Comcast injects JavaScript into webpages to show copyright notices to customers (gist.github.com)
645 points by Jarred on Nov 19, 2015 | 392 comments

What is there to say? This is an incredibly obnoxious theft of attention. Comcast has perfected the art of harassing its customers with unwelcome noise for what must be marginal profit. I know someone with a Comcast cable box whose channel menu forces the viewer to pass over a banner advertisement after every fourth channel. This combined with the horrible rubbery buttons on the remote means that to browse through twenty channel titles takes perhaps as many seconds. Add to this "actionable" banner advertisements displayed over the content and seemingly endless commercial "breaks" and I find it essentially unusable. On top of it all, I understand that people pay over a thousand dollars a year for this service. Comcast's flagrant disregard for customer satisfaction, or even their basic human dignity, is a striking testament to the failure of regulators to ensure adequate competition in this space.

FiOS does the same thing with its cable box. I'm not sure it's every fourth channel, but doing anything with the cable guide often involves dismissing an interstitial ad on the way to whatever you were trying to do, made all the more annoying by the slow UI.

TV service just keeps getting more and more obnoxious. I only got it because it came with 2 years of free HBO and was cheaper than Internet alone at the tier I wanted. There's hardly any reason to watch cable TV any more. (I know, sports. Not really my thing, but I get that a lot of people want to watch live sports)

I can't speak for Comcast, but my FiOS boxes allow you to turn off the initial launch/guide ad popups in your box settings. It's not the easiest of settings to find, but it's there (and enabled by default, of course). Call support (fast and helpful...not kidding) or search the online support area, which is how I figured it out; the answer was easy to find. The only persistent ad, I believe, is a single ad bar (annoying, but doesn't obstruct view) at the bottom of the channel guide, used mostly (from what I recall...I don't pay much attention to it) for promos of new on-demand releases. Love LOVE FiOS.

If this is how Comcast treats its customers, I wonder why anyone would want to pay them to be their customer. Especially a thousand dollars a year. Is this because there's no real competition in the US?

In many areas of the country, the cable companies basically have localized monopolies on high speed internet. They claim they have competition in DSL and satellite (!!!) but these technologies just can't compete on speed in this day and age, leaving cable as the only viable alternative. From what I gather, this is one of the reasons why Google started Google Fiber.

Interesting. Over here, providers are offering VDSL2, advertised as 100/100Mbit. Given my experience with DSL, that probably means about half that for the average user who is 2-3km from the DSLAM box. That's still pretty respectable. Is no one offering modern DSL in the US?

Nope, sadly not. Even in San Francisco (which is pretty sad for being the heart of tech) it is cable or legacy DSL. If you are at a building that has an exclusivity agreement with AT&T, you might even end up paying them $50+ a month for 28mbit fiber. (yes, fiber terminates at my door but that's the max speed they offer)

Well, there is Webpass for some in SF. I pay $60/mo for 100mbits up & down, and some buildings go up to 500mbits. No contracts, and I just hook up to an ethernet jack in my apartment. It is a local startup that is expanding elsewhere.

Webpass is the best Internet service ever. I signed up as soon as our building got it, it was $50/mo then for the 100Mbs. Definitely worth it if you have the opportunity to live in a building that has it. Really straightforward website, billing, and setup. It looks like they're expanding to some other cities. I wish them luck.

Yep, Webpass is the greatest thing ever... and there's also sonic.net and paxio.com and gowaveg.com depending on where you are too.

I love WebPass, and I used them exclusively in my previous apartment but this new building has this silly exclusivity agreement and Comcast can't make installations on this building as they somehow managed to make this residential building show up as a business address on Comcast's website.

I could get Sonic Fusion FTTN but that's just rebranded AT&T, and peaks at 28mbits. I get better LTE speeds than that.

I tried to bring in MonkeyBrains but the building administration refused, saying they would have to drill into load-bearing columns. Just an excuse.

To be fair, Sonic does offer VDSL2 in many parts of the city, over 100Mbit down, albeit a bit less up. There's also Webpass for larger buildings, which offers almost a gigabit during non-peak times. So SF isn't as dire as you make it sound, though I agree it's behind many other cities.

What?! In Cincinnati I had CincyBell Fibre about three years ago. I think I paid around $60 ~ $70. I don't remember the advertised speed, but it was crazy super fast.

It varies. If you are in an area with actual competition, they try harder. Where I live, it's crappy TWC 20/5 or so for $60 a month, or a selection of DSL providers offering everything from 5/1 to 0.5 megabits per second for around $20 a month. Seriously, there is an ISP offering a 0.5 Mbps DSL for $20 a month, oh, and it bursts to 1 Mbps...

VDSL2+, which is rolling out next year, is even supposed to handle 500/200 – in some areas T-Online has been testing it, and supposedly it works (but it means you have to be less than 100m from the box).

I stay with Comcast because it is way cheaper than AT&T, but with AT&T's VDSL I could get 45mbps (fiber to the neighborhood box, apparently).

I live in a small town in Georgia and literally my only internet access options are Comcast and AT&T. AT&T's service here is fairly slow compared to Comcast's offerings, and since I work remotely from home for a company based in Florida I have to choose the fastest option available to me, and that's Comcast. I would love to have more options, but I just don't.

I only pay for internet access, I don't use their cable TV or telephone offerings. Internet alone is about $80/month. I just ran a speed test and I get 14.1Mbps down & 8.6Mbps up. I forget which speed tier I'm paying for, but I know I'm paying for much more than that! Ugh...

Same thing in my big town -- Chicago. Some parts of Chicago you get RCN competing, which is amazing. They have 100mb plans for $40 a month. But for most people, myself included, you pay $80/mo for "50mb" internet that really runs at about 20mb 80% of the time, 2-3mb 15% of the time, and totally not working at all 5% of the time.

Fellow Chicagoan here: In the suburbs the options are fewer, but the functional speeds are better - at least for Comcast delivered over coax. I get an average of about 120/15 for $80/mo at home and about the same speed at our suburban office for roughly double that price (business class).

AT&T DSL sucks no matter where you are though.

Also in Chicago, RCN was amazing. Now stuck in Comcast hell since they're not over in Logan Square. And the service starts shitting out every night around 7:30pm. Assuming they don't have enough cards in the box on the block.

In my different area of that small town, I pay $40 for 75 mbit, that actually gives me 95mbit (even at 7:00pm). And is rock solid. I don't mean to sound like a shill but I think "most people" is an incredible stretch.

Yeah, you're totally right. I just went to Comcast's website and it seems like we're basically just getting shafted. I wonder if they adjusted their prices now that RCN is selling 105mbps internet for ~$40-50/mo.

Get their business plan. I always get exactly my paid-for rate, and they claim business plan speeds are the same everywhere they provide service. You save money on land living in a small town; spend some of the savings on bandwidth... Or expense it to your company. Cheaper than office space in Florida. Or try calling them, maybe there is a configuration issue with the router. What is the advertised rate? You should be getting that speed.

You're a bit naive there. Business plans are not magical in any way. In fact, the past week we seem to be having a lot more issues with our business plan on Comcast than I am with my personal plan at home which seems to drop the connection roughly every other hour.

Still, Comcast shares their internet between customers in your area. If you're the only customer in your area, you can certainly get what you're paying for. If you're not, the best you can hope for is 1/4 of your promised connection speed during peak hours. It is something that Comcast has been doing for years, but it allows them to advertise higher speeds for lower prices than AT&T and people believe them because not everyone is familiar with the fine print.

Advantages of the business plan:

- I can usually get directly to someone clued on the phone, who doesn't make me jump through hoops or silly scripts to debug a problem; they realize I've already done everything possible on my end already before calling (spent years working for ISPs).

- No blocked ports, I host my own server and do my own email, web hosting, etc. Comcast even provides reverse dns for my five static IPs.

- No data caps. In fact, they don't even measure usage for business accounts.

Other than when I had a physical problem (short in the line from the pole to my house), I've always gotten the speeds that I pay for - in this case 50Mbps down, 10Mbps up.

Disadvantages to business class:

- I pay $150/month for 50/10 and five statics.

- It's Comcast.

I was an ATT UVerse customer (standard, not business) before switching to Comcast Business about 4-5 years ago, but their max speed offering was only around 18Mbps down, and their "business class" service required the same craptastic 2Wire gateway and static IPs required 1-to-1 NAT through that gateway... No thanks.

While I have no direct experience with the business side of Comcast business customer support, I noted that when we reported an issue yesterday at work, it took them over 6 hours to fix it at which point they might as well not have bothered. The operating hours were over.

- Don't care about blocked ports. I don't personally host anything, our company also has a separate hosting service.

- I'm sorry, but... data caps? Is this a joke? In this day and age of services like Netflix and digital content distribution like Steam there's a place for data caps?

- $150/month is a ridiculous cost to put on a guaranteed 50/10 line. Don't care about the static IPs personally as I don't host anything.

- Comcast, right.... you hit it on the nail there, it looks like. My experience with their customer service so far has been horrible. I'm usually empathetic when talking with technical support as I used to do the same job myself, but there's empathy and then there's people trying to intentionally annoy. So far I've felt like bashing my head against the wall after just three sentences from Comcast tech support. And they claim they spend millions on customer satisfaction? Please.

I was a UVerse customer too. I had only one issue with them for the two years I was their customer and I'm seriously considering going back. Better to have a slower connection I can rely on than a 'blazing fast' connection that craps out every 5 minutes.

My post meant that the business class service has no data caps or measuring of use, versus the "consumer" level Comcast service.

ATT business plan here... I have no issues; only 20Mbit down and 2Mbit up, but when I call customer service I have someone on site to fix things in 3 hrs or less.

I won't ever use Comcast again... I had to get the local govt involved to get them to stop billing me for a place I hadn't lived in for 6 months. (Yes, there is an agency here to deal with them; they are that shitty.)

The smaller speed with usable internet speeds and decent customer service is worth it.

Yeah, I'm definitely reconsidering ATT. I have coworkers that swear by Comcast and how great they are but my experience has been flaky at best. I work from home regularly, so I need my connection to be stable. I also do a fair bit of online gaming which also requires a stable connection.

It kind of tends to hurt not just me, but a fair bit of other people in the process when I, as a raid leader for our guild, cannot maintain a stable connection and get dropped several times over a 2-hour period. Never had those issues on my ATT connection and I've only had a single issue where a tree had fallen and severed a cable during 2 years of being their customer.

I wanted to start streaming our raids which was also the main reason to try the switch, but if it comes at the cost of being unable to take part in them, I might as well not bother.

Similar experience: our older house had AT&T - only 7.5 Mbit/s or so, but it pretty much never went down; our newer house has Comcast - supposed to be 30 Mbit/s, but often goes wonky or out.

It's a tough call: go 1/4 speed at 1/2 the price, reliably, or try to go 4 times faster at "only" twice the price (appx), but gamble from day to day :-(

Good to have another data point. I have not had issues in a year. I routinely download at 10 megabytes per second reading CT scans. If I wasn't getting what I was paying for, I would cancel the service and drive into work to read my cases. I am in a residential non-techy area, I don't know if that helps.

I'm sorry, that sounds brutal. I live in Brooklyn and thankfully there is competition from TWC, RCN and Fios here. I have TWC cable at 300 megs down and about 50 up for about $60 a month. The cable television is still horrible and an enormous rip off.

God, I pay that much for a 20/5 from TWC...

I live in a large town (Boston) and the situation is not much different.

If you're in Boston proper, you can get NetBlazr: http://netblazr.com/ (wireless mesh network)

Unfortunately they don't even reach JP, so I'm stuck with Comcast.

What are your options for satellite internet? The pricing these days seems very competitive, and although latency is (much) higher it should be ideal for the vast majority of use cases.

Latency is pretty important for browsing the web. No matter how much bandwidth you have, making every request take two round-trips to geosync is going to make the connection feel very slow.

If low Earth orbit broadband internet ever happens, that could potentially be an excellent choice. But with the current offerings, it's always going to be the absolute last resort.

It looks like they charge the same price for ~1/10 the speed and 1/20 the transfer (Does Comcast still have a 300 GB limit? That compares favorably to 10.)

Nobody really wants to be a Comcast customer. Comcast thrives because they're mostly the only choice or the less bad choice of two.

I was a "happy" Comcast customer for years. I was in a condo where the choices were Comcast or Verizon DSL. Maybe. I called Verizon to see what they had to offer and they didn't know if I could get their DSL service or not. The best they could do was to place an order and see if it worked. Really!

Even if I could get service from them, their offer was 1.5Mbps for something like $50/month. Completely ridiculous.

It was like this when I moved out about three years ago, and as far as I know it's still like that today.

I wouldn't say there's no competition per se, but some areas are limited based on who has lines out there. For example, the area I live in at Augusta only offers Wow! as a cable provider; overpriced reseller. But, I was fortunate enough to land a decent contract- more channels than Wow! and for 1/4 the price- with Dish. Satellite vs. Cable, but I'm willing to take that trade off for a better price point. Plus there's always Netflix/Hulu.

To give you an idea, my internet options are in my area:

- Comcast (up to 100MB/s)

- Century Link DSL (up to 10MB/s)

- 3G/4G modem (up to like 3MB/s)

Then 10 minutes south of where I live, that county has deals with a local ISP who behaves exactly like Comcast, but with terrible pricing and lower caps. Also no realistic alternatives.

While I could stomach the speeds of DSL (with some effort), I can't stomach the price. I'd end up paying just as much as comcast for much lower speeds. I really don't have a choice.

Edit: MB, not mb

Yes. Many markets have literally one option. My options for internet are Comcast, or satellite probably? So really my only high speed option is Comcast. I don't even think I can get DSL. I think in a lot of markets the monopoly is even protected by law.

It's like that in a lot of places. I live in extremely central Berlin and cannot find a provider that can deliver above 25mbps for less than hundreds per month.

It is a real shame that anything over 5-7mbps is considered "fast enough" by the vast majority of consumers.

Not across the entire US, but in many places there are few or zero practical competitors.

And where there are competitors, they're most likely AT&T or Time-Warner, which have similar shitty practices.

That's my understanding. (No competition that does it any better.)

The only reason I currently use Comcast is that my choices are ATT DSL at 6 mbps, or Comcast.

Not that I like ATT, but when (coming in the next 6 months) they roll out faster service, I will be happy to switch.

Don't like ATT either, but at least their service seems to be much more stable. I haven't had to speak with an AT&T customer support rep in over a year. Comcast, I've been doing their trial service run for two weeks now and I've already had to deal with their customer support 6+ times, 2 of which were during the installation. I think I'll probably just end up canceling before my month is up and going back to ATT. At least I knew I could rely on my connection to not crap out at random.

Where I am located, it is CenturyLink or Comcast. Neither are any good. AT&T is in the "area", but not MY area.

So, that would be 3 bad choices.

"I know someone with a Comcast cable box whose channel menu forces the viewer to pass over a banner advertisement after every fourth channel. This combined with the horrible rubbery buttons on the remote means that to browse through twenty channel titles takes perhaps as many seconds."

How weird is it that the equipment is still so slow? I mean, in 2005 I was grumpy about how slow cable TV gear is. Now it's 2015 and seems like it's exactly the same, whenever I see it.

What is so hard about using processors with clock speeds measured in megahertz and not kilohertz nowadays? I swear, Comcast is probably paying extra to some supplier holding the last supply of their specialized MegaSlowz chips with the SuperProprietaryFeature that you Can't Reimplement Anywhere Else.

> What is so hard about using processors with clock speeds measured in megahertz and not kilohertz nowadays?

What's funny (maybe not ha-ha funny, but anyway) is that the provided equipment is usually energy inefficient as well. Even while "off".

I'm not paying for cable now, and don't plan to in the future either. There's too much crap I don't want to watch, and I don't want to be stuck with their idea of a DVR either. And it's too expensive.

X1 is finally a modern TV UI, but the boxes are sooooo slow.

Plus you can only get it (at least in my area) if you subscribe to extra services that I don't need like VOIP. CableCard could've been a viable alternative and spurred a market for DIY and third party cable tuner/decryptors but it was poorly implemented and support from cable providers is typically awful so for most people it's just not worth it.

I came close to ordering a Ceton CableCard tuner card several times so I could stick a small form factor PC in the entertainment system and get the nice setup I used to have before they killed off all of the unencrypted digital QAM channels. Unfortunately, the standard is so encumbered that hardly any software can support CableCard (one popular option was the now-deprecated Windows Media Center).

Back when QAM still came through unencrypted, I could pay for cable and hook it up to my cheapo Hauppauge card and use WMC as a great program guide and DVR setup. Even back in the Win Vista days it was vastly superior to anything on a cable box. Then they moved everything to encrypted and my tuner got repurposed for watching OTA stuff on my PC.

Now I just pay for cable/internet but watch everything streaming on legit sites or torrents. Yeah, I know...but it works better and I'm still paying for it so even if it's not legal, I don't feel that it's immoral.

My HTPC is still running Windows 7 only for Windows Media Center (using a HDHomerun Prime decoder box and CableCard). Once the program guide information is no longer updated or Microsoft somehow forces me to get rid of Windows 7, I will in turn get rid of cable TV.

The only reason I still have it is for basketball, but there are an increasing number of services (legal or otherwise) by which I can get all of that streaming online, so I may end up cancelling even sooner if given an excuse to do so (like if service goes down or they decide to jack prices again).

YMMV, but I also have TV service (U-Verse) only for basketball, and it saves me a ton of money to turn it off/sign up twice a year. Since it's only 5-6 months of the year (college basketball), I always get the "new customer" rate, and often there are enticements like gift cards. Something to consider.

When I had U-Verse I would call every 3 months and say I was cancelling. Then they would give me whatever latest "new customer offers" were currently available.

After 3 months those offers expired, I'd get a high dollar bill in the mail, so I'd call again... Wash, rinse, repeat. I know multiple other people who did the same thing.

Now I only have data with TWC and receive letters 2-3 times a month from them telling me all about the great TV plans they are offering.

That's the number one reason I bought one of these HD Homerun cable tuner boxes[1]. Once I have a VLC playlist set up with the stream URLs for each channel, switching channels is almost as fast as in the old days of analog cable TVs.

Maybe another 4 hours of work got me a little web application that shows the TV guide information pulled from an API, and is hooked in with the VLC web interface to switch channels with a click.


> Comcast's flagrant disregard for customer satisfaction, or even their basic human dignity, is a striking testament to the failure of regulators to ensure adequate competition in this space.

I'd argue that government regulations have done nothing in this space but reinforce coercive monopolies. I think you're taking the wrong approach, we need to deregulate this space and allow real competition to thrive.

No one's getting the capital to climb on to every telephone pole, dig up every street, etc. Deregulation just leaves Comcast to do whatever it wants.

I'd love to see massive consolidation of the reserved-for-government portion of the EM spectrum so we could reasonably do this wirelessly.

Except for Comcast, AT&T, and Time Warner, who have been getting massive subsidies to improve infrastructure to far beyond what it is today. I think the case could be made that this prohibits new players from entering.

I'd be interested in examples where deregulated utilities have worked out well.

To be fair, the "X1" has a much better UI/UX and digital buttons. Plus the voice search (you talk into the remote) works exceptionally well. There is no lag. I might say I actually like it. I was shocked that it came from Comcast.

They actually have some Comcast lab product where you can play games using your smartphone as the controller. I think it's beta but it wasn't that bad when I tried NBA Jam.

Source: Comcast is my only internet option so I bundle.

Actually using a Comcast cable box to watch things in 2015. I can't understand it. An Apple TV with a Netflix and Hulu account gets you 95% of the way, with a 100X better user experience.

Or if you don't have $100 to spare, you can always connect your laptop to your tv.

Will it solve wanting to see live sports and all the "good morning" shows I watch while prepping to go to work and do I get the new episodes of shows on their release day?

For sports it looks like there are some online, subscription type options. Still, I'd say that sports and morning shows would fall under the 5% not covered, but if those are super important to you then I could see that being an issue.

Hulu is pretty good about getting new shows up pretty quickly, usually the day after. I'm usually able to live with not seeing a show the minute it airs.

Comcast is on my list today for a different reason. We have Comcast Business Class service at one of our FL locations.

Tuesday we could not access VNC nor our remote database services from that location. All port 80 traffic was fine. I had one of the staff call and wait on hold for an hour.

Just as I suspected, Comcast had implemented port blocking on a high priced business account. It took the guy a second to release it. It put our company down for two to three hours.

Also the speed of Comcast service drops to 15-20% of advertised from 2:30 to 5 PM when kids arrive home from school.

Once the contract is up we are moving the service to someone who understands "business class".

The same thing happened to us recently. I can't remember which port they blocked, but it took out rubygems, bitbucket and github in all of Utah.

It took a while before someone finally figured it out and word spread on Twitter. I'm sure hundreds of thousands if not millions of dollars of productivity were lost that day.

Future reference, github SSH can be used over 443: https://help.github.com/articles/using-ssh-over-the-https-po...

Helpful when 22 is blocked (train stations and such)

This is cool! Any open source proxy that can direct HTTP traffic to one port and SSH to another? OpenVPN supports this with the port-share option [0]

[0]: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage

See this discussion of a lot of the options (sslh, haproxy, and a handful of other projects):
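The port-sharing the question asks about is what sslh does: a single listener on 443 reads the first bytes a client sends and hands the whole connection to the SSH daemon or the web server. Below is an added Python example of that technique (not code from the thread, from sslh or from any of the projects named); the backend addresses, the 2-second silent-client fallback and the function names are assumptions.

```python
"""Minimal sslh-style demultiplexer: one listening port, several backends.

Constructed example: peek at the first bytes a client sends and forward the
whole connection to the SSH daemon, the HTTPS server or a plain HTTP server.
"""
import asyncio

# Backend addresses are assumptions for this example; adjust to your hosts.
BACKENDS = {
    "ssh": ("127.0.0.1", 22),
    "tls": ("127.0.0.1", 8443),
    "http": ("127.0.0.1", 8080),
}

# Some SSH clients wait for the server's banner before sending their own, so
# a client that stays silent is treated as SSH after this many seconds
# (sslh uses the same fallback; the value here is an assumption).
PEEK_TIMEOUT = 2.0

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")


def classify(first_bytes: bytes) -> str:
    """Guess the protocol from the first bytes the client sent.

    Returns "ssh", "tls", "http" or "unknown".
    - SSH (RFC 4253) opens with the identification string "SSH-".
    - A TLS record starts with content type 0x16 (handshake) and a version
      whose major byte is 0x03 (SSL 3.0 / TLS 1.x).
    - Plain HTTP starts with a request method token and a space.
    - No bytes at all (the peek timed out) means the client is waiting for
      a server banner, which is SSH behaviour.
    """
    if not first_bytes:
        return "ssh"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


async def _pump(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Copy bytes from reader to writer until EOF, then close the writer."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except OSError:
        pass                            # peer reset: just tear down
    finally:
        writer.close()


async def handle(client_reader: asyncio.StreamReader,
                 client_writer: asyncio.StreamWriter) -> None:
    """Peek, pick a backend, replay the peeked bytes, then relay both ways."""
    try:
        first = await asyncio.wait_for(client_reader.read(32), PEEK_TIMEOUT)
    except asyncio.TimeoutError:
        first = b""                     # silent client: SSH fallback
    backend = BACKENDS.get(classify(first))
    if backend is None:
        client_writer.close()           # unrecognised protocol: drop it
        return
    try:
        backend_reader, backend_writer = await asyncio.open_connection(*backend)
    except OSError:
        client_writer.close()           # backend down: fail closed
        return
    backend_writer.write(first)         # replay what we consumed while peeking
    await backend_writer.drain()
    await asyncio.gather(_pump(client_reader, backend_writer),
                         _pump(backend_reader, client_writer))


async def main(listen_port: int = 443) -> None:
    server = await asyncio.start_server(handle, "0.0.0.0", listen_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```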



This change is also required when sbux moves to using Google internet. I was scratching my head when it worked one week and then stopped working the next.

I sincerely hope you can _find_ someone else to do business with.

And that is the root of the problem. Normally when a business has the kind of terrible customer service and can't-be-bothered attitude, I just take my business elsewhere. But in the last 15 years I've never had a real choice what to use for Internet service. A couple of places I've lived I've had one additional choice that was even worse. Lack of choice and diversity in Internet providers is the problem here. I'm not sure what the root of that problem is, but I suspect it's governmental corruption and lobbying to maintain status quo.

The root of the problem is the legal difference between POTS (Plain Old Telephone Service), which has been around a long time, and broadband, which came much later and had the POTS environment as an example of what to avoid (from the POV of Comcast and their ilk).

The old dialup ISPs were allowed to resell internet service on the local provider's POTS lines. There was quite a lot of competition, and the service was generally excellent, even generally better than the carrier's.

There is no requirement for broadband providers like Comcast to allow resellers. The barrier to entry for laying other broadband lines is huge; Google is one of the few who can do it. So unless there's a quantum leap in wireless to the curb, there will be no meaningful competition to amoral corporations like Comcast; we're stuck and it will continue to suck.

The real root of the problem is lack of regulation. A scarce resource like the last mile copper and cable, is owned by the oligopoly of Comcast, AT&T and a few others. This constitutes in essence a monopoly, which are illegal for obvious reasons and led to the breakup of the old AT&T. Other countries have a last-mile sharing requirement, like for example in Germany. This provides at least a modicum of competition and consumer choice in the ISP market.

[EDIT] Corrected wrong assumption that old AT&T was government owned.

Yep. I have the choice of Comcast or AT&T, the latter of which only recently got competitive in the speed category. I was with AT&T for many years, before my current 10+ year stint with Comcast. They are both horrible on customer service and IT (managing their own infrastructure). It's really a toss up as to which is worse.

I know Google fiber will never come to the East Bay (SF area). It would be so nice to have, though.

It's really a mix of over-regulation and under-regulation, with a lot of regulatory capture. In this case the monopolies are not illegal, they're actually protected by regulation.

The root problem is that telecommunications is similar to utilities in that it is a natural monopoly.

Basically imagine if someone owned the only bridge into San Francisco. They could charge whatever people were willing to pay. But you would think if they charge too much money or scream obscenities at everyone who drives through, then someone could build another bridge and steal their customers. The problem is that if anyone builds another bridge the bridge owner could stop screaming obscenities and lower his prices. Then the second bridge could not make the return on capital. The prospective business owner and current owner know this so the status quo of one expensive and crappy bridge remains.


Unfortunately I think this is the experience of most people in the U.S. At least in my adult life, the choice has mostly been between AT&T and Comcast. I was lucky to get 100Mbs for $50/mo for a while (obviously with a small ISP), but that was just a particular building that happened to have a point-to-point wireless setup on the roof. Now things are worse... I happen to live somewhere that actually has fiber in the ground (thanks to some federal grant the city received) but there is no service provider that uses it! I would be happy to ditch AT&T/Comcast for life if it were possible.

Can you email me about this? nathan (_) owens (@) cable (.) comcast.com

With all due respect, your customer service policy should be based on doing the right thing regardless of the forum, as opposed to simply responding to those who have an audience.

The data caps you've recently put into place in my market are going to effectively double my account price per month. I look forward to the day that I have other choices.

The employees are not to blame here. If he is browsing HN, he knows the pain points with Comcast and is just trying to help.

No one is blaming individual employees. Quite the opposite, in fact—they're blaming the organization for failing to address issues unless the right individual is reached.

That's been my experience, as well. In two instances (one business class, one residential), I had issues getting their construction department to actually do the work they promised until I was able to get through to the escalation department—once via Twitter, once (IIRC) on dslreports.com back when the Comcast direct forum was monitored. Once the escalation department was engaged, things moved very quickly, with them calling me almost daily with status updates.

There are clearly individuals at Comcast who care about customer service. Unfortunately, they don't seem to be the ones in charge of organizational policies and processes.

Agreed. I recently decided to give Comcast another go because my current provider has some horribly bad upstream speeds, but even with brand new service, I seem to be having issues where my connection drops 4-5 times a day. It is not too big a deal when you're trying to work from home, but it can be a massive pain in the neck when you're trying to play anything online. I've been trying to resolve this issue with their customer support but I've gotten nowhere so far and feel like I'll probably just go ahead and cancel out of the contract before my first month is up.

They do advertise that they spend millions of dollars on improving their customer support, but I've yet to see anything happen on their end. Amusingly, our Comcast business contract at work has at least a couple of issues every week, too. We only don't notice them if they happen over the weekend, but when CRON jobs that require an internet connection haven't run over the weekend, it's easy to figure out who needs to be blamed.

I agree with you. I'm troubled though by this new era of customer service where the focus is on having a team of people who monitor social media for the loudest complaints and devote resources to solving those out of fear of bad PR.

I do my best (customer support is not my day job) - if you are having issues I'd encourage you to try out the tool I helped build here: https://speedexperience.xfinity.com/

Does it ever say anything but chat with an agent?

Some listing of what the actual issue is would be kinda useful, even if you shove it in a collapsible div to hide it away.

I (and most people) are more likely to rage-quit and go do something else than try to navigate three layers of outsourced customer service that is designed and optimized to deflect people, waste their time, and only if they are sufficiently insistent, and border-line belligerent, maybe give them an answer more involved than "unplug your modem and plug it back in"

Yes, it depends what the issue is. We check:

- If your modem is EOL

- If your modem's ethernet port is 100Mbps, and you have >100Mbps service

- If your modem is otherwise capable of providing your speed (i.e. number of DOCSIS channels)

- We check your signal levels to make sure they are in spec

- We check if you have been impacted by our Protocol Agnostic Congestion management system in the past 1 day or 30 days.

If any of these checks are triggered, we show it on the page. If nothing is triggered, we allow you to go straight to a chat.

We'll be adding more checks as time goes on, mostly around Wifi - MCS Index, Link rate, RSSI, etc.

Thanks for the response. If I can keep bothering you, is any of this specific to using Comcast-provided equipment?

Yes, all of the wifi stuff we add in the future will be only possible on comcast-provided wireless gateways (XB2/XB3). We have some other nifty ideas that would use our gateways too. Most of the existing stuff I mentioned is not specific to comcast-provided devices, or wireless gateways.

Ironically on that page the "highly recommended" link to https://speedtest.comcast.net/ times out.

Thanks for catching it! I'll fix it now! (We just did a revamp of the site text this week, must have slipped - only 2 of us work on it :) )

EDIT: fixed! let me know if you see anything else out of place.

Thank you, it works now. FYI it took everything I had not to post something snarky ;)

At least one employee would be to blame, right? Comcast's network hasn't become sentient, and isn't actively rebelling against human businesses by shutting down random ports. At some point, someone either made an explicit decision to do this, or decided to skimp on training.

It could also be an endemic culture problem, where lots of people skimp on lots of tiny things to the point that the final performance goes down the drain. No one to blame, but everyone to blame.

> I look forward to the day that I have other choices.

Same here. They are very aware that we have no other choices. They will continue to provide the least amount of service for the greatest cost until this changes.

The week after google fiber arrived in my neighborhood, my cable provider "spontaneously" decided to double my connection speed for the same price, "because we care about our customers and want them to have the best experience possible."

As usual, South Park absolutely skewered cable companies, and pretty much said all there is to be said


I had Comcast when I lived in Chicago. They basically run that city. You can't get any decent internet anywhere else. All the other providers for some reason in the city, didn't cover any neighborhood I was in.

The biggest thing I liked, moving back to Iowa, was a decent internet provider.

What is your default throttling algorithm?

You can read about it here: https://tools.ietf.org/html/rfc6057. It impacts an extremely small percentage of users for short periods of time.


>For a CMTS port to enter the Near Congestion State, traffic flowing to or from that CMTS port must exceed a specified level (the "Port Utilization Threshold") for a specific period of time (the "Port Utilization Duration").

>Given our experience as described above, we determined that a starting point for the upstream Port Utilization Threshold should be 70 percent and the downstream Port Utilization Threshold should be 80 percent. For the Port Utilization Duration, we determined that the starting point should be approximately 15 minutes

>Thus, over any 15-minute period, if an average of more than 70 percent of a port's upstream bandwidth capacity or more than 80 percent of a port's downstream bandwidth capacity is utilized, that port is determined to be in a Near Congestion State.

>For a user to enter an Extended High Consumption State, he or she must consume greater than a certain percentage of his or her provisioned upstream or downstream bandwidth (the "User Consumption Threshold") for a specific length of time (the "User Consumption Duration").

>we have determined that the appropriate starting point for the User Consumption Threshold is 70 percent of a subscriber's provisioned upstream or downstream bandwidth, and that the appropriate starting point for the User Consumption Duration is 15 minutes

> A user's traffic is released from a BE state when the user's bandwidth consumption drops below 50 percent of his or her provisioned upstream or downstream bandwidth for a period of approximately 15 minutes.

So, if I'm reading this right, if you use more than 80% of what you pay for, they throttle you to 50% of what you pay for?

Hmm, actually I don't think I caught how much your speeds are actually reduced.

It's throttled until you've used less than 50% of what you pay for for at least 15 minutes.

That threshold is so low specifically so that a line doesn't end up cycling between throttled and not every interval if it's 79% once, then 81% the next, etc.

It seems obvious to me that Comcast et al are vastly overselling beyond their capacity.

They then market these strategies as methods to ensure quality to their customers, when their customers bought a service that was misadvertised as having enough capacity for them in the first place.

Just like airlines - they sell more tickets than they have seats, because they figure they can squeeze more profit out of the people who paid for a ticket but didn't show up; then when everyone shows up, someone has to get bumped.

I believe it is that if you use more than 80% and someone else is using 60%, IF throttling occurs on the network, the person using 60% will have priority over you.

Only if the CMTS is also over 80% utilization for over 15 minutes, and you are using your connection at >80% for over 15 minutes.

Just to add to this. From the document:

  Question #1: Is the CMTS Upstream Port Utilization at an average of OVER 70% for OVER 15 minutes?

    Result #1: CMTS marked in a Near Congestion State, indicating
               congestion *may* occur soon.

    Action #1: Search most recent analysis timeframe (approx. 15 mins.)
               of IPDR usage data.

  Question #2: Are any users consuming an average of OVER 70% of
               provisioned upstream bandwidth for OVER 15 minutes?

    Result #2: No action taken.

    Result #3: Change user's upstream traffic from Priority Best Effort
               (PBE) to Best Effort (BE).

  Question #3: Is the user in Best Effort (BE) consuming an average
               of LESS THAN 50% of provisioned upstream bandwidth
               over a period of 15 minutes?

    Result #4: Change user's upstream traffic back to Priority Best
               Effort (PBE) from Best Effort (BE).
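The decision tree quoted above, as an added Python simulation of one analysis pass per 15-minute window. This is not code from the RFC or from Comcast; the thresholds are the "starting point" values quoted in the thread, and the subscriber names, provisioned rates and usage figures are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Thresholds as quoted in the thread from RFC 6057 ("starting points").
PORT_THRESHOLD = {"upstream": 0.70, "downstream": 0.80}  # Near Congestion State
USER_ENTER_THRESHOLD = 0.70    # Extended High Consumption State -> demote to BE
USER_RELEASE_THRESHOLD = 0.50  # released back to PBE below this
WINDOW_MINUTES = 15            # both durations are "approximately 15 minutes"


@dataclass
class Subscriber:
    name: str
    provisioned_mbps: float
    priority: str = "PBE"  # Priority Best Effort (normal) or Best Effort (deprioritised)


@dataclass
class Window:
    """One 15-minute analysis window, already averaged (constructed sample data)."""
    port_utilisation: float        # fraction of CMTS port capacity in use
    usage_mbps: Dict[str, float]   # per-subscriber average usage in this direction


def port_near_congestion(utilisation: float, direction: str) -> bool:
    """Question #1: is the port over its utilisation threshold for the window?"""
    return utilisation > PORT_THRESHOLD[direction]


def consumption_ratio(sub: Subscriber, window: Window) -> float:
    """Subscriber's average usage as a fraction of provisioned bandwidth."""
    return window.usage_mbps.get(sub.name, 0.0) / sub.provisioned_mbps


def apply_window(subs: List[Subscriber], window: Window,
                 direction: str) -> List[Tuple[str, str]]:
    """Run one pass of the decision tree; returns (subscriber, transition) events.

    Demotion (Result #3) needs BOTH a Near Congestion State on the port and a
    user above USER_ENTER_THRESHOLD. Release (Result #4) depends only on the
    user's consumption dropping below USER_RELEASE_THRESHOLD, which is the
    hysteresis gap that keeps a line from flip-flopping every interval.
    """
    events: List[Tuple[str, str]] = []
    congested = port_near_congestion(window.port_utilisation, direction)
    for sub in subs:
        ratio = consumption_ratio(sub, window)
        if sub.priority == "PBE":
            if congested and ratio > USER_ENTER_THRESHOLD:
                sub.priority = "BE"
                events.append((sub.name, "PBE->BE"))
        elif ratio < USER_RELEASE_THRESHOLD:
            sub.priority = "PBE"
            events.append((sub.name, "BE->PBE"))
    return events


def simulate(subs: List[Subscriber], windows: List[Window],
             direction: str) -> List[List[Tuple[str, str]]]:
    """Apply consecutive windows, returning the events of each one."""
    return [apply_window(subs, w, direction) for w in windows]


# Constructed downstream scenario: two 100 Mbps subscribers on one CMTS port.
SAMPLE_WINDOWS = [
    Window(0.75, {"alice": 95, "bob": 10}),  # port below 80%: nobody demoted
    Window(0.85, {"alice": 90, "bob": 60}),  # congested, alice > 70% -> BE
    Window(0.85, {"alice": 60, "bob": 95}),  # alice stays BE (60% > 50%); bob -> BE
    Window(0.60, {"alice": 45, "bob": 95}),  # alice released; bob stays BE
    Window(0.85, {"alice": 79, "bob": 40}),  # alice demoted again; bob released
]


def run_sample() -> List[List[Tuple[str, str]]]:
    subs = [Subscriber("alice", 100.0), Subscriber("bob", 100.0)]
    return simulate(subs, SAMPLE_WINDOWS, "downstream")


if __name__ == "__main__":
    for i, evs in enumerate(run_sample(), 1):
        print(f"window {i}: {evs or 'no change'}")
```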

If they're blocking ports, they're not selling "Internet." They're selling something else.

I would hope that someone with the resources and knowledge to make them pay for these shenanigans will....

Only a tiny fraction of consumers actually believe that. For the vast majority of users, Internet == 80+443, and 25+983 for people with smartphones.

Systems do not change just because a sufficient mass of people believe otherwise.

Gamers would disagree.

Good point - Skype and FaceTime too.

As much as I hate Skype, it does seem to have a magical ability to connect in even the most restrictive networks.

Gamers are a tiny fraction of consumers.

Games made more than Hollywood last year, so I would suspect this is still a large audience.

Also the audience (after possibly developers) who are willing to pay for really high speed low latency connections.

He was talking about Business class Internet not home users.

What other provider choice do you have? Whoever they are, they all collude to inflict maximum pain for maximum gain - a hallmark of modern capitalism. Good luck though.

That's not my definition of modern capitalism, I call that corruption. A corruption enabled by government agencies that enforce monopolies that no consumers want to exist.

I agree that in lots of places there are franchise agreements and in others, there are specific laws that deter municipal networks.

That said, you could argue that data networks are mostly a natural monopoly because it's not feasible or efficient to roll out several redundant fiber/cable networks.

Even if there were no franchise agreements in place, very few companies (excepting ones that have other revenue streams) would roll out a second or third cable/fiber network in a city where there is already one in place. Even if you managed to split the market and get half of the potential customers, you'd need to account for the cost of digging trenches and laying cable (which cable TV companies have long since recouped). Makes it hard to stay solvent at such a disadvantage.

It's why a lot of people think the ideal situation is for a single physical network to be built and then service providers pay for access and compete on service to businesses and customers. With physical networks divorced from service providers, the company or municipality in charge of the actual cable/fiber makes their money from maintaining and improving capacity so they can sell access to more providers. Providers compete by offering the best services and customer support in order to profit and pay for more bandwidth on the physical network.

But yeah, it's more complicated (in terms of both business and networking tech) but it's an ideal that many would like to move toward.

What you describe is how the power grid where I live is handled. That's one solution I would be more interested in than these monopolies that only seem to create horrible customer service, high fees, and poor product.

But in the end, I'm not sure what's the best way to handle it. I just know that many would agree that the current methods are not optimum, and possibly detrimental.

How would an effective monopoly not exist in something with such a massive upfront capital requirement and vast land requirements?

By letting the government build and own the infrastructure, then lease the exploitation of it to private companies, and have other companies do the maintenance. This has its own challenges too, but at least the monopoly is in the hands of people who can be voted out.

This model was used regularly for rail and power networks in Europe, but these have all been privatised in the past few decades citing "cost reductions". The net result is that our infrastructure is deteriorating, consumer prices are rising way faster than inflation, and critical infrastructure is now in the hands of a few international power brokers (e.g. the Dutch national telephone grid is owned by Carlos Slim).

If that's how it came about then I would be more apt to accept that. But in the U.S., I find it doubtful any current telecommunications monopoly came to exist without government involvement. A good chunk of that upfront capital and land requirement was given away by the government for promises those companies didn't keep.

Yet, you need money from the beginning, so you are now back to issuing more bonds, and perhaps raising capital with venture investors. This is basically the model of the 19th and 20th century railroad race. Of course the government wasn't directly building the railroad, but they were the ones who gave the land and even troops to open up the new frontiers.

The sad thing is, the government broke up AT&T before they had a chance to connect every home in America with fiber. The project end date was 2000 :/

HTTPS Everywhere can't happen too soon.

This is abusive. Imagine if anyone else had access to push you notifications by intercepting your communications. Imagine Uncle Sam interrupting your calls announcing you haven't submitted your tax returns yet. Because that's basically what's happening here.

HTTPS is good and all, but the real problem is ISPs which don't want to be nothing but a transport provider. Every IP packet I send into their network should end up at its destination, with best effort, completely unmodified, and vice-versa.

That said, in my experience datacenter and enterprise ISPs tend to be far more "pure", so if you want a truly unmolested connection a possible solution could be to use a VPN to a server that terminates in one of those.

> but the real problem is ISPs which don't want to be nothing but a transport provider.

This is very, very true. Anyone who has worked at a telco should've heard the "we don't want to be a dumb pipe" argument. The thing is: they can't be more than that! I don't want their applications, they are not very good at doing applications. I don't want their content, they don't seem to get content production at all. Even their research, it has become less and less relevant.

As a customer, I'd rather see all that money spent on efficient ways of transporting bytes, or even directly subsidizing the customer bill (so that they can support smaller ARPUs). But no; I have to pay extra to support the entertainment of their engineers, in order to get sub-optimal apps and content.

It's the other way round: the extra stuff is there as "market differentiation" in order to justify the high prices and prevent commoditisation. The problem is that if you're selling a commodity the price ends up close to the marginal cost of production. Whereas every company wants to have some unique IP they can charge monopoly rent prices for, like Apple.

Same with vendor crapware on phones and PCs. I call this stuff "value subtracted software".

Don't ISPs give up common-carrier protections for things like copyright when they interfere with the traffic? This should make them liable for contributory infringement on any copyright infringements by their customers that they don't take action against.

I like your thinking. So including ads/warnings/popups is effectively making a derivative work on material that Comcast doesn't own. They become liable for copyright infringement.

Frankly the whole "don't want to be dumb pipe" thing is a telco variant of "perpetual growth".

Frankly at one point or other every large company in every mature market has to contend with having reached their growth limit. There are only so many customers in this world for the products and services offered.

The only place that could grow forever is Wall Street, by piling derivatives upon derivatives and passing them round like hot potatoes. Everywhere else has to contend with us being on a physically finite planet.

They can't, because of debt. Capitalism is a never-ending running forward, being pursued by debt. If you stop, you get eaten.

That's exactly the point. The reason they don't want to be a dumb pipe, is because they want to use that to justify increasing their ARPU.

A lot of ISPs are anything but, including business or datacenter connections.

I had to deal with one of them using transparent DNS proxies without disclosing the fact. Only found out when something broke on their end. The only way to have functional DNS is to tunnel it over another protocol because their equipment will intercept DNS queries to any server and reply with a bogus IP.

Why do you think that they won't intercept HTTPS traffic? They will just instruct users to install their root certificate. It must be illegal for them to interfere with traffic, no matter what this traffic is. Otherwise there's nothing that would stop them.

They'll never ask users to install a root certificate or I'll eat my hat.

* It will incur a lot of wrath because it gives them power over your bank account

* Only gullible / ignorant users will actually install the certificate

* If your internet access is working, why would you go through extra steps?

Most folks in the real world don't know or care what a root certificate is.

If their ISP posts a message telling them they have to install something to continue getting "the best internet possible" or, better yet, when the tech comes to install the modem they just do it as part of the installation service, so few people are going to even think about it, let alone know why they shouldn't want it.

Remember... we here aren't an accurate facsimile of the general population.

Ahh, but it isn't working. Every site you visit gives a certificate error.

Don't worry though, you just need to install the Comcast Connect app and all will be well.

Gullible / ignorant covers about 99.3% of the Internet population.

Source for that statistic?

85.7% of statistics are made up on the spot. 97.1% of people know that! </sarcasm> I don't think this note was intended to be taken literally.

You might want to try getting out of the HN/SV bubble more often.

Good point. I did make it up.

Let's take something like using the (now removed) + operator in Google search.


> However, we found that users typed the “+” operator in less than half a percent of all searches, and two thirds of the time, it was used incorrectly.

1 in 600 searches used it correctly, another 2 in 600 used it incorrectly.

Stuff like that.

Or have a look through /r/tipofmytongue for people looking for help to identify songs, tv shows, and films. You'd think they'd include details of roughly when they saw the film, or who any of the actors were (or even what other film they'd been in), and then the plot (with some details), or the name of some of the characters, any music, the genre of movie. But you frequently see people who give very vague information. I won't give examples, but it's really easy to find them.

But I do need to remember not to be a judgemental dick about it, and if I was I apologise.

I worked for a company where, as part of one product, users were giving us the user AND PASSWORD for their bank account. We had thousands of users before I left. As a programmer, I was sure that the product wasn't going to be viable... boy was I wrong.

Hah, we have a payment processor here in Germany called "Sofortüberweisung".

It works like this: When you want to pay for something you give them your login credentials to your bank account and a TAN and they send the money to the merchant for you.

The selling point of this service is that SEPA wire transfers usually take one day. But with their service the merchant gets an instant notification of money received and you can get your stuff one day earlier.

It's crazy but people use this and have no problem handing over the keys to their bank account.

>> It's crazy but people use this and have no problem handing over the keys to their bank account.

Part of the problem may be that people don't really understand where those keys are going. They put the information into their computer perhaps via keyboard. Beyond that they often don't know where it goes or where it gets stored. Perhaps they think it's stored locally in an app. For a while people didn't get the distinction between an app and a web site, but I think that's changing. People think Siri does voice recognition on their phone and freak out when you tell them all the recordings are sent to Apple and stored there.

It's crazy but people use this and have no problem handing over the keys to their bank account.

I wonder whether there's more to that story. It seems like a potentially useful payment service, but it also seems like something the banks would surely be aware of. Customers giving up their credentials like that is probably a blatant violation of the bank's normal terms of business, and asking for those credentials or failing to keep them secure seems legally risky for the payment processor as well, particularly if anything ever goes wrong. Are you sure there's no separate agreement or commercial arrangement to cover this, probably between the payment processor and the banks?

While it's against most bank TOS, that clause has been ruled uncompetitive and therefore void by courts. As far as I know there is only a single German bank (DKB) that officially cooperates and gives them API access. For the rest they use web scraping; the banks are not allowed to (intentionally) break it.

The banks don't like that payment processor and therefore just started a competitor where you only give your credentials to your bank. Hopefully it gains traction.

Nope. It's as shady as it comes and to my knowledge works via normal HBCI/FinTS access [0] you usually would use for 3rd party online banking software.

But given the lack of widespread credit card use and the aversion of many merchants to PayPal here in Germany, it's still pretty popular.

[0] https://en.wikipedia.org/wiki/FinTS

Nope – and most banks even publicly warn that using the service means you lose the money-back guarantee for transactions.

This is Yodlee, the USA's largest financial API for consumer products (Mint, etc), endorsed by all large banks and investment firms. They have millions of users.

I have bookmarked this comment and I'll happily remind you to eat your hat when they finally do ask users to do that.

I applaud your bravery and self-confidence though.

The Verizon DSL install package CD-ROM used to install a new system root certificate, and that was many years ago.

It may be enough if ISPs forfeit common carrier status as soon as they "manage" data and thus adopt full responsibility for every byte going to the customer.

But I thought they didn't even want common carrier status, because they wouldn't be able to throttle your Netflix traffic if they were a common carrier.

But the argument that if they mess with the content and the traffic, they carry responsibility for it that they don't if they're just a dumb pipe, is a good one.

I'm certain that Google, Apple, Microsoft, etc would be smart enough to step in and mark that certificate as revoked.

At least I pray so.

The moment this happens, browser vendors prevent non-power-users from installing certs outside their bundle.

The header and people's reactions make it seem Comcast will just do this on a whim, as if it's inspecting the page you visit and deciding on the page whether to display the warning or not. If you read the screenshot, it's just a notice that someone filed a complaint against your IP, and Comcast is alerting you via email, maybe phone, maybe even a letter, and now your web browser. One might argue whether it's better they redirect you to a Comcast Message Page on their own domain one time. One might argue that this is a "feature" on the level of Comcast DNS servers that "helpfully" forward your bad domains to a search engine instead of giving a proper server not found response.

Don't want to receive these messages from Comcast? Don't seed your torrents.

This is correct. It is only performed after you are sent emails, letters, phone calls, etc. We do the same for when you are about to exceed your 300GB of data. Most people don't give us a good email, don't login to check it, don't login to their comcast account, etc... This type of notification is to cover those people. We are working on better ways to do this, see: https://www.caida.org/workshops/aims/1503/slides/aims1503_ba...

This system is well documented: https://tools.ietf.org/html/rfc6108

I'll bring up the idea of an opt-out for users that DO check their mail, email, phone, comcast account, etc...

Alternatively, your company could choose not to act as a copyright cop.

Edit: Actually, reading the IETF link you posted, notifying users of a potential malware infection might be an example of how to use this technology in a non-shitty manner.

These companies aren't necessarily choosing to be copyright cops. I can't imagine that sounds very fun or beneficial to them. Systems were negotiated under legal pressure from the RIAA and MPAA.

Of course, Time Warner and Comcast are both also content creators, so they might have some motivation to concede.


Yes, when I wrote custom page tracking software for a custom forum I wrote and hosted, I was parsing out User-Agent information and would actually notice malware browser add-ons, and I'd gently post a notice at the top of my web page alerting them that they might want to run some malware scans. Security vs. privacy right there. That was a long time ago, and I don't track anything any more, but it was an interesting experiment.

Using a shitty technique to do something arguably "good" does not make the shitty technique "good"

Perhaps a captive portal and redirect would be a "nicer" way of doing this. At a bare minimum, it's less intrusive, and it's an accepted practice when using a provider's internet (especially wireless). Injecting JS into a page that I've requested from a third party server would erase my trust in that provider, and I would immediately cancel my service the first time my provider performed that action.

May I ask if your comments in this thread were made in an official/"on the clock" capacity?

Nada, I'm just an engineer. I try and help where possible on Reddit/DSLReports/HN.

Thank you.

(Though I'd caution you that working off the clock is an excellent way to get overworked.)

What's wrong with good old registered mail?

So, you work for Comcast? May I ask what it is you do there?

Internet Services engineering, mainly working on measurement, instrumentation, and customer experience. My group runs our Speed Test, SpeedExperience, Next-gen access trials, our RIPE Atlas probes/anchors, etc..

Thanks for responding. As frustrated as I get with the business side of Comcast, the engineering side has to be pretty interesting.

Whichever team is behind the account system needs work. Why do I have four Comcast accounts? I've only ever lived at three different places. Why can I still login and "pay my bill" which still says I owe "$39.99" on my last account? I was paying into it accidentally for months before they killed my new service because I wasn't paying into the new account.

It seems to me it's just hacks on top of hacks written by hacks.

Yes! This happened to me too! I moved to a new house, they configured service and "transferred" my account.

Three months later, my service at the new house is disconnected for non-payment. I look at my bank statement - sure enough, AutoPay happily withdrawing the amount...

... and applying it to the old house's (disconnected) cable, the account for which is now several hundred dollars in "credit" (paying $200/mo for business service).

It was (relatively) easy to get resolved, thanks largely I think to the business support folks. But still... :|

Perhaps users that don't give you a good email don't want to hear from you.

If you've sent emails, letters, and phone calls already - just stop.

It's called consent, fuckers.

They require you to ack, it's part of their copyright platform. Would you rather they just turn off your internet until you call in?

Maybe try a certified letter first? Also, they don't require YOU to ack, they require SOMEONE to ack, as I don't see anywhere where they actually have the "acker" verify that they are the account holder. I wonder if there is a legal loophole that the account holder could use as they can't prove that the account holder is the one that acked.

You're missing the point. Injecting scripts into HTML delivered through your ISP for any purpose is grossly abusive on the part of Comcast.

I would call the Great Firewall of China injecting a script into people visiting Baidu, as a means to DDoS GitHub, a gross abuse.

Just for context.

I would call that an act of war.

This comment is the only real explanation of what's going on here. I'm not sure why it's buried. It seems people are just reading the headline and breaking out the pitchforks and torches. I understand the issues of privacy here, but it also seems the context in which this is taking place is an important thing to consider, as well.

You mean don't seed infringing torrents, right?


I think this is actually illegal. If you own the copyright for your content and they inject into it, they are creating a derived work without your permission.

I would hope not, because by a similar argument adblockers and userscripts would also be illegal. I don't agree with what Comcast is doing, but using this argument could end up with an even worse slippery slope that leads to users not being able to consume content/customise their computing environment in the way they choose to. On the other hand, if Comcast is your ISP, all your traffic does pass through equipment owned by Comcast, which --- if you believe in being able to have control over your devices --- they should likewise also have the right to control. All the traffic on my home network goes through an adblocking proxy, and I could do things like http://www.ex-parrot.com/pete/upside-down-ternet.html if I really wanted to. I certainly do want to maintain control over the traffic within my network.

That happens at the user's choice at the user's machine, and isn't being distributed any further. The ISP distributes this modified content to their "customers".

Pretty sure that Comcast's ToS allows this and more.

Doesn't matter. I strongly doubt Comcast allowing themselves to violate non-customers' copyright in their ToS can possibly hold up in court.

Are Comcast's ToS universally agreed on by every provider of internet services? If not, it's not allowed by its ToS.

Maybe, but that's a different argument than this thread, which is about copyright.

There's a difference of distribution.

I am free to take a copyrighted book, and tear out pages. But I can't distribute that book. The results of the adblocker are not distributed.

A lot of corporate networks block ads at the DNS level I assume. I don't have an ad blocker at this client but I never see ads. Just another point.

There may also be an interpretation in which you're not even modifying the work by using an adblocker.

If you define the work as the source code you're not actually modifying it. You're just declining to download subsequent works (iframes, flash, whatever).

(not a lawyer)

At least in the United States (and the UK), the copyright owner of the original work has the exclusive right to prepare derivative works, regardless of whether the derivative work is published, distributed or used in any other way.

Well, almost all bookstores put stamps (sales sticker, discount info etc) on the books they sell. Is that a "derivative work" and thus "illegal"?

And this broad "distributed or used in any other way" doesn't seem very valid either.

Isn't it legal to write with a pen on your book copy if you're not the author?

"De minimis" (minimal) changes won't create a derivative work. What counts as "de minimis" has been debated extensively, but sales stickers certainly do.

Creating derivative work is only illegal if you do it without permission from the copyright owner of the original work.

I don't know what you mean by "doesn't seem very valid". It is the law [1].

Annotations normally create a derivative work. That being said, annotations often end up being covered by fair usage (fair dealing in the UK).

[1] 17 U.S. Code § 106 (2) https://www.law.cornell.edu/uscode/text/17/106

>I don't know what you mean by "doesn't seem very valid". It is the law

Apparently it's not the law, as the link doesn't contain the words "distributed or used in any other way" or anything to the effect of "any other way".

Plus, the "de minimis" thing and fair use exceptions mentioned in your second comment, already scale down the absolute "any other way" qualifier.

I think you may be misunderstanding something. The owner of the copyright has exclusive rights to prepare derivative works (or authorise someone else to do so). There are certain exceptions. What's unclear about this?

Maybe "used in any other way" confuses you? It's standard legal language and it means publishing, public performance, creating mechanical copies, etc. The possible uses of a copyrighted work are numerous and due to advances in technology that list grows constantly. This expression makes it unnecessary to list every known possible use, or yet-to-be-discovered future uses.

>I think you may be misunderstanding something. The owner of the copyright has exclusive rights to prepare derivative works (or authorise someone else to do so). There are certain exceptions. What's unclear about this?

The fact that "certain exceptions" weren't mentioned in the first comment. I quote: "the copyright owner of the original work has the exclusive right to prepare derivative works, regardless of whether the derivative work is published, distributed or used in any other way."

There was no reference to "certain exceptions", "fair use" and the possibility of "minimal" (and thus allowed) changes.

That, plus the use of "used in any other way" ("standard legal language", as you say) as part of a casual comment, left the reader with the impression that only the copyright owner or someone with permission from them can create derivative works, period.

So while this is cleared up now after the extra explanations, the initial comment was quite unclear.

>I would hope not, because by a similar argument adblockers and userscripts would also be illegal.

Does not follow. Ad block is set up by the user to block connections. Your work doesn't change; the user just doesn't see the full work. Kinda like if I gave you glasses that blocked the color red and then you went and looked at an art gallery wearing them. The art hasn't changed, but the item I gave you, which you willingly wore, just stops some part of the art from being displayed into your eye.

I don't think you understood the post (admittedly the title is unclear).

If the title were "Comcast injects ... to show notices of reported copyright infringement against their account," there would probably be less confusion in the comments here.

I wonder what the legal implication is if a site is sending the "Cache-Control: no-transform;" header with its clear text content.

No legal implications are associated with such tags.

Are you a lawyer?

I'm sure a content publisher could argue that by stating that the transport layer does not transform the content, that any such transformation (that the end user perceives) constitutes harm to them.

Such is law. That header gives them a basis for constructing this argument.

Are you really proposing that protocol messages constitute binding contracts?
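Whatever the legal weight of the header, the technical check is straightforward. The script below is an added example and is not code from the thread, the gist, or Comcast. It does two things offline: it reports whether the origin's headers carried Cache-Control: no-transform (the directive that asks intermediaries not to rewrite the body), and it diffs the copy of a page you received over plain HTTP against a reference copy (for example one fetched over HTTPS, where an ISP cannot inject anything) and lists any added lines containing a script tag. File names and page content are constructed for the example; no-transform is advisory, an ISP that ignores it is exactly the case the diff is for.

```shell
#!/bin/sh
# Added example, not code from the thread, the gist, or Comcast: an offline
# check for in-transit modification of an HTML page.
#   1. did the origin ask intermediaries not to rewrite it (no-transform)?
#   2. which lines containing <script appear in the copy you received but not
#      in a reference copy fetched over HTTPS or from a trusted host?
# File names and sample content are constructed for the example.
set -eu

# has_no_transform HEADERS_FILE -> 0 if a Cache-Control header carries no-transform
has_no_transform() {
    grep -iE '^Cache-Control:.*no-transform' "$1" >/dev/null
}

# injected_script_lines REFERENCE RECEIVED -> lines present only in RECEIVED
# that contain a <script tag (case-insensitive); empty output when clean
injected_script_lines() {
    diff "$1" "$2" | grep '^> ' | sed 's/^> //' | grep -i '<script' || true
}

# check_page HEADERS REFERENCE RECEIVED -> 0 if no script was added, 1 otherwise
check_page() {
    if has_no_transform "$1"; then
        echo "origin sent Cache-Control: no-transform"
    else
        echo "origin did not send no-transform (advisory only; an injecting ISP may ignore it anyway)"
    fi
    found=$(injected_script_lines "$2" "$3")
    if [ -n "$found" ]; then
        echo "script content added in transit:"
        printf '%s\n' "$found"
        return 1
    fi
    echo "no added script lines"
    return 0
}
```

Typical use is `curl -sD headers.txt -o received.html http://example.org/` beside `curl -s -o reference.html https://example.org/` and then `check_page headers.txt reference.html received.html`; a non-zero exit means the HTTP copy contains script the HTTPS copy does not.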

doesn't all music sampling rely on the fact that creating derived works without permission is completely legal?

To use a sample you have to get a license from the original artist:

>Today, most mainstream acts obtain prior authorization to use samples, a process known as "clearing" (gaining permission to use the sample and, usually, paying an up-front fee and/or a cut of the royalties to the original artist). Independent bands, lacking the funds and legal assistance to clear samples, are at a disadvantage - unless they seek the services of a professional sample replay company or producer.


Was that ironic?

All music sampling of commercial works is illegal without a license. Even a non-recognisable 2 second snippet, if spotted, can get you huge fines.

Sampling without permission of the author/copyright-holder(s) is not remotely legal.

A sample could fall under fair use.

It doesn't. Sampling is technically illegal. However the bootleg market is often too small to go noticed and larger artists get authorisation before sampling (or at the very least - releasing).

You do often see some artists turn a blind eye to sampling though. Particularly dance artists, because many of them know their entire genre exists off the back of sampling. So it would be counterproductive / hypocritical for them to chase after royalties.

It's not quite that clear-cut:

    Sample clearance is generally not required if:

    - You are just using the sampled music at home.

    - You are using the sample in live shows. This is because, 
      usually, you are not making copies and the owner of the venue
      pays the blanket license fees to performing rights organizations
      such as Broadcast Music Incorporated (BMI) or American Society of
      Composers, Authors, and Publishers (ASCAP).

    - You plan to distribute copies to the public but meet one of the
      following: (1) an average listener would not notice the similarities
      between your end product and the sample, or (2) your use of the
      sample falls under the "fair use" doctrine. For more information on
      these, see "Defending a Lack of Sample Clearance," below.

Sampling isn't legal anymore.

The `checkBrowser` function says it is from brainjar.com and used under their terms of service. On the brainjar.com terms of service, it seems to say the code is licensed under the GPLv2+.

Doesn't this make the Comcast script now under the GPL - since GPL code can only be included in compatibly licensed products. Or is Comcast violating the GPL?

This is a crappy move on Comcast's part, but as far as GPL they most likely are not in violation. You can use GPL code in a commercial product as long as you are not distributing it.

If they ever choose to sell or distribute their "content injection system" though, they would have to release it under the GPL or else negotiate another license from the copyright owner.

How are they not distributing it if they send this JavaScript to each user notified? Of course it's JavaScript so maybe that counts as distributing the source...

I think the FSF would consider this a distribution and require the backend to be released under the GPL.


Er, actually it may be more complicated than that. You'll have to read the discussion.

Backend? IANAL, but using a frontend JS library under the GPL doesn't have implications for your backend per-se; they can be entirely separate works.

You could argue about their frontend, though.

The AGPL was designed to fix this "loophole": https://en.wikipedia.org/wiki/Affero_General_Public_License

AGPL fixes this problem for backend code running on the web server, which is technically not distributed, so GPLv2 does not apply. For Javascript code, the code is distributed to the web browser, so even GPLv2 applies.

Isn't the whole point of this post that they are distributing it?

You can use and distribute GPL code in a commercial product too.

There's nothing in the GPL that says you can't sell/commercialise the software. The product just has to be GPL licenced too.

Exactly. Nothing prevents me from selling 100$ ubuntu copies.

This is certainly distribution.

If the `checkBrowser` function uses GPL'd code, then anything that calls `checkBrowser` in turn must be licensed under the GPL.

But that doesn't mean that this Comcast code _is_ licensed under the GPL. That means that the copyright owner (brainjar) can take action against Comcast, and tell them to either stop using their code, or change the license.

They'd just stop using the code.

If Brainjar had licensed this code AGPL then Comcast would have to release their code. But since it's GPL 2 then they have no legal right to require Comcast or anybody else to stop using their code. That's one of the great things about GPL (or horrible things, depending on your intention)

Read up on your licenses folks, make sure your code is used the way you intend.

This code is served to the client; the AGPL would not provide any benefit here.

Please see https://www.gnu.org/philosophy/javascript-trap.html

Yea, this is like what tivo did, it's allowable under the GPLv2

The terms of service facing the public are not necessarily the terms which Comcast may have negotiated with the copyright holder.

Always using a VPN has really made the Internet a lot nicer place to use; I can use any Wifi without any fears, don't have to care about ISPs doing funny things with my traffic, and if I get country-blocked content I can just quickly route my traffic to another exit node.

Of course then the VPN provider is the single point of failure, but if it's trustworthy enough only folks with proper court orders should have access to my traffic. And it's an extra ten bucks per month or so.

Aren't you then just effectively shifting your choice of trusted provider from ISP to VPN?

Is it possible to run your own VPN on a VPS host, DigitalOcean or Linode or similar?


" Streisand sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists. "

It's effortless.

You're shifting your trust from

A.) a dumb-pipe retailer, who you may not have freely chosen, and who has no motivation to respect privacy, to

B.) a privacy provider who is easily replaceable and whose entire business is based on quality and integrity.

Seems rational to me.

>Is it possible to run your own VPN on a VPS host, DigitalOcean or Linode or similar?

Yes. I run several types of VPNs and shadowsocks on a VPS host. I mainly use it to bypass GFW though.

Of course, trusting the VPS provider and its ISP is no different than trusting a VPN provider and its ISP.

On the other hand, while your VPN or VPS provider may be no more trustworthy than your local ISP, it's _much_ easier to switch VPN providers - and you can arrange to have them in a different jurisdiction as well - If my net connection is through a proxy server in the Netherlands run by a company from Germany in a datacentre owned by a Japanese firm and I'm in Australia browsing websites in the US - there's a lot of legal hoopjumping needed to get to me.

> Is it possible to run your own VPN on a VPS host, DigitalOcean or Linode or similar?

It's possible and very easy: https://github.com/Nyr/openvpn-install

Disclaimer: I'm the script creator.

I know I'm being unfairly picky when I should be thanking you for building a helpful install script; but your install instructions seem very counterintuitive given the privacy argument of running a VPN:

    wget git.io/vpn --no-check-certificate -O openvpn-install.sh && bash openvpn-install.sh
Aside from the lack of an https scheme in the URL, you're also deliberately disabling certificate authentication and then piping the output directly into bash.

Granted the double ampersand offers some protection, sadly it's still little better than the often criticized:

    curl http://example.com/install.sh | bash
Plus the address you supplied is a shortened URL so the user has to trust that the file it redirects to is the same Github hosted file that's in the referenced repo.

I do appreciate the work you've done. But given the security and privacy expectations of VPN, it might be worth having a little more transparency in your install instructions - even if that means splitting your instructions into 2 lines.

As you can imagine, this has already been discussed many times. For example:

https://github.com/Nyr/openvpn-install/issues/24 https://github.com/Nyr/openvpn-install/issues/66

> given the security and privacy expectations of VPN

The security and privacy expectations are that the network for the server is not compromised. If that's not the case, why would you want the VPN hosted there in the first place?

You cannot control what happens beyond your own hosted infrastructure. Even the most trusted networks are still at the mercy of external DNS servers, web servers and routing equipment. Hence the entire point of trusted signed certificates.

Just because a persons hosted VPS might be trusted it doesn't mean that:

1. The git.io redirects to the expected location. Anyone could clone your git repo then put a malicious script in a different shortened URL

2. Nor that someone couldn't MITM between the user and git.io

3. Nor similar MITM attacks between git.io and github

Security is only as good as the strength of your weakest link.

Yeah, so? If the server network is MITMed, you are fucked at so many levels that it doesn't even matter anymore.

Not if you're running HTTPS you're not. You cannot have code injected into a HTTPS connection like you could with plain text HTTP. And even in the worst case scenario where the entire connection is re-routed to a rogue server: you would get a nice big warning that your connection isn't secure and the download would fail. Thus again preventing the malicious code from running on the users VPS.

You're also still ignoring my first point as well.

I really don't get your careless stance here. Github already comes with an SSL cert and you don't actually need a URL shortened for the type of link you're publishing. So all of these complaints people are making are so very easy to solve. But instead you are intentionally following bad practices. Frankly, if this is your attitude towards security then I really don't think you're the sort of person who should be writing installers for VPN servers to begin with.

> Not if you're running HTTPS you're not.

Yes, you are. If your adversary can MITM a datacenter, it's likely that a rogue cert can also be obtained from a trusted CA. If your threat model includes this kind of adversary, please don't use my script. You should also consider how funny it would be to host a VPN and route your traffic like this in a network which you don't trust.

> You're also still ignoring my first point as well.

What would an adversary accomplish pointing a DIFFERENT short URL to a malicious script? I don't understand. I'm only using/listing git.io/vpn, so whatever someone does with other URLs is not my problem. There is some fork using git.io/ovpn for example.

> I really don't get your careless stance here.

I'm not careless. You can either run the one-liner which clearly states --no-check-certificate or download and examine the script as long as you want. The choice is on you.

> Github already comes with an SSL cert

But minimal distro images don't come with trusted CA certificates, so it's useless. Yes, I could install them. No, I don't want to.

> Yes, you are. If your adversary can MITM a datacenter, it's likely that a rogue cert can also be obtained from a trusted CA.

One cannot simply obtain a cert from a trusted CA. Hence how they become signing authorities. Granted it's not impossible to do, but it is very difficult. Certainly a far better assurance than not running HTTPS at all.

> If your threat model includes this kind of adversary, please don't use my script. You should also consider how funny would be to host a VPN and route your traffic like this in a network which you don't trust.

We're not talking local network here - literally nobody can trust the internet. Hence why CA's exist in the first place. This isn't some weird edge case threat model, this is something that's well known and already handled. And it's something that is already supported by Github but you are intentionally breaking.

> What would an adversary accomplish pointing a DIFFERENT short URL to a malicious script?

Do you really need that answered for you?

  1. Clone repo
  2. Publish their own shortened malicious URL in cloned repo
  3. ???
  4. Profit
It's called "social engineering" and is actually quite a common method of attack.

> I'm not careless.

Given this script is aimed at less-technical people, I'd say it's rather presumptuous to assume they'd even realise just how careless it is to run a script downloaded from an unverified source.

> But minimal distro images don't come with trusted CA certificates, so it's useless. Yes, I could install them. No, I don't want to.

That's an edge case. You can add a comment to disable the certs in that edge case - or better yet, instructions on how to install the CA certs.

Every excuse you make is really just a plea for your own laziness. "it's the users responsibility" - no it's not, you're providing instructions for them thus it's your responsibility to get those instructions right. "they might not have CA installed", so add a footnote about installing that. I mean seriously dude, Github have already handed you the tools you need securing the install - there's literally no good excuse for disabling them.

> One cannot simply obtain a cert from a trusted CA.

One can't simply MITM a datacenter.

> literally nobody can trust the internet. Hence why CA's exist


> it's something that is already supported by Github but you are intentionally breaking

I'm not breaking anything. It is supported by GitHub but not by many of the client machines (by default).

> It's called "social engineering" and is actually quite a common method of attack.

I unfortunately can't fix user stupidity.

> That's an edge case.

That's when you've proved you have no idea about what my user base is. Minimal images are very common for OpenVZ templates.

Anyway, and to end this: you've already stated your points and I've given you my explanations. You can either accept them or not, but I don't want to waste more time on this - feel free to fork if you don't like it.

> One can't simply MITM a datacenter.

SSHing onto a Linux server in some secure datacentre doesn't magically mean that everything that server connects to outside of the datacentre is also going to be secure. I assume that you do actually understand how the internet works? :p

> I'm not breaking anything. It is supported by GitHub but not by many of the client machines (by default).

Of course you're breaking things. You're breaking the security of HTTPS by disabling cert checking. And you're breaking readability of your install code by using URL shorteners.

As for HTTPS not being supported by many of your client machines by default, it's so very easy to rectify:

    $(which apt-get yum) install ca-certificates 
This will work on Debian and its derivatives as well as the usual Redhat derivatives too. So that one line works on all your supported platforms. It really is that simple. :)

> I unfortunately can't fix user stupidity.

But you're forcing user stupidity by using stupid defaults. It's quite literally your fault that they're being stupid as you're recommending they do stupid things.

> That's when you've proved you have no idea about what my user base is. Minimal images are very common for OpenVZ templates.

I happen to run a hosting service as a side project and almost exclusively use OS containers for personal projects. So I'm well versed in these kinds of containers and the kind of users you're targeting. You're just making excuses for bad security practices.

> Anyway, and to end this: you've already stated your points and I've given you my explanations.

You've given excuses, not explanations. I've demonstrated how easy it is to work around the limitations you've put in place. You've just given lazy excuses as to why you couldn't be bothered.

The crux of the matter is when building gateways you should NEVER default to insecure settings like you are currently doing. Period.

> feel free to fork if you don't like it.

To be quite honest, it could benefit from a complete rewrite. The code is functional but messy, your OS detection could use a little fine tuning too. But the real problem is that there's more instances within your script of code getting pulled from the internet with certificate checking disabled, and that would also need to be fixed (but at least you're not using URL shorteners there).

Your intentions are noble, but sadly your execution is less so. Which is what happens when you never listen to advice. And looking at the comments on your repo, this has been an issue that has been raised a multitude of times before. So it's not just me being an elitist :)

> The code is functional but messy, your OS detection could use a little fine tuning too.

Feel free to submit a pull request if you can improve OS detection, it certainly is primitive.

> But the real problem is that there's more instances within your script of code getting pulled from the internet with certificate checking disabled

I have just pushed a commit with a better approach.

I find these points very valid.

But, I always feel a little annoyed when people complain about piping curl into bash. If you know enough to see the danger, you also know enough to avoid it. Just curl to a file and read it, or open the web page and read it. Take some responsibility.

I'm with you on the https and the short link, though.
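For anyone who wants the concrete alternative to the one-liner argued over above, here is an added example; it is not the openvpn-install project's own code and not something from the thread. It keeps certificate verification on, refuses plain-HTTP URLs (and HTTPS-to-HTTP redirects), saves the download to a file, compares it against a SHA-256 digest you pinned out of band (from the repository page, a release note, or a copy you already reviewed), and only then runs it. The URL and digest you would pass in are placeholders; the digest used in the test is simply that of the string "hello". It assumes curl and either sha256sum (coreutils) or shasum (BSD/macOS).

```shell
#!/bin/sh
# Added example, not the openvpn-install project's own code and not from the
# thread: the safer shape of "wget ... --no-check-certificate | bash".
# Download over HTTPS with certificate checking left on, verify the file
# against a digest pinned out of band, and only then execute it.
# The URL and digest a caller passes in are placeholders (assumptions).
set -eu

# sha256_of FILE -> hex digest on stdout (GNU coreutils or BSD shasum)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise
verify_sha256() {
    [ "$(sha256_of "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# fetch_verified URL EXPECTED_HEX DEST -> download to DEST; 1 on any failure
fetch_verified() {
    case $1 in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
    esac
    # --proto/--proto-redir '=https' forbid http:// on the first hop and on
    # redirects; certificate verification stays on (no -k / --insecure).
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' --tlsv1.2 \
         -o "$3" "$1"
    if ! verify_sha256 "$3" "$2"; then
        echo "digest mismatch for $1; refusing to run it" >&2
        rm -f "$3"
        return 1
    fi
}

# install_from URL EXPECTED_HEX -> run the verified script with bash
install_from() {
    tmp=$(mktemp)
    fetch_verified "$1" "$2" "$tmp" || { rm -f "$tmp"; return 1; }
    bash "$tmp"
    rm -f "$tmp"
}
```

This is two lines of instructions for the user instead of one (fetch, then run), which is the trade the critique above is asking for: the digest is the part that survives a compromised CA, a hijacked short URL, or a malicious fork, because it was obtained separately from the download.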

Not just VPN, but it really becomes whatever ISP the exit node of the VPN is connected to.

Yeah, but at least there haven't been any (high-profile) abuses, yet. Meanwhile Verizon and now Comcast have been caught tampering with their customers' traffic, and those are probably just the well-publicized cases. Maybe I am just blissfully unaware of VPNs' shenanigans.

Cox injects HTML into your HTTP connections. I've received popups on pages saying they've spotted traffic from a botnet server over my connection, and that my computer may be infected. I talked to Cox support and they view it as a feature.

I saw that once, not sure how common it is because I surf without JS by default. http://www.cox.com/residential/support/internet/article.cox?...

Will happily cancel my service if it continues.

> Aren't you then just effectively shifting your choice of trusted provider from ISP to VPN?

Yes, but that's okay. Privacy is part of the VPN market's value prop; companies in that space compete on it, unlike ISPs.

Even the $10/month Linode plan has 2TB of data transfer. If you use it as a VPN you'll have to halve that since you are using it as a conduit. You still get 1TB which is 3x the Comcast data limit. I say VPN everything.

I tried doing the same with my mobile but it either eats my battery alive or kills instant notifications. I HATE that tracking tag that mobile carriers are adding.

Linode only counts download towards the data transfer, so you can pump 2TB through, as they only count the data one time, as it's heading out of the VPS.

yes it is. Then you trust DO as an ISP though. imo they are far far more trustable than any comcast.

> Aren't you then just effectively shifting your choice of trusted provider from ISP to VPN?

Sure, but the issue at hand is js/html injection, which a VPN more or less (generally more) obviates.

It is possible to run VPN on a host using a socks proxy. It is easy with something called "ssh tunneling".

If anyone is interested, you can get TigerVPN lifetime for 30$ (one connection slot) or find online (I found one on reddit) TorGuard 50% coupon for 2 years service, but 5 slots and more endpoints. I use both from UK, and Internet is clear over there.

You realize it is possible to just intercept the connection to the VPN over wifi right?

What? VPN connection is encrypted and (hopefully) authenticated. You can't inject data into that stream. Or you can, and completely break the connection.

You just middleman the VPN authentication via wifi - by spoofing the wifi router you THINK you are connecting to, but it's not really, because it's just emulated with a stronger signal so your device thinks everything is fine.

That's not how it works on a decent VPN system.

If you try to do that, the VPN client will notice that the spoofed server isn't presenting a valid certificate or doesn't use a valid key, and refuse to connect. Same reason you can't "just" middleman an HTTPS connection.

Besides, there's no need to spoof. The point of the VPN connection is to protect against the wifi router (even the legitimate one!) reading the traffic. By spoofing, you're just replacing a dodgy wifi router with another dodgy router.

It's extremely easy to middleman a HTTPS connection.

Many PC antivirus/firewall programs do it right now.

Programs running on your PC can do it because they have access to your certificate store, and can tell the system to trust their certificate.

Entities not in control of your PC can't MITM an HTTPS connection, barring a catastrophic bug. And it is catastrophic. If you have a way to do this, please tell everybody because it's going to be the next Heartbleed.

The entire point of HTTPS is to prevent stuff like you're describing. And it does work, for the most part. Bugs happen, but they get fixed as they're discovered. It's definitely not "extremely easy."

Please go read up on this stuff before speaking authoritatively:


That's only because the antivirus/firewall products have access to your machine and install a root certificate on them, or more likely, are just using a browser extension to rewrite the dom on the fly.

More succinctly, the phrase "man in the middle" kinda loses meaning when the man in question is your own computer.

Which wifi router you are connecting to is irrelevant. No secure VPN protocol will allow itself to be defeated just with its handshake observed.

I don't know about all VPN technologies, but OpenVPN does authentication with client and server certificates. Just spoofing the WiFi router is not going to let you spoof that.

That won't work if the encryption certificate is signed by a trusted authority.

