Comcast is injecting 400+ lines of JavaScript into web pages (xfinity.com)
999 points by CSDude 4 months ago | 479 comments

I'm annoyed by this on several levels. The biggest issue is that I'm using an Arris SB 6121 and I'm getting notifications that my modem is EOL. However, the SB6121 is listed as a supported modem for my speed level on their supported modems page.

If I go to their supported modem page, I literally get a page where my current modem is shown as not supported, and the exact same modem is shown next to it as "supported."

I'm calling Comcast, and if this isn't immediately resolved I'm filing a fraud claim with the Illinois attorney general. This is the third or fourth time I've had a supported modem that Comcast has claimed isn't supported, and I'm sick of jumping through hoops getting this resolved.

Every time this happens their customer service reps tell me that the only way to avoid this is to use one of their modems. I'm sick of this. What a terrible company. Fix your shit before you start injecting garbage into the websites I visit.

edit: Proof https://imgur.com/lzKBkMs

There is a reason they are doing this. After signing up for Xfinity I noticed that the modem we were leasing was broadcasting a public access point with no way to disable it. I purchased my own modem immediately. Then some time later they rolled out their mobile services, which, you guessed it, rely on those open access points and Sprint as a fall-back. So now customers are paying monthly to host Xfinity mobile services.

I will admit that it is clever, but this should be transparent and customers should not be subsidizing the cost.

So if they let themselves into your house while you were away and left a note in your dining table, you’d say there’s a reason they’re doing this?

There is not a reason to access and modify your private data. This is not some kind of out of band multiplexed signal, they are reaching into your applications and changing their behavior.

There are other ways to communicate with people you have a billing relationship with already in place.

My response to the parent comment was why they are forcing their modems on people, not regarding the JS injection, which I was equally horrified to see. There is a reason I keep JS disabled by default.

As far as I am aware, it is possible to disable the public 'xfinitywifi' hotspot on all Comcast modems which provide this feature (I had a stint as a TSR relatively recently). Further, I believe this is a user-configurable setting on all CC modems. I personally have this feature disabled on my Arris 1682G, and this should be their most common model in most regions.

I was told I could not disable their hotspot, nor could I set my own DNS servers. Since I kept having connectivity issues due to Comcast’s DNS being flaky, and not wanting to manually configure every client, I bought my own modem and wireless setup.

You can disable the hotspot and use your own DNS servers if you want. The ability to disable the hotspot is documented in the public FAQ (Google: "XFINITY WiFi Home Hotspots FAQs").

I've used my own DNS servers before. I have no problem making DNS queries to, and in fact I switched my PC to use it one time when Comcast DNS was down.

What's the point of giving Google instructions instead of just linking https://www.xfinity.com/support/articles/disable-xfinity-wif... ?

As the other person has said, they have a FAQ for disabling the hotspot. I additionally set my modem to bridge mode in order to use a more capable router. It does look like Comcast mandates the use of their DNS whenever possible, and I'm sure that I bothered to configure an alternative because of reliability issues as well.

The DNS issue was the clincher for me, but I followed their instructions for disabling it and it reappeared when the router was rebooted (not reset).

Overall, I’m rather happy with my current setup. I bought the most recent SB modem available at the time, got an EdgeRouter and a UniFi AP. Took a few minutes longer to set up than a Netgear or whatnot, but I was able to use PoE to put the AP in a far better location (it’s actually under my sofa instead of the closet where all my wiring goes) and have had a far more reliable and customizable experience.

That's not enough. Defaults are a powerful thing -- the vast majority of customers won't go through the process to disable it.

Times ... change.

It took a moment to realise you didn't terminate and stay resident.

Apologies; I never used DOS enough to retain that acronym.

Apologies, I have ;-)

Tinfoil makes a great Faraday cage

This is where tin foil is a great tool. Comcast sees the wifi activated but no one can connect through the layers of metal.

This is where you should buy your own DOCSIS 3.0 modem which is a dumb L2 bridge with no NAT, routing or wifi functionality:

I would actually be fine with it - I'm pretty sure I am not using full bandwidth supported by my cable and I'd be fine for Comcast to use it for whatever they like, in exchange for free Wifi and stuff. But when they also want to charge me a fee for that, that's where it doesn't work for me. If you want to host your infrastructure, which you sell, in my home - why I should be the one paying for it?

Xfinity/Comcast's deal is with Verizon, not Sprint. The deal to allow Xfinity Mobile to use Verizon happened years ago. Doesn't change much or any reasoning, but Verizon is a lot better in terms of service area [and strength] vs Sprint.

Verizon has poor service in many places, eg Hawaii or when roaming up near the Canadian border. They still haven't figured out how to support international roaming reliably, half my family was w/o service for our few hours in Canada. Service in SoCal seems to be one of their last strongholds, but even then voice calls sound like a robot.

Verizon is far and away the market leader in international roaming and it isn't even remotely close. At least in my experience.

Source: Tried to get away from VZW for a decade now - international roaming always being the ultimate decider.

Curious who you've found to be better.

Verizon has always been that shit-tier company run by borderline criminals which happens to have the far superior network and hard product.

Took multiple support calls and 2 hours of our time to get their phones to roam in Canada, whereas the rest of us were up and running when we landed. Nevermind, once we got their phones working, outbound calls still didn't work on iPhone or Android, it'd ring outbound and the other person would get the call, but the call would collapse on answering it.

Comcast using Verizon doesn't have that problem in Canada, at least the two times so far I've been there with their phones. Worked instantly and the prices are rock solid. Hate still having AT&T as my main provider when going anywhere outside America.

With the highest priced international Sprint service I had terrible connection in Paris several months ago. I would go 30 mins to an hour with no connection frequently.

At home (Boston, MA) Sprint is good enough to online game and stream at the same time. I lost my Comcast connection for several hours recently, and tethering to my phone resulted in less latency...

Edit: This is on Sprint's unlimited plan (around $50 a month for 1 line, $25 per line for 4 lines)

If RCN is available near you (I'm in Watertown), I highly recommend them. I was used to very frequent Comcast outages but haven't had a single issue with RCN after subscribing for almost two years.

Have you tried T-Mobile? They seem to have excellent coverage everywhere I go, which is mainly Europe. /And/ free (but slow) data.

T-Mobile works very well where I live (Uruguay), we have some company-issued US-based cell phones and they have very good connectivity.

Their voice quality on VoLTE is perfect.

> customers should not be subsidizing the cost.

Can you please explain to me how you think this is a thing? Are you really that concerned about the extra watt or so of power usage a virtual SSID uses?

Or are you operating under the misconception that this somehow impacts your bandwidth allocation?

It's by far the most innovative and awesome thing Comcast has ever done. And they get ultra-hate from people who should absolutely know better.

The single and sole complaint you could have here is spectrum utilization.

Except Comcast has data caps for total transfer per month.

I don't use Comcast so I do not personally know if they charge for excessive data usage, but I know Cox does.

Besides the point of potential cost, why should a user who is paying for the service subsidize Comcast? They are not getting a discount for offering the wifi to customers.

Funny enough, I tend to avoid these type of discussions because surprise surprise, I got downvoted and they didn't even answer the core question.

Why should a customer pay to add value to Comcast? They aren't getting a discount if they enable the service.

Do you know the public access point data is being attributed to customers' usage totals? Or does that just seem like the sort of thing they'd do?

Well, if it weren't I would connect everything I own to that guest access point and bypass my cap completely. Or perhaps the speed of that connection is very slow. But then it wouldn't be much use to other customers either.

When you connect to an 'xfinitywifi' SSID, you have to authenticate with your Comcast credentials. The usage is then tracked as yours, not as that of whoever's hotspot you hit.

Last I saw, this wasn't actually being counted vs. datacaps for either the roaming user or the host.

This works and you can do it today. You actually can get faster than your current service plan (assuming you aren't at the top-tier already) if you have a linux router you can set up for dual-wan.

Last I played with it, I could get an additional 35-40mbps or so out of a typical 100/25 comcast connection in my area.

The data used by other customers on Xfinity wifi does not count against your data cap

> Except comcast has datacaps for total transfer per month.

For you. Not the public wifi network that is served before it hits your LAN. This is what I meant by my original post - there are tons of misconceptions on this.

Your rate limit is not affected either, at least not any more than your neighbors who exist on the same headend as you affect it.

> why should a user who is paying for the service subsidize comcast.

How is it subsidizing Comcast again? I just don't see this point - the only possible way you are subsidizing it is with increased spectrum usage (which is a valid point) and perhaps additional power usage - but we're talking pennies per year if it's even measurable.

Tower space? This sort of product wouldn't exist without it.

I think it's confusion on where customers think or feel the demarc is. The ethernet port on the modem is your demarc, not the cable entering your house. If Comcast did something to alter and/or impact traffic after

> They are not getting a discount for offering the wifi to customers.

Of course they are? You get access to everyone else running the same AP in their homes, so when I travel I don't have to worry much about broadband access. It's especially great at Airbnbs with broken internet - I can simply use the neighbor's xfinity AP. It's actually an incredibly consumer-friendly thing we used to speculate on in the late 90's and early 00's when wifi was just starting to become a thing.

I do agree it should be something you can toggle in a user interface, but turning it off should remove your access from the xfinity wifi pool. I also completely understand why it's not optional - due to the ignorance shown in the thread. Most consumers think that me torrenting on the xfinitywifi AP is somehow impacting their data cap and/or throughput. It's not, and even highly technical people continue to perpetuate this myth.

I'm about as anti-Comcast as they come - but this is one of the better, more consumer-friendly things any ISP has done, much less Comcast.

> Except comcast has datacaps for total transfer per month.

The extra access point doesn't count towards your data cap.

What are the odds the extra Javascript / altered data packets are going towards a person's data cap?

jlivingood seems to be a Comcast employee, and he/she is saying that the leased one is no longer compatible.

FCC complaints are usually more effective, never dealt with one in the current shitty administration, but legally the FCC requires resolution within 7 business days, or at least a plan of action if resolution isn't possible for completion. I used to receive the emails and all the people on an FCC chain put pressure on the lower levels.

I'll file a complaint with the FCC as well then. I'll probably file one with the City of Chicago too. Might as well put as much pressure as I can on them, because this is ridiculous.

I don't care if the issue is bureaucracy, incompetence, or greed, but I know filing lots of complaints with regulatory bodies generally solves the first and the third issue well, and motivates companies to fix the second issue too.

I'll second the FCC complaint route. A friend has a HD tv with a cable-card.

Getting support after a while wasn't working (to be polite, he was getting the runaround), but the FCC complaint got their attention and got the issue resolved. This was with the previous administration, which was more sympathetic, but still worth a try.

I can confirm that Comcast responds to FCC complaints effectively. I used that route when they were my provider after a series of unhelpful technical support requests.

I'm skeptical that the current FCC would give a shit about this complaint since it reflects poorly on their supporter (an ISP.)

> I'm calling Comcast, and if this isn't immediately resolved I'm filing a fraud claim with the Illinois attorney general. This is the third or fourth time I've had a supported modem that Comcast has claimed isn't supported, and I'm sick of jumping through hoops getting this resolved.

You should talk less and file more.

Philadelphia, one of the most corrupt cities in the United States, had a very interesting character - at the time he was the Inspector General. Looked like Robbie Lewis from Inspector Morse. Quiet. Really nice guy. Bar none, he was the most feared person in the city. His motto was "It is never overkill to use a nuclear weapon to kill a mosquito - it is an insurance policy. Mosquito dies."

Instead of going to the AG, I would recommend contacting the FCC. This prompts quick action and even just telling a Comcast rep that you're going to contact the FCC can be helpful.

Comcast makes it very difficult to get support if you don't lease one of their modems. Literally every time I call they insist that the problem is my modem, and of course it never is. All of my issues have been either outages or congestion-related, but Comcast reps can't fix the former and will never admit to the latter. So instead they blame your modem and ask for 10 bucks a month to lease a modem from them.

> edit: Proof https://imgur.com/lzKBkMs

If you look at the far right device you see a non-EOL SB6121. The one on the left that is EOL is the leased one, and the retail one is still allowed. I'm not sure if you have a leased device or retail device.

I had a purchased SB6121 that they wouldn’t let me move with 2 months ago. It’s not just leased ones. They will support it until you need to make any changes, then will make you use a “supported” one.

Is there any technical difference between the two?

Technically, one makes money for Comcast.

I own it, but Comcast often thinks it's one of theirs. It annoys me to no end. Obviously their inventory management stinks.

I had Comcast for a few years at my old house and bought my own modem. It was a no-brainer, $80 for a modem vs $10/month to rent theirs. Well, after about 2 years I got a bill saying that I owed them for rental of the modem. I called and fought with them. Even when I cancelled my service they kept asking for their modem back. Luckily, my new house is in an area that has Metronet fiber internet. I've switched and use them for internet and TV and love it. I've had zero issues so far (though it has only been 7 months).

Switch ISPs?

J. Livingood (a Comcast VP) responded to the OP:

> [JL] We are not trying to sell you a new one. If you own your modem we're informing you that it is either end of life (EOL) or that you are about to get a speed upgrade that the modem will be unable to deliver.

Incidentally, Livingood is a co-author of IETF RFC 6108, which he has conveniently linked. From the RFC's general requirements numero uno:

> R3.1.1. Must Only Be Used for Critical Service Notifications. Additional Background: The system must only provide critical notifications, rather than trivial notifications. An example of a critical, non-trivial notification, which is also the primary motivation of this system, is to advise the user that their computer is infected with malware, that their security is at severe risk and/or has already been compromised, and that it is recommended that they take immediate, corrective action NOW.

As composed as Livingood's response was, a modem at EOL and/or incapable of supporting an incremental speed upgrade doesn't strike me as critical. To be sure, Comcast is scheduled to increase speeds by 12/19 (at least in my region): 10Mb->25M, 25M->60M, 75M->100M. Although I disagree with Comcast's method and categorization, it would be interesting to learn what modem the OP was using.

It would also be interesting to learn if the OP received this message on multiple instances. If yes, it would be in violation of its own requirement--in particular, R3.1.8. User Notification Acknowledgement Must Stop Further Immediate Notifications, which itself is contradictory in its use of must and should:

> Additional Background: Once a user acknowledges a critical notification, the notification should immediately stop.

EDIT: Apparently, Livingood is an executive.

> Although I disagree with Comcast's method and categorization, it would be interesting to learn what modem the OP was using.

We start telling customers that a modem needs to be upgraded when one of two things happens: either they are about to have or just had a speed upgrade that their modem cannot support, or the modem has gone end-of-life (EOL) from the vendor.

In the former case, if the device is leased, you are sent a new one to replace the device and just have to basically say ok. In the latter case, it is a customer-owned device so the customer is asked to go buy a new one someplace (e.g. Amazon, BestBuy).

And in the EOL case, the vendor may have gone out of business or shut their cable modem business down, or otherwise decided to no longer support the device due to its age. That of course means that if a security issue came up, as they do, that the vendor would not be able or willing to provide a software fix for the device. So it's best to get the ball rolling to get those devices replaced when that occurs. Most of our EOL devices today are DOCSIS 2.0 devices (10+ years old), which can only do a single upstream and downstream channel (no channel bonding) and 1st generation DOCSIS 3.0 devices (5 - 8 years old).

First, thanks for participating.

Second, I am a Comcast customer who will never see these messages precisely because you do things like MITM unprotected traffic. Because I can't trust you to leave my traffic alone, all my traffic is tunneled.

So at the very least, if you feel this is a critical service you are offering (as implied by the RFC), you need an alternative communications channel for people like me who don't permit this one. Snailmail is fine; you try to upsell me constantly through that channel already.

I second this, in addition, the injection is not only related to EOS/EOL for modems it is also for when you are approaching your data cap. Which is rather annoying because it actually can halt your gaming or netflix experience oddly. I have had both happen, one I was playing PlayerUnknown's Battlegrounds and the game crashed. Since the game itself uses web based tools, for its menu system, upon restarting the client a Comcast injected message popped up warning me I have used 90% of my data cap.

The same thing happened on Netflix ...

I think it’s funny you’re approaching your data cap and they add 400 lines to the size of each web page you visit. I hope pages they tamper with are subtracted from your cap.

This is exactly why Comcast is still the most hated company in America [1], and the only reason you have any customers is due to the monopoly deals of dubious legality you or your acquisitions bribed local officials to create back during the infancy of cable. We hate you, but we don’t have any choice.

It’s worth noting that government regulation created Comcast by allowing long-term monopoly contracts with municipalities. Remove the regulations which prevent competition in local internet and TV services; don’t add more regulations.

[1]: http://finance.yahoo.com/news/america-most-hated-companies-110032495.html

TBH what kind of game doesn't use https...

HTTPS is not free. Game developers are usually very performance-sensitive. If you're not transmitting any sensitive data, it may seem appealing to forgo the seemingly-needless HTTPS overhead.

Please cite your sources on the speed comparison. See: https://istlsfastyet.com/

Also, most games I have played seem to use HTTPS. The only time it is used is when the game does not need an instant result, in which case they use HTTP or HTTPS. Most of the time, this is in the main menu or similar. Doing this makes it even harder (assuming they use certificate pinning) for users to change the values returned to gain any advantage on their client.

Any part of the game that needs speed should be using a UDP based protocol.

If your game is executing js (as for the example given by the GP), you are transmitting sensitive data. In that scenario not only confidentiality but even more integrity of the data is important.

They do say they try to email you a bunch of times first... Email seems like a decent enough alternate channel.

They emailed my Comcast.net address, which I didn't even know I had.

> They emailed my Comcast.net address, which I didn't even know I had.

I recommend you add your primary email address. You can do this via the self-service portal.

Go to https://customer.xfinity.com/#/settings/account under Account / Settings / Contact Information. IIRC you are sent a confirmation email you have to act on before it takes effect.

You should mark this day. This is probably the most positive customer experience you're going to ever have with a Comcast employee. I had a choice between Verizon and Comcast. Comcast was cheaper and I still went with Verizon.

Edit: typo.

OT question: Do you roll your own tunnel or use a service?

> Snailmail is fine; you try to upsell me constantly through that channel already.

Implying you’d probably miss it and, if not you, the customers they’re trying to reach.

Then they ought to stop abusing the communication channels they have. If they send so much email and snail mail spam that the customer automatically ignores it, that's the choice they have made.

What happens when a customer who really does have a modem that is vulnerable or outmoded runs into related issues? Is that customer going to accept "Well, we included it with our junk mail" as an explanation? As for email, does anyone use their ISP-provided email address anymore? Everyone has a third party provider (mostly Gmail).

I don't think there's any fault in logic in presuming that the best way to make sure a customer receives a notification is to insert as near to their known-active stream as possible. I don't condone altering that stream, but I think it would be nice if they could send a page, potentially at the browser or OS level, exclusive for system control and status messages (no sales, marketing, billing, or collection messages allowed).

I am so sick and tired of xfinity mailings addressed to me or my wife or former residents of the home address asking us to switch to them for a two year discount that I know they won’t give us because we’re already a customer. They even just jacked my rates yet again.

As a Comcast customer until ~6 months ago, I brought in a cable box they forced upon me as part of a packaged rate (cheaper than internet alone) once my contract ended.

I had tried calling customer service to see if they'd give me a new bundle but they told me they were only for new customers, so I switched ISPs.

Anyways, when I went in store to return the equipment, the guy I spoke to told me to not bother with phone support but to instead come in store or call him directly (he gave me a business card) since he can get existing customers bundled rates that the phone reps can't.

While I had the choice of ISP many don't, I'd definitely recommend going to a store location where you can talk face to face with someone in your area and see if you can't get a contract at a better rate than you pay month to month.

That is worth a try! Thanks. There is an XFinity Store less than 2 miles away from me. Never thought to set foot there.

Along the lines of this. Anyone in the industry, why do they not cross reference the street addresses of their current subscribers and reduce the promotional mailing list or mail relevant promotions? Maybe it seems cheaper to do it this way, but it's actually quite antagonistic to current customers.

Why would they not maintain a clean marketing list!?

Downvoting because of snarkiness. Your suggestion of an alt comm channel is good however.

Downvoting because they weren't that snarky and because of your smugness. Your willingness to tell some one straight up why you downvoted them was good however.

Why am I smug? I totally agree with the premise and personally hate Comcast, but if _jal wants to be taken seriously by jlivingood, snarkiness isn't the way to go.

I don't mind the anon downvotes though, it's par for the course anywhere.

The ARRIS SB6141 [1] is a DOCSIS 3.0 modem which is considered EOL by Comcast. This device is still being actively sold by the manufacturer. It handles the maximum throughput of most Comcast plans. It's not 5-8 years old.

However, the supported device list [2] shows that it's still an allowed modem to use for, e.g., a 200 Mbit connection. A user that's looking to purchase a modem isn't discouraged from getting one from Amazon.

Since Comcast considers it EOL, any interaction with Comcast support includes the stipulation that it's likely the modem that's causing the problem, and the customer will be liable for a surcharge if a technician decides it's the modem causing a problem.

For a brand new modem, purchased from Amazon right now.

There seems to be a disconnect between EOL for the purpose of leasing a modem and EOL from the vendor.

[1] https://www.arris.com/surfboard/products/cable-modems/sb6141...
[2] https://mydeviceinfo.xfinity.com/device/arris-sb6141-336

Thank you so much for participating in this discussion! Frequently having people like you who are actually involved in what's being discussed is part of what makes HN special to me and many others.

As another comment points out though, I'd also like to understand why it was decided to communicate by injecting JS into pages people are visiting rather than following a more traditional communication channel like snail mail. I assume that this solution scales better and has immediate $ attached. However, it also seems obvious to me that it reinforces brand image and political issues people have with your company.

I mean, I get calls on my cell phone from them. That would be a good thing to call about I would think.

Yup, you may get a better attach rate at the cost of absolutely destroying any customer trust.

As an (unwilling) Comcast user, I purchased my own modem because your rental rates are preposterous. However, I wish I didn't have to think about this at all. If you force me to upgrade a modem I've purchased, I'll be very annoyed by the unanticipated cost.

I get that's problematic for your modernization efforts, but in that case: eliminate modem rental fees. Bake the fees into the standard cost of the service and don't let customers use their own equipment. I understand that non-cable competitors don't have this cost to shuffle around, and that this will mean you are forced to either A) raise prices publicly or B) have lower margins. That's your problem because of your technology legacy; don't pass the misery on to the customer.

While you're at it, offer two hardware choices: one with, and one without routing/wireless. I refuse to run a wifi network in my household for your other customers and expect complete control over my LAN configuration.

On the topic of injection: I get that you don't think it's immoral, but hey, 1) most people who understand it think it is totally unacceptable. And 2) the window for this approach is rapidly closing for you as the web moves to SSL everywhere. Give up on this approach now and save face.

> I get that's problematic for your modernization efforts, but in that case: eliminate modem rental fees. Bake the fees in to the standard cost of the service and don't let customers use their own equipment.

I love how it's in the interests of public companies to brag about how successful they are. When I see a comment like this, I like to check out the most recent 10-K. According to Comcast's stated figures, they made $8.7 BILLION last year. So, they're doing pretty well. Now, obviously, they can't just give the modems away, but if they would at least STOP BILLING THE CUSTOMER for a leased modem after their costs have been recouped, that would be a HUGE public-relations win.

If we all could buy the modem of our choice, over time, say, amortized over the length of your contract, and then RELIABLY stop getting billed for it, I'd LOVE to just buy it through them. I'd argue that the reduced support costs for NOT BEING RENT-A-CENTER JERKS about the modems would save them a lot of money in the long run.

As a web developer this feels like an absolutely terrible practice. I have to support contracts for website performance, quality and behavior with clients and you could be putting us in breach. If I got a bug report of unexpected ads popping up, we'd probably waste thousands trying to figure this out.

Exactly. The first thing I thought about when I saw this was the implications of having JavaScript that has not been tested in the context of a website running. You have no clue how it will conflict.

As a website owner you should have the right to verify all code that will run on your website to be sure that it won’t cause issues since only you have the context needed to make that call. What if there’s a global DIV selector that hides the close button, the website visitor is screwed! And they’ll just think it’s a problem with your website.

One more note, there are way better ways to do what they’re trying to do. Even with how terrible IFrames are, they prevent CSS and JavaScript conflicts. A simple position fixed div at the bottom of the screen containing an iframe seems more appropriate. If you are going to run code on my site, make sure it’s as small as possible. This could have been accomplished in 2 lines of code (excluding iframe host).

I’ve had to patch against this in the past when it turned out my system was breaking for a set of users whose company was installing a browser extension that injected JS that broke the app. Never did find out exactly what it did, but I worked around it by fixing the progressive enhancement to work properly in the context of broken JS as well as no JS.

You can avoid this by using HTTPS.
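The "unable to reproduce" problem the developers above describe can at least be made visible from the page itself. The following is an added example, not code from the thread, from Comcast or from any project mentioned: a page-side check that flags scripts the site never served, where the allowed origins, the "data-site-script" marker attribute and the sample script list are all hypothetical and constructed for illustration.

```javascript
// Added example (not from the thread): a site owner ships this with their own
// scripts so that a <script> the site did not serve, such as an injected ISP
// notice, is reported instead of surfacing later as an unexplained bug.
// Assumptions (hypothetical, chosen for illustration): the site's allowed
// script origins, the marker attribute the site puts on its own inline
// scripts, and the constructed sample script list further down.

const ALLOWED_SCRIPT_ORIGINS = new Set([
  "https://www.example-site.test", // hypothetical first-party origin
  "https://cdn.example-site.test", // hypothetical first-party CDN
]);

// Hypothetical attribute the site adds to every inline <script> it ships.
const SITE_SCRIPT_MARKER = "data-site-script";

// A descriptor mirrors the three things read off a DOM <script> element:
// { src: string, inline: boolean, marked: boolean }

// Classify one script as "expected" or as one of three kinds of unexpected.
function classifyScript(desc, pageOrigin, allowed = ALLOWED_SCRIPT_ORIGINS) {
  if (desc.inline) {
    // Injected inline code carries no src; the marker is how ours is told apart.
    return desc.marked ? "expected" : "unexpected-inline";
  }
  let origin;
  try {
    // Resolve relative src values against the page so "/static/app.js" is ours.
    origin = new URL(desc.src, pageOrigin).origin;
  } catch (e) {
    return "unexpected-unparseable";
  }
  if (origin === pageOrigin || allowed.has(origin)) {
    return "expected";
  }
  return "unexpected-origin";
}

// Return every script that is not expected, with its position in document order.
function findUnexpectedScripts(descs, pageOrigin, allowed = ALLOWED_SCRIPT_ORIGINS) {
  const findings = [];
  descs.forEach((desc, index) => {
    const verdict = classifyScript(desc, pageOrigin, allowed);
    if (verdict !== "expected") {
      findings.push({ index, verdict, src: desc.src });
    }
  });
  return findings;
}

// Browser-only helper: build descriptors from a live document. Not exercised
// below because there is no DOM outside the browser.
function describeDocumentScripts(doc) {
  return Array.from(doc.scripts).map((el) => ({
    src: el.getAttribute("src") || "",
    inline: !el.hasAttribute("src"),
    marked: el.hasAttribute(SITE_SCRIPT_MARKER),
  }));
}

// Constructed sample: what a page served over plain HTTP might contain after
// a third party inserted a notice script and an inline bootstrap snippet.
const PAGE_ORIGIN = "http://www.example-site.test";
const SAMPLE_SCRIPTS = [
  { src: "/static/app.js", inline: false, marked: false },
  { src: "https://cdn.example-site.test/vendor.js", inline: false, marked: false },
  { src: "", inline: true, marked: true },
  { src: "http://notice.isp-injector.invalid/alert.js", inline: false, marked: false },
  { src: "", inline: true, marked: false },
];

// In a real page: findUnexpectedScripts(describeDocumentScripts(document), location.origin)
const unexpected = findUnexpectedScripts(SAMPLE_SCRIPTS, PAGE_ORIGIN);
if (unexpected.length > 0) {
  // Report rather than remove: the finding is what a developer needs in order
  // to explain a bug report that the site's own code cannot reproduce.
  console.log("unexpected scripts:", JSON.stringify(unexpected));
}
```

Over plain HTTP the same party that inserts a script can also strip this check, so it is a diagnostic for the bug reports described above, not a substitute for serving the page over HTTPS.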

So many tickets with status "unable to reproduce" ugh

You should not interfere with a customer's traffic they are paying for. If you need to contact them for a critical issue, then call, email, or snail mail. You risk disrupting their experience, and in some cases the customer may not even be able to receive your critical message. Does your JS injection work for customers who have JS disabled?

You have our phone number. You have our address. Use them! Do not MITM our connections, that's a huge violation of trust. This is NOT okay. Any response other than "we're terribly sorry, our engineering team is rolling this back on Monday" is the wrong response.

Can you discuss why DOCSIS 3.0 users get this notice? I have a 3.0 modem, and received the notice, but it looks like my modem will still support my speed tier (75 Mbps in Chicago)

A 4x4 channel 3.0 modem should really only be used for ~75-100Mbps tiers, and is capable of at best 150Mbps. The more channels you have available the more capacity you can pull from — higher peak speeds and potentially better speeds at peak time.

It usually means you are about to get a speed upgrade that will go beyond what your modem is capable of delivering. In that case it is possible you could have a 1st generation 4x4 modem (so it can bond 4 downstream and 4 upstream channels).

Comcast does not provide any speed on residential lines that DOCSIS 3.x cannot accommodate. It is like requiring a Formula car to drive on a gravel road in Alaska.

Different modems can use different numbers of DOCSIS channels. A 4x4 DOCSIS 3 modem is only capable of, at most, 150Mbps and on average 75-100Mbps. A new DOCSIS 3.1 model can do >1.2Gbps.

Yeah, no.
3.0 spec does up to 1.2Gbit/sec, just like Comcast. You know up to 200Mbit/sec, which is more like 20 because of all the "extreme complexities of the internet service".

DOCSIS 3.0 supports 38Mbps per channel, which is in the table on wikipedia. Not every modem is capable of 1.2Gbps - The fanciest modem out there is 32 channels, which gets to your theoretical 1.2Gbps. If you have a 4 channel modem and expect consistent speeds of more than 100Mbps, you are SOL.

I wonder if your customers would be happy enough without the speed upgrade if they weren’t wasting bandwidth downloading code they never wanted to run in the first place

Does Comcast's implementation of this system respect Cache-Control: no-transform as specified in RFC 2616?

You explain why it is important to notify about their EOL modems, but you fail to explain why this, of all options, is the appropriate communication channel.

At the very least, you have customer addresses. You should also have phone numbers and email addresses. If you have a way to bill customers, you have a way to contact them.

Injecting JS into HTTP sites is disgusting. It violates both the user's and the site's expectations and is entirely unnecessary.

All that may be true.

There is no ethical excuse to ever inject code into a webpage.

Your own argument about it being critical is false or sophistry. If there were wildfires coming to burn someone's house down... that might qualify as critical. Not this, and deep down you know it.

You should be embarrassed to attach your name to such an obviously poor decision.

Treating anyone this rudely is a bannable offence on Hacker News. Please take the civility requirement more deeply to heart (https://news.ycombinator.com/newsguidelines.html), and please don't do this again.

If a fellow community member has a first-hand involvement with a situation under discussion, such as working for a company that some people are mad at or does some wrong thing, we're all responsible for reacting responsibly. Otherwise bad things happen, such as first-hand observers being scared to post because they'll get lashed out at, and the already-weak community bonds we have here getting weaker. We all know what the culture of online shaming has led to and it's all our job not to do it on HN.

Ok. You're right, that last line was not necessary.

> We all know what the culture of online shaming has led to and it's all our job not to do it on HN.

This is, in and of itself, a blaming statement. Blaming statements, such as the one contained in the comment you replied to, are a result of a) dissonance and b) inability to resolve the dissonance.

It is, in fact, unknown what the culture of online shaming has led to in our society. In fact, I'd hazard "shaming" online is actually just raw blame provided by some rationalized thought process driven by Internet interactions themselves, not the people reacting. See This Video Will Make You Angry on YouTube for context. Screwing with people's Internet in contextually what could be considered "wrong" behavior becomes highly polarizing. In as much as someone coughs because they smoke, people blaming is a result of a larger problem, perhaps related to the fitness of memes and some people's weakness in being hacked emotionally by memes with higher sophistication. Again, that problem is noted by the dissonance and inability to resolve it, but the behaviors emerging from those who are "infected" by the thoughts are not exactly theirs to bear alone. We blamed the tobacco industry for smoking. Why can we not blame the employees who are providing the rationalizations for bad behavior? One might argue that they shouldn't be blamed because they have no choice in the matter. It may be their job to argue otherwise for the company.

The irony here is that the vast majority of the denizens of HN are likely responsible for creating most of the "mess" we're in today by writing software without considering the long term effects on consciousness and perception of reality. That "mess" would be defined as means, by algorithms or neural networks, to attempt to exploit weaknesses in human nature to spread others' beliefs in an unnatural way. Growth hacking. In some cases, like Comcast, those beliefs are rooted in sophisticated rationalizations which sound good when limited in scope. But! I don't care what anyone says about it, changing the content of a page which, when requested from one place returns one thing and when requested from another (which one pays for I might add) returns another thing entirely is a violation of TRUST. At least it is to me. I like consistency in my data.

If one of the "members" of this group we call HN wants to make a blaming statement against someone who is defending this irrational logic, then I say let them blame! How else are we to uncover the dissonance and solve it? Or, perhaps, that dissonance is desired to be left in place by our complicit behaviors trying to be "nice" to each other.

I've suggested before social media sites could benefit from a "this is a blaming statement" flag on articles or comments. I stand by that assertion today. Logging back out again. Thank you for all the hard work that goes into running this place.

Indeed. Whoever thinks this is fine would probably also be okay with the telephone company injecting jingles into your phone conversations every 30 seconds.

Don't give them ideas... this comment was brought to you by Inject-o-Matic Marketing services

Oh, how I do wish there were a WP:BEANS equivalent for reality. Thing is, you know it's already a thing somewhere.

I think the mindset is that at least he’ll be embarrassed on his yacht. Short of that thinking, you’d have to assume a few solid layers of cognitive dissonance.

> There is no ethical excuse to ever inject code into a webpage.

...unless it's for adblocking...

Although I do that with a MITM proxy locally (and thus filters everything on my LAN), it would certainly lead to a very interesting situation if an ISP decided to do it...

I mean, the end-user who requested the page certainly has a right to voluntarily inject script into the page they requested as it is rendered in their own browser running on a machine they own connected to an upstream internet provider they pay for access? Nice try at false equivalence however.

What "false equivalence"? I was just pointing out an exception to the statement "There is no ethical excuse to ever inject code into a webpage".

It's false equivalence because you (and everyone else) knows that the case of an end user injecting script into a page on the receiving end of the connection is not the scenario under discussion, and is not the behavior that the rule implied by the earlier comment would be intended to prohibit. If the comment was tongue in cheek then I have misunderstood you and withdraw my objection :).

If only there were some way to notify your users that wasn't so scummy... like via email or regular mail

Regular mail, yes. Email, though, is largely just a waste of time.

Way too much non-spam disappears down overeager spam filters, which most people only check if they are specifically expecting some particular mail and it does not show up as expected--and even then many won't check their filters.

An ISP could white list their own mail in their spam filters but that would only help with the customers who use their ISP provided email. A lot of people use third party email providers instead and never use their ISP email.

I find the reverse is true. My USPS mailbox receives daily credit card application forms, electoral flyers, catalogues, etc. I also get frequent mail from Comcast but they are _all_ bullshit ads, trying to hoodwink me into cable TV. I don't open them anymore, they just go in the bin.

I will at least _glance_ at my email.

They could sign their messages? Also needs users to have an easy-to-use MUA that handles signing and shows "this is genuinely from your ISP unless they/you've been hacked".

For critical service info I'd want SMS personally, from a verified number with a link on the company main domain to verify the info.

In the spirit of efficacy, browser injection may have a better response rate than email. Taking this to its next logical step, surely showing up in-person at your door is even more effective.

Is that the idea here?

Or does this efficacy come at some cost (namely, the sentiment behind this thread)?

With all the junk mail I get from my cable company about "upgrading" my service to include some crap I don't want, I would think they could find a way to slip in a "hey, your modem's busted" notice.

So they print Important Plan Information on the envelope.

Time-Sensitive, Open Immediately

You know it's actually an important piece of mail when the envelope isn't imploring you to open it.

The most serious snail mail correspondence is utterly and completely plain.

On the from line - Office of Legal Counsel...that’s getting opened.

But you probably wouldn't read it, because lots of people don't read their email (at least partially because of the junk).

Yes, but if you don’t get the speed Comcast promises you, and you paid attention to that, then you’d call them up, and find out that way.

More work, but way less scummy.

Regional monopolies have never cared about scummy behavior.

And I'm more likely to read a pop-up?

Maybe in the bill? Or online bill notification?

I don't know what's worse: the straw man attempt at arguing efficacy while focusing on the weaker of two suggested options, or the (presumably) unscalable slippery slope of dispatching personnel to a customer's front door.

In either case, the argument does not address the fact that customers recognize unsolicited packet injection as unacceptable ISP behavior. Without support metrics, we can argue all day about the efficacy of one method of delivery over another, but the fact remains that no sensible user would perceive e-mail and/or post of official notice from their ISP as overtly intrusive. With as much internal advertising as Comcast distributes amongst its existing customers, it blows my mind that official notice generated from boilerplate and delivered via snail mail would fail to achieve the intended goal.

To be sure, your pre-edited comment:

> Surely showing up in-person at their door must be an even more effective "reminder" than the browser injection! Is that next?

Time Warner did show up at my door when they updated their speeds. I thought it was strange, and asked him to have Time Warner call and schedule a time, but it worked. He was going door to door.

It was noted in the thread that other attempts are made first.

Stop trying to rationalize it; this is not OK, period. If you can't reach your customer via his contact information, too bad, consider him a lost cause. And if it was something critical resulting in the customer's loss of Internet access, you can bet he will contact you then, if he cares.

Off topic to this post but can you confirm any details on your company's intentions following the dismantling of net neutrality?

Wait wait WHAT?

This standard seems like a terrible mistake. Isn't this exactly what malware creators want? To condition users to click the browser pop up that says "YOUR COMPUTER IS INFECTED WITH MALWARE, CALL THIS NUMBER/INSTALL THIS HORRIBLE THING TO FIX IT?"

Why on Earth would anyone issue a standard that says that ISPs should deliver that kind of notification, thus training consumers to believe them?

IETF RFCs are not "standards" in the sense that you are thinking. The RFC process is deliberately designed to be open to submission from anyone, and there is no particular vetting or consensus forming that happens.

When used by practicing engineers as a low-overhead way to document interoperability requirements for working software, it's been fantastically successful. But it also lends itself to this kind of pseudo-fraud "standardization" by less ethical players.

Bottom line: an "RFC" means nothing per se. What matters is whether the community wants to support it. So RFC7540 is an important standard everyone agrees to support. RFC6108 is garbage.

They're the ones who issued the standard. https://tools.ietf.org/html/rfc6108

Just to be clear. This is not an IETF Standard that has gone through the standards process. It is an "individual submission" published as an informational document. The IETF does not endorse documents classified as "informational."

I don't care if it's critical or not, I don't care what the issue is, a carrier should not inject code into a webpage it serves, PERIOD. I didn't knowingly opt into this, and I don't have a feasible alternative where I live. This should NOT be allowed, it's a security and privacy risk, and who knows what that JavaScript is actually doing or what vulnerabilities it opens up for malicious advertisers whose scripts are also on the page.

This should be ILLEGAL, I don't give a crap about "getting the government out of our lives", well guess what, they need to step in and prevent these slimy "business" practices from happening or punish the corporations trying to exploit their captive audience.

I think it's amazing Comcast documented their MITM attack as an RFC. Are those still literally Requests for Comments? Are the comments collected anywhere?

Just because they have an RFC doesn't make it a standard, or socially acceptable. Anyone can submit an independent RFC.

Unfortunately the word 'RFC' has been corrupted from meaning exactly that, a publishing forum for ideas, into a pretty asinine form of technical marketing whereby you can publish an informational outside any normal consensus process and assume the sheen of standardization. That started happening 2 decades ago.

RFC 6108 is from 2011, last revised 2015, and marked as informational, which I think means there's no review & comment... But I'm not sure about that.
Huh? Not even close to wildly OT. The RFC was mentioned above.

"What is a RFC?", "What happens to the comments?", OK a specific RFC is the topic but it's like asking "What is the internet?". https://en.wikipedia.org/wiki/Request_for_Comments is much more appropriate resource for that level of question IMO.

Right, ok so we're in a discussion about what "wildly" means :). Imo the rfc was mentioned, so a simple link to the wiki article would have been a polite reply.

> As composed as Livingood's response was, a modem at EOL and/or incapable of supporting an incremental speed upgrade doesn't strike me as critical.

Exactly. And the response, "we're not trying to sell you a modem, we're just encouraging you to strongly consider buying a new one" is such a hair-splittingly asinine response considering the rather serious breach of trust posed by the notification system.

> And the response, "we're not trying to sell you a modem, we're just encouraging you to strongly consider buying a new one"

Making up quotes like this is against HN guidelines (and common decency).

My "quote" isn't significantly different from what was actually said, in fact hews extremely closely to it, and is designed for the rhetorical purpose of making clear how small a distinction is being relied upon in order to claim the statement is something other than a request for you to buy a new modem.

Moreover there's nothing in the guidelines about "making up quotes" (which again isn't a reasonable interpretation of what that is), whereas there are actual, explicit guidelines against addressing yourself to unreasonably interpreted versions of other people's comments.

Making up a weaponized quote that's close to what was originally said is actually worse, because then it's harder for passers-by to tell apart and more injurious to the original statement. By 'weaponized' I mean altering it to sharpen the point for indignation or snark purposes. It's a harmful internet practice that we've asked users to abstain from.

You're right that it isn't explicitly mentioned in the site guidelines, but those aren't a list of proscribed behaviors but a set of values to internalize. I'd say "Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize" covers this case pretty squarely.

How about to sharpen the point for brevity and clarity in order to convey a perfectly legitimate point? Arguing against something doesn't mean that you interpreted it uncharitably and doesn't merit the exaggerated description of being weaponized (and the comfort level with such exaggerations as "injurious" and "weaponized" is amusing in the context where the concern is about insufficient proximity between a statement and how that statement is subsequently characterized. There's a lot more distance between those adjectives and what I did than between the statement and my paraphrase of it.)

And virtually anyone in any argument could insist, tediously, that those disagreeing with them have failed to interpret with sufficient charity.

But it's one thing to note that as a hypothetical possibility, and another entirely to point to something that's actually a clear cut offense. I don't think I twisted or misrepresented anything, and no one seems to be suggesting that anything was actually misrepresented or misinterpreted so much as they're using this occasion as a jumping off point to litigate the abstract principle. Which I don't think is a constructive use of anybody's time, which is why this is a bad norm that shouldn't be observed.

> I don't think I twisted or misrepresented anything, and no one seems to be suggesting that anything was actually misrepresented

No, that is what I'm suggesting. Your comment reads as a quote. After reading it, I went to the linked page and looked around for the context. Turns out, there was no context for that quote, because it's not a quote, because those words aren't actually in the original text.

You're talking about something slightly different than what I asked. You clearly were able to check and conclude that this wasn't a literal quote. There was no difficulty there. You apparently got stuck there, and were unable to proceed from that information to the conclusion that I was restating the position in an extremely similar but more concise form, which would have been a way of interpreting my statement in its most reasonable form.

I'm asking whether, even a person who wasn't making a reasonable interpretation of what I was saying, would have been misled by the way I characterized Comcast's position. Is there a significant difference between the way I phrased Comcast's position on whether or not they were exhorting their customers to purchase a new modem, and the way they actually phrased it? Because I don't think there is.

> I'm asking whether, even a person who wasn't making a reasonable interpretation of what I was saying, would have been misled by the way I characterized Comcast's position.

You're spending a lot of time prosecuting this point, and requiring time to be spent by others who care about HN being better than other online communities.

Whether or not some hypothetical person not making a "reasonable interpretation" would have been misled, or whether it's reasonable that a reader had to spend time searching for the quote to verify it to realize that it was not actually a quote (and how many others would have bothered to do that), are matters that we could spend many more hours debating.

Or, you could just accept that it's better to refrain from misquoting people in future and we could all get on with our lives.

All it would have taken you was to preface the "quote" with something like "the response, which effectively amounts to saying...", and it would have saved everyone the bother.

C'mon, is this really a hill you want to die on? Maybe let it go :)

If you're rewording something someone else said, even if you're keeping it very close to the original words, don't use quotation marks. Quotes say "this is literally what was said".

I got bit by this a bunch when I first got on HN; it was surprising to me how seriously it was taken. But it is, and it's not hard to work around.

This rule is too idiosyncratic, annoying, not found anywhere in the guidelines, and is not offering any net benefit in this context that I can see.

If the object of the rule is to produce derails like this, it's doing more harm than good. So unless someone wants to explain how its invocation in this thread improved the quality of conversation about Comcast's javascript injection policy, I would encourage others to join me in not observing the norm.

That's a weird HN-ism, though, not how writing or paraphrasing works anywhere else. The goal is understandable and laudable but 'redefining the meaning of quotes' is a thing only hardcore lispers can love.

I think you're missing an important distinction. When paraphrasing a group of people or stating a cultural zeitgeist, quotes are acceptable:

> The gist of the HN community's opinion is, "don't use quotation marks when paraphrasing."

> Lately the Democrats approach has been, "oppose Trump at every turn."

However, when paraphrasing a specific individual, it is frowned upon at best[1][2], and considered intentionally misleading at worst[3], to put paraphrases in quotes.

> pvg said, "I don't care what HN thinks, I'll do what I want."

> pvg continued with, "no one else cares what HN thinks either."

Contrast that with,

> pvg said that "only hardcore lispers" care about how paraphrasing works.

In the last example, you can clearly tell the direct quote from the paraphrase. This is very important when communicating someone else's ideas.

Regardless of hard and fast "rules" of punctuation and grammar, you have a large number of people calling your writing misleading, confusing, and inaccurate. Clear communications should be the goal of any writing; wouldn't you be best served by hearing and incorporating this feedback?

[1] MLA: "Paraphrases and summaries do not use quotation marks" - http://www.lmu.edu/Assets/Academic+Affairs+Division/Academic...

[2] Purdue: "Indirect quotations are not exact wordings but rather rephrasings or summaries of another person's words. In this case, it is not necessary to use quotation marks" (note that no example of indirect quotations include quotation marks) - https://owl.english.purdue.edu/owl/resource/577/01/

[3] "But then there's a long slide through confusion and bias into intentionally misleading quote-mangling and outright fabrication" - http://www.slate.com/blogs/lexicon_valley/2013/10/17/gay_tal...

Do you feel that my paraphrase was intentionally misleading, or even confusing, or inaccurate? Even unintentionally? Does anybody? Does anybody think the norm currently being debated yielded any actual tangible value in this thread? Did it save someone from misunderstanding Comcast's position?

A lot of zeros and ones are being spilled on behalf of the abstract principle of how quotes can be hypothetically used, abused and interpreted, but none of the 40+ comments beneath my now-flagged paraphrase of Comcast's statement is actually arguing that my paraphrase was in any way distorting or misleading.

So I question the value of this norm, if the practical way it tangibly cashes out is in the form of extremely long derailments substantively unrelated to the comment that caused the rule to be invoked.

That exhaustingly (if not exhaustively) describes a number of important distinctions that never come up when some hapless commenter gets told off for using quotes wrong. It's a Talmudic absurdity to apply to a message board. We don't have 70 comment threads about the proper use of "it's" vs "its", with MLA citations (which, it's worth recalling, "specifies guidelines for formatting manuscripts and using the English language in writing").

It's just a dumb, arbitrary rule. It serves no purpose beyond facilitating righteous rebuke. You can make a better rule dealing with the underlying behaviour while oxygen deprived from screaming at dang about HN's political bias.

This is not an "HN-ism". It is not proper to use quotation marks when paraphrasing. Doing so is explicitly attributing words to someone that they did not say.

> not how writing or paraphrasing works anywhere else

That's simply false. If you want to use Reddit et al as your standard reference on the use of language and punctuation, have at it. But you can't reasonably expect every other forum to use that lowest common denominator. Railing against simple, longstanding house rules like this is just pointless contrarianism.

>If you want to use Reddit et al as your standard reference on the use of language and punctuation, have at it.

In terms of what contexts one should keep in mind when interpreting comments with good faith to come to a most reasonable interpretation of what they are saying, the way language is used on reddit is probably a much more reasonable benchmark than MLA style guides.

> That's simply false.

No, it isn't. I'm saying what somebody else is saying, in their voice. This goes in quotes, because it's someone else's speech, even if it's my version of their speech. The fact that they didn't actually say it comes from context. Punctuation is not semantic markup.

This doesn't come from reddit, it comes from, you know, the way people actually write. The fact that it requires repeated and lengthy explanations is a pretty decent indication it's not how anyone else writes.

Writing style guides are a thing & a thing that have been around for a long time. All 3 of the style guides I’ve had reason to use (AP, MLA & CMS) all require that quoted material be direct quotes.

Now, I think that it’s a fair argument that a web forum needn’t have the same formality as other written word, but your assertion that “it’s not how anyone writes” is clearly untrue.

And just as a single data point, I expect when someone uses quotes even on the web that they are asserting a verbatim quote.

I agree with pvg. The notion that a comment on HN is, in some sense, in poor form because it doesn't adhere to AP/MLA/CMS specifications is ridiculous. Nobody agreed to that, and I doubt anyone would even agree that that's accepted informally as a norm.

I didn’t mean to imply that the web should follow those style guides (and said as much). I was refuting his claim that no one expects that quotes imply an assertion of verbatim quote.

I certainly default to assuming it does and in many contexts it is an explicit rule.

So you don't think that a comment thread like this one is a context where MLA guidelines would yield the most reasonable interpretation of what someone is saying?

> I was refuting his claim that no one expects that quotes imply an assertion of verbatim quote.

I don't understand how you've refuted that while also saying they sometimes don't. Are we arguing about contexts here? My claim is almost trivial - nobody reasonably familiar with English thinks quotes imply a verbatim quote. That's just not what quotes are for.

You said no one expects that and he pointed out the style guides do. So some people do. In addition to the style guides, a couple people here have said that they do as well (which is why we're arguing). I'm another. Regardless of whether the majority think this way, we can safely say that some people do.

Getting back to the actual point, in formal writing, quotation marks are definitely considered to delimit actual quotes. That's where their name comes from and that's their purpose. If you want to paraphrase or otherwise interpret what was said you just work it in without quotes.

Personally, I relax my expectations in informal contexts if I don't know the person or their writing habits, but I'm just being pragmatic. In other words, the rule doesn't change, it's just not always followed.

I guess I’m far out of the mainstream then. If you put quotes around something and attribute it to someone or some text, I assume you are asserting a verbatim quote, either in the context of web forums, business communications or more formal writing covered by a style guide. In the context of fiction, if you put quotes around something I assume it is to declare that the character is saying exactly what is quoted.

That your position is that I’m in the minority on this is doubly surprising to me given that’s what all the style guides and my high school English teachers taught me.

I appreciate your good nature in taking the time to engage in this silliness but I have a hard time believing your high school teacher or anyone else taught you that. The wikipedia page on it:

"In English writing, quotation marks are placed in pairs around a word or phrase to indicate:

Quotation or direct speech: Carol said "Go ahead" when I asked her if the launcher was ready.

Mention in another work of a title of a short or subsidiary work, like a chapter or episode: "Encounter at Farpoint" was the pilot episode of Star Trek: The Next Generation.

Scare quotes used to mean "so-called" or to express irony: The "fresh" apples were full of worms."

Even 'direct speech' is at odds with 'verbatim quote' and that's the first thing there. Direct speech can be completely made up.

Respectfully, I think you should read the Wikipedia entry for 'direct speech'.

kasey_junk said "I'm a stupid moron with an ugly face and a big butt and my butt smells and I like to kiss my own butt". Should this not include quotes, even though you didn't say it?

"AP, MLA & CMS" are an absurd counterpoint that falls well within 'that's not how anyone writes'. They are, if anything, lengthy exceptions to how anyone writes.

It's a deeply silly argument and my point is 'an internet messageboard should not be regulating punctuation'. It should, as this one usually does, try to regulate behaviour.

It should include those quotes if you are asserting that I said it.

The HN rule is never use quotes to say something someone didn't say. It seems, unless I'm misunderstanding you, you agree this is a silly rule.

I don't think that's the rule? I think the rule is if you're using quotes and it's ambiguous as to whether the person the quotes are attributed to actually said it, then the person better have actually said it.

(For what it's worth: this little subthread is about 10x more interesting than the story and the rest of the thread it's attached to).

That's as generous an interpretation of the rule as mine is overly literal. But it's worth comparing it to some of the other rules:

Don't be an ass.

Don't call other people asses.

Don't complain about votes.

And then:

Some weird thing about quotes we can't even sort out as well-intentioned nerds who love to talk about rules.

I don't think that's a good rule. I think what it's trying to address is probably a good rule. But it's addressing it in the dumbest possible way.

It is also the case that this was something Paul Graham was idiosyncratically peevish about; at one point, he attempted a unified definition of trolling that amounted to "forcing one to rebut something they hadn't said" --- which obviously isn't the definition of trolling.

Yep, 'idiosyncratic' is a good way to summarize it. At the end of the day, it's just another dumb thing to yell at people about - it doesn't improve discourse or 'stimulate intellectual curiosity'. As an inveterate rule-yeller myself, the fewer of these the better.

Yes, but then you should include something like "might as well have said". Or "like".

> I'm saying what somebody else is saying, in their voice. This goes in quotes, because it's someone else's speech, even if it's my version of their speech.

That's fine, when you're writing fiction. But in most online forums, fiction is frowned upon.

I don't think paraphrasing is limited to fiction any more than metaphor or hyperbole or idiom are. And those are in online forums all the durned time!

Sure, but it's polite to say when you're not quoting literally. Because that's the default expectation.

You don't need to fall back to a "default expectation" when usage is adequately indicated by context and by good faith efforts to interpret a statement in its most reasonable form. Nobody confused it for a literal quote, nor did anybody feel it caused any misunderstanding, and those realities preempt any need to appeal to a default expectation.

In your case, I do agree that it was obviously not a literal quote. However, by the time I joined the thread, the topic had become more generalized.

Still, it would have been clearer to say something like "Exactly. And the response, which amounts to 'we're not trying to sell you a modem, we're just encouraging you to strongly consider buying a new one', is such a hair-splittingly asinine response considering the rather serious breach of trust posed by the notification system."

Also, for what it's worth, I do agree 100% with your argument there :)

@mirmir: Point taken. In the context of this as a more general subject, I think your observation is perfectly reasonable.

However, I think (1) few are as lucid as you on that particular point and (2) whatever the merits of this as a general debate, and I think there is some merit, I think the question is whether this norm improves conversation in a thread like this. I think it was invoked frivolously, spawned a long, 50+ comment chain, and it didn't clear up any of the confusion that it seems like the norm is supposed to be designed for.

Yeah, they should probably put it in the guidelines. I just remember getting sniped by PG for using quotes that way.

What I'm getting at is, no, they shouldn't, nor should they expect anyone to adopt some weird made-up usage of standard punctuation. Perhaps they should put 'avoid paraphrasing as a rhetorical device' or something like it in the guidelines - that would make sense and be reasonably enforceable. "Don't use quotes the way everyone uses quotes" (like I just did) is just silly and ridiculous. You might as well put "don't call anyone a butthead without using the Oxford comma" in the guidelines.

This is just about the worst possible way to notify a customer of any issue anyway, because it legitimizes those stupid ad-based malware popups that have become so prevalent.

As more Comcast customers receive JS-based notices like these injected into their normal web traffic, any enterprising jerk can clone the message, change the links to point to their own phishing site, change or omit the phone number, and snag a whole bunch of unsuspecting Comcast customers.

To be a devil's advocate, Comcast customers have been phished before via email too:


...and then there's the various phone and even door-to-door scams, but I'd consider the latter to be much harder to do.

...unless the upgrade actually means loss of service due to incompatibility, in which case I would agree that is critical, but nonetheless "go buy a new modem" is something no customer wants to hear, especially if they're already paying $$$ every month for the service.

> Exactly. And the response, "we're not trying to sell you a modem, we're just encouraging you to strongly consider buying a new one" is such a hair-splittingly asinine response considering the rather serious breach of trust posed by the notification system.

Well, what I meant (within the response length constraints of Twitter) was that we're not saying you can only buy it from us. Just that the customer needs to buy it someplace. That way a customer can do as they wish - ranging from buying a used one on eBay to getting a new one from Amazon or Best Buy.

Ultimately the objective is to ensure a customer is on a device that can (1) deliver the performance for which they pay and (2) is up to date technically (i.e. supports IPv6 and channel bonding) and is supported by the vendor (i.e. software updates & bug fixes).

One of the big risks we have to help mitigate is when a device goes EOL, which means no more software updates, and a security or significant performance issue arises in the future. By proactively beginning the replacement process this helps minimize any future impact when it is a major issue like that. So taking action gradually on a proactive basis prevents a more severe impact later on. In many cases, these are DOCSIS 2.0 devices and that technology and often the software is from 2001, the same year as the 1st gen iPod and when Windows XP was released.

Eventually a modem will go into End-of-Service (EOS) status. At that point there is a definite date/time limit for the device, after which it is de-provisioned from the network and the customer must replace it to continue service. This has been the case in the past with DOCSIS 1.0 and 1.1 devices for example, after years of work to encourage customers to replace them.

See also https://www.xfinity.com/support/articles/end-of-life-devices and the start of the EOL/EOS process for DOCSIS 1.1 devices https://www.dslreports.com/forum/r27473499-Speed-Heads-Up-Ti... and https://www.dslreports.com/forum/r28497383-Speed-Upgrade-You... and https://www.dslreports.com/forum/r30524429-Equip-Reminder-Pl... and https://www.dslreports.com/forum/r30450278-Speed-Heads-Up-Ti...

If his modem is actively interfering with your network I could see that this is critical. If he has been hacked and is actively DDOSing sites, that’s critical. We can debate the correct response in those cases (getting on the phone and calling seems to work really well when you want people to pay you, as does turning off service).

Unless I’m misunderstanding, this was not causing such a problem. Casting it as a customer good is rhetorically amusing, and probably holds water with people who are predisposed to agree with you, but I can make any number of morally bankrupt decisions using exactly the same logic. You have simpler ways to deliver this message, that do not cause nearly as much harm to your customer and do not require you to intercept and modify their traffic.

It's true that if there's a vulnerability discovered, and you have 50000 modems with the vulnerability, you cannot wait for the modems "to be hacked" to act. It is reasonable to try to replace EOL modems ASAP.

In this scenario do you honestly believe the best course of action is to insert a popup on web pages? If you are truly concerned you will act to preserve your network for all customers by blocking traffic from the problematic modem and then call the person. This is legally less risky than doing traffic inspection. (Losing common carrier status would be a very big deal.)

Why traffic injection instead of mail pieces? I mean, I open all of mine, even the 75%+ that are upsells I don't want, on the off chance one of them will tell me something I need to know. And if Comcast can afford to send that much junk mail, I should tend to think Comcast can afford to send one or two, or five, mail pieces that carry a warning like ACTION REQUIRED TO MAINTAIN SERVICE on the envelope, to those from whom action is indeed required to maintain service. You guys shipped me a whole new unsolicited modem! (One which I'll put into service, too, just as soon as I've worked out how to disable all the routing and wireless smarts I don't want, don't need, and won't suffer messing with my network.) Surely you can afford bulk rate.

And mail pieces don't produce the potentially rather widespread indignation that traffic injection does. Granted, I don't see the harm in it that a lot of people here do. Unencrypted traffic is unencrypted traffic - open to tampering by anyone, not just Comcast, and for many less innocuous reasons than the one for which you've chosen to do so. But with Let's Encrypt, browser manufacturers, and friends leading the charge toward TLS everywhere or as nearly so as is practical, and with most sites that most people use already employing TLS, the attack surface is closing for even an other-than-innocuous variant of your notification methodology. Of course, that also means that that methodology itself is reaching a natural end-of-life, as it cannot work anywhere that TLS exists, and the majority of the web where it does exist continues to grow. If this low-latency notification scheme is of unique value to your business, then now is the time to consider replacing the outdated technology that underpins it with something which will continue to work reliably over the next decade or two.

All that said, I appreciate your decision to engage in this forum. That's unprecedented in my experience from someone in a position like yours, and I wouldn't mind seeing more of it.

> Why traffic injection instead of mail pieces? I mean, I open all of mine, even the 75%+ that are upsells I don't want, on the off chance one of them will tell me something I need to know.

Lots of reasons, including years of experience with response rates for particular types of messages / calls to action. Clearly one particular communications channel won't work for everyone - each person has their own preferences. One of the things we're working on is to better enable you to control just that - basically one person may ask for SMS messages, another alerts via their mobile app, another via email, another via phone call, etc. You can see the beginnings of that in MyAccount / Settings / Communication & Ad Preferences.

> But with Let's Encrypt, browser manufacturers, and friends leading the charge toward TLS everywhere or as nearly so as is practical, and with most sites that most people use already employing TLS, the attack surface is closing for even an other-than-innocuous variant of your notification methodology.

Agree. And more TLS is better IMHO. I also like the work that Let's Encrypt has been doing - they've had a really big impact on the adoption of TLS. (See also http://labs.comcast.com/innovation-fund-spotlight-lets-encry...)

> Of course, that also means that that methodology itself is reaching a natural end-of-life, as it cannot work anywhere that TLS exists, and the majority of the web where it does exist continues to grow. If this low-latency notification scheme is of unique value to your business, then now is the time to consider replacing the outdated technology that underpins it with something which will continue to work reliably over the next decade or two.

You bet - totally agree! One of the places we're engaging to try to do that is in the IETF's CAPPORT working group and I think the charter reiterates all the points you made: https://datatracker.ietf.org/wg/capport/about/

> All that said, I appreciate your decision to engage in this forum. That's unprecedented in my experience from someone in a position like yours, and I wouldn't mind seeing more of it.

My pleasure & thanks for being a customer that's willing to offer constructive criticism. :-)

People don't want your crap injected into their pages and working with the IETF ain't gonna change that.

The fact that Comcast has and abuses its monopoly is bad enough. That you would try to standardize your abusive behavior is appalling.

And then there's this guy. I suppose someone has to be.

As was mentioned in the original thread, other means of attempting to contact the individual occurred. This was apparently not the first attempt or method used to contact individuals.

Perhaps the user read those emails and simply doesn't care to upgrade the modem. Unless those emails created an opportunity for the user to acknowledge receipt, then there will probably be numerous people who receive these popups despite receiving the emails, deliberating, and choosing to take no action.

Because traffic injection is free; postal mail costs money.

They have no problem snail mailing other adverts. There is also e-mail, so no excuse.

>Well, what I meant (within the response length constraints of Twitter) was that we're not saying you can only buy it from us.

This reminds me of the part in Romeo & Juliet where Sampson says "I do not bite my thumb at thee, but I do bite my thumb."

As other commenters have mentioned, these are such small distinctions to legitimize something as fundamentally troubling as javascript injections.

Like most on this thread, I think that injecting code is a step too far, but I definitely appreciate that you took the time to explain the motivations behind this.

> Well, what I meant (within the response length constraints of Twitter) was that we're not saying you can only buy it from us. Just that the customer needs to buy it someplace. That way a customer can do as the wish - ranging from buying a used one on eBay to getting a new one from Amazon or Best Buy.

Here's what a customer should do:

Just file a complaint. Via snail mail. To the FCC. Include screenshots of the VP explaining how this is all ok.

After that the customer should enjoy the show. I'm sure at least the customer is going to be provided a top tier service for the rest of his life in any comcast service region. Most likely for free.

This is how one teaches companies to behave. He or she finds a pressure point and exploits it. It does not matter that the opponent is a 350lb gorilla. Small joint manipulation by a 95lb girl puts that gorilla on its back. For Comcast, VZ, etc. that pressure point is a snail mail complaint to the FCC. For national banks, it is the OCC. It works every time it is tried. What does not work is bitching about it on HN.

When reading about Comcast I was always wondering why they have no competition when everyone who comments is complaining.

I live in France and use Orange as my fibre provider. 1 Gbps/250 Mbps without constraints. I used to have Free which was great but did not offer fibre when fibre was installed. I switched to Orange in 5 min via a web page. I have another possibility (SFR) but they are despicable liars and for this reason alone I scrapped them.

This is France, where competition is not a national sport so I was expecting the US to have 5 other companies banging on the door.

In a natural monopoly regulation /increases/ competition and freedom for the consumer.

The BBC had an article about this a few years ago [0]. Basically the highly regulated countries had cheaper and faster internet.

> Rick Karr, who made a PBS documentary in which he travelled to the UK to find out why prices were lower, says that the critical moment came when the British regulator Ofcom forced British Telecom to allow other companies to use its copper telephone wires going to and from homes.

> But US regulators took a different approach. Rather than encouraging competition between operators using the same network, the US encouraged competition between different infrastructure owners - big companies that could afford to build their own networks.

> Some believe that UK-style regulation is bad for competition and innovation, however, and suggest that the US is already one of the world leaders in broadband.

[0] http://www.bbc.co.uk/news/magazine-24528383

It might be easier to convince me ISPs were a natural monopoly if they weren't also a legally protected monopoly where they are, and generally have plenty of competition where they aren't.

I’m not sure that’s evidence against their natural monopoly position. It might be that we’re in a world where in some places, it’s plausible to have two ISPs, and in many it’s not—but if two try, they’ll both fail to get enough people to be profitable. Then any sane provider wants to demand exclusivity as the cost of pulling fiber through a community, and unhappily acknowledges that they’ll have to cover all of their exclusive territory. If we’re in that world, and the service is nearly essential, we’ll see legal monopolies in lots of places, and some places with no legal monopoly and no service—they can’t agree on a price.

I’m prone to suspicion of their business practices too, but every one of the Comcast technical staff I’ve met, from Jason down, has been an excellent person deeply committed to the best mission of a telecoms company, enabling human communication. Is that a marketing campaign? Yes, but as far as I can tell it’s an honest campaign of showing the world who they are and what they care about.

This is laughable in light of Comcast warring against net neutrality and lying about it to customers and everyone else.


Do you personally have the ability to create large-scale broadband networks, using only the financial means available to the average citizen? An estimate by Goldman Sachs put the cost of nationwide Google Fiber at $140 billion. Personally, I'm not sure if I could come up with that kind of money, in a pinch.

This UK model is closely related to how roads are funded, as mostly govt funded monopoly on infrastructure (with occasional public private financing, which comes with its own issues, toll roads etc) and common access paid for by users (fuel tax, road tax, etc).

The US model is closer to the US railroads model, although not an entirely accurate analogy; largely privately owned with some govt owned, funded by large infrastructure companies that charge customers for usage and also, due to infrastructure costs, rarely duplicated in close proximity. It's had issues with off and on regulation, profitability, and localised monopolies that have a tendency to overcharge when they can get away with it.

> When reading about Comcast I was always wondering why they have no competition when everyone who comments is complaining.

Suppose you were a major company with big dollars to spend on offering internet service... someone like Google, for example. Then suppose you wanted to provide service in Louisville, Kentucky. How many years do you think it would take to get permission to attach your lines to the existing telephone poles (owned by the city) if the local telephone and cable providers try to tie you up in lawsuits? What if the city's mayor was enthusiastically supportive, and willing to pass new laws and spend hundreds of thousands of dollars of the city's money going to court to permit Google to start offering service? It would still take years to get permission. Fortunately, this isn't one of the many cases where state or local laws prohibit other companies from competing with the one local cable company, or it couldn't happen at all.

Now imagine it is anyone OTHER than Google with their huge warchest, legal department, public support, and local government support. It wouldn't get anywhere at all. If it did, the cable company would drop rates for a few years until the competitor went out of business, then raise them afterward.

The United States pays lip service to the idea of competition, but most of our politicians have gotten "competition" confused with "supporting big corporations". This is why internet service providing is a monopoly or oligopoly in nearly all US locations.

I think this is really a critical thing to get integrated into the American public dialogue. Pro-business and pro-competition does not mean zero governmental oversight or regulation. My opinion is that if there isn't substantial churn or upheaval in the market at least a couple of times per decade, there is something broken in the market, and we should be looking at what kind of actions would be useful to allow fresh, new entrants to make an impact (without explicitly picking winners or issuing subsidies).

Example: the online marketplace for social, search, and email is stagnant for obscure legal reasons. We should identify these (copyright and the CFAA) and remove the barriers.

Megacorps have exploited core conservative values to guilt people into believing that they're commies if they refuse to write a blank check for any big company that wants one. We can make real progress, and it's important progress, by highlighting to Republican/conservative-leaning voters that selling their country to corporate raiders is not a pre-requisite for being pro-business or pro-small-government.

You correctly call out "copyright" as a problem in the free market, then go on to blame Republicans for the status quo, when it was the entertainment industry and THEIR captured legislators -- the Democrats -- which gave us the DMCA, which has been used as one of the biggest hammers to prevent competition ever conceived. So please don't single out conservatives for giving us the monopolized internet we have now. Both sides are to blame, in their own ways. Unless we, as a country, stop making these sorts of issues tribal, we're never going to fix them.

I'm not trying to blame anyone specifically. This is just a major rhetorical exploit that works on Republican-leaning voters. I know because I and many of my associates are Republican-leaning and very conservative, at least by HN standards. We need to call out these divisive rhetorical exploits because they're used by nefarious groups to subvert actual dialogue and keep people at the extremes.

By no means do I believe that Democrats or liberals have clean hands on this. All sides deliberately ignore and subvert intellectual property matters because it is so dang profitable, and this affects "liberal" industries much more deeply than "conservative" ones. Copyright is fundamentally "big government", which more conservatives would recognize if the narrative around this issue wasn't so tightly controlled. And that's not to say that copyright doesn't serve a useful purpose at all, just that we should be cautious and wary about it.

Since bad political actors and profiteers actively and successfully cultivate tribal dynamics for their benefit, the tribal context and instinct can't be ignored. It must be worked within. Approaching a tribe as an outsider just causes them to raise their shields and ignore anything you say.

Good principles and values drive most actors on both sides of the aisle. Political alignment basically seems to just come down to which principles we prefer to favor/bias. Under that context, the need for balanced, inclusive dialogue is clear, and we should all be grateful for the diversity of opinion that keeps everything in balance.

Maintaining that diversity means working within the structures of human association to create authentic, grateful alliances built on that recognized need, instead of allowing others to abuse those same structures to provoke destructive animosities.

Not to disagree with any of the other points, but it's always worth remembering that any physical utility in the US has approximately 16x more land to cover than France. Not to mention the greater variety in climates (which do impact utilities).

Some cities only have one existing fiber line even coming into them, usually owned by one of the local duopolies (typically phone, since they originally were required to offer phone service to everybody).

This gives incumbents an immediate advantage in terms of reaching customers with physical infrastructure, before counting any of the (admittedly fucked) politics involved.

Then why do Americans in large urban centers not have greater choice of ISPs? If it's all about physical distance, why is there still no competition in dense areas?

I live in Washington DC, in the city, and I only really have one choice where I live, Comcast.

Cities grant franchise rights and determine rates charged for access to city poles and cable vaults.

Let's not sugar coat the language by referring to them as franchise rights, they're state-sanctioned monopolies.

Well, sure if they decide to only grant a single franchise which is what happens in a lot of cases. There is no reason they can't allow several competing operators in a given city though.

Incumbent ISPs lobby local government and sue would-be competitors to ensure the competition are only offered access on less favourable terms.

Back in my day, we rented Ricochet modems and shared the bandwidth between 4 users.

It's spotty. I know in DC they have RCN in some areas, which is a high-quality option.

In NYC, in one apartment I had 3 or 4 different ISPs to choose from, RCN included. In my current place, I only have one.

The solution to this problem in France was to say "if you put some infrastructure to provide a service you have to share it with others, and get some costback". The costback is regulated.

The idea is to make it better for people, not corporations (which are not starving either)

In the US, two infrastructures evolved into internet infrastructure. One was the phone service (pretty much AT&T's long distance network and Ma Bell's local infrastructure). The other was the local cable companies, Cox, Bright House, Comcast et al. So in most locations you have one of two choices: go with DSL and the phone company, or cable, which in many areas is Comcast. AT&T just installed fiber here in the Florida Keys so alternatives are starting to pop up in more remote locations in the US, but it's still pretty much a go with the local phone company or local cable company monopoly decision.

You were able to switch in 5 minutes because nothing actually changed except who sent you the bill. In the US this isn't possible because whoever owns the physical wire/fiber into your place gets to bill you, exclusively.

Yes, there is one cable and everyone has to share it, by law.

I thought that AT&T was split once in the past to differentiate backbone and service providers - why not in the case of fiber?

>I thought that AT&T was split once in the past to differentiate backbone and service providers - why not in the case of fiber?

So-called unbundling was done, but in exchange, the backbone provider got a legal monopoly. Almost everywhere AT&T or Verizon lays fiber has competition, usually with a local cable company.

Probably because the fox is guarding the henhouse now.

A lot of cities grant exclusive agreements to these companies. Lately they are more competitive but historically one cable company would be granted the right to serve an entire city.

For an example, here's the page for Portland's agreements:


Regulations can limit new entries in other ways as well.

A former coworker was telling me the difficulty of getting a DSLAM installed in a high-rental area, like a Seattle neighborhood. The DSLAM install requires approval from 40% of the property owners, so you might write each landlord a letter, but the landlords aren't opening letters unless there is rent money inside. So installing a DSLAM becomes a political game of convincing the several hundred "rental-transient"[0] people in the neighborhood to talk to their landlord. One of the reasons behind the "Ask your Landlord about Wave Internet" signs you see around.

[0] Renters often only plan to stay in a location through their current lease, and thus have less long-term concern over the area. In this way, transience destroys community.

> everyone who comments is complaining

"Those who comment" are far from a random sampling of the user base. It's entirely possible that 95% of users are satisfied "enough" with the service and yet for nearly 100% of comments to be strongly negative.

I know, this is the reason I added "who comment". This is not good enough, I know too, but in no comment have I seen praise of Comcast.

Comcast is not alone in this. Cox Communications has been injecting code into HTTP traffic for years.

I think sometime around 2008 I first saw them do it (I noticed NoScript blocking a script on a page that it wouldn't normally). If I remember correctly, following it to its source hinted that it was a test for some alert system.

In 2012 I saw them injecting a script to notify people that their email servers were down ( https://www.dslreports.com/forum/remark,27826161 ) though the paranoid in me thinks that was an innocuous way to test how acceptable altering traffic would be.

The escalation I've seen in the last couple of years is the ability being used for Cox customer surveys.

As far as I know they haven't injected anything into my SSL/TLS traffic... yet.

> As far as I know they haven't injected anything into my SSL/TLS traffic... yet.

You say that as if it were even possible. Or are you referring to the use of SSL stripping?

HSTS preloading (or visiting a site with HSTS headers that you've previously visited) will protect you from even that.

They did that to me a few months ago. I called up and canceled my decade old ~$90/mo acct on the spot. Tethered to 4G, works fine.

Can confirm. I didn't even notice until they started using their script to inject popups telling me I had "exceeded my data allowance". I literally canceled my Cox Communications account on the spot.

Comcast forced me to upgrade a perfectly acceptable modem so I would have the option to have higher speed service (which I do not want)! Here's what they did:

1. Asked me to upgrade the modem (emails and letters)

2. Inserted a filter on my line so I lost my connection

3. I bought a new modem (not realizing they stuck a filter there)

4. They removed the filter

I guess this approach does not scale as well as the 400 lines of Javascript!

What spec of DOCSIS was your old modem? If it was 1.0, 1.1, or 2.0, sorry, you lose all support; the older specs had hard bonded channels that they put HD TV on after the swap, which they informed people of for 2 years before it happened. And they put TV on them since they were degrading channels due to overuse across the entire network (as in across the country).

The later specs allowed for floating channels based on channel maps, which allowed Comcast to bypass those degraded channels.

Note: I'm not an apologist, but I worked for Comcast and for a subcontractor. Comcast treated (at least in my opinion) their customers like wallets that called and complained, but under the subcontractor I saw that since they didn't rewire 100% of all networks purchased, it was common that the older lines were causing the degradation and also reflection on other RF channels sometimes on the other side of an area even. Now if Comcast invested in their network as opposed to buying other companies and calling it investment, this might have been fixed, but that would be decades vs. having every modem that wasn't compliant to the new spec swapped.

The SB6121 is a DOCSIS 3.0 4x4 modem rated for 174 Mbps, the SB6141 is an 8x4 rated for 343 Mbps, and the SB6181 is a 16x4 rated for 686 Mbps. Outside of their capabilities, the hardware on them is nearly identical. There is nothing "EOL" about the SB6121 except for the idea that it's unable to support 200 Mbps. It's a perfectly good entry-level modem capable of offering speeds that are over 7 times the minimum definition of "high speed internet".

I don't understand the general attitude against forced modem upgrades. If you lease your modem it's as easy as walking into a Comcast store and swapping it for a new one. If you own your modem, pick the newest model of modem that fits your needs.

The newer modems support more channels and newer modulation/technology. This isn't just about supporting newer speeds. In order for them to support those newer speeds for other customers they have to upgrade their equipment to support more channels and newer modulation/technologies.

At some point these older technologies are not just wasting resources by being less efficient, but are preventing the company from upgrading their equipment.

The reason I don't understand is because it's common to see people complaining about the state of broadband in America compared to other countries. Yet Comcast is probably the most progressive as far as pushing the technology goes. Don't misunderstand me, I believe Comcast holds a near/total monopoly in many locations around America, but at least they're progressive with their network and technology despite the lack of meaningful competition.

  it's as easy as walking into a Comcast store and swapping it
If you have an Xfinity store nearby, and if they don't have lines over an hour long much of the day, and if you get a rep who knows what s/he is doing.

I live about 6 minutes from one, and it can still be a multi-hour adventure.

I thought HTTPS was supposed to prevent this sort of man in the middle attack? (Or at least make it harder) -- and I thought that most websites used HTTPS these days...

or am I misunderstanding?

If they are able to do this, and are injecting JavaScript for something as low-return as online ads, then what is to prevent them from changing the news headlines on <insert your news website of choice here>, or the stock ticker feed... How do we know that they aren't?

Do we, as a community, have any mechanism to detect if these sorts of attacks are occurring?

The injection is currently for non-HTTPS only, but I can easily see this situation evolving for the worse as HTTPS becomes increasingly the default.

What will happen is someone at Comcast will notice that their injections aren't happening often enough anymore due to HTTPS adoption. Someone at Comcast will suggest implementing a MITM TLS proxy service to get things working again. Someone else at Comcast will note that wouldn't actually work because they can't install fake root certs on every client device...

Then Comcast will basically switch to a model where the HTTPS interception is "optional" (requiring the client-side use the proxy explicitly), but they'll start shipping some kind of "Comcast Setup" executable (or mobile app) users are supposed to run on their client laptops/phones so that they can get these important service notices, which turns on the client-side use of the proxy and installs the fake root certs. Geeks may not install it, but the bulk of their customers will, and everyone loses. I don't think broadband consumers are aware of the fact that they shouldn't trust software provided by their ISP...

Chrome and all other browsers would quickly put an end to that.

> The injection is currently for non-HTTPS only, but I can easily see this situation evolving for the worse as HTTPS becomes increasingly the default.

That's my fear too. This has to be handled by other means and has to stop. If everything is HTTPS you can be sure it gets very insecure by design, as everyone will upgrade their capabilities and inject certs into you; then we would need a new, more secure protocol.

Why is email still insecure and sent in plain text? Why is there hype for HTTPS but everyone is fine with sending mail in plain text, yet we have S/MIME, etc. and no one is using or supporting it.

As the other comment said, HTTPS does prevent this, and this only happens on HTTP pages.

> Do we, as a community, have any mechanism to detect if these sorts of attacks are occurring?

Yes, Caddy can detect whether a connection is being MITM'ed: https://caddyserver.com/docs/mitm-detection

As that page describes, Caddy's detection only works on SSL-served pages, by comparing the TLS handshake to the expected TLS handshake pattern of the advertised User-Agent.

Ironically, if you're using Caddy, I struggle to think why you wouldn't already be pure HTTPS.

Yes, and it is fair to assume that a page served over HTTP is not trustworthy in any case.

Yup, but "these attacks" in your first post was specifically HTTP modification, which is the only thing Comcast is capable of doing.

HTTPS does prevent this. This can only be injected on non-secure connections.

Use HTTPSEverywhere on your browsers, and then enjoy the "You're close to your monthly limit!" pop-up on the Steam Store!

Um, I assume the code for that pop-up is rendered into the page on the web server that produced the page, before being returned to the browser.

That is precisely the problem. If the notification were rendered as part of the page by the web server, no one would have issue with it (though it would likely be blocked by adblockers anyway).

It's the fact that the ISP is modifying traffic in-route, to inject something that was never intended to be part of the page, that is the problem.

I expect my ISP to be a neutral carrier of messages, not meddling and altering my mail to add whatever they happen to feel like adding today.


I think the intent was to comment that extensions don't protect programs with embedded web views, like the steam store. I'd hope the steam store is using https though...

Only on checkout pages. For the rest of the storefront they actually redirect you from HTTPS to HTTP.

That's especially bad, because you can't actually see the origin or whether TLS is in use from the store's interface...

Assuming Comcast adheres to their RFC[1], this injection method would only affect insecure HTTP per general requirement R3.1.2.

[1] https://tools.ietf.org/html/rfc6108#section-3.1

A VPN will prevent this.

I'm curious if there's a way to hash your code, so... I guess this can be overwritten as well. But like a check sum to make sure your client code is the same as you made it.

HTTPs is good, got it.

Subresource integrity checking. Most CDNs provide <script> tags with these hashes.

But the MITM can just remove/change those hashes.

Yes, if the index.html is not HTTPS or otherwise compromised.

Thanks I will look into that.

The thing that's so irritating about large telcos is not just that they're evil, but the casual stupidity of their actions, including their evil actions.

I mean, look at the code. Look at the function of this code. Look at the business purpose of this code. Look at the security aspects of using this code. Look at the legal ramifications (why the hell is that LGPL thing up top there?). Look at their internal communication. Look at how easy it is to see exactly what they're doing ...

All of it screams "no double digit IQs anywhere near this thing".

And yes, I mean, I know that's not true. Their people are not this stupid (though some must be). But they do this anyway. The organisation does business analysis at the level of a 5 year old, codes like a 10 year old, obviously this has not passed legal review, ...

How can an organisation that executes this badly become this big? I mean, I know the answer is "government" and government making them a monopoly, but still. WTF.

I have a few years of experience inside Comcast and I've concluded that Comcast's executive management are the ones at fault here. Across several divisions, their engineers have been fantastic and a pleasure to work with. This all goes to shit when the businesspeople around the engineers are making terrible, selfish decisions and optimizing their hourly employees for numbers (call center I'm looking at YOU)

Almost every big company that has a call center is looking to optimize their hourly employees. In most cases they are the largest staffs and are highly sensitive to census tolerances. It’s definitely not just Comcast.

If more people blew up the call center like the guy in the posted forum, they would notice. But very few people notice.

Good engineers don't do evil things, even if their bosses tell them to.

A mortgage and tuition for kids is a powerful motivator.

To be fair, I'd say "good engineers" especially where Comcast is, probably choose their employer not the other way around. Not to say whether they are right or wrong for working there, but we shouldn't pretend "good engineers" are otherwise destitute.

The yuppie Nuremberg defense. From the excellent movie "Thank You for Smoking".

Evil is often banal.

You guys sound like you're 20.

You think things in the world are so "obviously" black and white.

Comcast making shitty business decisions is not burning Jews in ovens. And the fact you're not immediately laughed out of the room when you make such comparisons is the real sad reflection of society in this thread.

There are other companies doing much more evil things.

A good person doesn't blindly follow orders, period. You don't get to call yourself a good person just because you signed a mortgage or had a kid. If your actions are bad, then you are bad.

Reality forces a choice between lesser evils at times.

"Good" as in morally upright? (in which case true).


"Good" as in technically competent? (in which case untrue).

These are not separate concerns. Morality is a necessary part of competence.

[citation needed]

In any case, here the intended meaning was clearly "technical ability", which doesn't require morality

If there's one belief I think needs to be more widespread in technical circles, it's this. Good engineers recognize the impact of their engineering, and engineer for social good. We don't remember programmers because of how good their programming was, we remember them because of how good the programs they made were.

it's the engineer part that suggests the moral uprightness. without that, it's more "developer"

"good" as in having the qualities required for a particular role, as per Google.

I don’t think it is just telcos. It is amazing how scale, inertia, lack of accountability and bureaucracy dumbs down large corporations that mostly consist of smart educated people.

A million Shakespeares typing on typewriters write no better than a monkey!

> A million Shakespeares typing on typewriters write no better than a monkey!

I like it, although I think the analogy fails here. How about "An infinite amount of Shakespeares typing on the same typewriter will inevitably produce garbage"? :)

I wonder what Shakespeare would have thought of typewriters?

Would we have gotten twice as many plays out of him?

He was clearly slacking.

It's not just telcos. The second-hand details I hear from a major bank make me cringe every day. And the main issues tend to be laziness and selfishness.

> I mean, I know the answer is "government" and government making them a monopoly, but still. WTF.

Eh, telco infrastructure is a natural monopoly. No government needed for that.

No, but government could easily have opted for a regulatory regime that prevented it from being a problem, instead of allowing them to continue milking their situation.

The EU member states implementation of deregulation of the telecoms sector is far from perfect, but most of them have ended with something that works reasonably well.

E.g. in the UK, while the cable operator (there's only one of note left standing) has mostly escaped regulation, BT had its last-mile infrastructure subjected to heavy regulation to the point where it's been split out into its own company (OpenReach) that maintains the network and is legally obliged to resell access to anyone at the same terms.

You can even get the prices to terminate an IP connection with a subscriber on their website.

ISPs can put equipment in the BT exchanges and get a raw connection, or can pay for "backhaul" to a set of central locations.

I know the US also has a form of local-loop unbundling, but it's clearly not working very well given the level of complaints people have about these services in the US. Possibly because of the price-setting mechanism?

As a result there's a lot of competition in the ISP space in the UK (as there is elsewhere in the EU).

(Where it's not perfect is that the way the regulations have been set up gives too few incentives for BT to invest and innovate in the last mile network and is often accused of milking OpenReach for profit; two ways of improving on that would be to restrict how much profit they could take out as dividends to a proportion of how much they reinvest in network improvements and/or split maintenance/operation into regional franchises and force companies like OpenReach to bid for it on a franchise basis; though the latter is hard to get the evaluation-criteria right for)

> ISPs can put equipment in the BT exchanges and get a raw connection, or can pay for "backhaul" to a set of central locations.

It's worth noting this involves two different layers of regulatory separation.

Most ISPs don't run their own LLU operation. They buy access from one of BT Wholesale or TalkTalk Wholesale (who are technically LLUers and both, in turn, use the last-mile network run by Openreach). As you say, the prices which both of the BT Group companies are allowed to charge are regulated and published and companies can "innovate" at quality of service or features offered.

The relevant part here is that the US has never AFAIK had the same wholesale access model. With that, an upstart ISP could have the same coverage as Verizon/Comcast/etc but have the option of not doing these scummy things and/or being as network-neutral as they pleased, within the limits of their business model, without having to spend boatloads of money building a network to access those customers. LLU, on the other hand, requires way more investment so it's not surprising that it never really took off in the US where DSL always seemed like the poor relation compared to the cable networks.

There’s a lot to dislike about the UK government, but the way they regulated the ISP market is perfect. We have one of the most competitive ISP markets in the world.

In my time in the US several years ago I was horrified at the cost and quality of internet (and mobile) service compared to the UK.

Any strong libertarian ideals I once had were crushed by the reality of things like this. (Healthcare too but that’s another discussion).

I don't really think it's perfect - it lets BT milk OpenReach rather than reinvest more. But it's decent.

It's worth noting, though, that this is the EU's doing, through the Telecoms Directive, not something the UK government did of its own accord.

No, it's not a "natural monopoly." The primary issue right now is getting the legal right to use this infrastructure, which is protected by local city and county governments. Most of these local governments simply choose to not allow other companies to move in.



BS. Heard about the 1996 Telecommunications Act? The government paid for their monopoly, and now it lets them keep it and not share it.

They have to share the last mile infrastructure with new entrants. And the FCC can preempt local and state level requirements to help new entrants.

The current problems are that a) since Trump the FCC is shit, b) local municipalities "vowing" to not enter the market (and others have no incentive).

See these for b: - https://arstechnica.com/tech-policy/2017/11/voters-reject-ca... - https://www.wired.com/2013/07/we-need-to-stop-focusing-on-ju...

> The current problems are that a) since Trump the FCC is $#\¥

Oh please, he’s been in office less than a year - none of this amazing ‘sharing’ happened under the previous administration either. It’s totally understandable to have (in my case many) disagreements with the Presidents and their policies, but this knee-jerk habit of blaming whoever is currently in office for everything because he’s not on our team is counterproductive.

The FCC under Trump has been very friendly to the large enterprises at the expense of small businesses and customers. Trump himself has approved many regulatory changes which are hostile to small businesses, employees and customers across many different industries.

It's safe to say at this point that we have a clear idea of what decisions Trump and his FCC will make in the future, and that there would be little to no hope for decisions which will increase competition. A year is plenty of time for assessing the character of an administration, and Trump's has been remarkably consistent in this regard.

> blaming ... for everything

Not for everything.

I blamed O'dog for the fucking shady counterproductive NSA practices that he allowed to continue.

The Obama DoJ took a dump regularly on whistleblowers.

And the infamous CIA kill-by-drone program.

And those are just the obvious big ticket items.

Is that when they subsidized the ISPs with billions to build out infrastructure, which they never did?

The problem with anti-government rhetoric in the US is it creates a self-fulfilling prophecy. Government is not inherently as incompetent and weak as yours often is.

There is no reason why a regulatory solution cannot work in the US when they work well in many other countries of greatly varying size and population density.

If your government fails you, that is not a failure of government: it is a failure of your government.

You're assuming it was written any time in the last, oh, decade or more? That's surprising. Perhaps you've never spent time in a cost center far outside the profit centers of a large enterprise, where things that work are left alone to do so, because you're not going to get investment in replacing them or bringing them up to date with modern best practices, because they work.

I mean, there are weekend hacks of similar age and quality, with my name on them, that I know are still in active service. Because, for all their myriad other faults, they mostly work, and everyone who works with them is used to using them and to dealing with the occasional cases in which they misbehave. These are not things which anyone rebuilds just for the sake of it. So they go on being used until they stop working entirely, and then the business replaces them with something else.

Whether or not that's a sensible way to go about things is an open question, if you like. I don't think it is, because these aren't the sorts of things which cripple a business if they misfire - or make much impact even if they don't. So investing heavily in them would seem like a waste of money, though perhaps you disagree. But the world need not be mad for this to be the way of things.

Under Ajit Pai's reasoning, by doing this, Comcast is adding to the evidence that it is an "information service" rather than a "communication service."


The random classList polyfill at the bottom was a nice touch. As I scrolled to this bit I was initially like "oh this'll be nice they encrypted some of--oh. :("

My favorite bit was the "this detects the browser type and version" snippet that was copyrighted 2001. Nice!

I think the move to open-source the code was a ham-fisted way to get the "we're modifying copyrighted documents in flight" part past the lawyers. It's admittedly a pretty decent legal move.

I don't get it, how does that work?

He is mistaken, it has nothing to do with it. My code is included in Comcast's injected code, but that doesn't mean any of Comcast's liability has shifted to me.

> How can an organisation that executes this badly become this big ?

Lots of ads, undercut your competition by something like $1 and "new customer deals" and then shaft your customers after a while

The average customer just goes to the store with the flashier lights (or the one which is more convenient).


"A natural monopoly is a monopoly in an industry in which high infrastructural costs and other barriers to entry relative to the size of the market give the largest supplier in an industry, often the first supplier in a market, an overwhelming advantage over potential competitors."

> "undercut your competition"

When there even is any competition. Where I live, it's literally Comcast or else tether my mobile phone. Satellite is technically an option, but realistically between the cost and my tree coverage there's no way to make it work.


The average customer just goes to their cable company (coax cable) or their telephone company (DSL).

(And the kicker is... they both suck!)

I look at some companies and I just shake my head.

Microsoft in the last 10 years, and consider how much talent and budget they have access to.

I remember when Zynga had to lay off programmers by the thousands. I was thinking, they had THOUSANDS of programmers and the best they came up with was skins over top of FarmVille?

It is my experience that the more smart people you add to a team, the lower the collective IQ becomes.

Once you get up to around 20+ people on the team, the collective IQ of that team drops to a level where stupid things like this happen...

Nothing good comes from development by committee, and this appears to be a project that was developed by committee.

I'm not sure it's about developers. Just consider - a pointy haired boss returns from a meeting and says "it's decided - make it show our sales-boosting popup here".

Rather than arguing, I guess, many (who haven't left for one reason or another) would just go with "uh, whatever" attitude and slap something together just enough for PHB to see that popup (and let customer complaints do the rest).

True evil isn't of the calculating kind. It's the incredibly stupid kind.

>obviously this has not passed legal review //

What makes that obvious to you - appears to pass the "we're unlikely to be fined and any fine will be too small to bother us" legal review.

> How can an organisation that executes this badly become this big ? I mean, I know the answer is "government" and government making them a monopoly, but still. WTF.

Because "National Security".

TFA mentions a Comcast tech referencing RFC 6108:

"[JL] This is our web notification system, documented in RFC 6108 https://tools.ietf.org/html/rfc6108, which has been in place for many years now."

However, RFC 6108 requirement for use R3.1.1 states:

   R3.1.1.   Must Only Be Used for Critical Service Notifications
             Additional Background: The system must only provide
             critical notifications, rather than trivial notifications.
             An example of a critical, non-trivial notification, which
             is also the primary motivation of this system, is to advise
             the user that their computer is infected with malware, that
             their security is at severe risk and/or has already been
             compromised, and that it is recommended that they take
             immediate, corrective action NOW.


I'm sure the Comcast "tech" knows what's in the RFC. Look in the top-right corner; he's one of its authors. He's also replying in this thread.

Do you consider upselling subscribers on modems a critical service notification? I don't.

Yea they don't really follow that RFC, they just use that RFC as an all-justification for their action.

That is one reason why HTTPS is a must for all sites.

Would HTTPS help at all in this case, though..?

Yes. You can’t inject code in a TLS-secured connection unless you can MITM TLS and if they can do that, all is lost anyways.

There are several corporate firewall products that can do just that. Comcast can just start demanding that their customers install their root cert and that's that.

Remember they are the only venue to access the internet for a lot of people, what are they going to do? Stop using the pretty much mandatory communication and information platform?

I'm always surprised just how many people here on this site think you can fight social/political fights with technology. Especially when it comes to entities that can bribe legislation and control your communication.

They could, but they don't. Until they do, or imply in any way that they might, let's stick to the facts and leave wild, flailing speculation to reddit.

Regardless of what an ISP might do, HTTPS everywhere is excellent advice.

After all the horrible consumer practices Comcast does regularly you'll still give them the benefit of the doubt? How many times do they have to prove themselves as untrustworthy and consumer hostile that you'll stop sitting there and just hoping that next magical tech will make them stop trying to extract maximum money and inject ads into your stream?

Yes, HTTPS is great and should be deployed everywhere. But thinking that they'll just give up on injecting ads into your stream when a large chunk of people use it is hopelessly naive - especially when off-the-shelf enterprise solutions that MITM HTTPS traffic already exist.

The technical capability to MITM TLS has existed since the very moment TLS was designed. It all hinges on the ability to get a trusted certificate for the domain you want to MITM. You can do TLS MITM with Apache if you choose to. Acquiring the cert has always been the problem and nothing changed in that regard. Strictly speaking, things on that front have become harder since browsers are becoming more and more strict about enforcing TLS security. If Comcast moved to distributing a CA cert to their customers I could quite well imagine that all browser vendors would block that root, as they've done with CAs that fell out of trust.

Not to mention the Certificate Transparency efforts..

Breaking TLS is considerably harder. And forcing a cert upon your customers would be hard to scale... It would be similar to implementing a firewall forbidding TLS and VPNs. That's a hard sell.

Comcast and their telco friends just managed to lobby legislation away while completely ignoring complaints and good business. It doesn't look like Americans have any power to fight against these companies, so trust in other for-profit companies which are reliant on Comcast & Co. for their profits seems a bit optimistic to me :/

That post wasn't about legislation. It was about the fact that if Comcast started trying to install root certs on the machines of customers using them for their ISP (which itself is unlikely because of the extra cost both to install, and to troubleshoot, i.e., "why can't I browse anything when I am on my new phone"), Google, Apple, and Microsoft could, and likely would, decide to reject them in their respective browsers as being untrusted. Because they have seen fit to do that in other instances where user security was compromised, and an ISP MITMing every bit of your traffic is no less alarming.

> HTTPS everywhere is excellent advice

I couldn't agree more! That's one of the reasons for example we have supported groups like Let's Encrypt (http://labs.comcast.com/innovation-fund-spotlight-lets-encry...) and CrypTech (https://cryptech.is/).

Please don't let "support" become "influence". The web needs less influence from Comcast and ISPs. Your business practices are a cancer of the internet.

Not HTTPS Everywhere, the extension, which has ridiculous system demands.

Perhaps you might like to suggest a replacement and or reasons for your statement?

I stated the reason, and I don't have a replacement. It's a great idea, but for now I'll have to wait for websites to enforce https on their users. But of course it can work for you if you have the resources to spare.

All of these products require that a corporate root certificate is installed on the devices initiating the connection. This would require that all users install the cert on all devices, some of which do not allow such an install. I don't think you can install certs of your choice on a PlayStation, an Amazon Echo, an Apple TV or any of the home automation systems. This would break all of those devices. It would also break any app that uses cert pinning. All of this is manageable in a corporate setting where you can remotely configure all devices and have a suitable IT support operation, but it would be an absolute support nightmare for Comcast if random stuff just breaks when on their network. Think about what happens when Apple TVs or TiVo boxes come with a sticker explaining that they don't work on Comcast networks because Comcast does not allow secure communication. Banks would require their customers not to do internet banking while on Comcast networks since secure connections cannot be established.

So they'll be whitelisted. They just need to make use of FB/Google/Amazon/etc. websites impossible without the root cert and they can continue injecting ads into any website content. It's not like they care about injecting ads into PS4 API calls (yet).

Also how hard do you think it would be for American telcos to push for inclusion of their MITM certificates? Especially if other companies like Verizon come aboard the profit train?

Browser vendors distrusted whole CAs for less than full interception. In the end, all of this would require control over the device and Comcast can’t achieve that (unless legislated, but that’s a whole different ballpark)

> Comcast can just start demanding that their customers install their root cert and that's that.

Comcast can demand all they want but they are going to have to hand-hold a lot of people through the process. Sure, Windows/Mac could offer a nice executable to install it for you, but you still have to get people to install it and that's not something their whole customer base will be able to do.

The process of installing CAs on iOS devices involves even more steps. And this is a process that will have to be completed every time a new device is put on their network.

What about even more “locked down” systems? Your IoT doorbell? Your networked cctv camera? Your Smart TV?

Is it possible? Sure. Is it practical? If Kazakhstan couldn't do it I'm going to struggle to see Comcast pull it off (though if anyone can, it's prob them). See, in a corp environment where they own all the devices it's fairly easy to do, as most of your deployed hardware is going to be able to remote install what IT asks of them, your mobile devices are going to be enrolled into MDMs and you will have IT staff on hand to help staff enroll their devices. None of which Comcast has.

We are not talking about your avg Hacker News reader configuring their devices to get online, we are talking about people like my mother who can just about browse the web and play games on her iPad and struggles to set the alarm on it. How are you going to get her to install the root CA without having someone do it for her? Sure, get the installer to do it? But what about all your existing customers? You going to schedule a call out for each of them? And what about when she gets a new device? You going to make her take the device to the local Comcast store to get it installed?

Oh, and Chrome and/or Firefox could throw a massive spanner into the works by refusing to accept their root cert halfway through deployment, meaning all those "updated devices" need to be updated again before they even had a chance to use it at any major scale.

Sure it's possible, I just don't see it as practical as of today.

I remember Kazakhstan announcing that policy, but I never saw the fallout. Did anyone write it up in English?

They tried a couple of times (not been keeping tabs on them too closely) to get a root cert into Mozilla - https://bugzilla.mozilla.org/show_bug.cgi?id=1232689 but were denied until they get a valid BR audit, https://bugzilla.mozilla.org/show_bug.cgi?id=1331364 but have yet to answer the follow-up questions so the request hasn't progressed.

They published a response to the backlash - http://mic.gov.kz/en/news/matters-using-registration-certifi... saying that it would only be used to improve the security when accessing foreign resources, battle porn terrorism and transnational crime.

Dunno what the adoption rate of the cert was or if they do force the use of the cert when accessing foreign https sites

They quietly removed the notice from the telecoms' websites saying that people will need to install the cert or may lose access to foreign HTTPS sites (not from Kazakhstan), but I would expect someone would have gotten word out if they had (maybe they did and I've just not come across it).

You're way overthinking this. Go look at how exactly the automated deployment of MITM HTTPS corporate firewall works - it's a few steps affair and gets them 90% there.

All they need to do is block YouTube/Google/Facebook until you run the "Comcast internet setup wizard" (remember? those were a thing!) which makes most customer connections MITMable. Then charge extra for all non-MITMed connections ;)

Declare Firefox as unsupported, Google will have to cave in to the biggest telco and that's that. This article (and all others about Comcast) clearly proves that Americans have zero leverage over companies like Comcast. The customers are peacefully accepting modification of their network traffic now, why do you think you'll suddenly get any more leverage over a natural monopoly you're forced to use in the future? Especially after dismantling net neutrality?

The internet setup wizard is a pain to even get to these days, especially if you are trying to run it on a “dirty” device that has already been used online and is enforcing HSTS.

You can only redirect them to the wizard if they try to connect to a non-HTTPS site or the non-HTTPS version of an HTTPS site they have yet to visit.

Same mother. She has a 4G SIM in her iPad; the cheapest deal for her usage level is prepaid SIMs. When the prepaid credit is gone it’s cheaper to use a new SIM than top up the existing SIM. Except you have to go through an activation portal to enable the SIM. It’s easy. Pop in the new SIM, visit the telco's website or any valid non-HTTPS domain, press the activate button and away you go.

She still can’t do it. And in a world where more and more people are using apps instead of browsers, where preinstalled apps will just fail, you are going to cause even more issues.

BT's Smart Setup captive portal on their routers was one of the most annoying things they did. And when searching for it the top results are for turning the thing off. Why? Because it interferes with devices that cannot display the portal: smart TVs, Amazon TV sticks, set-top boxes, webcams, IoT toasters, etc.

While they haven’t removed it from their latest router they have had to make disabling it much easier than in previous versions.

With the number of end user devices on the market, I just don’t see them managing to pull it off by getting end users to install their cert.

But you touch on a point. You say that Chrome would have to just suck it up from Comcast. Now I’m not saying I disagree, but if they held so much power over Chrome (the largest browser my customers use), why would Comcast go through all that pain to get end users to install a root CA rather than just get the browser to install the cert anyway and save all that hassle with your end users? Think of the savings they would make not having to handle all those support calls.

Like I said. Possible? sure, practical today? I don’t believe so.
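The HSTS point above is the one that actually decides whether a captive-portal "setup wizard" can ever reach a device that has been used online before. As an added example, not code from the thread or from any browser, here is a minimal model of how a user agent applies a Strict-Transport-Security policy (RFC 6797): a policy is only accepted over HTTPS, it expires with max-age, it optionally covers subdomains, and every later http:// navigation to a covered host is rewritten to https:// before a request leaves the machine. Hostnames and header values are constructed for the example.

```javascript
// Added example (not from the thread): a minimal model of HSTS handling.
// HSTS_STORE maps hostname -> { expires (ms), includeSubDomains }.
const HSTS_STORE = new Map();

// Parse a Strict-Transport-Security header value into a policy, or null if invalid.
function parseHsts(headerValue, nowMs = Date.now()) {
  const directives = {};
  for (const part of headerValue.split(';')) {
    const [rawName, rawVal] = part.split('=');
    const name = rawName.trim().toLowerCase();
    if (!name) continue;
    directives[name] = rawVal === undefined ? true : rawVal.trim().replace(/^"|"$/g, '');
  }
  const maxAge = Number(directives['max-age']);
  if (!Number.isFinite(maxAge) || maxAge < 0) return null; // max-age is mandatory
  return { expires: nowMs + maxAge * 1000, includeSubDomains: directives.includesubdomains === true };
}

// Record a policy only when it arrived over a clean HTTPS connection.
// A header seen on plain HTTP (e.g. added by an in-path proxy) is ignored.
function observeResponse(host, overHttps, headers, nowMs = Date.now()) {
  if (!overHttps) return false;
  const value = headers['strict-transport-security'];
  if (!value) return false;
  const policy = parseHsts(value, nowMs);
  if (!policy) return false;
  if (policy.expires <= nowMs) { HSTS_STORE.delete(host); return true; } // max-age=0 clears
  HSTS_STORE.set(host, policy);
  return true;
}

// Is `host` covered, either directly or via includeSubDomains on a parent domain?
function isKnownHsts(host, nowMs = Date.now()) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join('.');
    const policy = HSTS_STORE.get(candidate);
    if (!policy) continue;
    if (policy.expires <= nowMs) { HSTS_STORE.delete(candidate); continue; }
    if (i === 0 || policy.includeSubDomains) return true;
  }
  return false;
}

// What the browser does with a navigation. For a covered host the http:// URL
// is upgraded locally, so nothing in the path ever sees a redirectable request.
function navigate(url, nowMs = Date.now()) {
  const u = new URL(url);
  if (u.protocol === 'http:' && isKnownHsts(u.hostname, nowMs)) {
    u.protocol = 'https:';
    return { url: u.toString(), upgraded: true, portalRedirectPossible: false };
  }
  // Plain HTTP to a host with no stored policy: an in-path box can answer with a 302.
  // HTTPS without a policy is still not redirectable without a certificate error.
  return { url: u.toString(), upgraded: false, portalRedirectPossible: u.protocol === 'http:' };
}
```

Feed `observeResponse` one HTTPS response from a host and every later `navigate('http://thathost/...')` comes back upgraded; the "first visit to the plain-HTTP version of an HTTPS site" case is the only one where `portalRedirectPossible` is true, which matches the window the comment describes. Preloaded HSTS lists shipped with browsers close even that window for the sites on them.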

> I'm always surprised just how many people here on this site think you have fight social/political fights with technology. Especially when it comes to entities that can bribe legislation and control your communication.

I don't understand. Your second sentence seems to contradict your first; Comcast bribing legislators is a social/political attack. What did you mean?

I currently see more hope in tech solutions than political solutions to the problems of privacy, net neutrality, and script injection. We have the option to use content and routing encryption technology that looks something like TOR or I2P. Instead, we're asking politicians who don't understand the tech to protect us from ISPs who will never stop trying to leverage anything they can find in our traffic. Allowing Comcast to see the traffic at all is the problem, and politics will never prevent that.

If it's apparent to you that the political fight is more winnable, or that technical approaches to privacy are doomed, then what is the social/political solution to internet privacy? Because we don't have any right now, and it looks like we're losing the political war.

It would make it harder, perhaps.

Yes, they couldn’t modify the webpage without breaking the cert signature, giving the user an error; installing a CA cert on your devices and doing a MITM on your traffic (which would be hard to predict if your device has their cert installed); or getting an already trusted CA to forge certs for them, which once uncovered would get that trusted CA dragged through the mud by the major browsers.

In my humble opinion, there is no situation that would merit javascript injection that would not rise to the importance of fully disabling someone's internet connection, if only temporarily.

Case #1: Malware. Full disconnect, redirect to explanation.

Case #2: EOL hardware causing interference. Full disconnect, redirect to explanation, method to rectify.

Case #3: Consumer not getting what they paid for: email me/snailmail.

I think the RFC makes it clear: this should not be for trivial notifications, only critical notifications, and if it is truly critical, it should disable the entirety of the connectivity until the user acknowledges/remedies/whatever.

I call shenanigans.

Could this legally be construed as creating a derivative work under copyright law?

As a site owner, could I prosecute Comcast for infringing on my rights by altering the content of my pages?

That was my first thought - the web page is copyrighted code.

Unfortunately, expect to see more of this happening with the useful idiot Pai running the FCC.

The gigantic image: https://i.imgur.com/kN2rMhK.jpg (source: http://comcastsupport.i.lithium.com/t5/image/serverpage/imag... - URL manually edited to display largest possible size)

I paged through the JS curiously, and found the URL bnpsa.g.comcast.net/images/mydevicealert/browser/. I wondered what would happen if I hit that from my ISP in Australia. I was surprised: I got an NXDOMAIN back.

But I discovered that googling the above URL as a quoted string finds a bunch of copies of the JS scattered around the Internet. Might be useful.

So then I tried hitting bnp-service-alerts.gslb2.comcast.com/images/. This actually resolved, and Chrome hung at "Connecting...". After rechecking the URLs I noticed this one was referenced in the JS as HTTPS, so I added that, and promptly got 403 Forbidden.

Question to anyone on Comcast [edit: which has been answered]: does http://bnpsa.g.comcast.net/images/mydevicealert/browser/ resolve for you?

Doesn’t look like much has changed over the last 5 years.


When you run code on a website you don’t own you have to be extremely careful. You’ll learn this quick building WordPress themes and plugins. They’re pretty careful not to directly affect the website by running their JavaScript in a scoped context and using IDs in the CSS selectors, but there is nothing to prevent the website from modifying their pop up. For example if my website had the .closebn class with display: none !important, a visitor would not be able to close the pop up. That’s a pretty common class name. To prevent this you should use dynamically generated class names that get swapped out at build time, or in this case even inline styles. Something like the close button of an injected pop up is pretty critical and inline styles would guarantee that it wouldn’t be messed with.

(I haven’t tested any of this, this is based on a quick glance at the code)

This is indeed true, and IIUC using Shadow DOM would be a workable mitigation.

Btw, ignore caniuse etc - Firefox _technically_ does support Shadow DOM, just version 0, which it has apparently supported for a little while now. It's better than nothing in a pinch.

Chrome et al are at Shadow DOM v1, which is what caniuse tests its support/no-support metrics against.
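To make the collision in the two comments above concrete, here is an added example (not code from the thread, Comcast, or WordPress) that models the part of the CSS cascade that decides it. Among author-level declarations, `!important` beats normal; within each group a style attribute beats any selector; then higher selector specificity wins; then the later declaration wins. Rules in a shadow tree are a separate scope, so the host page's selectors never match there, which is the Shadow DOM mitigation. The model supports one compound selector of tag, `#id` and `.class` with no combinators, omits user-agent and user origins, and every class name and value in it is constructed.

```javascript
// Added example (not from the thread): a toy cascade resolver for one property.

function specificity(selector) {
  if (selector === 'style-attr') return [1, 0, 0, 0]; // inline style outranks any selector
  const ids = (selector.match(/#[\w-]+/g) || []).length;
  const classes = (selector.match(/\.[\w-]+/g) || []).length;
  const tag = /^[a-zA-Z]/.test(selector) ? 1 : 0;
  return [0, ids, classes, tag];
}

// Does a compound selector (tag, #id, .class parts) match the element?
function matches(selector, el) {
  if (selector === 'style-attr') return true;
  const tag = (selector.match(/^[a-zA-Z][\w-]*/) || [null])[0];
  if (tag && tag !== el.tag) return false;
  const ids = (selector.match(/#[\w-]+/g) || []).map(s => s.slice(1));
  const classes = (selector.match(/\.[\w-]+/g) || []).map(s => s.slice(1));
  return ids.every(i => i === el.id) && classes.every(c => el.classes.includes(c));
}

// Returns > 0 when declaration a beats declaration b.
function compare(a, b) {
  if (a.important !== b.important) return a.important ? 1 : -1;
  const sa = specificity(a.selector), sb = specificity(b.selector);
  for (let i = 0; i < 4; i++) if (sa[i] !== sb[i]) return sa[i] > sb[i] ? 1 : -1;
  return a.order > b.order ? 1 : -1; // later declaration wins a tie
}

// el: { tag, id, classes, inShadow, style: [{ property, value, important }] }
// pageRules / widgetRules: [{ selector, property, value, important }]
function resolve(el, property, pageRules, widgetRules) {
  // A page stylesheet cannot select elements inside the widget's shadow tree.
  const visible = el.inShadow ? widgetRules : [...pageRules, ...widgetRules];
  const candidates = [];
  visible.forEach((r, order) => {
    if (r.property === property && matches(r.selector, el)) candidates.push({ ...r, order });
  });
  el.style.forEach((d, i) => {
    if (d.property === property) candidates.push({ ...d, selector: 'style-attr', order: 1e6 + i });
  });
  if (candidates.length === 0) return null;
  return candidates.reduce((best, c) => (compare(c, best) > 0 ? c : best)).value;
}

// Constructed scenario from the comment: the host page hides .closebn with
// !important, the injected widget's own stylesheet tries to show it.
const PAGE_RULES = [{ selector: '.closebn', property: 'display', value: 'none', important: true }];
const WIDGET_RULES = [{ selector: '.closebn', property: 'display', value: 'block', important: false }];

function closeButton(overrides = {}) {
  return { tag: 'button', id: null, classes: ['closebn'], inShadow: false, style: [], ...overrides };
}
```

Running `resolve(closeButton(), 'display', PAGE_RULES, WIDGET_RULES)` gives `'none'`, and a plain inline `display: block` on the button still gives `'none'` because the page's `!important` outranks it; only an inline declaration that is itself `!important`, a generated class the page does not target, or rendering the button inside a shadow root comes back `'block'`.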

> Question to anyone on Comcast: does http://bnpsa.g.comcast.net/images/mydevicealert/browser/ resolve for you?

Nope, it does not for me. Non-existent domain.

That's the sort of domain I could very well see only resolving from comcast DNS, and them not propagating it anywhere else.


Server not found.

Ah, okay then.

This is the bit I find amazing:

> Comcast has my phone office number, my cell for texts, my email, and my home address, yet they choose to molest my requested web pages by injecting hundreds of lines of code.

[JL] The notice is typically sent after a customer ignores several emails. Perhaps some of those ended up in your spam folder?

So ignoring spam entitles you to this behaviour?

What he is saying is that they exhausted all other contact methods. If they stopped after the email and let the persons modem stop working, they would have likely been livid about that as well. Look, I don’t like Comcast any more than you do. But at some point, you need to recognize your biases when evaluating your enemy. I thought this was some nefarious attack based on the headline, but it’s just a critical system message that was thoroughly explained by an executive and you all are freaking out...

I sincerely disagree, especially as per the report Comcast's own second level confirmed there was no need to replace the modem. It was an automated advertisement done in a very not good way; Comcast's own billing system notifies you of just about everything else; you can forward your billing statements and other such information to other emails, why not this?

The reason everyone is freaking out is because they feel pretty darn strongly that the ISP should not be injecting code into webpages delivered, especially not in an automated way without some oversight. If this is to be a service, the bar for what is necessary for such information must be far higher than "an automated system decides it's time." We get into really scary territory just by doing this in the first place, but to use it for advertisements or basic maintenance? That is a misuse of such technology.

And no, I don't think people would be as livid as you suggest if the modem just broke; ISP modems are fragile little things, and it's not uncommon to go through them. I don't think I've had a single ISP where I didn't have to eventually, and the natural progression for each one (Comcast included) was:

1. I called the ISP

2. We did some test with support

3. Once we did the Speedtest / reboot song and dance, a new modem was issued that day.

This is expected; if I had asked for such a service from Comcast, this would be a different discussion entirely (an Opt-In service), but as it is, it's a pretty lame reason to suggest that Comcast needs to be able to inject data into pages I load.

And I rather liked Comcast for the year I had it - I wasn't keen on being on them since I would rather have been with our Municipal, but the place I was at was not yet in a service area for the municipal. More or less, even with my support and canceling experience, I was fine with the service I received. This would have upset me considerably.

> I sincerely disagree, especially as per the report Comcast's own second level confirmed there was no need to replace the modem.

I am skeptical of this - maybe we made a mistake in telling the customer that. The people that are sent notifications are carefully checked to match the EOL/EOS modem criteria or speed mismatch criteria and would not be sent otherwise. It is sometimes the case that a customer has recently upgraded their device but their old device remains provisioned and on their account (and needs to be removed), which sometimes explains this.

> It was an automated advertisement done in a very not good way;

It was not an ad - it was a request that the customer replace/upgrade their device. They can buy that anywhere, whether used on eBay or new on Amazon, etc.

> Comcast's own billing system notifies you of just about everything else; you can forward your billing statements and other such information to other emails, why not this?

We've been working to greatly simplify billing, as customers have told us for some time that we were packing too much info into those statements and it was sort of information overload.

> The reason everyone is freaking out is because they feel pretty darn strongly that the ISP should not be injecting code into webpages delivered,

Available alternatives are not great, such as using DPI everywhere, DNS modification (we use DNSSEC), or a walled garden (all service disrupted while in walled garden). These methods tend to be more costly and cause more disruption for customers. As noted elsewhere, we're working on better methods and part of that might depend on Internet-wide standards rather than something Comcast-specific (which is always my personal preference).

> If this is to be a service, the bar for what is necessary for such information must be far higher than "an automated system decides it's time." We get into really scary territory just by doing this in the first place, but to use it for advertisements or basic maintenance? That is a misuse of such technology.

It's not basic maintenance - that should always be transparent to customers. This is about moving to new technology from outmoded technology. A good example of a key concern for modem upgrades is that the vendor does not support it any longer and the software/hardware is 8 - 10 years old.

Well, thank you for the response, but I am not very satisfied with the answers.

The crux of disagreement is the method of delivery and the importance of the upgrade requiring this sort of injection. You write:

> Available alternatives are not great, such as using DPI everywhere, DNS modification (we use DNSSEC), or a walled garden (all service disrupted while in walled garden). These methods tend to be more costly and cause more disruption for customers.

I'm still not convinced as to why a phone call or an email would not suffice. What information is specifically being cited by customers as "information overload"? Why can this not simply be a notification as a part of the Xfinity main page? Why isn't an email that only has information on the EOL of a modem less obstructive than yet another pop-up for users who are trained to ignore pop-ups?

The case for an injection isn't really made simply because other intrusive methods are more intrusive; the presentation of the message itself is just more information in a sea of information, and the criticality of the issue isn't sufficiently justified either. This is not the appropriate way of communicating information that has no such urgency. It's a very nice thing to phase out modems that are EOL, sure, I will grant that. But the information is not so urgent that it needs to be delivered right now or injected into the webpage. That is not something the ISP should be doing, which I suspect is another point of contention that will be had.

The arrogance is unreal. Your difficulty communicating with your customers is not my problem. Keep it out of my website.

This is a perfect example of the culture problem at Comcast. You seem to have worked yourselves into believing that you're something other than a dumb pipeline. Now you feel entitled to stick your fingers into the content.

I suspect this mass-psychosis is coming from the top, and the need to move into higher-margin businesses. Keep your messages on xfinity.com.

> Available alternatives are not great

You admit alternatives exist, but decided to modify webpages anyway? Adding your own modifications to a copyright protected work (e.g. any web page) creates a derivative work. Generally only the copyright holder of the original work can create or authorize derivative works. Unless you have a license from the copyright holder for each webpage you are modifying, this is copyright infringement. Why did your legal department approve a plan that might make the company liable for up to $150,000 per work infringed?

> It was not an ad - it was a request

As a Comcast customer, I request you discontinue this injecting of javascript into webpages for ANY reason, unreasonably limiting an INFINITE RESOURCE and monopolizing localities so you are the only viable choice. This should not be the behavior of the largest telecom provider in the continental US. We deserve better.

Just a small note that as a customer I would prefer to be redirected to a notice hosted on your website so there is no confusion about the source of the notification. If I saw this pop up on a website I visited daily I would probably think it was spam and ignore it.

The problem here is that I've had the exact same thing happen, and zero attempt was given. The stupid part? My modem was not EOL, was a BYOM (bring your own modem) that had many years left before EOL. I'm pretty damn sure they're using this as a "first line of contact," not final.

(a) It's not critical, it's a marketing message.

(b) Pretty sure if the person's modem were to actually stop working, they would get in touch with their ISP.

Man-in-the-middle attacks by an internet provider are hacking and a breach of trust, and should be criminal in my opinion.

I hate to be too cynical, but in today's 'regulatory framework' it's easy to interpret this method of "notification" as merely a test to use for future notifications.

Not getting fast enough Netflix? Here's your message, injected every time you go to their site. Not getting the best search results? Try the new Xfinity search, it's faster and won't cost you the $.002 that Google search will cost.

This is a very slippery slope, and one that we're already sliding down thanks to Ajit Pai's FCC.

Expect to see more of this behavior from Comcast, as no amount of customer outcry can now prevent it.

From Comcast's RFC that's linked in the thread:

> R3.1.1. Must Only Be Used for Critical Service Notifications

> Additional Background: The system must only provide critical notifications, rather than trivial notifications. An example of a critical, non-trivial notification, which is also the primary motivation of this system, is to advise the user that their computer is infected with malware, that their security is at severe risk and/or has already been compromised, and that it is recommended that they take immediate, corrective action NOW.

Not only is Comcast trying to justify this awful practice, they picked one of the worst possible examples to do so. There is no set of circumstances under which a 'You have malware!' popup should be taken seriously.

"Comcast's Web Notification System Design" https://tools.ietf.org/html/rfc6108

"Must Only Be Used for Critical Service Notifications." [0]


> and is instead based in open IETF standards and open source applications.

Why did the IETF ever agree to standardize this? It reminds me of their standardization of Cisco's "lawful intercept" router backdoor protocol.



I guess this is what you get when the IETF literally has NSA agents as chairs of its groups.


You can publish any old crap. Microsoft's crappy file sharing protocol has an RFC. At least one of the ludicrous "IPv6 is crap, we should just use IPv4 but with bigger numbers" proposals has an RFC. [This can't work, the numbers in IPv4 are in defined bit-level structures, "just" having bigger numbers is nonsense without a new protocol]

From the IETF's point of view all this does is use up a few kB of storage in the RFC Editor servers, and hey, maybe someone will find it useful. It usually makes cranks or corporate types go away and stop wasting everybody's time.

If you're thinking "Wait, so how do I know if RFCs matter and I should care?" I have two answers

1. The pragmatic answer. If you're reading about an RFC because everybody does this and you need to do it too, then I guess it mattered after all. You can decide you don't care about RFC 822 and you'll use email headers starting with an exclamation mark and they'll be in the form of a list of headings and then a separate list of values. But your method won't interoperate with anybody else's, so you'll be talking to yourself.

2. The textbook answer. The IETF marks its Standards Track documents with their Standards Track status, e.g. "Internet Standard" or "Proposed Standard" (there are some legacy "Draft Standard" documents too).

These are only informational RFCs, which can be published by anyone.

>This RFC is not a candidate for any level of Internet Standard. The IETF disclaims any knowledge of the fitness of this RFC for any purpose

RFC stands for "Request For Comments". Some of them get turned into standards, but most are just the IETF equivalent of a forum thread. They're a way to start a discussion about a network engineering design.

Missed opportunity to call it "Comcast User Notification Technology".

I mentioned my reaction when I found this elsewhere in this thread: https://news.ycombinator.com/item?id=15890746

I've worked at Comcast too for a while as a consultant, and I think the problem is that they take people that were working in customer service and promote them to senior engineer roles and management roles. This is why they hire consultants when everything goes upside down. A lot of telcos do this, I've seen this in many datacenter environments with ISPs and telcos. You got guys making decisions that don't really have the background to be making those decisions.

> Why did you vandalize my car!?
>> Well you weren't responding to my emails, so...
> But you can't just do that!
>> No, no, it's fine. I've been doing it for years, and I've documented the practice right here.

Unfortunately, in the US and Europe at least most people will care about this and even get a response. I think 4-5 years back when I was in one of the cities in which MTNL is there in India, ads were being served in the same way on MTNL. They were injecting an ad serving pop-up on every page served on HTTP. The worst thing was it sometimes used to show some sketchy virus ads also. I complained about it multiple times, never even heard back from them.

It strikes me that the best way to combat this might be in the browser itself - intercept and remove the offending javascript (or better, redirect its execution into a walled sandbox where it thinks it's setting cookies and downloading code) and remove it from the main page viewing stream.
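As an added example of the client-side check suggested above, not code from the thread or from any browser or extension, the function below scans an HTML document for `<script>` elements whose `src` resolves outside the page's own origin and an allowlist of expected hosts, or whose inline body contains a known marker string, and returns the document with those elements removed plus a report of what was dropped. The sample HTML is constructed; the only hostname taken from the thread is `bnpsa.g.comcast.net`, and `mydevicealert` is used as a marker only because it appears in that URL's path. Regex-based HTML scanning is for illustration; a real deployment would hook the network layer (a local proxy or a browser extension's request interception) before the document is parsed, since inline scripts execute before a content script could remove them.

```javascript
// Added example (not from the thread): flag and strip unexpected <script> elements.

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
const SRC_RE = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// Resolve a src attribute against the page URL; null if it cannot be parsed.
function scriptUrl(src, pageUrl) {
  try { return new URL(src, pageUrl); } catch { return null; }
}

// Returns { cleaned, removed } where removed lists { src, reason } per dropped script.
function auditScripts(html, pageUrl, allowedHosts = [], markers = []) {
  const page = new URL(pageUrl);
  const removed = [];
  const cleaned = html.replace(SCRIPT_RE, (whole, attrs, body) => {
    const m = SRC_RE.exec(attrs);
    const src = m ? (m[1] ?? m[2] ?? m[3]) : null;
    let reason = null;
    if (src) {
      const u = scriptUrl(src, pageUrl);
      if (!u) reason = 'unparseable src';
      else if (u.hostname !== page.hostname && !allowedHosts.includes(u.hostname)) {
        reason = 'third-party src ' + u.hostname;
      }
    } else if (markers.some(mk => body.includes(mk))) {
      reason = 'inline script matches marker';
    }
    if (!reason) return whole;       // keep same-origin, allowlisted and unmarked scripts
    removed.push({ src, reason });
    return '';                       // drop the element entirely
  });
  return { cleaned, removed };
}

// Constructed sample document: one same-origin script, one allowlisted CDN script,
// one third-party script at the URL quoted in the thread, and one inline stub.
const SAMPLE_HTML = `<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.test/lib.js"></script>
<script src="http://bnpsa.g.comcast.net/images/mydevicealert/browser/"></script>
<script>window.__notice = true; /* mydevicealert injected stub (constructed) */</script>
</head><body>hello</body></html>`;
```

Calling `auditScripts(SAMPLE_HTML, 'http://www.example.test/page', ['cdn.example.test'], ['mydevicealert'])` keeps the first two scripts and removes the other two, reporting the third-party hostname and the marker hit. A site's own Content-Security-Policy does not help here, because an in-path injector that rewrites the HTML can rewrite the policy header just as easily; only transport integrity (HTTPS) stops the injection itself.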

You just needed to change to google DNS, which you would have to do anyway - AWS CloudFront doesn't resolve at all in some circles.

I had this happen to me recently when I hit 90% of my data cap from Comcast for the first time.

At first I noticed that all traffic was being hijacked to show me a full page message that I was at 90% of my data limit and to contact the Comcast Security Assurance team. It looks really scammy like those alerts from "Microsoft" that my computer is infected.

After clicking on the acknowledge link multiple times it wouldn't stop so I called the security assurance team.

While waiting on hold for 30 minutes it finally stopped but I was already irate. I had to argue with the rep because he told me that I could disable the web notifications and he finally found out that Comcast removed that option and he apologized that there was nothing he could do.

As a big ISP that stands to profit from the current FCC standpoint, Comcast is in the crosshairs of the internet community.

But if what has been said by all parties is true, I can't find significant fault with Comcast.

Here is the text of the "ad" (typed from viewing the attached image in the OP):

  Get ready, we're increasing Internet speeds in your area.

  Our records show that the modem you currently have connected to our network won't be able to handle these faster speeds, so we recommend updating your equipment.

  <b>Buy from a Retailer</b>

  Before you make your purchase, visit https://mydeviceinfo.xfinity.com to view a list of modems certified to work on our network with your speed tier.

  <b>Lease an XFINITY Modem</b>

  Call 1-855-242-2876 and we will send you a Self Install Kit

  <b>Equipment Update</b>

Seems appropriate and to the point. They tell the customer they can either go buy a modem from a retail store, or lease one from XFINITY. Hardly a high-pressure ad.

Injecting anything into a website makes me feel a bit dirty, but nobody has refuted Comcast's claim that other communication methods were tried first and that this was more of a last resort.

Speaking in general terms because I'm not involved deeply with DOCSIS, older devices are less efficient and generally use more spectrum(even in a cable, there are RF spectrum limitations) to deliver the same speeds. Customers using old devices that don't support the newer and faster standards reduce the total bandwidth available to all customers, increasing costs for both Comcast and its customers.

edit: fix formatting. HN needs a preview button.

It's most likely Comcast's own fault the other messages were ignored. They pollute every communication channel with marketing spam.

The Boy who Cried Wolf didn't have man-in-the-middle technology available but the lesson remains the same: if you want to be heard, shut the fuck up until you've got something to say.

I recall having this occur a while back. I do not recall receiving any email to my actual email address (maybe they used the comcast one?) nor my physical address, nor seeing any notification in the billing portal.

Let me just drop Comcast like a bad habit. Oh wait. I can’t. There’s not another provider in my area with similar speeds. So I’m screwed.

For my part, I'm quite happy with the not-Comcast I have at home, compared to the Comcast at my coworking space.

The nominal speed is 1/10 as much, but the actual difference in actual experience is much smaller, because the not-Comcast provider does a much better job of actually delivering on the speeds they claim to be selling me. It's really only a noticeable difference when I want to do something like download an OS install image. Which happens infrequently enough that, for me, going with Comcast would have worked out to something on the order of getting that image an hour faster for $200 per time I do it.

More importantly, not-Comcast stays up. The coworking space's Internet service is maddeningly intermittent.

I know and 90% of the web wants to give Comcast even more power to keep out competition by turning the Internet over to lobbyists.

90% of the web? Who specifically are you talking about? Is this big-startup-co or...?

Ignore their spammy emails? Per their VP, they are totally going to up their game and inject their "notifications" in your everyday Web traffic. https://twitter.com/jlivingood/status/939848009386549248

What I meant in the context of that exchange was that the notifications come only after for example multiple emails have not resulted in the device being replaced.

If it is truly critical, disconnect the device and use the disconnected landing page as your means of communication.

Anything else fails to meet the criteria of "critical".

If I buy a crappy 802.11b wifi dongle, are you going to inject JS too?

Most interesting part was the reply from the Comcast employee.

Yes, indeed it was. It's a fairly standard, unsurprising response for this situation; doesn't try to be defensive, doesn't try to provoke. [Edit: I'm horribly under-perceptive, after reading other comments I see I'm a bit off.]

But... this bit.

> ... [JL] This is our web notification system, documented in RFC 6108 https://tools.ietf.org/html/rfc6108, which has been in place for many years now. ...

Oh, interesting, what Internet technology are they using?

> "RFC 6108: Comcast's Web Notification System Design"

> February 2011

Cue jawdrop. My instinctive response was to WAT and think "this is not what RFCs were for..."

But then I read this part,

> Status of This Memo

> This document is not an Internet Standards Track specification; it is published for informational purposes.

> This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; ...


Reading through, this outlines a way to avoid using deep packet inspection by using Squid and Tomcat instead.

Initially when I read this my brain was sort of going in the direction of "this kind of thing is where the net neutrality repeal thing started..." but now I've spent a bit of time reading it I don't actually think my snap response was particularly on point.

This is a bit of a stream-of-consciousness but I wanted to draw attention to that RFC.

An RFC is not always a standard - often they are simply 'informational'. For us, when we wrote the document, it was a way to document as transparently as possible how the system worked so that folks would not need to speculate about it and for us to explain the rationale and alternatives considered. This seemed to me at the time far better than being evasive about it. And a request for comment is often a way to solicit exactly that - good comments (e.g. suggestions on alternatives). In this case, it has led in part to things like the IETF's new(ish) CAPPORT working group being created to develop a better Internet-wide standard for how to interact with so-called captive portals. See https://datatracker.ietf.org/wg/capport/about/ for more details and feel free to join the mailing list and contribute!


We've already asked you not to post snark or unsubstantive dismissals. We ban accounts that refuse to follow the guidelines, so could you please improve?


>Reading through, this outlines a way to avoid using deep packet inspection by using Squid and Tomcat instead.

Huh? It sure seems to be using deep packet inspection to me. If it's looking at the data section of your packet, that's deep packet inspection. And Squid and Tomcat do that. They're not just inspecting the packets, they're altering them, creating new packets, splitting packets, etc. The "RFC" seems to be outright lying by claiming they don't do DPI.


> Pre-established TCP sessions on port 80 are identified by the SMB and forwarded with no impact.

(SMB = Session Management Broker)

How does the system identify a "pre-established session"?

This seems to corroborate what you're saying

That part just requires looking at the TCP header. So I guess the answer is "no deep packet inspection until it picks a connection to inject, and then it inspects everything in that connection". Which simplifies to "yes deep packet inspection".
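The distinction drawn in the last few comments, header inspection versus payload inspection, is easy to show in code. As an added example (not code from RFC 6108, Comcast, or the thread), the block below parses the fixed 20-byte TCP header from raw bytes and classifies a segment as a fresh client SYN, a handshake reply, or part of an already established flow; that needs nothing beyond the transport header. Deciding whether a segment carries an HTTP request that could be answered with an injected page requires reading the application data, which is the deep packet inspection step. The sample segments are constructed in the block itself; checksum and urgent pointer are left zero.

```javascript
// Added example (not from the thread): TCP header parsing vs. payload inspection.

const FLAG = { FIN: 0x01, SYN: 0x02, RST: 0x04, PSH: 0x08, ACK: 0x10 };

// Parse the fixed part of a TCP header (RFC 793 layout) from a Buffer.
function parseTcpHeader(buf) {
  if (buf.length < 20) throw new Error('truncated TCP header');
  const dataOffsetWords = buf[12] >> 4;   // header length in 32-bit words
  const flags = buf[13] & 0x3f;           // low six bits: URG ACK PSH RST SYN FIN
  return {
    srcPort: buf.readUInt16BE(0),
    dstPort: buf.readUInt16BE(2),
    seq: buf.readUInt32BE(4),
    ackNum: buf.readUInt32BE(8),
    headerLen: dataOffsetWords * 4,
    flags,
    syn: (flags & FLAG.SYN) !== 0,
    ackFlag: (flags & FLAG.ACK) !== 0,
  };
}

// Session state from the header alone: no payload is read here.
function classifySegment(hdr) {
  if (hdr.syn && !hdr.ackFlag) return 'new-connection';   // client SYN: could be steered
  if (hdr.syn && hdr.ackFlag) return 'handshake-reply';
  return 'established';                                    // pre-existing flow: forwarded as-is
}

// This is the DPI step: only the application data can say whether it is HTTP.
function looksLikeHttpRequest(payload) {
  const requestLine = payload.toString('latin1').split('\r\n')[0];
  return /^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP\/1\.[01]$/.test(requestLine);
}

// Build a segment with a 20-byte header (no options) and an optional payload.
function buildSegment({ srcPort, dstPort, seq = 0, ack = 0, flags, payload = Buffer.alloc(0) }) {
  const h = Buffer.alloc(20);
  h.writeUInt16BE(srcPort, 0);
  h.writeUInt16BE(dstPort, 2);
  h.writeUInt32BE(seq, 4);
  h.writeUInt32BE(ack, 8);
  h[12] = 5 << 4;               // data offset: 5 words = 20 bytes
  h[13] = flags;
  h.writeUInt16BE(65535, 14);   // window; checksum and urgent pointer left zero (constructed)
  return Buffer.concat([h, payload]);
}

// Constructed sample traffic: a fresh SYN to port 80, then a data segment of the same flow.
const SAMPLE_SYN = buildSegment({ srcPort: 51000, dstPort: 80, seq: 1000, flags: FLAG.SYN });
const SAMPLE_GET = buildSegment({
  srcPort: 51000, dstPort: 80, seq: 1001, ack: 5001, flags: FLAG.ACK | FLAG.PSH,
  payload: Buffer.from('GET / HTTP/1.1\r\nHost: example.test\r\n\r\n', 'latin1'),
});

// What an in-path box learns from each segment, split by which bytes it had to read.
function inspect(segment) {
  const hdr = parseTcpHeader(segment);
  const payload = segment.subarray(hdr.headerLen);
  return {
    session: classifySegment(hdr),                                          // header only
    http: payload.length > 0 && hdr.dstPort === 80 && looksLikeHttpRequest(payload), // payload
  };
}
```

`inspect(SAMPLE_SYN)` reports a new connection and no HTTP; `inspect(SAMPLE_GET)` reports an established flow that is an HTTP request. A TLS ClientHello on port 443 is classified by the header the same way but never passes the HTTP check, which is why the system the RFC describes only touches port 80 traffic.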

Specifically the last sentence!

For those that haven't seen it:

Customer: "Comcast has my phone office number, my cell for texts, my email, and my home address, yet they choose to molest my requested web pages by injecting hundreds of lines of code."

Comcast Response: "The notice is typically sent after a customer ignores several emails. Perhaps some of those ended up in your spam folder?"

To me this sounds like a crazy ex-lover. "You didn't respond to my texts so I came to your house." No, Comcast, don't do that. They ignore your emails because you're trying to sell them something they don't want.

Here is the Twitter of the Comcast rep for anybody interested: https://twitter.com/jlivingood

And I bet that by "ignore" they mean "didn't allow remote tracking images in emails to be loaded therefore stopping us from knowing if, when and where the email was viewed".

I'm struggling to find it, but there was a article a couple of weeks ago about communities forming their own isps. It's beginning to seem very sensible

Anybody want to sue them for copyright infringement? I doubt they acquired authorization to make derivative versions of your website.

You have really pathetic law in the US. After something like that in Europe, the company managers would have really huge problems.

And in the US people seem to be happy about that. If they weren't, it would be changed.

No one is happy, but we have almost zero opportunity to effect change. Look at the FCC's deliberately crappy email campaign for responses on eliminating net neutrality. They won't even release the data to a state DA. Between gerrymandered districts and lock-step Republicans controlling everything currently, not to mention local monopolies by the biggest ISPs, our ability to effect change is virtually zero.

In the US, we have cities with higher populations than your countries. Lots of people care but their opinions are rendered meaningless by the millions of people who don't.

I wonder if a website could sue Comcast for copyright violation.

Unfortunately if this were to happen and it succeeded, the precedent would kill the Web Archive.


Not necessarily. Comcast derives from your work in order to exploit it for commercial purposes. Archive does not. A significant difference.

The Internet Archive is undoubtedly claiming fair use, even if you suppose the works they create aren't derivative works they are still creating copies of and distributing copyrighted material, which violates copyright law absent fair use.

How is it copyright violation?

If this is copyright violation, is it copyright violation of Comcast allowing you to download a file off the internet?

The argument is that it creates a derivative work. The right to create derivative works is separate to the right to distribute or reproduce the content, which is how Comcast is allowed to get the original website into customers' browsers.

Comcast are playing into this interpretation by adding their own license to the code they're adding.

Yeah, IMO this would be equivalent to a pass-through web-proxy that removed content (such as ads).

It would open a whole can of worms. What about adding MPLS headers to packets, or performing MSS clamping? Or what about the numerous physical layer protocols that add error correction? Or the consumer routers that have parental filters, ad blocking, etc.?

Putting a book into an envelope is not a copyright violation, and consumer routers don't redistribute to third parties.

Copyright is "all rights reserved" unless otherwise stated. By publishing a website, you don't give me the right to alter and re-publish it. Whether injecting ads into a website means a derived work was created would have to be found out in court I assume.

Or just enable HTTPS.

If my ISP were to try this I would sue them for

§ 303a Datenveränderung (German Criminal Code, "data alteration")

I love the Comcast representative's comment basically saying "we've been doing this for years, too late to complain now"

Vote with your feet if you can. Meanwhile, use a VPN.

https://github.com/jawj/IKEv2-setup https://github.com/trailofbits/algo etc.

How fucked up are we when we live in a society where this is not only dreamed up but actually believed to make sense and implemented?

Yes, it speaks volumes about Comcast, but it also speaks about the culture where Comcast exists. And even IF there is backlash from this, the whole idea that they might have gotten away with it is just absurd.

Comcast has been doing this for years and not just to push modem upgrades. They do it for their stupid WiFi app, too:

Scroll down this link slightly for a screenshot:


Imagine that you get a letter from a friend. In the middle of the letter is a strange paragraph praising the postal service's new product. You later learn that this was inserted by the postal service.

I'd argue that both you and your friend have been harmed by this and that the postal service should be punished. Their job is to deliver messages unmodified and uninspected.

Here, the friend is a web page and the postal service is the ISP. Same deal. Injecting content into a page defames (and possibly breaks) the site and deceives the requester.

(Yes, the site should use HTTPS to prevent this. And you should lock your house's door. But that doesn't excuse dishonest ISPs or burglars who take advantage when you don't.)

So how exactly is this not criminal?

They are not blocking, throttling, or interfering (in any way that harms functionality) with legal applications; in a nutshell, that is the 2015 requirement.

Now, if that Javascript happens to interact badly with some particular web page, then you could complain to the FCC as long as the 2015 rules remain in effect (which is more than a week, for what that's worth).

In a way it throttles. Let's pretend they included 4,000 lines of code in each website, or 1 gig of data. It also throttles the experience by taking up processor cycles to render the data. It harms functionality because the popup covers usable website area, and what was meant to function without closing a popup does not. It blocks screen real estate. I really hope someone makes a case.

I think I've sent an envelope. Digital envelope. They're the mail service. And they secretly mingle with it. That's illegal in my book.

I guess the EFF has tried this defense of our freedoms...

It's arguably a copyright infringement.

They’ve been doing this for at least 5 years.


Apparently the internet is too important to let Americans have it unfiltered. Let's face it - there are people who don't want to let us access the net directly, even though its importance for the public is incalculable.

Cox is also trying to sell new modems to its customers. Last year when I called Cox in California complaining about slow speed at prime time (6-9pm), the customer rep told me getting a newer modem would make it faster; I told her my modem is only 3 years old and asked her how a newer modem would make it faster. She could not answer that.

I think we should have a regulation that forces ISPs to post the average speed of their networks at peak time every time they advertise their theoretical network.

They're just business people trying to make a profit and the market will work to collectively accept or reject this practice, is that what they would say?

Would you make this decision if it doubled your salary?

I love making money, healthy forms of capitalism, fierce competition, and benefiting as a consumer from other companies competing.

But I'll not be a part of this for any job, not in a free country where there are so many opportunities to do better than this. No sir, I respectfully decline your offer.

Do they modify the CSP, or is it not an issue since sites that bother with a strict CSP probably use HTTPS anyway? https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

When folks are getting a new modem via this process, are they signing up for a new contract? What does that contract say, in reference to the issues that are going on with NN? Might this perhaps be a way to get people to sign new contracts in preparation for a change to NN being more favorable to the ISPs?

Mediacom does a little injection too. Mostly to warn you about something. Get a big red banner now and then. But that's just the visible stuff, so who knows?

I thought that was illegal. Like, it's editing somebody else's copyrighted work or something.

I'm concerned about inviting the Comcast evildoers to here for discourse. It feels like it normalizes what they're doing and sets a bad precedent. Guys like that should be blacklisted from tech, not invited in for tea and crumpets.

I dropped Comcast for a provider that doesn't do this, but given Comcast is a monopoly in many areas, I know this isn't a good option for everyone. But frankly, the only leverage we have over these people is how we spend our money.

This is (one of the reasons) why you should use HTTPS Everywhere and enable blocking of all unencrypted requests. This isn't new.

You're susceptible to even worse MITM attacks if you allow unencrypted traffic when using public wifi.

A family member got a letter asking them to change their modem but they are also saying that their connection speed slowed down... are they throttling older modems? (I didn't get a chance to do speed tests yet)

All the more reason for ISP competition. The government will be slow to (or just won't) police this behavior so the ideal is to enable customers to quickly replace awful service providers with alternatives.

> All the more reason for ISP competition

Agreed, and decreasing competition is one negative impact if pure net neutrality is enforced. Nobody is going to build out (or improve) an ISP infrastructure only to have Netflix/Hulu/Youtube suck up most of your bandwidth from 5PM to midnight local time, forcing you to continually expand your infrastructure on your own dime.

Google foresaw this, hence Google Fiber / Alphabet build-outs being stopped 14 months ago.

Does Comcast inject this code in https urls or just http urls? Since https transfer is encrypted I suspect the code injection can't be done. Can someone please tell if my reasoning is correct?

Yeah that's correct, they can't do it in https unless they did something with root certs, which would be 1000x more messed up (And that's saying a lot because this is already pretty despicable). At any rate if they were doing that browsers would revoke the CA.

Thank you, Derimagia.

BSNL- The state-owned broadband provider here in India does this regularly. They intercept HTTP traffic and redirect it to their plans page. The saddest part is no one really cares about this here.

Could Comcast hijack DNS and redirect https requests to a page explaining the issue with a button that lets the user go back to the site they wanted to visit?

Or do modern browsers mitigate that?

They could, but HSTS (https://blog.stackpath.com/glossary/hsts/) would largely mitigate it. They have a preload list in browsers too. But if a site wasn't using HSTS then yeah, they could do that. I don't think that's better per se.
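The CSP question earlier in the thread and the HSTS answer just above both come down to what a browser will and won't do on the strength of a site's response headers. The following is an added example, not part of the thread and not any browser's code: a deliberately simplified Python model of RFC 6797 (HSTS) and the CSP script-src directive, run over constructed header sets for a plaintext site and a hardened one. "notify.isp.example" and www.example.com are placeholder hosts; hashes and 'strict-dynamic' are not modelled.

```python
"""Model how HSTS and CSP headers limit in-path script injection.

Added example, not from the thread or from any browser's source: a
deliberately simplified reading of RFC 6797 (HSTS) and CSP script-src.
All header values below are constructed; "notify.isp.example" is a placeholder.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # minimum max-age the browser preload list accepts


def parse_hsts(value):
    """Parse Strict-Transport-Security; None if absent or max-age unusable."""
    if not value:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def parse_csp(value):
    """Parse Content-Security-Policy into {directive: [source expressions]}."""
    policy = {}
    for directive in (value or "").split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _host_source_matches(source, host):
    """Match a host-source such as cdn.example.com or *.example.com."""
    pattern = source.lower()
    if "://" in pattern:
        pattern = pattern.split("://", 1)[1]
    pattern = pattern.split("/", 1)[0].split(":", 1)[0]
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # needs at least one extra label
    return host == pattern


def csp_allows_script(policy, page_host, src_host=None, nonce=None):
    """Would script-src (or default-src) let this script run?

    src_host=None means an inline script. Hashes and 'strict-dynamic' are
    not modelled. No applicable directive means no restriction at all.
    """
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    quoted = [s[1:-1] for s in sources if s.startswith("'") and s.endswith("'")]
    nonces = {q[len("nonce-"):] for q in quoted if q.startswith("nonce-")}
    keywords = {q.lower() for q in quoted if not q.startswith("nonce-")}
    if "none" in keywords:
        return False
    if nonce is not None and nonce in nonces:
        return True
    if src_host is None:
        # A nonce in the policy switches 'unsafe-inline' off (CSP level 2+).
        return "unsafe-inline" in keywords and not nonces
    if "self" in keywords and src_host == page_host:
        return True
    return any(_host_source_matches(s, src_host) for s in sources if not s.startswith("'"))


def assess(page_url, headers):
    """Summarise what an in-path party could do to a page with these headers."""
    h = {k.lower(): v for k, v in headers.items()}
    url = urlsplit(page_url)
    plaintext = url.scheme == "http"
    # Browsers ignore an HSTS header received over plaintext (RFC 6797).
    hsts = None if plaintext else parse_hsts(h.get("strict-transport-security"))
    csp = parse_csp(h.get("content-security-policy"))
    foreign = "notify.isp.example"  # placeholder host for an injected script
    return {
        # On plaintext HTTP the in-path party rewrites body and headers alike,
        # so CSP gives no protection against it there.
        "body_rewritable_in_path": plaintext,
        # Header-delivered HSTS is trust-on-first-use: it protects later visits.
        "hsts_after_first_visit": bool(hsts) and hsts["max_age"] > 0,
        # Only the preload list protects the very first visit.
        "hsts_preload_ready": bool(hsts) and hsts["preload"]
            and hsts["include_subdomains"] and hsts["max_age"] >= ONE_YEAR,
        "csp_blocks_injected_inline": not plaintext and not csp_allows_script(csp, url.hostname),
        "csp_blocks_foreign_script": not plaintext and not csp_allows_script(csp, url.hostname, foreign),
    }


# Constructed header sets for the two cases discussed in the thread.
PLAINTEXT_SITE = {"Content-Type": "text/html",
                  "Content-Security-Policy": "script-src 'self'"}
HARDENED_SITE = {"Content-Type": "text/html",
                 "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
                 "Content-Security-Policy": "script-src 'self' 'nonce-d2hhdA'"}

if __name__ == "__main__":
    print(assess("http://www.example.com/", PLAINTEXT_SITE))
    print(assess("https://www.example.com/", HARDENED_SITE))
```

The plaintext case shows why the CSP question is moot for this injection system: whoever can rewrite the body can rewrite or drop the header too. The hardened case shows the two things that actually help, TLS plus an HSTS policy (ideally preloaded, since a header alone only protects visits after the first one), with CSP then limiting what any script that does get in can do.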

This behavior is the reason why I’m short on Comcast. They are creating space for an ethically centered company to compete on concerns having nothing to do with internet speeds.

FWIW, looks like this may be a service comcast uses: http://www.frontporch.com/

I was greeted with this injected advertising a few weeks ago and was floored. And yet here I am stuck in a contract, with no good alternatives even if I weren’t.

My friend has Comcast and I was absolutely floored when a bandwidth notification popped up on Stack Overflow.

We need to burn these monsters at the stake.

Comcast VP suit isn't helping his cause much on Twitter https://twitter.com/jlivingood/status/939248407562080261

Oh and of course he's also retweeting a lovely Net Neutrality tweet... https://twitter.com/feamster/status/938236691126636546

Jason Livingood: "This is a web notification system that presents an overlay service message for non-TLS sessions. Documented in RFC 6108 & in place for many years - https://tools.ietf.org/html/rfc6108 . In this case the alert informs customer of need to upgrade an end of life device."

https://tools.ietf.org/html/rfc6108 Comcast's Web Notification System Design

Yeah, cuz we're all supposed to know about rfc6108.. Guess I have some catching up to do on "Internet Engineering".

I am not a fan of Comcast, but this is a bit of a tempest in a teakettle. In over a decade of having their service, I have only seen them use this once, when my cable modem was nearing EOL and upgrading to a new modem that supported DOCSIS 3 (I think?) gave me a big speed boost. I probably wouldn't have looked at snail mail or email from them, so I appreciated it.

I guess there is a "slippery slope" argument to be made here, but in the current incarnation, this is innocuous.

Umm.. You should not be using HTTP to begin with. Everything else is the result of not using SSL for everything.

How can an ISP seriously do this? Is the random domain even aware that Comcast is injecting JS into their site?
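On the question of whether the affected site would even know: a site owner who fetches their own pages through an affected connection can compare what arrives with what they shipped. The following is an added example, not from the thread and not any ISP's or site's code: a small Python scanner that lists every script element in a page and flags those whose host is not the site's own (or allowlisted) and inline bodies whose SHA-256 is not one the owner recognises. The HTML is constructed, with "notify.isp.example" as a placeholder host for an injected script and www.example.com standing in for the site.

```python
"""Spot script elements a page owner did not ship.

Added example, not from the thread or from any ISP's system. The HTML is
constructed; "notify.isp.example" is a placeholder host for an injected
script and www.example.com stands in for the site being served.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ScriptCollector(HTMLParser):
    """Collect every <script>: its src (None when inline) and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}
            self.scripts.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._current = None


def find_scripts(html):
    """Return [{"src": ..., "body": ...}] in document order."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def unexpected_scripts(html, page_url, expected_hosts=(), expected_inline_sha256=()):
    """Return scripts that are neither same-site/allowlisted nor a known inline body.

    Comparing inline bodies by SHA-256 mirrors how a CSP hash allowlist works,
    so the same digests can later feed a real Content-Security-Policy.
    """
    page_host = urlsplit(page_url).hostname
    allowed = {page_host, *expected_hosts}
    findings = []
    for script in find_scripts(html):
        if script["src"] is not None:
            # A relative src (no host) resolves against the page's own host.
            host = urlsplit(script["src"]).hostname or page_host
            if host not in allowed:
                findings.append({"kind": "foreign_src", "src": script["src"], "host": host})
        else:
            digest = hashlib.sha256(script["body"].encode()).hexdigest()
            if digest not in expected_inline_sha256:
                findings.append({"kind": "unknown_inline", "sha256": digest,
                                 "bytes": len(script["body"])})
    return findings


# Constructed page: two scripts the owner shipped, two that were added in transit.
OWN_INLINE = "window.app = {ready: true};"
SAMPLE_HTML = (
    "<!doctype html><html><head>"
    '<script src="/static/app.js"></script>'
    "<script>" + OWN_INLINE + "</script>"
    "</head><body><p>Hello</p>"
    '<script src="http://notify.isp.example/overlay.js"></script>'
    "<script>/* injected */ document.body.insertAdjacentHTML('beforeend', '<div id=\"n\"></div>');</script>"
    "</body></html>"
)


def report(html=SAMPLE_HTML):
    """Scan the constructed page against the owner's own inline-script digest."""
    expected = {hashlib.sha256(OWN_INLINE.encode()).hexdigest()}
    return unexpected_scripts(html, "http://www.example.com/",
                              expected_inline_sha256=expected)


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

Run against the constructed page it reports exactly the two transit-added scripts. The same check is cheap to run from a monitoring host on an affected network, and the digests it produces for the owner's own inline scripts are the ones a hash-based CSP would carry.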

Can someone tell us if this is legal?

I wonder if this violates the CFAA if/when this gets run on a business's machine.

... And that is why you open https.

Crapcast. If only we in the US had more options, this kind of shit wouldn't fly too well.

Rogers and Cogeco both do this in Canada, as far as I remember.

Ya, I believe CA is in a worse position than the US (in terms of a competitive market).

Does the injected code count towards the data cap? If so there may be a legal case there.

Why are Comcast, Uber like companies trying to be evil? I really hate these.

Our local ISP Shentel does this as well, mostly for data cap alerts.

Let's Encrypt adoption will end this once and for all.

Why don't they use the Chrome extension uBlock Origin?

Ads from website owners are not new; what is new is ISPs injecting into other people's pages, and this sets a new precedent. It's a fundamental principle that was violated, so saying "just block it" is like saying people in China should just use a VPN... while a valid point, it's still an outrage to some people that a government/ISP would tamper with/block your traffic. Not trying to equate Comcast to China by the way, just using a metaphor.

Isn't this against the CFAA? Like Comcast is acting without / exceeding authorization?

This is why we need to get everyone to move to HTTPS ASAP.

WTF America continues to be an example to us all... of what not to do ;)

I shall keep up my vigilance against the telecom industry.

You take one packet from web server, you deliver a different one to the client. That's the definition of fraud.
