to Apple and stored there.
I wonder whether there's more to that story. It seems like a potentially useful payment service, but it also seems like something the banks would surely be aware of. Customers giving up their credentials like that is probably a blatant violation of the bank's normal terms of business, and asking for those credentials or failing to keep them secure seems legally risky for the payment processor as well, particularly if anything ever goes wrong. Are you sure there's no separate agreement or commercial arrangement to cover this, probably between the payment processor and the banks?
The banks don't like that payment processor and therefore just started a competitor where you only give your credentials to your bank. Hopefully it gains traction.
But given the lack of widespread credit card use and the aversion of many merchants to PayPal here in Germany, it's still pretty popular.
I applaud your bravery and self-confidence though.
But the argument that if they mess with the content and the traffic, they carry responsibility for it that they don't if they're just a dumb pipe, is a good one.
At least I pray so.
Don't want to receive these messages from Comcast? Don't seed your torrents.
This system is well documented: https://tools.ietf.org/html/rfc6108
I'll bring up the idea of an opt-out for users that DO check their mail, email, phone, comcast account, etc...
Edit: Actually, reading the IETF link you posted, notifying users of a potential malware infection might be an example of how to use this technology in a non-shitty manner.
Of course, Time Warner and Comcast are both also content creators, so they might have some motivation to concede.
(Though I'd caution you that working off the clock is an excellent way to get overworked.)
It seems to me it's just hacks on top of hacks written by hacks.
Three months later, my service at the new house is disconnected for non-payment. I look at my bank statement - sure enough, AutoPay happily withdrawing the amount...
... and applying it to the old house's (disconnected) cable, the account for which is now several hundred dollars in "credit" (paying $200/mo for business service).
It was (relatively) easy to get resolved, thanks largely I think to the business support folks. But still... :|
If you've sent emails, letters, and phone calls already - just stop.
It's called consent, fuckers.
just for context.
I am free to take a copyrighted book, and tear out pages. But I can't distribute that book. The results of the adblocker are not distributed.
If you define the work as the source code you're not actually modifying it. You're just declining to download subsequent works (iframes, flash, whatever).
(not a lawyer)
And this broad "distributed or used in any other way" doesn't seem very valid either.
Isn't it legal to write with a pen on your book copy if you're not the author?
Creating derivative work is only illegal if you do it without permission from the copyright owner of the original work.
I don't know what you mean by "doesn't seem very valid". It is the law.
Annotations normally create a derivative work. That being said, annotations often end up being covered by fair usage (fair dealing in the UK).
17 U.S. Code § 106 (2) https://www.law.cornell.edu/uscode/text/17/106
Apparently it's not the law, as the link doesn't contain the words "distributed or used in any other way" or anything to the effect of "any other way".
Plus, the "de minimis" thing and fair use exceptions mentioned in your second comment, already scale down the absolute "any other way" qualifier.
Maybe "used in any other way" confuses you? It's standard legal language and it means publishing, public performance, creating mechanical copies, etc. The possible uses of a copyrighted work are numerous and due to advances in technology that list grows constantly. This expression makes it unnecessary to list every known possible use, or yet-to-be-discovered future uses.
The fact that "certain exceptions" weren't mentioned in the first comment. I quote: "the copyright owner of the original work has the exclusive right to prepare derivative works, regardless of whether the derivative work is published, distributed or used in any other way."
There was no reference to "certain exceptions", "fair use" and the possibility of "minimal" (and thus allowed) changes.
That, plus the use of "used in any other way" (a "standard legal language" as you say) as part of a casual language comment, left the impression to the reader that only the copyright owner or someone with permission from them can create derivative works, period.
So while this is cleared up now after the extra explanations, the initial comment was quite unclear.
Does not follow. Ad block is set up by the user to block connections. Your work doesn't change; the user just doesn't see the full work. Kinda like if I gave you glasses that blocked the color red and then you went and looked at an art gallery wearing them. The art hasn't changed, but the item I gave you, which you willingly wore, just stops some part of the art from being displayed to your eye.
If the title were "Comcast injects ... to show notices of reported copyright infringement against their account," there would probably be less confusion in the comments here.
I'm sure a content publisher could argue that by stating that the transport layer does not transform the content, that any such transformation (that the end user perceives) constitutes harm to them.
Such is law. That header gives them a basis for constructing this argument.
>Today, most mainstream acts obtain prior authorization to use samples, a process known as "clearing" (gaining permission to use the sample and, usually, paying an up-front fee and/or a cut of the royalties to the original artist). Independent bands, lacking the funds and legal assistance to clear samples, are at a disadvantage - unless they seek the services of a professional sample replay company or producer.
All music sampling of commercial works is illegal without a license. Even a non-recognisable 2 second snippet, if spotted, can get you huge fines.
You do often see some artists turn a blind eye to sampling though. Particularly dance artists, because many of them know their entire genre exists off the back of sampling. So it would be counterproductive / hypocritical for them to chase after royalties.
Sample clearance is generally not required if:
- You are just using the sampled music at home.
- You are using the sample in live shows. This is because, usually, you are not making copies and the owner of the venue pays the blanket license fees to performing rights organizations such as Broadcast Music Incorporated (BMI) or American Society of Composers, Authors, and Publishers (ASCAP).
- You plan to distribute copies to the public but meet one of the following: (1) an average listener would not notice the similarities between your end product and the sample, or (2) your use of the sample falls under the "fair use" doctrine. For more information on these, see "Defending a Lack of Sample Clearance," below.
Doesn't this make the Comcast script now under the GPL - since GPL code can only be included in compatibly licensed products. Or is Comcast violating the GPL?
If they ever choose to sell or distribute their "content injection system" though, they would have to release it under the GPL or else negotiate another license from the copyright owner.
Er, actually it may be more complicated than that. You'll have to read the discussion.
You could argue about their frontend, though.
There's nothing in the GPL that says you can't sell/commercialise the software. The product just has to be GPL licenced too.
If the `checkBrowser` function uses GPL'd code, then anything that calls `checkBrowser` in turn must be licensed under the GPL.
But that doesn't mean that this Comcast code _is_ licensed under the GPL. That means that the copyright owner (brainjar) can take action against Comcast, and tell them to either stop using their code, or change the license.
They'd just stop using the code.
Read up on your licenses folks, make sure your code is used the way you intend.
Of course then the VPN provider is the single point of failure, but if it's trustworthy enough only folks with proper court orders should have access to my traffic. And it's an extra ten bucks per month or so.
Is it possible to run your own VPN on a VPS host, like Digital Ocean or Linode or similar?
"Streisand sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists."
A.) a dumb-pipe retailer, who you may not have freely chosen, and who has no motivation to respect privacy, to
B.) a privacy provider who is easily replaceable and whose entire business is based on quality and integrity.
Seems rational to me.
Yes. I run several types of VPNs and shadowsocks on a VPS host. I mainly use it to bypass GFW though.
Of course, trusting the VPS provider and its ISP is no different than trusting a VPN provider and its ISP.
It's possible and very easy: https://github.com/Nyr/openvpn-install
Disclaimer: I'm the script creator.
wget git.io/vpn --no-check-certificate -O openvpn-install.sh && bash openvpn-install.sh
Granted, the double ampersand offers some protection, but sadly it's still little better than the often criticized:
curl http://example.com/install.sh | bash
I do appreciate the work you've done. But given the security and privacy expectations of VPN, it might be worth having a little more transparency in your install instructions - even if that means splitting your instructions into 2 lines.
> given the security and privacy expectations of VPN
The security and privacy expectations are that the network for the server is not compromised. If that's not the case, why would you want the VPN hosted there in the first place?
Just because a person's hosted VPS might be trusted, it doesn't mean that:
1. The git.io redirects to the expected location. Anyone could clone your git repo then put a malicious script in a different shortened URL
2. Nor that someone couldn't MITM between the user and git.io
3. Nor similar MITM attacks between git.io and github
Security is only as good as the strength of your weakest link.
You're also still ignoring my first point as well.
I really don't get your careless stance here. Github already comes with an SSL cert and you don't actually need a URL shortened for the type of link you're publishing. So all of these complaints people are making are so very easy to solve. But instead you are intentionally following bad practices. Frankly, if this is your attitude towards security then I really don't think you're the sort of person who should be writing installers for VPN servers to begin with.
Yes, you are. If your adversary can MITM a datacenter, it's likely that a rogue cert can also be obtained from a trusted CA. If your threat model includes this kind of adversary, please don't use my script. You should also consider how funny it would be to host a VPN and route your traffic like this in a network which you don't trust.
> You're also still ignoring my first point as well.
What would an adversary accomplish pointing a DIFFERENT short URL to a malicious script? I don't understand. I'm only using/listing git.io/vpn, so whatever someone does with other URLs is not my problem. There is some fork using git.io/ovpn for example.
> I really don't get your careless stance here.
I'm not careless. You can either run the one-liner which clearly states --no-check-certificate or download and examine the script as long as you want. The choice is on you.
> Github already comes with an SSL cert
But minimal distro images don't come with trusted CA certificates, so it's useless. Yes, I could install them. No, I don't want to.
One cannot simply obtain a cert from a trusted CA. Hence how they become signing authorities. Granted it's not impossible to do, but it is very difficult. Certainly a far better assurance than not running HTTPS at all.
> If your threat model includes this kind of adversary, please don't use my script. You should also consider how funny would be to host a VPN and route your traffic like this in a network which you don't trust.
We're not talking local network here - literally nobody can trust the internet. Hence why CAs exist in the first place. This isn't some weird edge case threat model, this is something that's well known and already handled. And it's something that is already supported by Github but you are intentionally breaking.
> What would an adversary accomplish pointing a DIFFERENT short URL to a malicious script?
Do you really need that answered for you?
1. Clone repo
2. Publish their own shortened malicious URL in cloned repo
> I'm not careless.
Given this script is aimed at less-technical people, I'd say it's rather presumptuous to assume they'd even realise just how careless it is to run a script downloaded from an unverified source.
> But minimal distro images don't come with trusted CA certificates, so it's useless. Yes, I could install them. No, I don't want to.
That's an edge case. You can add a comment to disable the certs in that edge case - or better yet, instructions on how to install the CA certs.
Every excuse you make is really just a plea for your own laziness. "It's the user's responsibility" - no it's not, you're providing instructions for them, thus it's your responsibility to get those instructions right. "They might not have CA installed" - so add a footnote about installing that. I mean seriously dude, Github have already handed you the tools you need to secure the install - there's literally no good excuse for disabling them.
One can't simply MITM a datacenter.
> literally nobody can trust the internet. Hence why CA's exist
> it's something that is already supported by Github but you are intentionally breaking
I'm not breaking anything. It is supported by GitHub but not by many of the client machines (by default).
> It's called "social engineering" and actually quite a common method of attack.
I unfortunately can't fix user stupidity.
> That's an edge case.
That's when you've proved you have no idea about what my user base is. Minimal images are very common for OpenVZ templates.
Anyway, and to end this: you've already stated your points and I've given you my explanations. You can either accept them or not, but I don't want to waste more time on this - feel free to fork if you don't like it.
SSHing onto a Linux server in some secure datacentre doesn't magically mean that everything that server connects to outside of the datacentre is also going to be secure. I assume that you do actually understand how the internet works? :p
> I'm not breaking anything. It is supported by GitHub but not by many of the client machines (by default).
Of course you're breaking things. You're breaking the security of HTTPS by disabling cert checking. And you're breaking readability of your install code by using URL shorteners.
As for HTTPS not being supported by many of your client machines by default, it's so very easy to rectify:
$(which apt-get yum) install ca-certificates
> I unfortunately can't fix user stupidity.
But you're forcing user stupidity by using stupid defaults. It's quite literally your fault that they're being stupid as you're recommending they do stupid things.
> That's when you've proved you have no idea about what my user base is. Minimal images are very common for OpenVZ templates.
I happen to run a hosting service as a side project and almost exclusively use OS containers for personal projects. So I'm well versed in these kinds of containers and the kind of users you're targeting. You're just making excuses for bad security practices.
> Anyway, and to end this: you've already stated your points and I've given you my explanations.
You've given excuses, not explanations. I've demonstrated how easy it is to work around the limitations you've put in place. You've just given lazy excuses as to why you couldn't be bothered.
The crux of the matter is when building gateways you should NEVER default to insecure settings like you are currently doing. Period.
> feel free to fork if you don't like it.
To be quite honest, it could benefit from a complete rewrite. The code is functional but messy, your OS detection could use a little fine tuning too. But the real problem is that there's more instances within your script of code getting pulled from the internet with certificate checking disabled, and that would also need to be fixed (but at least you're not using URL shorteners there).
Your intentions are noble, but sadly your execution is less so. Which is what happens when you never listen to advice. And looking at the comments on your repo, this has been an issue that has been raised a multitude of times before. So it's not just me being an elitist :)
Feel free to submit a pull request if you can improve OS detection, it certainly is primitive.
> But the real problem is that there's more instances within your script of code getting pulled from the internet with certificate checking disabled
I have just pushed a commit with a better approach.
But, I always feel a little annoyed when people complain about piping curl into bash. If you know enough to see the danger, you also know enough to avoid it. Just curl to a file and read it, or open the web page and read it. Take some responsibility.
I'm with you on the https and the short link, though.
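The safer pattern the thread keeps circling (keep certificate checking on, avoid shorteners and http redirects, download to a file, read it, verify it, then run it), written out as an added example. This is not the openvpn-install project's code and not anything posted by the commenters above. It assumes curl with TLS support and the system CA bundle at the usual Debian/Ubuntu or RHEL/CentOS path; the URL and the expected SHA-256 in the usage comment are placeholders that the user must replace with a digest obtained out of band from the project, not values from this thread.

```shell
#!/bin/sh
# Added example (not the openvpn-install project's code): fetch an installer over
# HTTPS with certificate verification left ON, verify its SHA-256 against a digest
# obtained out of band, and only then run it. The URL and digest in the usage
# comment at the bottom are placeholders, not real release values.
set -e

# System CA bundle locations on Debian/Ubuntu and RHEL/CentOS. If neither exists
# (minimal images), the fix is to install ca-certificates, not to pass
# --no-check-certificate / -k.
have_ca_bundle() {
    [ -r /etc/ssl/certs/ca-certificates.crt ] || [ -r /etc/pki/tls/certs/ca-bundle.crt ]
}

# Download a URL to a file with TLS verification on.
#   --proto '=https'       refuse a plain-http URL
#   --proto-redir '=https' refuse a redirect (e.g. from a shortener) to plain http
#   --tlsv1.2              TLS 1.2 or newer only
#   --fail                 HTTP errors become a non-zero exit instead of a saved error page
fetch_script() {
    url=$1; out=$2
    if ! have_ca_bundle; then
        echo "no CA bundle found; install ca-certificates first" >&2
        return 1
    fi
    curl --fail --silent --show-error --location \
        --proto '=https' --proto-redir '=https' --tlsv1.2 \
        --output "$out" "$url"
}

# Hex SHA-256 of a file (coreutils sha256sum, falling back to shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Exit 0 if the file's digest equals the expected hex digest, 1 otherwise.
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# Run the downloaded script only when the digest matches. On mismatch, refuse
# and leave the file in place so it can be inspected rather than executed.
verify_then_run() {
    file=$1; expected=$2
    if verify_sha256 "$file" "$expected"; then
        sh "$file"
    else
        echo "refusing to run $file: SHA-256 mismatch" >&2
        return 1
    fi
}

# Usage (needs network; replace the placeholder URL and digest):
#   fetch_script "https://example.invalid/openvpn-install.sh" ./openvpn-install.sh
#   less ./openvpn-install.sh        # read it before you run it
#   verify_then_run ./openvpn-install.sh "<sha256 published by the project>"
```

The split into fetch, inspect and verify-then-run is the point: the script is never executed in the same breath as it is downloaded, a downgrade to http anywhere along a redirect chain makes the fetch fail instead of silently succeeding, and a tampered file is caught by the digest check before `sh` ever sees it.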
Will happily cancel my service if it continues.
Yes, but that's okay. Privacy is part of the VPN market's value prop; companies in that space compete on it, unlike ISPs.
I tried doing the same with my mobile but it either eats my battery alive or kills instant notifications. I HATE that tracking tag that mobile carriers are adding.
Sure, but the issue at hand is js/html injection, which a VPN more or less (generally more) obviates.
If you try to do that, the VPN client will notice that the spoofed server isn't presenting a valid certificate or doesn't use a valid key, and refuse to connect. Same reason you can't "just" middleman an HTTPS connection.
Besides, there's no need to spoof. The point of the VPN connection is to protect against the wifi router (even the legitimate one!) reading the traffic. By spoofing, you're just replacing a dodgy wifi router with another dodgy router.
Many PC antivirus/firewall programs do it right now.
Entities not in control of your PC can't MITM an HTTPS connection, barring a catastrophic bug. And it is catastrophic. If you have a way to do this, please tell everybody because it's going to be the next Heartbleed.
The entire point of HTTPS is to prevent stuff like you're describing. And it does work, for the most part. Bugs happen, but they get fixed as they're discovered. It's definitely not "extremely easy."
Please go read up on this stuff before speaking authoritatively:
More succinctly, the phrase "man in the middle" kinda loses meaning when the man in question is your own computer.