Comcast is injecting 400+ lines of JavaScript into web pages (xfinity.com)
999 points by CSDude on Dec 10, 2017 | 479 comments

I'm annoyed by this on several levels. The biggest issue is that I'm using an Arris SB6121 and I'm getting notifications that my modem is EOL. However, the SB6121 is listed as a supported modem for my speed level on their supported modems page.

If I go to their supported modem page, I literally get a page where my current modem is shown as not supported, and the exact same modem is shown next to it as "supported."

I'm calling Comcast, and if this isn't immediately resolved I'm filing a fraud claim with the Illinois attorney general. This is the third or fourth time I've had a supported modem that Comcast has claimed isn't supported, and I'm sick of jumping through hoops getting this resolved.

Every time this happens their customer service reps tell me that the only way to avoid this is to use one of their modems. I'm sick of this. What a terrible company. Fix your shit before you start injecting garbage into the websites I visit.

edit: Proof https://imgur.com/lzKBkMs

There is a reason they are doing this. After signing up for Xfinity I noticed that the modem we were leasing was broadcasting a public access point with no way to disable it. I purchased my own modem immediately. Then some time later they rolled out their mobile services, which, you guessed it, rely on those open access points and Sprint as a fall-back. So now customers are paying monthly to host Xfinity mobile services.

I will admit that it is clever, but this should be transparent and customers should not be subsidizing the cost.

So if they let themselves into your house while you were away and left a note on your dining table, you’d say there’s a reason they’re doing this?

There is not a reason to access and modify your private data. This is not some kind of out of band multiplexed signal, they are reaching into your applications and changing their behavior.

There are other ways to communicate with people you have a billing relationship with already in place.

My response to the parent comment was why they are forcing their modems on people, not regarding the JS injection, which I was equally horrified to see. There is a reason I keep JS disabled by default.

As far as I am aware, it is possible to disable the public 'xfinitywifi' hotspot on all Comcast modems which provide this feature (I had a stint as a TSR relatively recently). Further, I believe this is a user-configurable setting on all CC modems. I personally have this feature disabled on my Arris 1682G, and this should be their most common model in most regions.

I was told I could not disable their hotspot, nor could I set my own DNS servers. Since I kept having connectivity issues due to Comcast’s DNS being flaky, and not wanting to manually configure every client, I bought my own modem and wireless setup.

You can disable the hotspot and use your own DNS servers if you want. The ability to disable the hotspot is documented in the public FAQ (Google: "XFINITY WiFi Home Hotspots FAQs").

I've used my own DNS servers before. I have no problem making DNS queries to, and in fact I switched my PC to use it one time when Comcast DNS was down.

What's the point of giving Google instructions instead of just linking https://www.xfinity.com/support/articles/disable-xfinity-wif... ?

As the other person has said, they have a FAQ for disabling the hotspot. I additionally set my modem to bridge mode in order to use a more capable router. It does look like Comcast mandates the use of their DNS whenever possible, and I'm sure that I bothered to configure an alternative because of reliability issues as well.

The DNS issue was the clincher for me, but I followed their instructions for disabling it and it reappeared when the router was rebooted (not reset).

Overall, I’m rather happy with my current setup. I bought the most recent SB modem available at the time, got an EdgeRouter and a UniFi AP. Took a few minutes longer to set up than a Netgear or whatnot, but was able to use PoE to put the AP in a far better location (it’s actually under my sofa instead of the closet where all my wiring goes) and have had a far more reliable and customizable experience.

That's not enough. Defaults are a powerful thing -- the vast majority of customers won't go through the process to disable it.

Times ... change.

It took a moment to realise you didn't terminate and stay resident.

Apologies; I never used DOS enough to retain that acronym.

Apologies, I have ;-)

Tinfoil makes a great Faraday cage

This is where tin foil is a great tool. Comcast sees the wifi activated but no one can connect through the layers of metal.

This is where you should buy your own DOCSIS 3.0 modem which is a dumb L2 bridge with no NAT, routing or wifi functionality:

I would actually be fine with it - I'm pretty sure I am not using full bandwidth supported by my cable and I'd be fine for Comcast to use it for whatever they like, in exchange for free Wifi and stuff. But when they also want to charge me a fee for that, that's where it doesn't work for me. If you want to host your infrastructure, which you sell, in my home - why I should be the one paying for it?

Xfinity/Comcast's deal is with Verizon, not Sprint. The deal to allow Xfinity Mobile to use Verizon happened years ago. Doesn't change much or any reasoning, but Verizon is a lot better in terms of service area [and strength] vs Sprint.

Verizon has poor service in many places, eg Hawaii or when roaming up near the Canadian border. They still haven't figured out how to support international roaming reliably, half my family was w/o service for our few hours in Canada. Service in SoCal seems to be one of their last strongholds, but even then voice calls sound like a robot.

Verizon is far and away the market leader in international roaming and it isn't even remotely close. At least in my experience.

Source: Tried to get away from VZW for a decade now - international roaming always being the ultimate decider.

Curious who you've found to be better.

Verizon has always been that shit-tier company run by borderline criminals which happens to have the far superior network and hard product.

Took multiple support calls and 2 hours of our time to get their phones to roam in Canada, whereas the rest of us were up and running when we landed. Never mind, once we got their phones working, outbound calls still didn't work on iPhone or Android; it'd ring outbound and the other person would get the call, but the call would collapse on answering it.

Comcast using Verizon doesn't have that problem in Canada, at least the two times so far I've been there with their phones. Worked instantly and the prices are rock solid. Hate still having AT&T as my main provider when going anywhere outside America.

With the highest priced international Sprint service I had terrible connection in Paris several months ago. I would go 30 mins to an hour with no connection frequently.

At home (Boston, MA) Sprint is good enough to online game and stream at the same time. I lost my Comcast connection for several hours recently, and tethering to my phone resulted in less latency...

Edit: This is on Sprint's unlimited plan (around $50 a month for 1 line, $25 per line for 4 lines)

If RCN is available near you (I'm in Watertown), I highly recommend them. I was used to very frequent Comcast outages but haven't had a single issue with RCN after subscribing for almost two years.

Have you tried T-Mobile? They seem to have excellent coverage everywhere I go, which is mainly Europe. /And/ free (but slow) data.

T-Mobile works very well where I live (Uruguay), we have some company-issued US-based cell phones and they have very good connectivity.

Their voice quality on VoLTE is perfect.

> customers should not be subsidizing the cost.

Can you please explain to me how you think this is a thing? Are you really that concerned about the extra watt or so of power usage a virtual SSID uses?

Or are you operating under the misconception that this somehow impacts your bandwidth allocation?

It's by far the most innovative and awesome thing Comcast has ever done. And they get ultra-hate from people who should absolutely know better.

The single and sole complaint you could have here is spectrum utilization.

Except Comcast has data caps for total transfer per month.

I don't use Comcast so I do not personally know if they charge for excessive data usage, but I know Cox does.

Besides the point of potential cost, why should a user who is paying for the service subsidize Comcast? They are not getting a discount for offering the wifi to customers.

Funny enough, I tend to avoid these type of discussions because surprise surprise, I got downvoted and they didn't even answer the core question.

Why should a customer pay to add value to Comcast? They aren't getting a discount if they enable the service.

Do you know the public access point data is being attributed to customers' usage totals? Or does that just seem like the sort of thing they'd do?

Well, if it weren't I would connect everything I own to that guest access point and bypass my cap completely. Or perhaps the speed of that connection is very slow. But then it wouldn't be much use to other customers either.

When you connect to an 'xfinitywifi' SSID, you have to authenticate with your Comcast credentials. The usage is then tracked as yours, not whosever hotspot you hit.

Last I saw, this wasn't actually being counted vs. datacaps for either the roaming user or the host.

This works and you can do it today. You actually can get faster than your current service plan (assuming you aren't at the top tier already) if you have a Linux router you can set up for dual-WAN.

Last I played with it, I could get an additional 35-40 Mbps or so out of a typical 100/25 Comcast connection in my area.

The data used by other customers on Xfinity wifi does not count against your data cap.

> Except Comcast has data caps for total transfer per month.

For you. Not the public wifi network that is served before it hits your LAN. This is what I meant by my original post - there are tons of misconceptions on this.

Your rate limit is not affected either, at least not any more than it is by your neighbors who are on the same headend as you.

> why should a user who is paying for the service subsidize Comcast.

How is it subsidizing Comcast again? I just don't see this point; the only possible way you are subsidizing it is with increased spectrum usage (which is a valid point) and perhaps additional power usage, but we're talking pennies per year if it's even measurable.

Tower space? This sort of product wouldn't exist without it.

I think it's confusion on where customers think or feel the demarc is. The ethernet port on the modem is your demarc, not the cable entering your house. If Comcast did something to alter and/or impact traffic after

> They are not getting a discount for offering the wifi to customers.

Of course they are? You get access to everyone else running the same AP in their homes, so when I travel I don't have to worry much about broadband access. It's especially great at Airbnbs with broken internet: I can simply use the neighbor's Xfinity AP. It's actually an incredibly consumer-friendly thing we used to speculate on in the late '90s and early '00s when wifi was just starting to become a thing.

I do agree it should be something you can toggle in a user interface, but turning it off should remove your access from the Xfinity wifi pool. I also completely understand why it's not optional, due to the ignorance shown in the thread. Most consumers think that me torrenting on the xfinitywifi AP is somehow impacting their data cap and/or throughput. It's not, and even highly technical people continue to perpetuate this myth.

I'm about as anti-Comcast as they come, but this is one of the better, more consumer-friendly things any ISP has done, much less Comcast.

> Except Comcast has data caps for total transfer per month.

The extra access point doesn't count towards your data cap.

What are the odds the extra JavaScript / altered data packets are going towards a person's data cap?

jlivingood seems to be a Comcast employee, and he/she is saying that the leased one is no longer compatible.

FCC complaints are usually more effective. I've never dealt with one in the current shitty administration, but legally the FCC requires resolution within 7 business days, or at least a plan of action if resolution isn't possible for completion. I used to receive the emails, and all the people on an FCC chain put pressure on the lower levels.

I'll file a complaint with the FCC as well then. I'll probably file one with the City of Chicago too. Might as well put as much pressure as I can on them, because this is ridiculous.

I don't care if the issue is bureaucracy, incompetence, or greed, but I know filing lots of complaints with regulatory bodies generally solves the first and the third issue well, and motivates companies to fix the second issue too.

I'll second the FCC complaint route. A friend has an HD TV with a CableCARD.

Getting support after a while wasn't working (to be polite, he was getting the runaround), but the FCC complaint got their attention and got the issue resolved. This was with the previous administration, which was more sympathetic, but still worth a try.

I can confirm that Comcast responds to FCC complaints effectively. I used that route when they were my provider after a series of unhelpful technical support requests.

I'm skeptical that the current FCC would give a shit about this complaint since it reflects poorly on their supporter (an ISP.)

> I'm calling Comcast, and if this isn't immediately resolved I'm filing a fraud claim with the Illinois attorney general. This is the third or fourth time I've had a supported modem that Comcast has claimed isn't supported, and I'm sick of jumping through hoops getting this resolved.

You should talk less and file more.

Philadelphia, one of the most corrupt cities in the United States, had a very interesting character; at the time he was the Inspector General. Looked like Robbie Lewis from Inspector Morse. Quiet. Really nice guy. Bar none, he was the most feared person in the city. His motto was "It is never an overkill to use a nuclear weapon to kill a mosquito - it is an insurance policy. Mosquito dies"

Instead of going to the AG, I would recommend contacting the FCC. This prompts quick action and even just telling a Comcast rep that you're going to contact the FCC can be helpful.

Comcast makes it very difficult to get support if you don't lease one of their modems. Literally every time I call they insist that the problem is my modem, and of course it never is. All of my issues have been either outages or congestion-related, but Comcast reps can't fix the former and will never admit to the latter. So instead they blame your modem and ask for 10 bucks a month to lease a modem from them.

> edit: Proof https://imgur.com/lzKBkMs

If you look at the far right device you see a non-EOL SB6121. The one on the left that is EOL is the leased one, and the retail one is still allowed. I'm not sure if you have a leased device or retail device.

I had a purchased SB6121 that they wouldn’t let me move with 2 months ago. It’s not just leased ones. They will support it until you need to make any changes, then will make you use a “supported” one.

Is there any technical difference between the two?

Technically, one makes money for Comcast.

I own it, but Comcast often thinks it's one of theirs. It annoys me to no end. Obviously their inventory management stinks.

I had Comcast for a few years at my old house and bought my own modem. It was a no brainer, $80 for a modem vs $10/month to rent theirs. Well after about 2 years I got a bill saying that I owed them for rental of the modem. I called and fought with them. Even when I cancelled my service they kept asking for their modem back. Luckily, my new house is in an area that has Metronet fiber internet. I've switched and use them for internet and TV and love it. I've had zero issues so far (though it has only been 7 months)

Switch ISPs?

J. Livingood (a Comcast VP) responded to the OP:

> [JL] We are not trying to sell you a new one. If you own your modem we're informing you that it is either end of life (EOL) or that you are about to get a speed upgrade that the modem will be unable to deliver.

Incidentally, Livingood is a co-author of IETF RFC 6108, which he has conveniently linked. From the RFC's general requirements numero uno:

> R3.1.1. Must Only Be Used for Critical Service Notifications. Additional Background: The system must only provide critical notifications, rather than trivial notifications. An example of a critical, non-trivial notification, which is also the primary motivation of this system, is to advise the user that their computer is infected with malware, that their security is at severe risk and/or has already been compromised, and that it is recommended that they take immediate, corrective action NOW.

As composed as Livingood's response was, a modem at EOL and/or incapable of supporting an incremental speed upgrade doesn't strike me as critical. To be sure, Comcast is scheduled to increase speeds by 12/19 (at least in my region): 10Mb->25M, 25M->60M, 75M->100M. Although I disagree with Comcast's method and categorization, it would be interesting to learn what modem the OP was using.

It would also be interesting to learn if the OP received this message on multiple instances. If yes, it would be in violation of its own requirement--in particular, R3.1.8. User Notification Acknowledgement Must Stop Further Immediate Notifications, which itself is contradictory in its use of must and should:

> Additional Background: Once a user acknowledges a critical notification, the notification should immediately stop.

EDIT: Apparently, Livingood is an executive.

> Although I disagree with Comcast's method and categorization, it would be interesting to learn what modem the OP was using.

We start telling customers that a modem needs to be upgraded when one of two things happen: either they are about to or just had a speed upgrade that their modem cannot support or the modem has gone end-of-life (EOL) from the vendor.

In the former case, if the device is leased, you are sent a new one to replace the device and just have to basically say ok. In the latter case, it is a customer-owned device so the customer is asked to go buy a new one someplace (e.g. Amazon, Best Buy).

And in the EOL case, the vendor may have gone out of business or shut their cable modem business down, or otherwise decided to no longer support the device due to its age. That of course means that if a security issue came up, as they do, that the vendor would not be able or willing to provide a software fix for the device. So it's best to get the ball rolling to get those devices replaced when that occurs. Most of our EOL devices today are DOCSIS 2.0 devices (10+ years old), which can only do a single upstream and downstream channel (no channel bonding) and 1st generation DOCSIS 3.0 devices (5 - 8 years old).

First, thanks for participating.

Second, I am a Comcast customer who will never see these messages precisely because you do things like MITM unprotected traffic. Because I can't trust you to leave my traffic alone, all my traffic is tunneled.

So at the very least, if you feel this is a critical service you are offering (as implied by the RFC), you need an alternative communications channel for people like me who don't permit this one. Snailmail is fine; you try to upsell me constantly through that channel already.

I second this. In addition, the injection is not only related to EOS/EOL for modems; it is also for when you are approaching your data cap. Which is rather annoying because it actually can halt your gaming or Netflix experience oddly. I have had both happen; once I was playing PlayerUnknown's Battlegrounds and the game crashed. Since the game itself uses web-based tools for its menu system, upon restarting the client a Comcast-injected message popped up warning me I have used 90% of my data cap.

The same thing happened on Netflix ...

I think it’s funny you’re approaching your data cap and they add 400 lines to the size of each web page you visit. I hope pages they tamper with are subtracted from your cap.

This is exactly why Comcast is still the most hated company in America [1], and the only reason you have any customers is due to the monopoly deals of dubious legality you or your acquisitions bribed local officials to create back during the infancy of cable. We hate you, but we don’t have any choice.

It’s worth noting that government regulation created Comcast by allowing long-term monopoly contracts with municipalities. Remove the regulations which prevent competition in local internet and TV services; don’t add more regulations.

[1]: http://finance.yahoo.com/news/america-most-hated-companies-110032495.html

TBH what kind of game doesn't use HTTPS...

HTTPS is not free. Game developers are usually very performance-sensitive. If you're not transmitting any sensitive data, it may seem appealing to forgo the seemingly-needless HTTPS overhead.

Please cite your sources on the speed comparison. See: https://istlsfastyet.com/

Also, most games I have played seem to use HTTPS. The only time it is used is when the game does not need an instant result, in which case they use HTTP or HTTPS. Most of the time, this is in the main menu or similar. Doing this makes it even harder (assuming they use certificate pinning) for users to change the values returned to gain any advantage on their client.

Any part of the game that needs speed should be using a UDP based protocol.

If your game is executing JS (as in the example given by the GP), you are transmitting sensitive data. In that scenario not only confidentiality but, even more, integrity of the data is important.

They do say they try to email you a bunch of times first... Email seems like a decent enough alternate channel.

They emailed my Comcast.net address, which I didn't even know I had.

> They emailed my Comcast.net address, which I didn't even know I had.

I recommend you add your primary email address. You can do this via the self-service portal.

Go to https://customer.xfinity.com/#/settings/account under Account / Settings / Contact Information. IIRC you are sent a confirmation email you have to act on before it takes effect.

You should mark this day. This is probably the most positive customer experience you're going to ever have with a Comcast employee. I had a choice between Verizon and Comcast. Comcast was cheaper and I still went with Verizon.

Edit: typo.

OT question: Do you roll your own tunnel or use a service?

> Snailmail is fine; you try to upsell me constantly through that channel already.

Implying you’d probably miss it and, if not you, the customers they’re trying to reach.

Then they ought to stop abusing the communication channels they have. If they send so much email and snail mail spam that the customer automatically ignores it, that's the choice they have made.

What happens when a customer who really does have a modem that is vulnerable or outmoded runs into related issues? Is that customer going to accept "Well, we included it with our junk mail" as an explanation? As for email, does anyone use their ISP-provided email address anymore? Everyone has a third party provider (mostly Gmail).

I don't think there's any fault in logic in presuming that the best way to make sure a customer receives a notification is to insert as near to their known-active stream as possible. I don't condone altering that stream, but I think it would be nice if they could send a page, potentially at the browser or OS level, exclusive for system control and status messages (no sales, marketing, billing, or collection messages allowed).

I am so sick and tired of xfinity mailings addressed to me or my wife or former residents of the home address asking us to switch to them for a two year discount that I know they won’t give us because we’re already a customer. They even just jacked my rates yet again.

As a Comcast customer until ~6 months ago, I brought in a cable box they forced upon me as part of a packaged rate (cheaper than internet alone) once my contract ended.

I had tried calling customer service to see if they'd give me a new bundle but they told me they were only for new customers, so I switched ISPs.

Anyways, when I went in store to return the equipment, the guy I spoke to told me to not bother with phone support but to instead come in store or call him directly (he gave me a business card) since he can get existing customers bundled rates that the phone reps can't.

While I had the choice of ISP many don't, I'd definitely recommend going to a store location where you can talk face to face with someone in your area and see if you can't get a contract at a better rate than you pay month to month.

That is worth a try! Thanks. There is an XFinity Store less than 2 miles away from me. Never thought to set foot there.

Along the lines of this. Anyone in the industry, why do they not cross reference the street addresses of their current subscribers and reduce the promotional mailing list or mail relevant promotions? Maybe it seems cheaper to do it this way, but it's actually quite antagonistic to current customers.

Why would they not maintain a clean marketing list!?

Downvoting because of snarkiness. Your suggestion of an alt comm channel is good, however.

Downvoting because they weren't that snarky and because of your smugness. Your willingness to tell some one straight up why you downvoted them was good however.

Why am I smug? I totally agree with the premise and personally hate Comcast, but if _jal wants to be taken seriously by jlivingood, snarkiness isn't the way to go.

I don't mind the anon downvotes though, it's par for the course anywhere.

The ARRIS SB6141 [1] is a DOCSIS 3.0 modem which is considered EOL by Comcast. This device is still being actively sold by the manufacturer. It handles the maximum throughput of most Comcast plans. It's not 5-8 years old.

However, the supported device list [2] shows that it's still an allowed modem to use for e.g. a 200 Mbit connection. A user that's looking to purchase a modem isn't discouraged from getting one from Amazon.

Since Comcast considers it EOL, any interaction with Comcast support includes the stipulation that it's likely the modem that's causing the problem, and the customer will be liable for a surcharge if a technician decides it's the modem causing a problem.

For a brand new modem, purchased from Amazon right now.

There seems to be a disconnect between EOL for the purpose of leasing a modem and EOL from the vendor.

[1] https://www.arris.com/surfboard/products/cable-modems/sb6141...
[2] https://mydeviceinfo.xfinity.com/device/arris-sb6141-336

Thank you so much for participating in this discussion! Frequently having people like you who are actually involved in what's being discussed is part of what makes HN special to me and many others.

As another comment points out though, I'd also like to understand why it was decided to communicate by injecting JS into pages people are visiting rather than following a more traditional communication channel like snail mail. I assume that this solution scales better and has immediate $ attached. However, it also seems obvious to me that it reinforces brand image and political issues people have with your company.

I mean, I get calls on my cell phone from them. That would be a good thing to call about I would think.

Yup, you may get a better attach rate at the cost of absolutely destroying any customer trust.

As an (unwilling) Comcast user, I purchased my own modem because your rental rates are preposterous. However, I wish I didn't have to think about this at all. If you force me to upgrade a modem I've purchased, I'll be very annoyed by the unanticipated cost.

I get that's problematic for your modernization efforts, but in that case: eliminate modem rental fees. Bake the fees into the standard cost of the service and don't let customers use their own equipment. I understand that non-cable competitors don't have this cost to shuffle around, and that this will mean you are forced to either A) raise prices publicly or B) have lower margins. That's your problem because of your technology legacy; don't pass the misery on to the customer.

While you're at it, offer two hardware choices: one with, and one without routing/wireless. I refuse to run a wifi network in my household for your other customers and expect complete control over my LAN configuration.

On the topic of injection: I get that you don't think it's immoral, but hey, 1) most people who understand it think it is totally unacceptable. And 2) the window for this approach is rapidly closing for you as the web moves to SSL everywhere. Give up on this approach now and save face.

> I get that's problematic for your modernization efforts, but in that case: eliminate modem rental fees. Bake the fees into the standard cost of the service and don't let customers use their own equipment.

I love how it's in the interests of public companies to brag about how successful they are. When I see a comment like this, I like to check out the most recent 10-K. According to Comcast's stated figures, they made $8.7 BILLION last year. So, they're doing pretty well. Now, obviously, they can't just give the modems away, but if they would at least STOP BILLING THE CUSTOMER for a leased modem after their costs have been recouped, that would be a HUGE public-relations win.

If we all could buy the modem of our choice, over time, say, amortized over the length of your contract, and then RELIABLY stop getting billed for it, I'd LOVE to just buy it through them. I'd argue that the reduced support costs for NOT BEING RENT-A-CENTER JERKS about the modems would save them a lot of money in the long run.

As a web developer this feels like an absolutely terrible practice. I have to support contracts for website performance, quality and behavior with clients and you could be putting us in breach. If I got a bug report of unexpected ads popping up, we'd probably waste thousands trying to figure this out.

Exactly. The first thing I thought about when I saw this was the implications of having JavaScript that has not been tested in the context of a website running. You have no clue how it will conflict.

As a website owner you should have the right to verify all code that will run on your website to be sure that it won’t cause issues since only you have the context needed to make that call. What if there’s a global DIV selector that hides the close button, the website visitor is screwed! And they’ll just think it’s a problem with your website.

One more note: there are way better ways to do what they’re trying to do. Even with how terrible iframes are, they prevent CSS and JavaScript conflicts. A simple position: fixed div at the bottom of the screen containing an iframe seems more appropriate. If you are going to run code on my site, make sure it’s as small as possible. This could have been accomplished in 2 lines of code (excluding the iframe host).

I’ve had to patch against this in the past when it turned out my system was breaking for a set of users whose company was installing a browser extension that injected JS that broke the app. Never did find out exactly what it did, but I worked around it by fixing the progressive enhancement to work properly in the context of broken JS as well as no JS.

You can avoid this by using HTTPS.
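The web-developer concern above (unreviewed script running in your page) and the HTTPS remedy are easiest to reason about by comparing what the origin sent with what the browser got. The following is an added example, not code from the thread or from Comcast: it parses two constructed HTML documents and lists the `<script>` elements present in the received copy but absent from the origin copy, which is exactly what an on-path injector adds over plain HTTP (the `alerts.example` URL is a placeholder).

```python
# Added example (not from the thread): list <script> elements that appear in
# the HTML a client actually received but not in the copy the origin served.
# Both documents below are constructed; "alerts.example" is a placeholder.
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect every <script> element as a (src, inline_source) pair."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._src = None   # src attribute of the script being read, if any
        self._buf = None   # inline source being accumulated; None outside <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data in CDATA mode,
        # possibly in several chunks, so accumulate until </script>.
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.scripts.append((self._src, "".join(self._buf).strip()))
            self._src, self._buf = None, None


def collect_scripts(html):
    """Return [(src or None, inline source)] for every script in the document."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def injected_scripts(origin_html, received_html):
    """Scripts in received_html that the origin did not send.

    Comparison is by (src, inline source), so a re-ordered but otherwise
    identical set of scripts is not reported as injected.
    """
    baseline = collect_scripts(origin_html)
    return [s for s in collect_scripts(received_html) if s not in baseline]


def injected_line_count(origin_html, received_html):
    """Total lines of inline JavaScript that were added in transit."""
    return sum(len(src.splitlines())
               for _, src in injected_scripts(origin_html, received_html) if src)


# Constructed sample: what the origin served ...
ORIGIN_HTML = """<html><head><title>Shop</title>
<script src="/static/app.js"></script>
</head><body><p>Welcome</p></body></html>"""

# ... and what the browser received over plain HTTP, with two extra scripts
# (an external loader and an inline snippet that draws a notice into the page).
RECEIVED_HTML = """<html><head><title>Shop</title>
<script src="/static/app.js"></script>
</head><body><p>Welcome</p>
<script src="http://alerts.example/notice.js"></script>
<script>
var notice = document.createElement('div');
notice.textContent = 'Your modem is end of life';
document.body.appendChild(notice);
</script>
</body></html>"""

if __name__ == "__main__":
    for src, inline in injected_scripts(ORIGIN_HTML, RECEIVED_HTML):
        print("injected:", src or "<inline, %d line(s)>" % len(inline.splitlines()))
    print("added inline JS lines:", injected_line_count(ORIGIN_HTML, RECEIVED_HTML))
```

Over HTTPS the two documents are the same by construction, since an on-path party cannot alter the body without breaking the TLS session; the comparison is only useful as a diagnostic for pages still served over HTTP.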

So many tickets with status "unable to reproduce" ugh

You should not interfere with a customer's traffic they are paying for. If you need to contact them for a critical issue, then call, email, or snail mail. You risk disrupting their experience, and in some cases the customer may not even be able to receive your critical message. Does your JS injection work for customers who have JS disabled?

You have our phone number. You have our address. Use them! Do not MITM our connections, that's a huge violation of trust. This is NOT okay. Any response other than "we're terribly sorry, our engineering team is rolling this back on Monday" is the wrong response.

Can you discuss why DOCSIS 3.0 users get this notice? I have a 3.0 modem, and received the notice, but it looks like my modem will still support my speed tier (75Mbps in Chicago).

A 4x4 channel 3.0 modem should really only be used for ~75-100Mbps tiers, and is capable of at best 150Mbps. The more channels you have available the more capacity you can pull from — higher peak speeds and potentially better speeds at peak time.

It usually means you are about to get a speed upgrade that will go beyond what your modem is capable of delivering. In that case it is possible you could have a 1st generation 4x4 modem (so it can bond 4 downstream and 4 upstream channels).

Comcast does not provide any speed on residential lines that DOCSIS 3.x cannot accommodate. It is like requiring a Formula car to drive on a gravel road in Alaska.

Different modems can use different numbers of DOCSIS channels. A 4x4 DOCSIS 3 modem is only capable of, at most, 150Mbps and on average 75-100Mbps. A new DOCSIS 3.1 model can do >1.2Gbps.

Yeah, no.


3.0 spec does up to 1.2Gbit/sec, just like Comcast. You know up to 200Mbit/sec, which is more like 20 because of all the "extreme complexities of the internet service".

DOCSIS 3.0 supports 38Mbps per channel, which is in the table on Wikipedia. Not every modem is capable of 1.2Gbps. The fanciest modem out there is 32 channels, which gets to your theoretical 1.2Gbps. If you have a 4 channel modem and expect consistent speeds of more than 100Mbps, you are SOL.

I wonder if your customers would be happy enough without the speed upgrade if they weren’t wasting bandwidth downloading code they never wanted to run in the first place

Does Comcast's implementation of this system respect Cache-Control: no-transform as specified in RFC 2616?
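An added example, not code from the thread or from Comcast, of the two checks the comments above ask for: whether a response carries the `Cache-Control: no-transform` directive (RFC 2616 §14.9.5, carried forward in RFC 7234), and whether a page as received on a client contains script tags the site owner never shipped. It assumes the owner keeps an allowlist of expected external script URLs and hashes of expected inline scripts; the HTML documents and header dictionaries are constructed samples, and all function names are this example's own.

```python
"""Flag scripts a site owner did not ship, and check for no-transform.

Added example (not from the thread). Assumes the site owner builds an
allowlist from the page as served by the origin, then compares it with the
page as received through an intermediary.
"""
import hashlib
from html.parser import HTMLParser

# Constructed sample: the page exactly as the origin server sends it.
ORIGINAL_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.__appConfig = {"env": "prod"};</script>
</head><body><p>hello</p></body></html>"""

# Constructed sample: the same page after a transforming proxy appended
# one external script and one inline script.
MODIFIED_HTML = """<html><head>
<script src="/static/app.js"></script>
<script>window.__appConfig = {"env": "prod"};</script>
</head><body><p>hello</p>
<script src="http://proxy.example/notice.js"></script>
<script>var injectedNotice = true;</script>
</body></html>"""


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and SHA-256 hashes of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline_hashes = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            # No src: the body that follows is the script itself.
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip().encode("utf-8")
            self.inline_hashes.append(hashlib.sha256(body).hexdigest())
            self._in_inline = False


def collect_scripts(html):
    """Return (external_urls, inline_hashes) found in an HTML document."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline_hashes


def build_allowlist(origin_html):
    """Allowlist built from the page as the origin serves it."""
    external, inline = collect_scripts(origin_html)
    return set(external), set(inline)


def find_unexpected_scripts(received_html, allowed_external, allowed_inline):
    """Scripts in the received page that are not on the allowlist."""
    external, inline = collect_scripts(received_html)
    bad_external = [s for s in external if s not in allowed_external]
    bad_inline = [h for h in inline if h not in allowed_inline]
    return bad_external, bad_inline


def has_no_transform(headers):
    """True if Cache-Control carries the no-transform directive.

    Header names are matched case-insensitively; directives are split on
    commas, so 'no-cache, no-transform' is recognised.
    """
    value = ""
    for name, val in headers.items():
        if name.lower() == "cache-control":
            value = val
    directives = {d.strip().lower() for d in value.split(",")}
    return "no-transform" in directives


if __name__ == "__main__":
    ext_ok, inl_ok = build_allowlist(ORIGINAL_HTML)
    print(find_unexpected_scripts(MODIFIED_HTML, ext_ok, inl_ok))
    print(has_no_transform({"Cache-Control": "no-cache, no-transform"}))
```

The header check only tells you whether the origin asked intermediaries not to transform the response; the directive is advisory, and an intermediary that rewrites HTML can also drop the header. Comparing the received page with the origin's allowlist from a client behind the ISP is what actually shows whether something was added, and serving the site over HTTPS is what prevents it.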

You explain why it is important to notify about their EOL modems, but you fail to explain why this, of all options, is the appropriate communication channel.

At the very least, you have customer addresses. You should also have phone numbers and email addresses. If you have a way to bill customers, you have a way to contact them.

Injecting JS into HTTP sites is disgusting. It violates both the user's and the site's expectations and is entirely unnecessary.

All that may be true.

There is no ethical excuse to ever inject code into a webpage.

Your own argument about it being critical is false or sophistry. If there were wildfires coming to burn someone's house down... that might qualify as critical. Not this, and deep down you know it.

You should be embarrassed to attach your name to such an obviously poor decision.

Treating anyone this rudely is a bannable offence on Hacker News. Please take the civility requirement more deeply to heart (https://news.ycombinator.com/newsguidelines.html), and please don't do this again.

If a fellow community member has a first-hand involvement with a situation under discussion, such as working for a company that some people are mad at or does some wrong thing, we're all responsible for reacting responsibly. Otherwise bad things happen, such as first-hand observers being scared to post because they'll get lashed out at, and the already-weak community bonds we have here getting weaker. We all know what the culture of online shaming has led to and it's all our job not to do it on HN.

Ok. You're right, that last line was not necessary.

> We all know what the culture of online shaming has led to and it's all our job not to do it on HN.

This is, in and of itself, a blaming statement. Blaming statements, such as the one contained in the comment you replied to, are a result of a) dissonance and b) inability to resolve the dissonance.

It is, in fact, unknown what the culture of online shaming has led to in our society. In fact, I'd hazard "shaming" online is actually just raw blame provided by some rationalized thought process driven by Internet interactions themselves, not the people reacting. See This Video Will Make You Angry on YouTube for context. Screwing with people's Internet in contextually what could be considered "wrong" behavior becomes highly polarizing. In as much as someone coughs because they smoke, people blaming is a result of a larger problem, perhaps related to the fitness of memes and some people's weakness in being hacked emotionally by memes with higher sophistication. Again, that problem is noted by the dissonance and inability to resolve it, but the behaviors emerging from those who are "infected" by the thoughts are not exactly theirs to bear alone. We blamed the tobacco industry for smoking. Why can we not blame the employees who are providing the rationalizations for bad behavior? One might argue that they shouldn't be blamed because they have no choice in the matter. It may be their job to argue otherwise for the company.

The irony here is that the vast majority of the denizens of HN are likely responsible for creating most of the "mess" we're in today by writing software without considering the long term effects on consciousness and perception of reality. That "mess" would be defined as means, by algorithms or neural networks, to attempt to exploit weaknesses in human nature to spread others' beliefs in an unnatural way. Growth hacking. In some cases, like Comcast, those beliefs are rooted in sophisticated rationalizations which sound good when limited in scope. But! I don't care what anyone says about it, changing the content of a page which, when requested from one place returns one thing and when requested from another (which one pays for, I might add) returns another thing entirely is a violation of TRUST. At least it is to me. I like consistency in my data.

If one of the "members" of this group we call HN wants to make a blaming statement against someone who is defending this irrational logic, then I say let them blame! How else are we to uncover the dissonance and solve it? Or, perhaps, that dissonance is desired to be left in place by our complicit behaviors trying to be "nice" to each other.

I've suggested before social media sites could benefit from a "this is a blaming statement" flag on articles or comments. I stand by that assertion today. Logging back out again. Thank you for all the hard work that goes into running this place.

Indeed. Whoever thinks this is fine would probably also be okay with the telephone company injecting jingles into your phone conversations every 30 seconds.

Don't give them ideas... this comment was brought to you by Inject-o-Matic Marketing services

Oh, how I do wish there were a WP:BEANS equivalent for reality. Thing is, you know it's already a thing somewhere.

I think the mindset is that at least he’ll be embarrassed on his yacht. Short of that thinking, you’d have to assume a few solid layers of cognitive dissonance.

There is no ethical excuse to ever inject code into a webpage.

...unless it's for adblocking...

Although I do that with a MITM proxy locally (and thus filters everything on my LAN), it would certainly lead to a very interesting situation if an ISP decided to do it...

I mean, the end-user who requested the page certainly has a right to voluntarily inject script into the page they requested as it is rendered in their own browser running on a machine they own connected to an upstream internet provider they pay for access? Nice try at false equivalence however.

What "false equivalence"? I was just pointing out an exception to the statement "There is no ethical excuse to ever inject code into a webpage".

It's false equivalence because you (and everyone else) knows that the case of an end user injecting script into a page on the receiving end of the connection is not the scenario under discussion, and is not the behavior that the rule implied by the earlier comment would be intended to prohibit. If the comment was tongue in cheek then I have misunderstood you and withdraw my objection :).

If only there were some way to notify your users that wasn't so scummy... like via email or regular mail

Regular mail, yes. Email, though, is largely just a waste of time.

Way too much non-spam disappears down overeager spam filters, which most people only check if they are specifically expecting some particular mail and it does not show up as expected--and even then many won't check their filters.

An ISP could white list their own mail in their spam filters but that would only help with the customers who use their ISP provided email. A lot of people use third party email providers instead and never use their ISP email.

I find the reverse is true. My USPS mailbox receives daily credit card application forms, electoral flyers, catalogues, etc. I also get frequent mail from Comcast but they are _all_ bullshit ads, trying to hoodwink me into cable TV. I don't open them anymore, they just go in the bin.

I will at least _glance_ at my email.

They could sign their messages? Also needs users to have an easy-to-use MUA that handles signing and shows "this is genuinely from your ISP unless they/you've been hacked".

For critical service info I'd want SMS personally, from a verified number with a link on the company main domain to verify the info.

In the spirit of efficacy, browser injection may have a better response rate than email. Taking this to its next logical step, surely showing up in-person at your door is even more effective.

Is that the idea here?

Or does this efficacy come at some cost (namely, the sentiment behind this thread)?

With all the junk mail I get from my cable company about "upgrading" my service to include some crap I don't want, I would think they could find a way to slip in a "hey, your modem's busted" notice.

So they print Important Plan Information on the envelope.

Time-Sensitive, Open Immediately

You know it's actually an important piece of mail when the envelope isn't imploring you to open it.

The most serious snail mail correspondence is utterly and completely plain.

On the from line - Office of Legal Counsel...that’s getting opened.

But you probably wouldn't read it, because lots of people don't read their email (at least partially because of the junk).

Yes, but if you don’t get the speed Comcast promises you, and you paid attention to that, then you’d call them up, and find out that way.

More work, but way less scummy.

regional monopolies have never cared about scummy behavior.

And I'm more likely to read a pop-up?

Maybe in the bill? Or online bill notification?

I don't know what's worse: the straw man attempt at arguing efficacy while focusing on the weaker of two suggested options, or the (presumably) unscalable slippery slope of dispatching personnel to a customer's front door.

In either case, the argument does not address the fact that customers recognize unsolicited packet injection as unacceptable ISP behavior. Without support metrics, we can argue all day about the efficacy of one method of delivery over another, but the fact remains that no sensible user would perceive e-mail and/or post of official notice from their ISP as overtly intrusive. With as much internal advertising as Comcast distributes amongst its existing customers, it blows my mind that official notice generated from boilerplate and delivered via snail mail would fail to achieve the intended goal.

To be sure, your pre-edited comment:

> Surely showing up in-person at their door must be an even more effective "reminder" than the browser injection! Is that next?

Time Warner did show up at my door when they updated their speeds. I thought it was strange, and asked him to have Time Warner call and schedule a time, but it worked. He was going door to door.

It was noted in the thread that other attempts are made first.

Stop trying to rationalize it; this is not OK, period. If you can't reach your customer via his contact information, too bad, consider him a lost cause. And if it was something critical resulting in the customer's loss of Internet access, you can bet he will contact you then, if he cares.

Off topic to this post but can you confirm any details on your company's intentions following the dismantling of net neutrality?

Wait wait WHAT?

This standard seems like a terrible mistake. Isn't this exactly what malware creators want? To condition users to click the browser pop up that says "YOUR COMPUTER IS INFECTED WITH MALWARE, CALL THIS NUMBER/INSTALL THIS HORRIBLE THING TO FIX IT?"

Why on Earth would anyone issue a standard that says that ISPs should deliver that kind of notification, thus training consumers to believe them?

IETF RFCs are not "standards" in the sense that you are thinking. The RFC process is deliberately designed to be open to submission from anyone, and there is no particular vetting or consensus forming that happens.

When used by practicing engineers as a low-overhead way to document interoperability requirements for working software, it's been fantastically successful. But it also lends itself to this kind of pseudo-fraud "standardization" by less ethical players.

Bottom line: an "RFC" means nothing per se. What matters is whether the community wants to support it. So RFC7540 is an important standard everyone agrees to support. RFC6108 is garbage.

They're the ones who issued the standard. https://tools.ietf.org/html/rfc6108

Just to be clear. This is not an IETF Standard that has gone through the standards process. It is an "individual submission" published as an informational document. The IETF does not endorse documents classified as "informational."

I don't care if it's critical or not, I don't care what the issue is, a carrier should not inject code into a webpage it serves, PERIOD. I didn't knowingly opt into this, and I don't have a feasible alternative where I live. This should NOT be allowed, it's a security and privacy risk, and who knows what that JavaScript is actually doing or what vulnerabilities it opens up for malicious advertisers whose scripts are also on the page.

This should be ILLEGAL, I don't give a crap about "getting the government out of our lives", well guess what, they need to step in and prevent these slimy "business" practices from happening or punish the corporations trying to exploit their captive audience.

I think it's amazing Comcast documented their MITM attack as an RFC. Are those still literally Requests for Comments? Are the comments collected anywhere?

Just because they have an RFC doesn't make it a standard, or socially acceptable. Anyone can submit an independent RFC.

Unfortunately the word 'RFC' has been corrupted from meaning exactly that, a publishing forum for ideas, into a pretty asinine form of technical marketing whereby you can publish an informational outside any normal consensus process and assume the sheen of standardization. That started happening 2 decades ago.

RFC 6108 is from 2011, last revised 2015, and marked as informational, which I think means there's no review & comment... But I'm not sure about that.


Huh? Not even close to wildly OT. The RFC was mentioned above.

"What is an RFC?", "What happens to the comments?", OK a specific RFC is the topic but it's like asking "What is the internet?". https://en.wikipedia.org/wiki/Request_for_Comments is a much more appropriate resource for that level of question IMO.

Right, ok so we're in a discussion about what "wildly" means :). IMO the RFC was mentioned, so a simple link to the wiki article would have been a polite reply.

> As composed as Livingood's response was, a modem at EOL and/or incapable of supporting an incremental speed upgrade doesn't strike me as critical.

Exactly. And the response, "we're not trying to sell you a modem, we're just encouraging you to strongly consider buying a new one" is such a hair-splittingly asinine response considering the rather serious breach of trust posed by the notification system.

> And the response, "we're not trying to sell you a modem, we're just encouraging you to strongly consider buying a new one"

Making up quotes like this is against HN guidelines (and common decency).

My "quote" isn't significantly different from what was actually said, in fact hews extremely closely to it, and is designed for rhetorical purpose of making clear how small a distinction is being relied upon in order to claim the statement is something other than a request for you to buy a new modem.

Moreover there's nothing in the guidelines about "making up quotes" (which again isn't a reasonable interpretation of what that is), whereas there are actual, explicit guidelines against addressing yourself to unreasonably interpreted versions of other people's comments.

Making up a weaponized quote that's close to what was originally said is actually worse, because then it's harder for passers-by to tell apart and more injurious to the original statement. By 'weaponized' I mean altering it to sharpen the point for indignation or snark purposes. It's a harmful internet practice that we've asked users to abstain from.

You're right that it isn't explicitly mentioned in the site guidelines, but those aren't a list of proscribed behaviors but a set of values to internalize. I'd say "Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize" covers this case pretty squarely.

How about to sharpen the point for brevity and clarity in order to convey a perfectly legitimate point? Arguing against something doesn't mean that you interpreted it uncharitably and doesn't merit the exaggerated description of being weaponized (and the comfort level with such exaggerations as "injurious" and "weaponized" is amusing in the context where the concern is about insufficient proximity between a statement and how that statement is subsequently characterized. There's a lot more distance between those adjectives and what I did than between the statement and my paraphrase of it.)

And virtually anyone in any argument could insist, tediously, that those disagreeing with them have failed to interpret with sufficient charity.

But it's one thing to note that as a hypothetical possibility, and another entirely to point to something that's actually a clear cut offense. I don't think I twisted or misrepresented anything, and no one seems to be suggesting that anything was actually misrepresented or misinterpreted so much as they're using this occasion as a jumping off point to litigate the abstract principle. Which I don't think is a constructive use of anybody's time, which is why this is a bad norm that shouldn't be observed.

> I don't think I twisted or misrepresented anything, and no one seems to be suggesting that anything was actually misrepresented

No, that is what I'm suggesting. Your comment reads as a quote. After reading it, I went to the linked page and looked around for the context. Turns out, there was no context for that quote, because it's not a quote, because those words aren't actually in the original text.

You're talking about something slightly different than what I asked. You clearly were able to check and conclude that this wasn't a literal quote. There was no difficulty there. You apparently got stuck there, and were unable to proceed from that information to the conclusion that I was restating the position in an extremely similar but more concise form, which would have been a way of interpreting my statement in its most reasonable form.

I'm asking whether, even a person who wasn't making a reasonable interpretation of what I was saying, would have been misled by the way I characterized Comcast's position. Is there a significant difference between the way I phrased Comcast's position on whether or not they were exhorting their customers to purchase a new modem, and the way they actually phrased it? Because I don't think there is.

> I'm asking whether, even a person who wasn't making a reasonable interpretation of what I was saying, would have been misled by the way I characterized Comcast's position.

You're spending a lot of time prosecuting this point, and requiring time to be spent by others who care about HN being better than other online communities.

Whether or not some hypothetical person not making a "reasonable interpretation" would have been misled, or whether it's reasonable that a reader had to spend time searching for the quote to verify it to realize that it was not actually a quote (and how many others would have bothered to do that), are matters that we could spend many more hours debating.

Or, you could just accept that it's better to refrain from misquoting people in future and we could all get on with our lives.

All it would have taken you was to preface the "quote" with something like "the response, which effectively amounts to saying...", and it would have saved everyone the bother.

C'mon, is this really a hill you want to die on? Maybe let it go :)

If you're rewording something someone else said, even if you're keeping it very close to the original words, don't use quotation marks. Quotes say "this is literally what was said".

I got bit by this a bunch when I first got on HN; it was surprising to me how seriously it was taken. But it is, and it's not hard to work around.

This rule is too idiosyncratic, annoying, not found anywhere in the guidelines, and is not offering any net benefit in this context that I can see.

If the object of the rule is to produce derails like this, it's doing more harm than good. So unless someone wants to explain how its invocation in this thread improved the quality of conversation about Comcast's javascript injection policy, I would encourage others to join me in not observing the norm.

That's a weird HN-ism, though, not how writing or paraphrasing works anywhere else. The goal is understandable and laudable but 'redefining the meaning of quotes' is a thing only hardcore lispers can love.

I think you're missing an important distinction. When paraphrasing a group of people or stating a cultural zeitgeist, quotes are acceptable:

> The gist of the HN community's opinion is, "don't use quotation marks when paraphrasing."

> Lately the Democrats approach has been, "oppose Trump at every turn."

However, when paraphrasing a specific individual, it is frowned upon at best[1][2], and considered intentionally misleading at worst[3], to put paraphrases in quotes.

> pvg said, "I don't care what HN thinks, I'll do what I want."

> pvg continued with, "no one else cares what HN thinks either."

Contrast that with,

> pvg said that "only hardcore lispers" care about how paraphrasing works.

In the last example, you can clearly tell the direct quote from the paraphrase. This is very important when communicating someone else's ideas.

Regardless of hard and fast "rules" of punctuation and grammar, you have a large number of people calling your writing misleading, confusing, and inaccurate. Clear communications should be the goal of any writing; wouldn't you be best served by hearing and incorporating this feedback?

[1] MLA: "Paraphrases and summaries do not use quotation marks" - http://www.lmu.edu/Assets/Academic+Affairs+Division/Academic...

[2] Purdue: "Indirect quotations are not exact wordings but rather rephrasings or summaries of another person's words. In this case, it is not necessary to use quotation marks" (note that no example of indirect quotations include quotation marks) - https://owl.english.purdue.edu/owl/resource/577/01/

[3] "But then there's a long slide through confusion and bias into intentionally misleading quote-mangling and outright fabrication" - http://www.slate.com/blogs/lexicon_valley/2013/10/17/gay_tal...

Do you feel that my paraphrase was intentionally misleading, or even confusing, or inaccurate? Even unintentionally? Does anybody? Does anybody think the norm currently being debated yielded any actual tangible value in this thread? Did it save someone from misunderstanding Comcast's position?

A lot of zeros and ones are being spilled on behalf of the abstract principle of how quotes can be hypothetically used, abused and interpreted, but none of the 40+ comments beneath my now-flagged paraphrase of Comcast's statement is actually arguing that my paraphrase was in any way distorting or misleading.

So I question the value of this norm, if the practical way it tangibly cashes out is in the form of extremely long derailments substantively unrelated to the comment that caused the rule to be invoked.

That exhaustingly (if not exhaustively) describes a number of important distinctions that never come up when some hapless commenter gets told off they're using quotes wrong. It's a Talmudic absurdity to apply to a message board. We don't have 70 comment threads about the proper use of "it's" vs "its", with MLA citations (which, it's worth recalling, "specifies guidelines for formatting manuscripts and using the English language in writing")

It's just a dumb, arbitrary rule. It serves no purpose beyond facilitating righteous rebuke. You can make a better rule dealing with the underlying behaviour while oxygen deprived from screaming at dang about HN's political bias.

This is not an "HN-ism". It is not proper to use quotation marks when paraphrasing. Doing so is explicitly attributing words to someone that they did not say.

> not how writing or paraphrasing works anywhere else

That's simply false. If you want to use Reddit et al as your standard reference on the use of language and punctuation, have at it. But you can't reasonably expect every other forum to use that lowest common denominator. Railing against simple, longstanding house rules like this is just pointless contrarianism.

> If you want to use Reddit et al as your standard reference on the use of language and punctuation, have at it.

In terms of what contexts one should keep in mind when interpreting comments with good faith to come to a most reasonable interpretation of what they are saying, the way language is used on reddit is probably a much more reasonable benchmark than MLA style guides.

> That's simply false.

No, it isn't. I'm saying what somebody else is saying, in their voice. This goes in quotes, because it's someone else's speech, even if it's my version of their speech. The fact that they didn't actually say it comes from context. Punctuation is not semantic markup.

This doesn't come from reddit, it comes from, you know, the way people actually write. The fact that it requires repeated and lengthy explanations is a pretty decent indication it's not how anyone else writes.

Writing style guides are a thing & a thing that have been around for a long time. All 3 of the style guides I’ve had reason to use (AP, MLA & CMS) all require that quoted material be direct quotes.

Now, I think that it’s a fair argument that a web forum needn’t have the same formality as other written word, but your assertion that “it’s not how anyone writes” is clearly untrue.

And just as a single data point, I expect when someone uses quotes even on the web that they are asserting a verbatim quote.

I agree with pvg. The notion that a comment on HN is, in some sense, in poor form because it doesn't adhere to AP/MLA/CMS specifications is ridiculous. Nobody agreed to that, and I doubt anyone would even agree that that's accepted informally as a norm.

I didn’t mean to imply that the web should follow those style guides (and said as much). I was refuting his claim that no one expects that quotes imply an assertion of verbatim quote.

I certainly default to assuming it does and in many contexts it is an explicit rule.

So you don't think that a comment thread like this one is a context where MLA guidelines would yield the most reasonable interpretation of what someone is saying?

> I was refuting his claim that no one expects that quotes imply an assertion of verbatim quote.

I don't understand how you've refuted that while also saying they sometimes don't. Are we arguing about contexts here? My claim is almost trivial - nobody reasonably familiar with English thinks quotes imply a verbatim quote. That's just not what quotes are for.

You said no one expects that and he pointed out the style guides do. So some people do. In addition to the style guides, a couple people here have said that they do as well (which is why we're arguing). I'm another. Regardless of whether the majority think this way, we can safely say that some people do.

Getting back to the actual point, in formal writing, quotation marks are definitely considered to delimit actual quotes. That's where their name comes from and that's their purpose. If you want to paraphrase or otherwise interpret what was said you just work it in without quotes.

Personally, I relax my expectations in informal contexts if I don't know the person or their writing habits, but I'm just being pragmatic. In other words, the rule doesn't change, it's just not always followed.

I guess I’m far out of the mainstream then. If you put quotes around something and attribute it to someone or some text, I assume you are asserting a verbatim quote, either in the context of web forums, business communications or more formal writing covered by a style guide. In the context of fiction, if you put quotes around something I assume it is to declare that the character is saying exactly what is quoted.

That your position is that I’m in the minority on this is doubly surprising to me given that’s what all the style guides and my high school English teachers taught me.

I appreciate your good nature in taking the time to engage in this silliness but I have a hard time believing your high school teacher or anyone else taught you that. The wikipedia page on it:

"In English writing, quotation marks are placed in pairs around a word or phrase to indicate:

Quotation or direct speech: Carol said "Go ahead" when I asked her if the launcher was ready.

Mention in another work of a title of a short or subsidiary work, like a chapter or episode: "Encounter at Farpoint" was the pilot episode of Star Trek: The Next Generation.

Scare quotes used to mean "so-called" or to express irony: The "fresh" apples were full of worms."

Even 'direct speech' is at odds with 'verbatim quote' and that's the first thing there. Direct speech can be completely made up.

Respectfully, I think you should read the Wikipedia entry for 'direct speech'.


kasey_junk said "I'm a stupid moron with an ugly face and a big butt and my butt smells and I like to kiss my own butt". Should this not include quotes, even though you didn't say it?

"AP, MLA & CMS" are an absurd counterpoint that falls well within 'that's not how anyone writes'. They are, if anything, lengthy exceptions to how anyone writes.

It's a deeply silly argument and my point is 'an internet messageboard should not be regulating punctuation'. It should, as this one usually does, try to regulate behaviour.

It should include those quotes if you are asserting that I said it.

The HN rule is never use quotes to say something someone didn't say. It seems, unless I'm misunderstanding you, you agree this is a silly rule.

I don't think that's the rule? I think the rule is if you're using quotes and it's ambiguous as to whether the person the quotes are attributed to actually said it, then the person better have actually said it.

(For what it's worth: this little subthread is about 10x more interesting than the story and the rest of the thread it's attached to).

That's as generous an interpretation of the rule as mine is overly literal. But it's worth comparing it to some of the other rules:

Don't be an ass.

Don't call other people asses.

Don't complain about votes.

And then:

Some weird thing about quotes we can't even sort out as well-intentioned nerds who love to talk about rules.

I don't think that's a good rule. I think what it's trying to address is probably a good rule. But it's addressing it in the dumbest possible way.

It is also the case that this was something Paul Graham was idiosyncratically peevish about; at one point, he attempted a unified definition of trolling that amounted to "forcing one to rebut something they hadn't said" --- which obviously isn't the definition of trolling.

Yep, 'idiosyncratic' is a good way to summarize it. At the end of the day, it's just another dumb thing to yell at people about - it doesn't improve discourse or 'stimulate intellectual curiosity'. As an inveterate rule-yeller myself, the fewer of these the better.

Yes, but then you should include something like "might as well have said". Or "like".

> I'm saying what somebody else is saying, in their voice. This goes in quotes, because it's someone else's speech, even if it's my version of their speech.

That's fine, when you're writing fiction. But in most online forums, fiction is frowned upon.

I don't think paraphrasing is limited to fiction any more than metaphor or hyperbole or idiom are. And those are in online forums all the durned time!

Sure, but it's polite to say when you're not quoting literally. Because that's the default expectation.

You don't need to fall back to a "default expectation" when usage is adequately indicated by context and by good faith efforts to interpret a statement in its most reasonable form. Nobody confused it for a literal quote, nor did anybody feel it caused any misunderstanding, and those realities preempt any need to appeal to a default expectation.

In your case, I do agree that it was obviously not a literal quote. However, by the time I joined the thread, the topic had become more generalized.

Still, it would have been clearer to say something like "Exactly. And the response, which amounts to 'we're not trying to sell you a modem, we're just encouraging you to strongly consider buying a new one', is such a hair-splittingly asinine response considering the rather serious breach of trust posed by the notification system."

Also, for what it's worth, I do agree 100% with your argument there :)

@mirmir: Point taken. In the context of this as a more general subject, I think your observation is perfectly reasonable.

However, I think (1) few are as lucid as you on that particular point and (2) whatever the merits of this as a general debate, and I think there is some merit, I think the question is whether this norm improves conversation in a thread like this. I think it was invoked frivolously, spawned a long, 50+ comment chain, and it didn't clear up any of the confusion that it seems like the norm is supposed to be designed for.

Yeah, they should probably put it in the guidelines. I just remember getting sniped by PG for using quotes that way.

What I'm getting at is, no, they shouldn't, nor should they expect anyone to adopt some weird made-up usage of standard punctuation. Perhaps they should put 'avoid paraphrasing as a rhetorical device' or something like it in the guidelines - that would make sense and be reasonably enforceable. "Don't use quotes the way everyone uses quotes" (like I just did) is just silly and ridiculous. You might as well put "don't call anyone a butthead without using the Oxford comma" in the guidelines.

This is just about the worst possible way to notify a customer of any issue anyway, because it legitimizes those stupid ad-based malware popups that have become so prevalent.

As more Comcast customers receive JS-based notices like these injected into their normal web traffic, any enterprising jerk can clone the message, change the links to point to their own phishing site, change or omit the phone number, and snag a whole bunch of unsuspecting Comcast customers.

To be a devil's advocate, Comcast customers have been phished before via email too:


...and then there's the various phone and even door-to-door scams, but I'd consider the latter to be much harder to do.

...unless the upgrade actually means loss of service due to incompatibility, in which case I would agree that is critical, but nonetheless "go buy a new modem" is something no customer wants to hear, especially if they're already paying $$$ every month for the service.

> Exactly. And the response, "we're not trying to sell you a modem, we're just encouraging you to strongly consider buying a new one" is such a hair-splittingly asinine response considering the rather serious breach of trust posed by the notification system.

Well, what I meant (within the response length constraints of Twitter) was that we're not saying you can only buy it from us. Just that the customer needs to buy it someplace. That way a customer can do as they wish - ranging from buying a used one on eBay to getting a new one from Amazon or Best Buy.

Ultimately the objective is to ensure a customer is on a device that can (1) deliver the performance for which they pay and (2) is up to date technically (i.e. supports IPv6 and channel bonding) and is supported by the vendor (i.e. software updates & bug fixes).

One of the big risks we have to help mitigate is when a device goes EOL, which means no more software updates, and a security or significant performance issue arises in the future. By proactively beginning the replacement process this helps minimize any future impact when it is a major issue like that. So taking action gradually on a proactive basis prevents a more severe impact later on. In many cases, these are DOCSIS 2.0 devices and that technology and often the software is from 2001, the same year as the 1st gen iPod and when Windows XP was released.

Eventually a modem will go into End-of-Service (EOS) status. At that point there is a definite date/time limit for the device, after which it is de-provisioned from the network and the customer must replace it to continue service. This has been the case in the past with DOCSIS 1.0 and 1.1 devices for example, after years of work to encourage customers to replace them.

See also https://www.xfinity.com/support/articles/end-of-life-devices and the start of the EOL/EOS process for DOCSIS 1.1 devices https://www.dslreports.com/forum/r27473499-Speed-Heads-Up-Ti... and https://www.dslreports.com/forum/r28497383-Speed-Upgrade-You... and https://www.dslreports.com/forum/r30524429-Equip-Reminder-Pl... and https://www.dslreports.com/forum/r30450278-Speed-Heads-Up-Ti...

If his modem is actively interfering with your network I could see that this is critical. If he has been hacked and is actively DDOSing sites, that’s critical. We can debate the correct response in those cases (getting on the phone and calling seems to work really well when you want people to pay you, as does turning off service).

Unless I’m misunderstanding, this was not causing such a problem. Casting it as a customer good is rhetorically amusing, and probably holds water with people who are predisposed to agree with you, but I can make any number of morally bankrupt decisions using exactly the same logic. You have simpler ways to deliver this message, that do not cause nearly as much harm to your customer and do not require you to intercept and modify their traffic.

It's true that if there's a vulnerability discovered, and you have 50000 modems with the vulnerability, you cannot wait for the modems "to be hacked" to act. It is reasonable to try to replace EOL modems ASAP.

In this scenario do you honestly believe the best course of action is to insert a popup on web pages? If you are truly concerned you will act to preserve your network for all customers by blocking traffic from the problematic modem and then call the person. This is legally less risky than doing traffic inspection. (Losing common carrier status would be a very big deal.)

Why traffic injection instead of mail pieces? I mean, I open all of mine, even the 75%+ that are upsells I don't want, on the off chance one of them will tell me something I need to know. And if Comcast can afford to send that much junk mail, I should tend to think Comcast can afford to send one or two, or five, mail pieces that carry a warning like ACTION REQUIRED TO MAINTAIN SERVICE on the envelope, to those from whom action is indeed required to maintain service. You guys shipped me a whole new unsolicited modem! (One which I'll put into service, too, just as soon as I've worked out how to disable all the routing and wireless smarts I don't want, don't need, and won't suffer messing with my network.) Surely you can afford bulk rate.

And mail pieces don't produce the potentially rather widespread indignation that traffic injection does. Granted, I don't see the harm in it that a lot of people here do. Unencrypted traffic is unencrypted traffic - open to tampering by anyone, not just Comcast, and for many less innocuous reasons than the one for which you've chosen to do so. But with Let's Encrypt, browser manufacturers, and friends leading the charge toward TLS everywhere or as nearly so as is practical, and with most sites that most people use already employing TLS, the attack surface is closing for even an other-than-innocuous variant of your notification methodology. Of course, that also means that that methodology itself is reaching a natural end-of-life, as it cannot work anywhere that TLS exists, and the majority of the web where it does exist continues to grow. If this low-latency notification scheme is of unique value to your business, then now is the time to consider replacing the outdated technology that underpins it with something which will continue to work reliably over the next decade or two.

All that said, I appreciate your decision to engage in this forum. That's unprecedented in my experience from someone in a position like yours, and I wouldn't mind seeing more of it.

> Why traffic injection instead of mail pieces? I mean, I open all of mine, even the 75%+ that are upsells I don't want, on the off chance one of them will tell me something I need to know.

Lots of reasons, including years of experience with response rates for particular types of messages / calls to action. Clearly one particular communications channel won't work for everyone - each person has their own preferences. One of the things we're working on is to better enable you to control just that - basically one person may ask for SMS messages, another alerts via their mobile app, another via email, another via phone call, etc. You can see the beginnings of that in MyAccount / Settings / Communication & Ad Preferences.

> But with Let's Encrypt, browser manufacturers, and friends leading the charge toward TLS everywhere or as nearly so as is practical, and with most sites that most people use already employing TLS, the attack surface is closing for even an other-than-innocuous variant of your notification methodology.

Agree. And more TLS is better IMHO. I also like the work that Let's Encrypt has been doing - they've had a really big impact on the adoption of TLS. (See also http://labs.comcast.com/innovation-fund-spotlight-lets-encry...)

> Of course, that also means that that methodology itself is reaching a natural end-of-life, as it cannot work anywhere that TLS exists, and the majority of the web where it does exist continues to grow. If this low-latency notification scheme is of unique value to your business, then now is the time to consider replacing the outdated technology that underpins it with something which will continue to work reliably over the next decade or two.

You bet - totally agree! One of the places we're engaging to try to do that is in the IETF's CAPPORT working group and I think the charter reiterates all the points you made: https://datatracker.ietf.org/wg/capport/about/

> All that said, I appreciate your decision to engage in this forum. That's unprecedented in my experience from someone in a position like yours, and I wouldn't mind seeing more of it.

My pleasure & thanks for being a customer that's willing to offer constructive criticism. :-)

People don't want your crap injected into their pages and working with the IETF ain't gonna change that.

The fact that Comcast has and abuses its monopoly is bad enough. That you would try to standardize your abusive behavior is appalling.

And then there's this guy. I suppose someone has to be.

As was mentioned in the original thread, other means of attempting to contact the individual occurred. This was apparently not the first attempt or method used to contact individuals.

Perhaps the user read those emails and simply doesn't care to upgrade the modem. Unless those emails created an opportunity for the user to acknowledge receipt, then there will probably be numerous people who receive these popups despite receiving the emails, deliberating, and choosing to take no action.

Because traffic injection is free; postal mail costs money.

They have no problem snail mailing other adverts. There is also e-mail, so no excuse.

>Well, what I meant (within the response length constraints of Twitter) was that we're not saying you can only buy it from us.

This reminds me of the part in Romeo & Juliet where Sampson says "I do not bite my thumb at thee, but I do bite my thumb."

As other commenters have mentioned, these are such small distinctions to legitimize something as fundamentally troubling as JavaScript injections.

Like most on this thread, I think that injecting code is a step too far, but I definitely appreciate that you took the time to explain the motivations behind this.

> Well, what I meant (within the response length constraints of Twitter) was that we're not saying you can only buy it from us. Just that the customer needs to buy it someplace. That way a customer can do as the wish - ranging from buying a used one on eBay to getting a new one from Amazon or Best Buy.

Here's what a customer should do:

Just file a complaint. Via snail mail. To the FCC. Include screenshots of the VP explaining how this is all ok.

After that the customer should enjoy the show. I'm sure at least the customer is going to be provided a top tier service for the rest of his life in any Comcast service region. Most likely for free.

This is how one teaches companies to behave. He or she finds a pressure point and exploits it. It does not matter that the opponent is a 350lb gorilla. Small joint manipulation by a 95lb girl puts that gorilla on its back. For Comcast, VZ, etc that pressure point is a snail mail complaint to the FCC. For national banks, it is the OCC. It works every time it is tried. What does not work is bitching about it on HN.

When reading about Comcast I was always wondering why they have no competition when everyone who comments is complaining.

I live in France and use Orange as my fibre provider. 1 Gbps/250 Mbps without constraints. I used to have Free which was great but did not offer fibre when fibre was installed. I switched to Orange in 5 min via a web page. I have another possibility (SFR) but they are despicable liars and for this reason alone I scrapped them.

This is France, where competition is not a national sport so I was expecting the US to have 5 other companies banging on the door.

In a natural monopoly regulation /increases/ competition and freedom for the consumer.

The BBC had an article about this a few years ago [0]. Basically the highly regulated countries had cheaper and faster internet.

> Rick Karr, who made a PBS documentary in which he travelled to the UK to find out why prices were lower, says that the critical moment came when the British regulator Ofcom forced British Telecom to allow other companies to use its copper telephone wires going to and from homes.

> But US regulators took a different approach. Rather than encouraging competition between operators using the same network, the US encouraged competition between different infrastructure owners - big companies that could afford to build their own networks.

> Some believe that UK-style regulation is bad for competition and innovation, however, and suggest that the US is already one of the world leaders in broadband.

[0] http://www.bbc.co.uk/news/magazine-24528383

It might be easier to convince me ISPs were a natural monopoly if they weren't also a legally protected monopoly where they are, and generally have plenty of competition where they aren't.

I’m not sure that’s evidence against their natural monopoly position. It might be that we’re in a world where in some places, it’s plausible to have two ISPs, and in many it’s not—but if two try, they’ll both fail to get enough people to be profitable. Then any sane provider wants to demand exclusivity as the cost of pulling fiber through a community, and unhappily acknowledges that they’ll have to cover all of their exclusive territory. If we’re in that world, and the service is nearly essential, we’ll see legal monopolies in lots of places, and some places with no legal monopoly and no service—they can’t agree on a price.

I’m prone to suspicion of their business practices too, but every one of the Comcast technical staff I’ve met, from Jason down, has been an excellent person deeply committed to the best mission of a telecoms company, enabling human communication. Is that a marketing campaign? Yes, but as far as I can tell it’s an honest campaign of showing the world who they are and what they care about.

This is laughable in light of Comcast warring against net neutrality and lying about it to customers and everyone else.


Do you personally have the ability to create large-scale broadband networks, using only the financial means available to the average citizen? An estimate by Goldman Sachs put the cost of nationwide Google Fiber at $140 billion. Personally, I'm not sure if I could come up with that kind of money, in a pinch.

This UK model is closely related to how roads are funded, as a mostly govt-funded monopoly on infrastructure (with occasional public-private financing, which comes with its own issues, toll roads etc) and common access paid for by users (fuel tax, road tax, etc).

The US model is closer to the US railroads model (although not an entirely accurate analogy); largely privately owned with some govt owned, funded by large infrastructure companies that charge customers for usage and also, due to infrastructure costs, are rarely duplicated in close proximity. It's had issues with off and on regulation, profitability, and localised monopolies that have a tendency to overcharge when they can get away with it.

> When reading about Comcast I was always wondering why they have no competition when everyone who comments is complaining.

Suppose you were a major company with big dollars to spend on offering internet service... someone like Google, for example. Then suppose you wanted to provide service in Louisville, Kentucky. How many years do you think it would take to get permission to attach your lines to the existing telephone poles (owned by the city) if the local telephone and cable providers try to tie you up in lawsuits? What if the city's mayor was enthusiastically supportive, and willing to pass new laws and spend hundreds of thousands of dollars of the city's money going to court to permit Google to start offering service. It would still take years to get permission. Fortunately, this isn't one of the many cases where state or local laws prohibit other companies from competing with the one local cable company, or it couldn't happen at all.

Now imagine it is anyone OTHER than Google with their huge warchest, legal department, public support, and local government support. It wouldn't get anywhere at all. If it did, the cable company would drop rates for a few years until the competitor went out of business, then raise them afterward.

The United States pays lip service to the idea of competition, but most of our politicians have gotten "competition" confused with "supporting big corporations". This is why internet service providing is a monopoly or oligopoly in nearly all US locations.

I think this is really a critical thing to get integrated into the American public dialogue. Pro-business and pro-competition does not mean zero governmental oversight or regulation. My opinion is that if there isn't substantial churn or upheaval in the market at least a couple of times per decade, there is something broken in the market, and we should be looking at what kind of actions would be useful to allow fresh, new entrants to make an impact (without explicitly picking winners or issuing subsidies).

Example: the online marketplace for social, search, and email is stagnant for obscure legal reasons. We should identify these (copyright and the CFAA) and remove the barriers.

Megacorps have exploited core conservative values to guilt people into believing that they're commies if they refuse to write a blank check for any big company that wants one. We can make real progress, and it's important progress, by highlighting to Republican/conservative-leaning voters that selling their country to corporate raiders is not a pre-requisite for being pro-business or pro-small-government.

You correctly call out "copyright" as a problem in the free market, then go on to blame Republicans for the status quo, when it was the entertainment industry and THEIR captured legislators -- the Democrats -- which gave us the DMCA, which has been used as one of the biggest hammers to prevent competition ever conceived. So please don't single out conservatives for giving us the monopolized internet we have now. Both sides are to blame, in their own ways. Unless we, as a country, stop making these sorts of issues tribal, we're never going to fix them.

I'm not trying to blame anyone specifically. This is just a major rhetorical exploit that works on Republican-leaning voters. I know because I and many of my associates are Republican-leaning and very conservative, at least by HN standards. We need to call out these divisive rhetorical exploits because they're used by nefarious groups to subvert actual dialogue and keep people at the extremes.

By no means do I believe that Democrats or liberals have clean hands on this. All sides deliberately ignore and subvert intellectual property matters because it is so dang profitable, and this affects "liberal" industries much more deeply than "conservative" ones. Copyright is fundamentally "big government", which more conservatives would recognize if the narrative around this issue wasn't so tightly controlled. And that's not to say that copyright doesn't serve a useful purpose at all, just that we should be cautious and wary about it.

Since bad political actors and profiteers actively and successfully cultivate tribal dynamics for their benefit, the tribal context and instinct can't be ignored. It must be worked within. Approaching a tribe as an outsider just causes them to raise their shields and ignore anything you say.

Good principles and values drive most actors on both sides of the aisle. Political alignment basically seems to just come down to which principles we prefer to favor/bias. Under that context, the need for balanced, inclusive dialogue is clear, and we should all be grateful for the diversity of opinion that keeps everything in balance.

Maintaining that diversity means working within the structures of human association to create authentic, grateful alliances built on that recognized need, instead of allowing others to abuse those same structures to provoke destructive animosities.

Not to disagree with any of the other points, but it's always worth remembering that any physical utility in the US has approximately 16x more land to cover than France. Not to mention the greater variety in climates (which do impact utilities).

Some cities only have one existing fiber line even coming into them, usually owned by one of the local duopolies (typically phone, since they originally were required to offer phone service to everybody).

This gives incumbents an immediate advantage in terms of reaching customers with physical infrastructure, before counting any of the (admittedly fucked) politics involved.

Then why do Americans in large urban centers not have greater choice of ISPs? If it's all about physical distance, why is there still no competition in dense areas?

I live in Washington DC, in the city, and I only really have one choice where I live, Comcast.

Cities grant franchise rights and determine rates charged for access to city poles and cable vaults.

Let's not sugar coat the language by referring to them as franchise rights, they're state-sanctioned monopolies.

Well, sure if they decide to only grant a single franchise which is what happens in a lot of cases. There is no reason they can't allow several competing operators in a given city though.

Incumbent ISPs lobby local government and sue would-be competitors to ensure the competition are only offered access on less favourable terms.

Back in my day, we rented Ricochet modems and shared the bandwidth between 4 users.

It's spotty. I know in DC they have RCN in some areas, which is a high-quality option.

In NYC, in one apartment I had 3 or 4 different ISPs to choose from, RCN included. In my current place, I only have one.

The solution to this problem in France was to say "if you put some infrastructure to provide a service you have to share it with others, and get some costback". The costback is regulated.

The idea is to make it better for people, not corporations (which are not starving either).

In the US, two infrastructures evolved into internet infrastructure, one was the phone service (pretty much AT&T's long distance network and Ma Bell's local infrastructure). The other was the local cable companies, Cox, Bright House, Comcast et al. So in most locations you have one of two choices, go with DSL and the phone company or cable which in many areas is Comcast. AT&T just installed fiber here in the Florida Keys so alternatives are starting to pop up in more remote locations in the US, but it's still pretty much a go with the local phone company or local cable company monopoly decision.

You were able to switch in 5 minutes because nothing actually changed except who sent you the bill. In the US this isn't possible because whoever owns the physical wire/fiber into your place gets to bill you, exclusively.

Yes, there is one cable and everyone has to share it, by law.

I thought that AT&T was split once in the past to differentiate backbone and service providers - why not in the case of fiber?

>I thought that AT&T was split once in the past to differentiate backbone and service providers - why not in the case of fiber?

So called unbundling was done, but in exchange, the backbone provider got a legal monopoly. Almost everywhere AT&T or Verizon lays fiber has competition, usually with a local cable company.

Probably because the fox is guarding the henhouse now.

A lot of cities grant exclusive agreements to these companies. Lately they are more competitive but historically one cable company would be granted the right to serve an entire city.

For an example, here's the page for Portland's agreements:


Regulations can limit new entries in other ways as well.

A former coworker was telling me the difficulty of getting a DSLAM installed in a high-rental area, like a Seattle neighborhood. The DSLAM install requires approval from 40% of the property owners, so you might write each landlord a letter, but the landlords aren't opening letters unless there is rent money inside. So installing a DSLAM becomes a political game of convincing the several hundred "rental-transient"[0] people in the neighborhood to talk to their landlord. One of the reasons behind the "Ask your Landlord about Wave Internet" signs you see around.

[0] Renters often only plan to stay in a location through their current lease, and thus have less long-term concern over the area. In this way, transience destroys community.

> everyone who comments is complaining

"Those who comment" are far from a random sampling of the user base. It's entirely possible for 95% of users to be satisfied "enough" with the service and yet nearly 100% of comments to be strongly negative.

I know, this is the reason I added "who comment". This is not good enough, I know too, but in no comment have I seen praise of Comcast.

Comcast is not alone in this. Cox Communications has been injecting code into HTTP traffic for years.

I think sometime around 2008 I first saw them do it (I noticed NoScript blocking a script on a page that it wouldn't normally). If I remember correctly, following it to its source hinted that it was a test for some alert system.

In 2012 I saw them injecting a script to notify people that their email servers were down ( https://www.dslreports.com/forum/remark,27826161 ) though the paranoid in me thinks that was an innocuous way to test how acceptable altering traffic would be.

The escalation I've seen in the last couple of years is the ability being used for Cox customer surveys.

As far as I know they haven't injected anything into my SSL/TLS traffic... yet.

> As far as I know they haven't injected anything into my SSL/TLS traffic... yet.

You say that as if it were even possible. Or are you referring to the use of SSL stripping?

HSTS preloading (or visiting a site with HSTS headers that you've previously visit) will protect you from even that.

They did that to me a few months ago. I called up and canceled my decade old ~$90/mo acct on the spot. Tethered to 4G, works fine.

Can confirm. I didn't even notice until they started using their script to inject popups telling me I had "exceeded my data allowance". I literally canceled my Cox Communications account on the spot.

Comcast forced me to upgrade a perfectly acceptable modem so I would have the option to have higher speed service (which I do not want)! Here's what they did:

1. asked me to upgrade the modem (emails and letters)
2. Inserted a filter on my line so I lost my connection
3. I bought a new modem (not realizing they stuck a filter there)
4. They removed the filter

I guess this approach does not scale as well as the 400 lines of JavaScript!

What spec of DOCSIS was your old modem? If it was 1.0, 1.1, or 2.0, sorry, you lose all support; the older specs had hard bonded channels that HD TV was put on after the swap, which they informed people of for 2 years before it happened. And they put TV on them since they were degrading channels due to overuse across the entire network (as in across the country).

The later specs allowed for floating channels based on channel maps, which allowed Comcast to bypass those degraded channels.

Note: I'm not an apologist, but I worked for Comcast and for a subcontractor. Comcast treated (at least in my opinion) their customers like wallets that called and complained, but under the subcontractor I saw that since they didn't rewire 100% of all networks purchased, it was common that the older lines were causing the degradation and also reflection on other RF channels sometimes on the other side of an area even. Now if Comcast invested in their network as opposed to buying other companies and calling it investment, this might have been fixed, but that would be decades vs. having every modem that wasn't compliant to the new spec swapped.

The SB6121 is a DOCSIS 3.0 4x4 modem rated for 174 Mbps, SB6141 is an 8x4 rated for 343 Mbps, and SB6181 is a 16x4 rated for 686 Mbps. Outside of their capabilities, the hardware on them is nearly identical. There is nothing "EOL" about the SB6121 except for the idea that it's unable to support 200 Mbps. It's a perfectly good entry-level modem capable of offering speeds that are over 7 times the minimum definition of "high speed internet".

I don't understand the general attitude against forced modem upgrades. If you lease your modem it's as easy as walking into a Comcast store and swapping it for a new one. If you own your modem, pick the newest model of modem that fits your needs.

The newer modems support more channels and newer modulation/technology. This isn't just about supporting newer speeds. In order for them to support those newer speeds for other customers they have to upgrade their equipment to support more channels and newer modulation/technologies.

At some point these older technologies are not just wasting resources by being less efficient, but are preventing the company from upgrading their equipment.

The reason I don't understand is that it's common to see people complaining about the state of broadband in America compared to other countries. Yet Comcast is probably the most progressive as far as pushing the technology goes. Don't misunderstand me, I believe Comcast holds a near/total monopoly in many locations around America, but at least they're progressive with their network and technology despite the lack of meaningful competition.

  it's as easy as walking into a Comcast store and swapping it
If you have an Xfinity store nearby, and if they don't have lines over an hour long much of the day, and if you get a rep who knows what s/he is doing.

I live about 6 minutes from one, and it can still be a multi-hour adventure.

I thought HTTPS was supposed to prevent this sort of man in the middle attack? (Or at least make it harder) -- and I thought that most websites used HTTPS these days...

or am I misunderstanding?

If they are able to do this, and are injecting JavaScript for something as low-return as online ads, then what is to prevent them from changing the news headlines on <insert your news website of choice here>, or the stock ticker feed... How do we know that they aren't?

Do we, as a community, have any mechanism to detect if these sorts of attacks are occurring?

The injection is currently for non-HTTPS only, but I can easily see this situation evolving for the worse as HTTPS becomes increasingly the default.

What will happen is someone at Comcast will notice that their injections aren't happening often enough anymore due to HTTPS adoption. Someone at Comcast will suggest implementing a MITM TLS proxy service to get things working again. Someone else at Comcast will note that wouldn't actually work because they can't install fake root certs on every client device...

Then Comcast will basically switch to a model where the HTTPS interception is "optional" (requiring the client-side use the proxy explicitly), but they'll start shipping some kind of "Comcast Setup" executable (or mobile app) users are supposed to run on their client laptops/phones so that they can get these important service notices, which turns on the client-side use of the proxy and installs the fake root certs. Geeks may not install it, but the bulk of their customers will, and everyone loses. I don't think broadband consumers are aware of the fact that they shouldn't trust software provided by their ISP...

Chrome and all other browsers would quickly put an end to that.

> The injection is currently for non-HTTPS only, but I can easily see this situation evolving for the worse as HTTPS becomes increasingly the default.

That's my fear too. This has to be handled by other means and has to stop. If everything is HTTPS you can be sure it gets very insecure by design, as everyone will upgrade their capabilities and inject certs on you; then we would need a new, more secure protocol.

Why is email still insecure and sent in plain text? Why is there hype for HTTPS but everyone is fine with sending mail in plain text, yet we have S/MIME, etc. and no one is using or supporting it?

As the other comment said, HTTPS does prevent this, and this only happens on HTTP pages.

> Do we, as a community, have any mechanism to detect if these sorts of attacks are occurring?

Yes, Caddy can detect whether a connection is being MITM'ed: https://caddyserver.com/docs/mitm-detection

As that page describes, Caddy's detection only works on SSL-served pages, by comparing the TLS handshake to the expected TLS handshake pattern of the advertised User-Agent.

Ironically, if you're using Caddy, I struggle to think why you wouldn't already be pure HTTPS.

Yes, and it is fair to assume that a page served over HTTP is not trustworthy in any case.

Yup, but "these attacks" in your first post was specifically HTTP modification, which is the only thing Comcast is capable of doing.

HTTPS does prevent this. This can only be injected on non-secure connections.

Use HTTPSEverywhere on your browsers, and then enjoy the "You're close to your monthly limit!" pop-up on the Steam Store!

Um, I assume the code for that pop-up is rendered into the page on the web server that produced the page, before being returned to the browser.

That is precisely the problem. If the notification were rendered as part of the page by the web server, no one would have issue with it (though it would likely be blocked by adblockers anyway).

It's the fact that the ISP is modifying traffic in-route, to inject something that was never intended to be part of the page, that is the problem.

I expect my ISP to be a neutral carrier of messages, not meddling and altering my mail to add whatever they happen to feel like adding today.

I think the intent was to comment that extensions don't protect programs with embedded web views, like the steam store. I'd hope the steam store is using https though...

Only on checkout pages. For the rest of the storefront they actually redirect you from HTTPS to HTTP.

That's especially bad, because you can't actually see the origin or whether TLS is in use from the store's interface...

Assuming Comcast adheres to their RFC[1], this injection method would only affect insecure HTTP per general requirement R3.1.2.

[1] https://tools.ietf.org/html/rfc6108#section-3.1

A VPN will prevent this.

I'm curious if there's a way to hash your code, so... I guess this can be overwritten as well. But like a check sum to make sure your client code is the same as you made it.

HTTPS is good, got it.

Subresource integrity checking. Most CDNs provide <script> tags with these hashes.

But the MITM can just remove/change those hashes.

Yes, if the index.html is not HTTPS or otherwise compromised.

Thanks I will look into that.
