If I go to their supported modem page, I literally get a page where my current modem is shown as not supported, and the exact same modem is shown next to it as "supported."
I'm calling Comcast, and if this isn't immediately resolved I'm filing a fraud claim with the Illinois attorney general. This is the third or fourth time I've had a supported modem that Comcast has claimed isn't supported, and I'm sick of jumping through hoops getting this resolved.
Every time this happens their customer service reps tell me that the only way to avoid this is to use one of their modems. I'm sick of this. What a terrible company. Fix your shit before you start injecting garbage into the websites I visit.
edit: Proof https://imgur.com/lzKBkMs
I will admit that it is clever, but this should be transparent and customers should not be subsidizing the cost.
There is not a reason to access and modify your private data. This is not some kind of out of band multiplexed signal, they are reaching into your applications and changing their behavior.
There are other ways to communicate with people you have a billing relationship with already in place.
I've used my own DNS servers before. I have no problem making DNS queries to 188.8.131.52, and in fact I switched my PC to use it one time when Comcast DNS was down.
Overall, I’m rather happy with my current setup. I bought the most recent SB modem available at the time, got an Edgerouter and a Unifi AP. Took a few minutes longer to set up than a Netgear or whatnot, but was able to use PoE to put the AP in a far better location (it’s actually under my sofa instead of the closet where all my wiring goes) and have had a far more reliable and customizable experience.
It took a moment to realise you didn't terminate and stay resident.
Source: Tried to get away from VZW for a decade now - international roaming always being the ultimate decider.
Curious who you've found to be better.
Verizon has always been that shit-tier company run by borderline criminals which happens to have the far superior network and hard product.
At home (Boston, MA) Sprint is good enough to online game and stream at the same time. I lost my Comcast connection for several hours recently, and tethering to my phone resulted in less latency...
Edit: This is on Sprint's unlimited plan (around $50 a month for 1 line, $25 per line for 4 lines)
Can you please explain to me how you think this is a thing? Are you really that concerned about the extra watt or so of power usage a virtual SSID uses?
Or are you operating under the misconception that this somehow impacts your bandwidth allocation?
It's by far the most innovative and awesome thing Comcast has ever done. And they get ultra-hate from people who should absolutely know better.
The single and sole complaint you could have here is spectrum utilization.
I don't use Comcast so I do not personally know if they charge for excessive data usage, but I know Cox does.
Besides the point of potential cost, why should a user who is paying for the service subsidize Comcast? They are not getting a discount for offering the wifi to customers.
Why should a customer pay to add value to comcast? They aren't getting a discount if they enable the service.
Last I played with it, I could get an additional 35-40mbps or so out of a typical 100/25 comcast connection in my area.
For you. Not the public wifi network that is served before it hits your LAN. This is what I meant by my original post - there are tons of misconceptions on this.
Your ratelimit is not affected either, at least not any more than your neighbors do who exist on the same headend as you.
> why should a user who is paying for the service subsidize comcast.
How is it subsidizing Comcast again? I just don't see this point - the only possible way you are subsidizing it is with increased spectrum usage (which is a valid point) and perhaps additional power usage - but we're talking pennies per year if it's even measurable.
Tower space? This sort of product wouldn't exist without it.
I think it's confusion on where customers think or feel the demarc is. The ethernet port on the modem is your demarc, not the cable entering your house. If Comcast did something to alter and/or impact traffic after
> They are not getting a discount for offering the wifi to customers.
Of course they are? You get access to everyone else running the same AP in their homes, so when I travel I don't have to worry much about broadband access. It's especially great at Airbnbs with broken internet - I can simply use the neighbor's Xfinity AP. It's actually an incredibly consumer-friendly thing we used to speculate on in the late 90's and early 00's when wifi was just starting to become a thing.
I do agree it should be something you can toggle in a user interface, but turning it off should remove your access from the Xfinity wifi pool. I also completely understand why it's not optional - due to the ignorance shown in the thread. Most consumers think that me torrenting on the xfinitywifi AP is somehow impacting their data cap and/or throughput. It's not, and even highly technical people continue to perpetuate this myth.
I'm about as anti-Comcast as they come - but this is one of the better, more consumer-friendly things any ISP has done, much less Comcast.
The extra access point doesn't count towards your data cap.
I don't care if the issue is bureaucracy, incompetence, or greed, but I know filing lots of complaints with regulatory bodies generally solves the first and the third issue well, and motivates companies to fix the second issue too.
Getting support after a while wasn't working (to be polite, he was getting the runaround), but the FCC complaint got their attention and got the issue resolved. This was with the previous administration, which was more sympathetic, but still worth a try.
You should talk less and file more.
Philadelphia, one of the most corrupt cities in the United States, had a very interesting character - at the time he was the Inspector General. Looked like Robbie Lewis from Inspector Morse. Quiet. Really nice guy. Bar none, he was the most feared person in the city. His motto was "It is never overkill to use a nuclear weapon to kill a mosquito - it is an insurance policy. Mosquito dies."
Comcast makes it very difficult to get support if you don't lease one of their modems. Literally every time I call they insist that the problem is my modem, and of course it never is. All of my issues have been either outages or congestion-related, but Comcast reps can't fix the former and will never admit to the latter. So instead they blame your modem and ask for 10 bucks a month to lease a modem from them.
If you look at the far right device you see a non-EOL SB6121. The one on the left that is EOL is the leased one, and the retail one is still allowed. I'm not sure if you have a leased device or retail device.
> [JL] We are not trying to sell you a new one. If you own your modem we're informing you that it is either end of life (EOL) or that you are about to get a speed upgrade that the modem will be unable to deliver.
Incidentally, Livingood is a co-author of IETF RFC 6108, which he has conveniently linked. From the RFC's general requirements numero uno:
> R3.1.1. Must Only Be Used for Critical Service Notifications. Additional Background: The system must only provide critical notifications, rather than trivial notifications. An example of a critical, non-trivial notification, which is also the primary motivation of this system, is to advise the user that their computer is infected with malware, that their security is at severe risk and/or has already been compromised, and that it is recommended that they take immediate, corrective action NOW.
As composed as Livingood's response was, a modem at EOL and/or incapable of supporting an incremental speed upgrade doesn't strike me as critical. To be sure, Comcast is scheduled to increase speeds by 12/19 (at least in my region): 10Mb->25M, 25M->60M, 75M->100M. Although I disagree with Comcast's method and categorization, it would be interesting to learn what modem the OP was using.
It would also be interesting to learn if the OP received this message on multiple instances. If yes, it would be in violation of its own requirement--in particular, R3.1.8. User Notification Acknowledgement Must Stop Further Immediate Notifications, which itself is contradictory in its use of must and should:
> Additional Background: Once a user acknowledges a critical notification, the notification should immediately stop.
EDIT: Apparently, Livingood is an executive.
We start telling customers that a modem needs to be upgraded when one of two things happen: either they are about to or just had a speed upgrade that their modem cannot support or the modem has gone end-of-life (EOL) from the vendor.
In the former case, if the device is leased, you are sent a new one to replace the device and just have to basically say ok. In the latter case, it is a customer-owned device so the customer is asked to go buy a new one someplace (e.g. Amazon, BestBuy).
And in the EOL case, the vendor may have gone out of business or shut their cable modem business down, or otherwise decided to no longer support the device due to its age. That of course means that if a security issue came up, as they do, that the vendor would not be able or willing to provide a software fix for the device. So it's best to get the ball rolling to get those devices replaced when that occurs. Most of our EOL devices today are DOCSIS 2.0 devices (10+ years old), which can only do a single upstream and downstream channel (no channel bonding) and 1st generation DOCSIS 3.0 devices (5 - 8 years old).
Second, I am a Comcast customer who will never see these messages precisely because you do things like MITM unprotected traffic. Because I can't trust you to leave my traffic alone, all my traffic is tunneled.
So at the very least, if you feel this is a critical service you are offering (as implied by the RFC), you need an alternative communications channel for people like me who don't permit this one. Snailmail is fine; you try to upsell me constantly through that channel already.
The same thing happened on Netflix ...
This is exactly why Comcast is still the most hated company in America, and the only reason you have any customers is due to the monopoly deals of dubious legality you or your acquisitions bribed local officials to create back during the infancy of cable. We hate you, but we don’t have any choice.
It’s worth noting that government regulation created Comcast by allowing long-term monopoly contracts with municipalities. Remove the regulations which prevent competition in local internet and TV services; don’t add more regulations.
Also, most games I have played seem to use HTTPS. The only time it is used is when the game does not need an instant result, in which case they use HTTP or HTTPS. Most of the time, this is in the main menu or similar. Doing this makes it even harder (assuming they use certificate pinning) for users to change the values returned to gain any advantage on their client.
Any part of the game that needs speed should be using a UDP based protocol.
I recommend you add your primary email address. You can do this via the self-service portal.
Go to https://customer.xfinity.com/#/settings/account under Account / Settings / Contact Information. IIRC you are sent a confirmation email you have to act on before it takes effect.
Implying you’d probably miss it and, if not you, the customers they’re trying to reach.
I don't think there's any fault in logic in presuming that the best way to make sure a customer receives a notification is to insert as near to their known-active stream as possible. I don't condone altering that stream, but I think it would be nice if they could send a page, potentially at the browser or OS level, exclusive for system control and status messages (no sales, marketing, billing, or collection messages allowed).
I had tried calling customer service to see if they'd give me a new bundle but they told me they were only for new customers, so I switched ISPs.
Anyways, when I went in store to return the equipment, the guy I spoke to told me to not bother with phone support but to instead come in store or call him directly (he gave me a business card) since he can get existing customers bundled rates that the phone reps can't.
While I had the choice of ISP, many don't; I'd definitely recommend going to a store location where you can talk face to face with someone in your area and see if you can't get a contract at a better rate than you pay month to month.
Why would they not maintain a clean marketing list!?
I don't mind the anon downvotes though, it's par for the course anywhere.
However, the supported device list shows that it's still an allowed modem to use for, e.g., a 200mbit connection. A user that's looking to purchase a modem isn't discouraged from getting one from Amazon.
Since Comcast considers it EOL, any interaction with Comcast support includes the stipulation that it's likely the modem that's causing the problem, and the customer will be liable for a surcharge if a technician decides it's the modem causing a problem.
For a brand new modem, purchased from Amazon right now.
There seems to be a disconnect between EOL for the purpose of leasing a modem and EOL from the vendor.
As another comment points out though, I'd also like to understand why it was decided to communicate by injecting JS into pages people are visiting rather than following a more traditional communication channel like snail mail. I assume that this solution scales better and has immediate $ attached. However, it also seems obvious to me that it reinforces brand image and political issues people have with your company.
I get that's problematic for your modernization efforts, but in that case: eliminate modem rental fees. Bake the fees into the standard cost of the service and don't let customers use their own equipment. I understand that non-cable competitors don't have this cost to shuffle around, and that this will mean you are forced to either A) raise prices publicly or B) have lower margins. That's your problem because of your technology legacy; don't pass the misery on to the customer.
While you're at it, offer two hardware choices: one with, and one without routing/wireless. I refuse to run a wifi network in my household for your other customers and expect complete control over my LAN configuration.
On the topic of injection: I get that you don't think it's immoral, but hey, 1) most people who understand it think it is totally unacceptable. And 2) the window for this approach is rapidly closing for you as the web moves to SSL everywhere. Give up on this approach now and save face.
I love how it's in the interests of public companies to brag about how successful they are. When I see a comment like this, I like to check out the most recent 10-K. According to Comcast's stated figures, they made $8.7 BILLION last year. So, they're doing pretty well. Now, obviously, they can't just give the modems away, but if they would at least STOP BILLING THE CUSTOMER for a leased modem after their costs have been recouped, that would be a HUGE public-relations win.
If we all could buy the modem of our choice, over time, say, amortized over the length of your contract, and then RELIABLY stop getting billed for it, I'd LOVE to just buy it through them. I'd argue that the reduced support costs for NOT BEING RENT-A-CENTER JERKS about the modems would save them a lot of money in the long run.
As a website owner you should have the right to verify all code that will run on your website to be sure that it won’t cause issues since only you have the context needed to make that call. What if there’s a global DIV selector that hides the close button, the website visitor is screwed! And they’ll just think it’s a problem with your website.
3.0 spec does up to 1.2Gbit/sec, just like Comcast. You know up to 200Mbit/sec, which is more like 20 because of all the "extreme complexities of the internet service".
At the very least, you have customer addresses. You should also have phone numbers and email addresses. If you have a way to bill customers, you have a way to contact them.
Injecting JS into HTTP sites is disgusting. It violates both the user's and the site's expectations and is entirely unnecessary.
There is no ethical excuse to ever inject code into a webpage.
Your own argument about it being critical is false or sophistry. If there were wildfires coming to burn someone's house down..that might qualify as critical. Not this, and deep down you know it.
You should be embarrassed to attach your name to such an obviously poor decision.
If a fellow community member has a first-hand involvement with a situation under discussion, such as working for a company that some people are mad at or does some wrong thing, we're all responsible for reacting responsibly. Otherwise bad things happen, such as first-hand observers being scared to post because they'll get lashed out at, and the already-weak community bonds we have here getting weaker. We all know what the culture of online shaming has led to and it's all our job not to do it on HN.
This is, in and of itself, a blaming statement. Blaming statements, such as the one contained in the comment you replied to, are a result of a) dissonance and b) inability to resolve the dissonance.
It is, in fact, unknown what the culture of online shaming has led to in our society. In fact, I'd hazard "shaming" online is actually just raw blame provided by some rationalized thought process driven by Internet interactions themselves, not the people reacting. See This Video Will Make You Angry on YouTube for context. Screwing with people's Internet in contextually what could be considered "wrong" behavior becomes highly polarizing. Inasmuch as someone coughs because they smoke, people blaming is a result of a larger problem, perhaps related to the fitness of memes and some people's weakness in being hacked emotionally by memes with higher sophistication. Again, that problem is noted by the dissonance and inability to resolve it, but the behaviors emerging from those who are "infected" by the thoughts are not exactly theirs to bear alone. We blamed the tobacco industry for smoking. Why can we not blame the employees who are providing the rationalizations for bad behavior? One might argue that they shouldn't be blamed because they have no choice in the matter. It may be their job to argue otherwise for the company.
The irony here is that the vast majority of the denizens of HN are likely responsible for creating most of the "mess" we're in today by writing software without considering the long-term effects on consciousness and perception of reality. That "mess" would be defined as means, by algorithms or neural networks, to attempt to exploit weaknesses in human nature to spread others' beliefs in an unnatural way. Growth hacking. In some cases, like Comcast, those beliefs are rooted in sophisticated rationalizations which sound good when limited in scope. But! I don't care what anyone says about it, changing the content of a page which, when requested from one place returns one thing and when requested from another (which ones pay for I might add) returns another thing entirely is a violation of TRUST. At least it is to me. I like consistency in my data.
If one of the "members" of this group we call HN wants to make a blaming statement against someone who is defending this irrational logic, then I say let them blame! How else are we to uncover the dissonance and solve it? Or, perhaps, that dissonance is desired to be left in place by our complicit behaviors trying to be "nice" to each other.
I've suggested before social media sites could benefit from a "this is a blaming statement" flag on articles or comments. I stand by that assertion today. Logging back out again. Thank you for all the hard work that goes into running this place.
...unless it's for adblocking...
Although I do that with a MITM proxy locally (and thus filters everything on my LAN), it would certainly lead to a very interesting situation if an ISP decided to do it...
Way too much non-spam disappears down overeager spam filters, which most people only check if they are specifically expecting some particular mail and it does not show up as expected--and even then many won't check their filters.
An ISP could whitelist their own mail in their spam filters but that would only help with the customers who use their ISP-provided email. A lot of people use third-party email providers instead and never use their ISP email.
I will at least _glance_ at my email.
For critical service info I'd want SMS personally, from a verified number with a link on the company main domain to verify the info.
Is that the idea here?
Or does this efficacy come at some cost (namely, the sentiment behind this thread)?
You know it's actually an important piece of mail when the envelope isn't imploring you to open it.
More work, but way less scummy.
In either case, the argument does not address the fact that customers recognize unsolicited packet injection as unacceptable ISP behavior. Without support metrics, we can argue all day about the efficacy of one method of delivery over another, but the fact remains that no sensible user would perceive e-mail and/or post of official notice from their ISP as overtly intrusive. With as much internal advertising as Comcast distributes amongst its existing customers, it blows my mind that official notice generated from boilerplate and delivered via snail mail would fail to achieve the intended goal.
To be sure, your pre-edited comment:
> Surely showing up in-person at their door must be an even more effective "reminder" than the browser injection! Is that next?
This standard seems like a terrible mistake. Isn't this exactly what malware creators want? To condition users to click the browser pop up that says "YOUR COMPUTER IS INFECTED WITH MALWARE, CALL THIS NUMBER/INSTALL THIS HORRIBLE THING TO FIX IT?"
Why on Earth would anyone issue a standard that says that ISPs should deliver that kind of notification, thus training consumers to believe them?
When used by practicing engineers as a low-overhead way to document interoperability requirements for working software, it's been fantastically successful. But it also lends itself to this kind of pseudo-fraud "standardization" by less ethical players.
Bottom line: an "RFC" means nothing per se. What matters is whether the community wants to support it. So RFC7540 is an important standard everyone agrees to support. RFC6108 is garbage.
This should be ILLEGAL, I don't give a crap about "getting the government out of our lives", well guess what, they need to step in and prevent these slimy "business" practices from happening or punish the corporations trying to exploit their captive audience.
Exactly. And the response, "we're not trying to sell you a modem, we're just encouraging you to strongly consider buying a new one" is such a hair-splittingly asinine response considering the rather serious breach of trust posed by the notification system.
Making up quotes like this is against HN guidelines (and common decency).
Moreover there's nothing in the guidelines about "making up quotes" (which again isn't a reasonable interpretation of what that is), whereas there are actual, explicit guidelines against addressing yourself to unreasonably interpreted versions of other people's comments.
You're right that it isn't explicitly mentioned in the site guidelines, but those aren't a list of proscribed behaviors but a set of values to internalize. I'd say "Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize" covers this case pretty squarely.
And virtually anyone in any argument could insist, tediously, that those disagreeing with them have failed to interpret with sufficient charity.
But it's one thing to note that as a hypothetical possibility, and another entirely to point to something that's actually a clear-cut offense. I don't think I twisted or misrepresented anything, and no one seems to be suggesting that anything was actually misrepresented or misinterpreted so much as they're using this occasion as a jumping-off point to litigate the abstract principle. Which I don't think is a constructive use of anybody's time, which is why this is a bad norm that shouldn't be observed.
No, that is what I'm suggesting. Your comment reads as a quote. After reading it, I went to the linked page and looked around for the context. Turns out, there was no context for that quote, because it's not a quote, because those words aren't actually in the original text.
I'm asking whether, even a person who wasn't making a reasonable interpretation of what I was saying, would have been misled by the way I characterized Comcast's position. Is there a significant difference between the way I phrased Comcast's position on whether or not they were exhorting their customers to purchase a new modem, and the way they actually phrased it? Because I don't think there is.
You're spending a lot of time prosecuting this point, and requiring time to be spent by others who care about HN being better than other online communities.
Whether or not some hypothetical person not making a "reasonable interpretation" would have been misled, or whether it's reasonable that a reader had to spend time searching for the quote to verify it to realize that it was not actually a quote (and how many others would have bothered to do that), are matters that we could spend many more hours debating.
Or, you could just accept that it's better to refrain from misquoting people in future and we could all get on with our lives.
All it would have taken you was to preface the "quote" with something like "the response, which effectively amounts to saying...", and it would have saved everyone the bother.
C'mon, is this really a hill you want to die on? Maybe let it go :)
I got bit by this a bunch when I first got on HN; it was surprising to me how seriously it was taken. But it is, and it's not hard to work around.
> The gist of the HN community's opinion is, "don't use quotation marks when paraphrasing."
> Lately the Democrats approach has been, "oppose Trump at every turn."
However, when paraphrasing a specific individual, it is frowned upon at best, and considered intentionally misleading at worst, to put paraphrases in quotes.
> pvg said, "I don't care what HN thinks, I'll do what I want."
> pvg continued with, "no one else cares what HN thinks either."
Contrast that with,
> pvg said that "only hardcore lispers" care about how paraphrasing works.
In the last example, you can clearly tell the direct quote from the paraphrase. This is very important when communicating someone else's ideas.
Regardless of hard and fast "rules" of punctuation and grammar, you have a large number of people calling your writing misleading, confusing, and inaccurate. Clear communications should be the goal of any writing; wouldn't you be best served by hearing and incorporating this feedback?
MLA: "Paraphrases and summaries do not use quotation marks" - http://www.lmu.edu/Assets/Academic+Affairs+Division/Academic...
Purdue: "Indirect quotations are not exact wordings but rather rephrasings or summaries of another person's words. In this case, it is not necessary to use quotation marks" (note that no example of indirect quotations include quotation marks) - https://owl.english.purdue.edu/owl/resource/577/01/
"But then there's a long slide through confusion and bias into intentionally misleading quote-mangling and outright fabrication" - http://www.slate.com/blogs/lexicon_valley/2013/10/17/gay_tal...
A lot of zeros and ones are being spilled on behalf of the abstract principle of how quotes can be hypothetically used, abused and interpreted, but none of the 40+ comments beneath my now-flagged paraphrase of Comcast's statement is actually arguing that my paraphrase was in any way distorting or misleading.
So I question the value of this norm, if the practical way it tangibly cashes out is in the form of extremely long derailments substantively unrelated to the comment that caused the rule to be invoked.
It's just a dumb, arbitrary rule. It serves no purpose beyond facilitating righteous rebuke. You can make a better rule dealing with the underlying behaviour while oxygen deprived from screaming at dang about HN's political bias.
> not how writing or paraphrasing works anywhere else
That's simply false.
If you want to use Reddit et al as your standard reference on the use of language and punctuation, have at it. But you can't reasonably expect every other forum to use that lowest common denominator. Railing against simple, longstanding house rules like this is just pointless contrarianism.
In terms of what contexts one should keep in mind when interpreting comments with good faith to come to a most reasonable interpretation of what they are saying, the way language is used on reddit is probably a much more reasonable benchmark than MLA style guides.
No, it isn't. I'm saying what somebody else is saying, in their voice. This goes in quotes, because it's someone else's speech, even if it's my version of their speech. The fact that they didn't actually say it comes from context. Punctuation is not semantic markup.
This doesn't come from reddit, it comes from, you know, the way people actually write. The fact that it requires repeated and lengthy explanations is a pretty decent indication it's not how anyone else writes.
Now, I think that it’s a fair argument that a web forum needn’t have the same formality as other written word, but your assertion that “it’s not how anyone writes” is clearly untrue.
And just as a single data point, I expect when someone uses quotes even on the web that they are asserting a verbatim quote.
I certainly default to assuming it does and in many contexts it is an explicit rule.
I don't understand how you've refuted that while also saying they sometimes don't. Are we arguing about contexts here? My claim is almost trivial - nobody reasonably familiar with English thinks quotes imply a verbatim quote. That's just not what quotes are for.
Getting back to the actual point, in formal writing, quotation marks are definitely considered to delimit actual quotes. That's where their name comes from and that's their purpose. If you want to paraphrase or otherwise interpret what was said you just work it in without quotes.
Personally, I relax my expectations in informal contexts if I don't know the person or their writing habits, but I'm just being pragmatic. In other words, the rule doesn't change, it's just not always followed.
That your position is that I’m in the minority on this is doubly surprising to me given that’s what all the style guides and my high school English teachers taught me.
"In English writing, quotation marks are placed in pairs around a word or phrase to indicate:
Quotation or direct speech: Carol said "Go ahead" when I asked her if the launcher was ready.
Mention in another work of a title of a short or subsidiary work, like a chapter or episode: "Encounter at Farpoint" was the pilot episode of Star Trek: The Next Generation.
Scare quotes used to mean "so-called" or to express irony: The "fresh" apples were full of worms."
Even 'direct speech' is at odds with 'verbatim quote' and that's the first thing there. Direct speech can be completely made up.
"AP, MLA & CMS" are an absurd counterpoint that falls well within 'that's not how anyone writes'. They are, if anything, lengthy exceptions to how anyone writes.
It's a deeply silly argument and my point is 'an internet messageboard should not be regulating punctuation'. It should, as this one usually does, try to regulate behaviour.
(For what it's worth: this little subthread is about 10x more interesting than the story and the rest of the thread it's attached to).
Don't be an ass.
Don't call other people asses.
Don't complain about votes.
Some weird thing about quotes we can't even sort out as well-intentioned nerds who love to talk about rules.
I don't think that's a good rule. I think what it's trying to address is probably a good rule. But it's addressing it in the dumbest possible way.
That's fine, when you're writing fiction. But in most online forums, fiction is frowned upon.
Still, it would have been clearer to say something like "Exactly. And the response, which amounts to 'we're not trying to sell you a modem, we're just encouraging you to strongly consider buying a new one', is such a hair-splittingly asinine response considering the rather serious breach of trust posed by the notification system."
Also, for what it's worth, I do agree 100% with your argument there :)
However, I think (1) few are as lucid as you on that particular point and (2) whatever the merits of this as a general debate, and I think there is some merit, I think the question is whether this norm improves conversation in a thread like this. I think it was invoked frivolously, spawned a long, 50+ comment chain, and it didn't clear up any of the confusion that it seems like the norm is supposed to be designed for.
As more Comcast customers receive JS-based notices like these injected into their normal web traffic, any enterprising jerk can clone the message, change the links to point to their own phishing site, change or omit the phone number, and snag a whole bunch of unsuspecting Comcast customers.
To be a devil's advocate, Comcast customers have been phished before via email too:
...and then there's the various phone and even door-to-door scams, but I'd consider the latter to be much harder to do.
Well, what I meant (within the response length constraints of Twitter) was that we're not saying you can only buy it from us. Just that the customer needs to buy it someplace. That way a customer can do as they wish - ranging from buying a used one on eBay to getting a new one from Amazon or Best Buy.
Ultimately the objective is to ensure a customer is on a device that can (1) deliver the performance for which they pay and (2) is up to date technically (i.e. supports IPv6 and channel bonding) and is supported by the vendor (i.e. software updates & bug fixes).
One of the big risks we have to help mitigate is when a device goes EOL, which means no more software updates, and a security or significant performance issue arises in the future. By proactively beginning the replacement process this helps minimize any future impact when it is a major issue like that. So taking action gradually on a proactive basis prevents a more severe impact later on. In many cases, these are DOCSIS 2.0 devices and that technology and often the software is from 2001, the same year as the 1st gen iPod and when Windows XP was released.
Eventually a modem will go into End-of-Service (EOS) status. At that point there is a definite date/time limit for the device, after which it is de-provisioned from the network and the customer must replace it to continue service. This has been the case in the past with DOCSIS 1.0 and 1.1 devices for example, after years of work to encourage customers to replace them.
See also https://www.xfinity.com/support/articles/end-of-life-devices
and the start of the EOL/EOS process for DOCSIS 1.1 devices https://www.dslreports.com/forum/r27473499-Speed-Heads-Up-Ti... and https://www.dslreports.com/forum/r28497383-Speed-Upgrade-You... and https://www.dslreports.com/forum/r30524429-Equip-Reminder-Pl... and https://www.dslreports.com/forum/r30450278-Speed-Heads-Up-Ti...
Unless I’m misunderstanding, this was not causing such a problem. Casting it as a customer good is rhetorically amusing, and probably holds water with people who are predisposed to agree with you, but I can make any number of morally bankrupt decisions using exactly the same logic. You have simpler ways to deliver this message, that do not cause nearly as much harm to your customer and do not require you to intercept and modify their traffic.
And mail pieces don't produce the potentially rather widespread indignation that traffic injection does. Granted, I don't see the harm in it that a lot of people here do. Unencrypted traffic is unencrypted traffic - open to tampering by anyone, not just Comcast, and for many less innocuous reasons than the one for which you've chosen to do so. But with Let's Encrypt, browser manufacturers, and friends leading the charge toward TLS everywhere or as nearly so as is practical, and with most sites that most people use already employing TLS, the attack surface is closing for even an other-than-innocuous variant of your notification methodology. Of course, that also means that that methodology itself is reaching a natural end-of-life, as it cannot work anywhere that TLS exists, and the majority of the web where it does exist continues to grow. If this low-latency notification scheme is of unique value to your business, then now is the time to consider replacing the outdated technology that underpins it with something which will continue to work reliably over the next decade or two.
All that said, I appreciate your decision to engage in this forum. That's unprecedented in my experience from someone in a position like yours, and I wouldn't mind seeing more of it.
Lots of reasons, including years of experience with response rates for particular types of messages / calls to action. Clearly one particular communications channel won't work for everyone - each person has their own preferences. One of the things we're working on is to better enable you to control just that - basically one person may ask for SMS messages, another alerts via their mobile app, another via email, another via phone call, etc. You can see the beginnings of that in MyAccount / Settings / Communication & Ad Preferences.
> But with Let's Encrypt, browser manufacturers, and friends leading the charge toward TLS everywhere or as nearly so as is practical, and with most sites that most people use already employing TLS, the attack surface is closing for even an other-than-innocuous variant of your notification methodology.
Agree. And more TLS is better IMHO. I also like the work that Let's Encrypt has been doing - they've had a really big impact on the adoption of TLS. (See also http://labs.comcast.com/innovation-fund-spotlight-lets-encry...)
> Of course, that also means that that methodology itself is reaching a natural end-of-life, as it cannot work anywhere that TLS exists, and the majority of the web where it does exist continues to grow. If this low-latency notification scheme is of unique value to your business, then now is the time to consider replacing the outdated technology that underpins it with something which will continue to work reliably over the next decade or two.
You bet - totally agree! One of the places we're engaging to try to do that is in the IETF's CAPPORT working group and I think the charter reiterates all the points you made: https://datatracker.ietf.org/wg/capport/about/
> All that said, I appreciate your decision to engage in this forum. That's unprecedented in my experience from someone in a position like yours, and I wouldn't mind seeing more of it.
My pleasure & thanks for being a customer that's willing to offer constructive criticism. :-)
The fact that Comcast has and abuses its monopoly is bad enough. That you would try to standardize your abusive behavior is appalling.
This reminds me of the part in Romeo & Juliet where Sampson says "I do not bite my thumb at thee, but I do bite my thumb."
Here's what a customer should do:
Just file a complaint. Via snail mail. To the FCC. Include screenshots of the VP explaining how this is all ok.
After that the customer should enjoy the show. I'm sure at least the customer is going to be provided a top tier service for the rest of his life in any comcast service region. Most likely for free.
This is how one teaches companies to behave. He or she finds a pressure point and exploits it. It does not matter that the opponent is a 350 lb gorilla. Small joint manipulation by a 95 lb girl puts that gorilla on its back. For Comcast, VZ, etc. that pressure point is a snail mail complaint to the FCC. For national banks, it is the OCC. It works every time it is tried. What does not work is bitching about it on HN.
I live in France and use Orange as my fibre provider. 1 Gbps/250 Mbps without constraints. I used to have Free, which was great but did not offer fibre when fibre was installed. I switched to Orange in 5 min via a web page. I have another possibility (SFR) but they are despicable liars and for this reason alone I scrapped them.
This is France, where competition is not a national sport so I was expecting the US to have 5 other companies banging on the door.
The BBC had an article about this a few years ago. Basically the highly regulated countries had cheaper and faster internet.
> Rick Karr, who made a PBS documentary in which he travelled to the UK to find out why prices were lower, says that the critical moment came when the British regulator Ofcom forced British Telecom to allow other companies to use its copper telephone wires going to and from homes.
> But US regulators took a different approach. Rather than encouraging competition between operators using the same network, the US encouraged competition between different infrastructure owners - big companies that could afford to build their own networks.
> Some believe that UK-style regulation is bad for competition and innovation, however, and suggest that the US is already one of the world leaders in broadband.
I’m prone to suspicion of their business practices too, but every one of the Comcast technical staff I’ve met, from Jason down, has been an excellent person deeply committed to the best mission of a telecoms company, enabling human communication. Is that a marketing campaign? Yes, but as far as I can tell it’s an honest campaign of showing the world who they are and what they care about.
The US model is closer to the US railroad model (although not an entirely accurate analogy): largely privately owned with some government owned, funded by large infrastructure companies that charge customers for usage, and, due to infrastructure costs, rarely duplicated in close proximity. It's had issues with off-and-on regulation, profitability, and localised monopolies that have a tendency to overcharge when they can get away with it.
Suppose you were a major company with big dollars to spend on offering internet service... someone like Google, for example. Then suppose you wanted to provide service in Louisville, Kentucky. How many years do you think it would take to get permission to attach your lines to the existing telephone poles (owned by the city) if the local telephone and cable providers try to tie you up in lawsuits? What if the city's mayor was enthusiastically supportive, and willing to pass new laws and spend hundreds of thousands of dollars of the city's money going to court to permit Google to start offering service. It would still take years to get permission. Fortunately, this isn't one of the many cases where state or local laws prohibit other companies from competing with the one local cable company, or it couldn't happen at all.
Now imagine it is anyone OTHER than Google with their huge warchest, legal department, public support, and local government support. It wouldn't get anywhere at all. If it did, the cable company would drop rates for a few years until the competitor went out of business, then raise them afterward.
The United States pays lip service to the idea of competition, but most of our politicians have gotten "competition" confused with "supporting big corporations". This is why internet service providing is a monopoly or oligopoly in nearly all US locations.
Example: the online marketplace for social, search, and email is stagnant for obscure legal reasons. We should identify these (copyright and the CFAA) and remove the barriers.
Megacorps have exploited core conservative values to guilt people into believing that they're commies if they refuse to write a blank check for any big company that wants one. We can make real progress, and it's important progress, by highlighting to Republican/conservative-leaning voters that selling their country to corporate raiders is not a pre-requisite for being pro-business or pro-small-government.
By no means do I believe that Democrats or liberals have clean hands on this. All sides deliberately ignore and subvert intellectual property matters because it is so dang profitable, and this affects "liberal" industries much more deeply than "conservative" ones. Copyright is fundamentally "big government", which more conservatives would recognize if the narrative around this issue wasn't so tightly controlled. And that's not to say that copyright doesn't serve a useful purpose at all, just that we should be cautious and wary about it.
Since bad political actors and profiteers actively and successfully cultivate tribal dynamics for their benefit, the tribal context and instinct can't be ignored. It must be worked within. Approaching a tribe as an outsider just causes them to raise their shields and ignore anything you say.
Good principles and values drive most actors on both sides of the aisle. Political alignment basically seems to just come down to which principles we prefer to favor/bias. Under that context, the need for balanced, inclusive dialogue is clear, and we should all be grateful for the diversity of opinion that keeps everything in balance.
Maintaining that diversity means working within the structures of human association to create authentic, grateful alliances built on that recognized need, instead of allowing others to abuse those same structures to provoke destructive animosities.
Some cities only have one existing fiber line even coming into them, usually owned by one of the local duopolies (typically phone, since they originally were required to offer phone service to everybody).
This gives incumbents an immediate advantage in terms of reaching customers with physical infrastructure, before counting any of the (admittedly fucked) politics involved.
I live in Washington DC, in the city, and I only really have one choice where I live, Comcast.
In NYC, in one apartment I had 3 or 4 different ISPs to choose from, RCN included. In my current place, I only have one.
The idea is to make it better for people, not corporations (which are not starving either)
I thought that AT&T was split once in the past to differentiate backbone and service providers - why not in the case of fiber?
So-called unbundling was done, but in exchange, the backbone provider got a legal monopoly. Almost everywhere AT&T or Verizon lays fiber has competition, usually with a local cable company.
For an example, here's the page for Portland's agreements:
A former coworker was telling me the difficulty of getting a DSLAM installed in a high-rental area, like a Seattle neighborhood. The DSLAM install requires approval from 40% of the property owners, so you might write each landlord a letter, but the landlords aren't opening letters unless there is rent money inside. So installing a DSLAM becomes a political game of convincing the several hundred "rental-transient" people in the neighborhood to talk to their landlord. One of the reasons behind the "Ask your Landlord about Wave Internet" signs you see around.
Renters often only plan to stay in a location through their current lease, and thus have less long-term concern over the area. In this way, transience destroys community.
"Those who comment" are far from a random sampling of the user base. It's entirely possible that 95% of users are satisfied "enough" with the service and yet nearly 100% of comments to be strongly negative.
I think sometime around 2008 I first saw them do it (I noticed NoScript blocking a script on a page that it wouldn't normally). If I remember correctly, following it to its source hinted that it was a test for some alert system.
In 2012 I saw them injecting a script to notify people that their email servers were down ( https://www.dslreports.com/forum/remark,27826161 ) though the paranoid in me thinks that was an innocuous way to test how acceptable altering traffic would be.
The escalation I've seen in the last couple of years is the ability being used for Cox customer surveys.
As far as I know they haven't injected anything into my SSL/TLS traffic... yet.
You say that as if it were even possible. Or are you referring to the use of SSL stripping?
HSTS preloading (or visiting a site with HSTS headers that you've previously visited) will protect you from even that.
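As an added illustration of the two mechanisms named in that comment (this is example code written for this thread, not code from Caddy, Comcast or any browser): the block below parses a Strict-Transport-Security header as RFC 6797 describes, checks whether the policy meets the published preload-list requirements (max-age of at least one year, includeSubDomains, preload), and models a client's HSTS store deciding whether an http:// URL gets upgraded. It also handles the edge cases that matter for stripping attacks: a header received over plain HTTP is ignored, and max-age=0 removes a stored entry. Host names such as example.com and foo.test are constructed for the example.

```python
"""HSTS policy parsing, preload eligibility and URL upgrade (added example)."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Minimum max-age the browser preload list requires: one year in seconds.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797 section 6.1).

    Returns None when the header carries no usable max-age, which a client
    must treat as "no policy" rather than guessing."""
    max_age = None
    include_subdomains = False
    preload = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not value.isdigit():
                return None  # duplicate or non-numeric max-age: header is invalid
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_eligible(policy: HstsPolicy) -> bool:
    """Preload-list submission requires all three: long max-age, subdomains, preload."""
    return (policy.max_age >= PRELOAD_MIN_MAX_AGE
            and policy.include_subdomains and policy.preload)


class HstsCache:
    """Minimal model of a browser's HSTS store (hosts -> includeSubDomains flag)."""

    def __init__(self, preload_list=()):
        # Preloaded hosts are baked into the browser and cover subdomains.
        self._known = {h.lower(): True for h in preload_list}

    def observe(self, scheme: str, host: str, sts_header: str) -> bool:
        """Record a policy seen in a response. Returns True if it was honoured."""
        if scheme != "https":
            return False  # RFC 6797 8.1: ignore STS over a non-secure transport
        policy = parse_hsts(sts_header)
        if policy is None:
            return False
        if policy.max_age == 0:
            self._known.pop(host.lower(), None)  # max-age=0 deletes the entry
            return True
        self._known[host.lower()] = policy.include_subdomains
        return True

    def is_known(self, host: str) -> bool:
        host = host.lower()
        if host in self._known:
            return True
        labels = host.split(".")
        for i in range(1, len(labels)):  # walk up parents for includeSubDomains
            if self._known.get(".".join(labels[i:])):
                return True
        return False

    def upgrade(self, url: str) -> str:
        """Rewrite http:// to https:// for known hosts, as a browser does before sending."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    cache = HstsCache(preload_list=["example.com"])
    print(cache.upgrade("http://www.example.com/login"))   # upgraded via preload
    cache.observe("https", "foo.test", "max-age=31536000; includeSubDomains; preload")
    print(cache.upgrade("http://api.foo.test/"))           # upgraded via stored policy
```

The point the model makes concrete: a stripping proxy can only win on the very first plain-HTTP visit to a host the client has never seen, and preloading removes even that window because the host is known before any response arrives.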
The later specs allowed for floating channels based on channel maps, which allowed Comcast to bypass those degraded channels.
Note: I'm not an apologist, but I worked for Comcast and for a subcontractor. Comcast treated (at least in my opinion) their customers like wallets that called and complained, but under the subcontractor I saw that since they didn't rewire 100% of all networks purchased, it was common that the older lines were causing the degradation and also reflection on other RF channels sometimes on the other side of an area even.
Now if Comcast invested in their network as opposed to buying other companies and calling it investment, this might have been fixed, but that would be decades vs. having every modem that wasn't compliant to the new spec swapped.
The newer modems support more channels and newer modulation/technology. This isn't just about supporting newer speeds. In order for them to support those newer speeds for other customers they have to upgrade their equipment to support more channels and newer modulation/technologies.
At some point these older technologies are not just wasting resources by being less efficient, but are preventing the company from upgrading their equipment.
The reason I don't understand is because it's common to see people complaining about the state of broadband in America compared to other countries. Yet Comcast is probably the most progressive as far as pushing the technology goes. Don't misunderstand me, I believe Comcast holds a near/total monopoly in many locations around America but at least they're progressive with their network and technology despite the lack of meaningful competition.
it's as easy as walking into a Comcast store and swapping it
I live about 6 minutes from one, and it can still be a multi-hour adventure.
or am I misunderstanding?
Do we, as a community, have any mechanism to detect if these sorts of attacks are occurring?
What will happen is someone at Comcast will notice that their injections aren't happening often enough anymore due to HTTPS adoption. Someone at Comcast will suggest implementing a MITM TLS proxy service to get things working again. Someone else at Comcast will note that wouldn't actually work because they can't install fake root certs on every client device...
Then Comcast will basically switch to a model where the HTTPS interception is "optional" (requiring the client-side use the proxy explicitly), but they'll start shipping some kind of "Comcast Setup" executable (or mobile app) users are supposed to run on their client laptops/phones so that they can get these important service notices, which turns on the client-side use of the proxy and installs the fake root certs. Geeks may not install it, but the bulk of their customers will, and everyone loses. I don't think broadband consumers are aware of the fact that they shouldn't trust software provided by their ISP...
That's my fear too. This has to be handled by other means and has to stop. If everything is HTTPS you can be sure it gets very insecure by design, as everyone will upgrade their capabilities and inject certs on you, and then we would need a new, more secure protocol.
Why is email still insecure and sent in plain text? Why is there hype for HTTPS but everyone is fine with sending mail in plain text, yet we have S/MIME etc. and no one is using or supporting it.
> Do we, as a community, have any mechanism to detect if these sorts of attacks are occurring?
Yes, Caddy can detect whether a connection is being MITM'ed: https://caddyserver.com/docs/mitm-detection
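Caddy's check works at the TLS layer; the question above can also be answered at the application layer for the plain-HTTP case this thread is about. The block below is an added example written for this thread (not Caddy's code and not anything from Comcast): it parses the script elements out of an HTML page and reports two things, scripts whose origin is neither the page's own host nor an allowed third party, and scripts present in an observed copy of the page but absent from a reference copy fetched over a path the intermediary cannot touch (a VPN or TLS, which the example assumes exists). The reference page, the observed page and the placeholder host `notice.isp-placeholder.example` are all constructed for the example.

```python
"""Spot scripts injected into a plain-HTTP page in transit (added example)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed reference copy of a page, as the site itself serves it.
REFERENCE_HTML = """<html><head><title>News</title>
<script src="/static/app.js"></script>
<script>window.cfg = {edition: "us"};</script>
</head><body><p>Hello</p></body></html>"""

# Constructed "as observed" copy: the same page with one extra script
# referencing a host the site never used (placeholder, not a real address).
INJECTED_HTML = REFERENCE_HTML.replace(
    "</body>",
    '<script src="http://notice.isp-placeholder.example/alert.js"></script></body>')


class _ScriptCollector(HTMLParser):
    """Collects every <script>: external src values and inline bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def script_signature(html):
    """Identity list for a page's scripts: ('src', url) or ('inline', sha256 prefix)."""
    p = _ScriptCollector()
    p.feed(html)
    sig = [("src", s) for s in p.external]
    sig += [("inline", hashlib.sha256(t.encode()).hexdigest()[:16]) for t in p.inline]
    return sig


def injected_scripts(reference_html, observed_html):
    """Scripts in the observed page that the reference page does not contain.

    Multiset difference, so a legitimately repeated script is not flagged."""
    remaining = script_signature(reference_html)
    extra = []
    for item in script_signature(observed_html):
        if item in remaining:
            remaining.remove(item)
        else:
            extra.append(item)
    return extra


def foreign_scripts(page_url, html, allowed_hosts=()):
    """External scripts whose host is neither the page's own nor allow-listed.

    Useful when no trusted reference copy is available; relative src values
    resolve to the page's own host."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    allowed = {page_host} | {h.lower() for h in allowed_hosts}
    p = _ScriptCollector()
    p.feed(html)
    return [src for src in p.external
            if (urlsplit(src).hostname or page_host).lower() not in allowed]


if __name__ == "__main__":
    print(injected_scripts(REFERENCE_HTML, INJECTED_HTML))
    print(foreign_scripts("http://news.example/", INJECTED_HTML))
```

The comparison against a reference copy is the stronger signal, since a site's own third-party scripts (analytics, CDNs) will always show up under the allow-list check until they are listed; in practice the two checks are run together and a hit from both is what warrants a closer look at the path between client and site.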
It's the fact that the ISP is modifying traffic in-route, to inject something that was never intended to be part of the page, that is the problem.
I expect my ISP to be a neutral carrier of messages, not meddling and altering my mail to add whatever they happen to feel like adding today.
HTTPs is good, got it.
I mean, look at the code. Look at the function of this code. Look at the business purpose of this code. Look at the security aspects of using this code. Look at the legal ramifications (why the hell is that LGPL thing up top there?). Look at their internal communication. Look at how easy it is to see exactly what they're doing ...
All of it screams "no double digit IQs anywhere near this thing".
And yes, I mean, I know that's not true. Their people are not this stupid (though some must be). But they do this anyway. The organisation does business analysis at the level of a 5 year old, codes like a 10 year old, obviously this has not passed legal review, ...
How can an organisation that executes this badly become this big? I mean, I know the answer is "government" and government making them a monopoly, but still. WTF.
You think things in the world are so "obviously" black and white.
Comcast making shitty business decisions is not burning Jews in ovens. And the fact you're not immediately laughed out of the room when you make such comparisons is the real sad reflection of society in this thread.
"Good" as in technically competent? (in which case untrue).
In any case, here the intended meaning was clearly "technical ability", which doesn't require morality
"good" as in having the qualities required for a particular role, as per Google.
A million Shakespeares typing on typewriters write no better than a monkey!
I like it, although I think the analogy fails here. How about "An infinite amount of Shakespeares typing on the same typewriter will inevitably produce garbage"? :)
Would we have gotten twice as many plays out of him?
He was clearly slacking.
Eh, telco infrastructure is a natural monopoly. No government needed for that.
The EU member states implementation of deregulation of the telecoms sector is far from perfect, but most of them have ended with something that works reasonably well.
E.g. in the UK, while the cable operator (there's only one of note left standing) has mostly escaped regulation, BT had its last-mile infrastructure subjected to heavy regulation to the point where it's been split out into its own company (OpenReach) that maintains the network and is legally obliged to resell access to anyone at the same terms.
You can even get the prices to terminate an IP connection with a subscriber on their website.
ISPs can put equipment in the BT exchanges and get a raw connection, or can pay for "backhaul" to a set of central locations.
I know the US also has a form of local-loop unbundling, but it's clearly not working very well given the level of complaints people have about these services in the US. Possibly because of the price-setting mechanism?
As a result there's a lot of competition in the ISP space in the UK (as there is elsewhere in the EU).
(Where it's not perfect is that the way the regulations have been set up gives too few incentives for BT to invest and innovate in the last mile network and is often accused of milking OpenReach for profit; two ways of improving on that would be to restrict how much profit they could take out as dividends to a proportion of how much they reinvest in network improvements and/or split maintenance/operation into regional franchises and force companies like OpenReach to bid for it on a franchise basis; though the latter is hard to get the evaluation-criteria right for)
It's worth noting this involves two different layers of regulatory separation.
Most ISPs don't run their own LLU operation. They buy access from one of BT Wholesale or TalkTalk Wholesale (who are technically LLUers and both, in turn, use the last-mile network run by Openreach). As you say, the prices which both of the BT Group companies are allowed to charge are regulated and published and companies can "innovate" at quality of service or features offered.
The relevant part here is that the US has never AFAIK had the same wholesale access model. With that, an upstart ISP could have the same coverage as Verizon/Comcast/etc but have the option of not doing these scummy things and/or being as network-neutral as they pleased, within the limits of their business model, without having to spend boatloads of money building a network to access those customers.
LLU, on the other hand, requires way more investment so it's not surprising that it never really took off in the US where DSL always seemed like the poor relation compared to the cable networks.
In my time in the US several years ago I was horrified at the cost and quality of internet (and mobile) service compared to the UK.
Any strong libertarian ideals I once had were crushed by the reality of things like this. (Healthcare too but that’s another discussion).
It's worth noting, though, that this is the EU's doing, through the Telecoms Directive, not something the UK government did of its own accord.
The current problems are that a) since Trump the FCC is shit, b) local municipalities "vowing" to not enter the market (and others have no incentive).
See these for b:
Oh please, he’s been in office less than a year - none of this amazing ‘sharing’ happened under the previous administration either. It’s totally understandable to have (in my case many) disagreements with the Presidents and their policies, but this knee-jerk habit of blaming whoever is currently in office for everything because he’s not on our team is counterproductive.
It's safe to say at this point that we have a clear idea of what decisions Trump and his FCC will make in the future, and that there would be little to no hope for decisions which will increase competition. A year is plenty of time for assessing the character of an administration, and Trump's has been remarkably consistent in this regard.
Not for everything.
I blamed O'dog for the fucking shady counterproductive NSA practices that he allowed to continue.
The Obama DoJ took a dump regularly on whistleblowers.
And the infamous CIA kill-by-drone program.
And those are just the obvious big ticket items.
The problem with anti-government rhetoric in the US is it creates a self-fulfilling prophecy. Government is not inherently as incompetent and weak as yours often is.
There is no reason why a regulatory solution cannot work in the US when they work well in many other countries of greatly varying size and population density.
If your government fails you, that is not a failure of government: it is a failure of your government.
I mean, there are weekend hacks of similar age and quality, with my name on them, that I know are still in active service. Because, for all their myriad other faults, they mostly work, and everyone who works with them is used to using them and to dealing with the occasional cases in which they misbehave. These are not things which anyone rebuilds just for the sake of it. So they go on being used until they stop working entirely, and the business replaces them with something else.
Whether or not that's a sensible way to go about things is an open question, if you like. I don't think it is, because these aren't the sorts of things which cripple a business if they misfire - or make much impact even if they don't. So investing heavily in them would seem like a waste of money, though perhaps you disagree. But the world need not be mad for this to be the way of things.
The random classList polyfill at the bottom was a nice touch. As I scrolled to this bit I was initially like "oh this'll be nice they encrypted some of--oh. :("
My favorite bit was the "this detects the browser type and version" snippet that was copyrighted 2001. Nice!
I think the move to open-source the code was a ham-fisted way to get the "we're modifying copyrighted documents in flight" part past the lawyers. It's admittedly a pretty decent legal move.
I don't get it, how does that work?
Lots of ads, undercut your competition by something like $1 and "new customer deals" and then shaft your customers after a while
The average customer just goes to the store with the flashier lights (or the one which is more convenient)
"A natural monopoly is a monopoly in an industry in which high infrastructural costs and other barriers to entry relative to the size of the market give the largest supplier in an industry, often the first supplier in a market, an overwhelming advantage over potential competitors."
When there even is any competition. Where I live, it's literally Comcast or else tether my mobile phone. Satellite is technically an option, but realistically between the cost and my tree coverage there's no way to make it work.
The average customer just goes to their cable company (coax cable) or their telephone company (DSL).
(And the kicker is... they both suck!)
Microsoft in the last 10 years, and consider how much talent and budget they have access to.
I remember when Zynga had to lay off programmers by the thousands. I was thinking, they had THOUSANDS of programmers and the best they came up with was skins over top of FarmVille?
Once you get up to around 20+ people on the team, the collective IQ of that team drops to a level where stupid things like this happen...
Nothing good from development by committee, this appears to be a project that was developed by committee
Rather than arguing, I guess, many (who haven't left for one reason or another) would just go with "uh, whatever" attitude and slap something together just enough for PHB to see that popup (and let customer complaints do the rest).
What makes that obvious to you - appears to pass the "we're unlikely to be fined and any fine will be too small to bother us" legal review.
Because "National Security".
"[JL] This is our web notification system, documented in RFC 6108 https://tools.ietf.org/html/rfc6108, which has been in place for many years now."
However, RFC 6108 requirement for use R3.1.1 states:
R3.1.1. Must Only Be Used for Critical Service Notifications
Additional Background: The system must only provide
critical notifications, rather than trivial notifications.
An example of a critical, non-trivial notification, which
is also the primary motivation of this system, is to advise
the user that their computer is infected with malware, that
their security is at severe risk and/or has already been
compromised, and that it is recommended that they take
immediate, corrective action NOW.
Remember they are the only venue to access the internet for a lot of people, what are they going to do? Stop using the pretty much mandatory communication and information platform?
I'm always surprised just how many people here on this site think you can fight social/political fights with technology. Especially when it comes to entities that can bribe legislation and control your communication.
Regardless of what an ISP might do, HTTPS everywhere is excellent advice.
Yes, HTTPS is great and should be deployed everywhere. But thinking that they'll just give up on injecting ads into your stream when a large chunk of people use it is hopelessly naive - especially when off-the-shelf enterprise solutions that MITM HTTPS traffic already exist.
Breaking TLS is considerably harder. And forcing a cert upon your customers would be hard to scale... It would be similar to implementing a firewall forbidding TLS and VPNs. That's a hard sell.
I couldn't agree more! That's one of the reasons for example we have supported groups like Let's Encrypt (http://labs.comcast.com/innovation-fund-spotlight-lets-encry...) and CrypTech (https://cryptech.is/).
Also how hard do you think it would be for American telcos to push for inclusion of their MITM certificates? Especially if other companies like Verizon come aboard the profit train?
Comcast can demand all they want but they are going to have to hand hold a lot of people through the process. Sure Windows/Mac could offer a nice executable to install it for you but you still have to get people to install it and that’s not something their whole customer base will be able to do.
The process of installing CAs on iOS devices involves even more steps. And this is a process that will have to be completed every time a new device is put on their network.
What about even more “locked down” systems? Your IoT doorbell? Your networked cctv camera? Your Smart TV?
Is it possible? Sure. Is it practical? If Kazakhstan couldn’t do it I’m going to struggle to see Comcast pull it off (though if anyone can, it’s prob them). See in a Corp environment where they own all the devices it’s fairly easy to do as most of your deployed hardware is going to be able to remote install what IT asks of them, your mobile devices are going to be enrolled into MDMs and you will have IT staff on hand to help staff enroll their devices. None of which Comcast have.
We are not talking about your avg hacker news reader configuring their devices to get online, we are talking about people like my mother who can just about browse the web and play games on her iPad and struggles to set the alarm on it. How are you going to get her to install the root CA without having someone do it for her? Sure, get the installer to do it? But what about all your existing customers? Are you going to schedule a call out for each of them? And what about when she gets a new device? Are you going to make her take the device to the local Comcast store to get it installed?
Oh and Chrome and/or Firefox could throw a massive spanner into the works by refusing to accept their root cert halfway through deployment, meaning all those “updated devices” need to be updated again before they even had a chance to use it at any major scale.
Sure it’s possible, I just don’t see it as practical as of today.
They published a response to the backlash - http://mic.gov.kz/en/news/matters-using-registration-certifi... saying that it would only be used to improve the security when accessing foreign resources, battle porn terrorism and transnational crime.
Dunno what the adoption rate of the cert was or if they do force the use of the cert when accessing foreign https sites
They quietly removed the notice off the telecom's websites saying that people will need to install the cert or may lose access to foreign https sites (not from Kazakhstan) but I would expect someone would have gotten word out if they had (Maybe they did and I've just not come across it).
All they need to do is block YouTube/Google/Facebook until you run the "Comcast internet setup wizard" (remember? those were a thing!) which makes most customer connections MITMable. Then charge extra for all non-MITMed connections ;)
Declare Firefox as unsupported, Google will have to cave in to the biggest telco and that's that. This article (and all others about Comcast) clearly proves that Americans have zero leverage over companies like Comcast. The customers are peacefully accepting modification of their network traffic now, why do you think you'll suddenly get any more leverage over a natural monopoly you're forced to use in the future? Especially after dismantling net neutrality?
You can only redirect them to the wizard if they try and connect to a non https site or the non http site of a https site they have yet to visit.
Same mother. She has a 4G SIM in her iPad; the cheapest deal for her usage level is prepaid SIMs. When the prepaid credit is gone it’s cheaper to use a new SIM than top up the existing SIM. Except you have to go through an activation portal to enable the SIM. It’s easy. Pop in the new SIM, visit the telco's website or any non-https valid domain, press the activate button and away you go.
She still can’t do it. And in a world where more and more people are using apps instead of browsers, where preinstalled apps will just fail, you are going to cause even more issues.
BT's Smart Setup captive portal on their routers was one of the most annoying things they did. And when searching for it the top results are for turning the thing off. Why? Because it interferes with devices that can not display the portal: Smart TVs, Amazon TV sticks, set-top boxes, webcams, IoT toasters, etc.
While they haven’t removed it from their latest router they have had to make disabling it much easier than in previous versions.
With the number of end user devices on the market, I just don’t see them managing to pull it off by getting end users to install their cert.
But you touch on a point. You say that Chrome would have to just suck it up from Comcast. Now I’m not saying I disagree, but why would Comcast go through all that pain to get end users to install a root CA if they held so much power over Chrome (the largest browser my customers use)? Why not just get the browser to install the cert anyway and save all that hassle with your end users? Think of the savings they would make not having to handle all those support calls.
Like I said. Possible? sure, practical today? I don’t believe so.
I don't understand. Your second sentence seems to contradict your first; Comcast bribing legislators is a social/political attack. What did you mean?
I currently see more hope in tech solutions than political solutions to the problems of privacy, net neutrality, and script injection. We have the option to use content and routing encryption technology that looks something like TOR or I2P. Instead, we're asking politicians who don't understand the tech to protect us from ISPs who will never stop trying to leverage anything they can find in our traffic. Allowing Comcast to see the traffic at all is the problem, and politics will never prevent that.
If it's apparent to you that the political fight is more winnable, or that technical approaches to privacy are doomed, then what is the social/political solution to internet privacy? Because we don't have any right now, and it looks like we're losing the political war.
Case #1: Malware. Full disconnect, redirect to explanation.
Case #2: EOL hardware causing interference. Full disconnect, redirect to explanation, method to rectify.
Case #3: Consumer not getting what they paid for: email me/snailmail.
I think the RFC makes it clear: this should not be for trivial notifications, only critical notifications, and if it is truly critical, it should disable the entirety of the connectivity until the user acknowledges/remedies/whatever.
I call shenanigans.
As a site owner, could I prosecute Comcast for infringing on my rights by altering the content of my pages?
Unfortunately, expect to see more of this happening with the useful idiot Pai running the FCC.
I paged through the JS curiously, and found the URL bnpsa.g.comcast.net/images/mydevicealert/browser/. I wondered what would happen if I hit that from my ISP in Australia. I was surprised: I got an NXDOMAIN back.
But I discovered that googling the above URL as a quoted string finds a bunch of copies of the JS scattered around the Internet. Might be useful.
So then I tried hitting bnp-service-alerts.gslb2.comcast.com/images/. This actually resolved, and Chrome hung at "Connecting...". After rechecking the URLs I noticed this one was referenced in the JS as HTTPS, so I added that, and promptly got 403 Forbidden.
Question to anyone on Comcast [edit: which has been answered]: does http://bnpsa.g.comcast.net/images/mydevicealert/browser/ resolve for you?
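As an added example (not code from the thread, from Comcast, or from RFC 6108), here is a small detector a site owner or customer could run over a page body saved from a plain-HTTP fetch: it lists resources loaded from hosts other than the page's own origin, flags the two hostnames found in the injected JS above, and can diff an HTTP copy of a page against an HTTPS copy of the same page. The sample HTML and the page URL are constructed.

```python
"""Spot script/iframe/img/link elements that were not served by the page's origin.

Added example: the sample pages below are constructed; the two hostnames in
KNOWN_INJECTION_HOSTS are the ones quoted from the injected JS in the thread.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames the thread found referenced inside the injected JavaScript.
KNOWN_INJECTION_HOSTS = {
    "bnpsa.g.comcast.net",
    "bnp-service-alerts.gslb2.comcast.com",
}


class _RefCollector(HTMLParser):
    """Collect (tag, url) for elements that pull in external resources."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "img", "link"):
            a = dict(attrs)
            url = a.get("src") or a.get("href")
            if url:
                self.refs.append((tag, url))


def find_third_party_refs(html, page_url):
    """Return (tag, url, host) for resources whose host differs from the page's.

    Relative URLs and data: URLs have no host and are treated as same-origin.
    Scheme-relative URLs (//host/path) are resolved to their host.
    """
    origin_host = urlparse(page_url).hostname
    parser = _RefCollector()
    parser.feed(html)
    found = []
    for tag, url in parser.refs:
        host = urlparse(url).hostname
        if host and host != origin_host:
            found.append((tag, url, host))
    return found


def classify_refs(html, page_url):
    """Split third-party references into known injection hosts and the rest."""
    known, other = [], []
    for tag, url, host in find_third_party_refs(html, page_url):
        (known if host in KNOWN_INJECTION_HOSTS else other).append((tag, url))
    return {"known_injection": known, "other_third_party": other}


def refs_only_in_http(http_html, https_html, page_url):
    """Resources present in the plain-HTTP copy but absent from the HTTPS copy.

    Since an ISP cannot modify the TLS-protected copy, anything that shows up
    only in the HTTP copy was added somewhere between the server and the client.
    """
    https_set = {(t, u) for t, u, _ in find_third_party_refs(https_html, page_url)}
    return [(t, u) for t, u, _ in find_third_party_refs(http_html, page_url)
            if (t, u) not in https_set]


# Constructed sample pages: what the server sends vs. what the client received.
PAGE_URL = "http://www.example.com/index.html"
HTTPS_COPY = (
    '<html><head><link rel="stylesheet" href="/style.css">'
    '<script src="/app.js"></script></head>'
    '<body><img src="//cdn.example.org/logo.png"></body></html>'
)
HTTP_COPY = HTTPS_COPY.replace(
    "</body>",
    # Path quoted in the thread, inserted as a script tag for the sample.
    '<script src="http://bnpsa.g.comcast.net/images/mydevicealert/browser/">'
    "</script></body>",
)

if __name__ == "__main__":
    print(classify_refs(HTTP_COPY, PAGE_URL))
    print(refs_only_in_http(HTTP_COPY, HTTPS_COPY, PAGE_URL))
```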
(I haven’t tested any of this, this is based on a quick glance at the code)
Btw, ignore caniuse etc - Firefox _technically_ does support Shadow DOM, just version 0, which it has apparently supported for a little while now. It's better than nothing in a pinch.
Chrome et al are at Shadow DOM v1, which is what caniuse tests its support/no-support metrics against.
Nope, it does not for me. Non-existent domain.
> Comcast has my phone office number, my cell for texts, my email, and my home address, yet they choose to molest my requested web pages by injecting hundreds of lines of code.
[JL] The notice is typically sent after a customer ignores several emails. Perhaps some of those ended up in your spam folder?
So ignoring spam entitles you to this behaviour?
The reason everyone is freaking out is because they feel pretty darn strongly that the ISP should not be injecting code into webpages delivered, especially not in an automated way without some oversight. If this is to be a service, the bar for what is necessary for such information must be far higher than "an automated system decides it's time." We get into really scary territory just by doing this in the first place, but to use it for advertisements or basic maintenance? That is a misuse of such technology.
And no, I don't think people would be as livid as you suggest if the modem just broke; ISP modems are fragile little things, and it's not uncommon to go through them. I don't think I've had a single ISP where I didn't have to eventually, and the natural progression for each one (Comcast included) was:
1. I called the ISP
2. We did some test with support
3. Once we did the Speedtest / reboot song and dance, a new modem was issued that day.
This is expected; if I had asked for such a service from Comcast, this would be a different discussion entirely (an Opt-In service), but as it is, it's a pretty lame reason to suggest that Comcast needs to be able to inject data into pages I load.
And I rather liked Comcast for the year I had it - I wasn't keen on being on them since I would rather have been with our Municipal, but the place I was at was not yet in a service area for the municipal. More or less, even with my support and canceling experience, I was fine with the service I received. This would have upset me considerably.
I am skeptical of this - maybe we made a mistake in telling the customer that. The people that are sent notifications are carefully checked to match the EOL/EOS modem criteria or speed mismatch criteria and would not be sent otherwise. It is sometimes the case that a customer has recently upgraded their device but their old device remains provisioned and on their account (and needs to be removed), which sometimes explains this.
> It was an automated advertisement done in a very not good way;
It was not an ad - it was a request that the customer replace/upgrade their device. They can buy that anywhere, whether used on eBay or new on Amazon, etc.
> Comcast's own billing system notifies you of just about everything else; you can forward your billing statements and other such information to other emails, why not this?
We've been working to greatly simplify billing, as customers have told us for some time that we were packing too much info into those statements and it was sort of information overload.
> The reason everyone is freaking out is because they feel pretty darn strongly that the ISP should not be injecting code into webpages delivered,
Available alternatives are not great, such as using DPI everywhere, DNS modification (we use DNSSEC), or a walled garden (all service disrupted while in walled garden). These methods tend to be more costly and cause more disruption for customers. As noted elsewhere, we're working on better methods and part of that might depend on Internet-wide standards rather than something Comcast-specific (which is always my personal preference).
> If this is to be a service, the bar for what is necessary for such information must be far higher than "an automated system decides it's time." We get into really scary territory just by doing this in the first place, but to use it for advertisements or basic maintenance? That is a misuse of such technology.
It's not basic maintenance - that should always be transparent to customers. This is about moving to new technology from outmoded technology. A good example of a key concern for modem upgrades is that the vendor does not support it any longer and the software/hardware is 8 - 10 years old.
The crux of disagreement is the method of delivery and the importance of the upgrade requiring this sort of injection. You write:
> Available alternatives are not great, such as using DPI everywhere, DNS modification (we use DNSSEC), or a walled garden (all service disrupted while in walled garden). These methods tend to be more costly and cause more disruption for customers.
I'm still not convinced as to why a phone call or an email would not suffice. What information is specifically being cited by customers as "information overload"? Why can this not simply be a notification as a part of the Xfinity main page? Why isn't an email that only has information on the EOL of a modem less obstructive than yet another pop-up for users who are trained to ignore pop-ups?
The case for an injection isn't really made simply because other intrusive methods are more intrusive; the presentation of the message itself is just more information in a sea of information, and the criticality of the issue isn't sufficiently justified either. This is not the appropriate way of communicating information that has no such urgency. It's a very nice thing to phase out modems that are EOL, sure, I will grant that. But the information is not so urgent that it needs to be delivered right now or injected into the webpage. That is not something the ISP should be doing, which I suspect is another point of contention that will be had.
This is a perfect example of the culture problem at Comcast. You seem to have worked yourselves into believing that you're something other than a dumb pipeline. Now you feel entitled to stick your fingers into the content.
I suspect this mass-psychosis is coming from the top, and the need to move into higher-margin businesses. Keep your messages on xfinity.com.
You admit alternatives exist, but decided to modify webpages anyway? Adding your own modifications to a copyright protected work (e.g. any web page) creates a derivative work. Generally only the copyright holder of the original work can create or authorize derivative works. Unless you have a license from the copyright holder for each webpage you are modifying, this is copyright infringement. Why did your legal department approve a plan that might make the company liable for up to $150,000 per work infringed?
(b) Pretty sure if the person's modem were to actually stop working, they would get in touch with their ISP.
Man-in-the-middle attacks by an internet provider are hacking and a breach of trust, and should be criminal in my opinion.
Not getting fast enough Netflix? Here's your message, injected every time you go to their site. Not getting the best search results? Try the new Xfinity search, it's faster and won't cost you the $.002 that Google search will cost.
This is a very slippery slope, and one that we're already sliding down thanks to Ajit Pai's FCC.
Expect to see more of this behavior from Comcast, as no amount of customer outcry can now prevent it.
Must Only Be Used for Critical Service Notifications
> Additional Background: The system must only provide critical notifications, rather than trivial notifications. An example of a critical, non-trivial notification, which is also the primary motivation of this system, is to advise the user that their computer is infected with malware, that their security is at severe risk and/or has already been compromised, and that it is recommended that they take immediate, corrective action NOW.
Not only is Comcast trying to justify this awful practice, they picked one of the worst possible examples to do so. There is no set of circumstances under which a 'You have malware!' popup should be taken seriously.
Why did the IETF ever agree to standardize this? It reminds me of their standardization of Cisco's "lawful intercept" router backdoor protocol.
I guess this is what you get when the IETF literally has NSA agents as chairs of its groups.
From the IETF's point of view all this does is use up a few kB of storage in the RFC Editor servers, and hey, maybe someone will find it useful. It usually makes cranks or corporate types go away and stop wasting everybody's time.
If you're thinking "Wait, so how do I know if RFCs matter and I should care?" I have two answers
1. The pragmatic answer. If you're reading about an RFC because everybody does this and you need to do it too, then I guess it mattered after all. You can decide you don't care about RFC 822 and you'll use email headers starting with an exclamation mark and they'll be in the form of a list of headings and then a separate list of values. But your method won't interoperate with anybody else's, so you'll be talking to yourself.
2. The textbook answer. The IETF marks its Standards Track documents with their Standards Track status, e.g. "Internet Standard" or "Proposed Standard" (there are some legacy "Draft Standard" documents too).
> This RFC is not a candidate for any level of Internet Standard. The IETF disclaims any knowledge of the fitness of this RFC for any purpose
At first I noticed that all traffic was being hijacked to show me a full page message that I was at 90% of my data limit and to contact the Comcast Security Assurance team. It looks really scammy like those alerts from "Microsoft" that my computer is infected.
After clicking on the acknowledge link multiple times it wouldn't stop so I called the security assurance team.
While waiting on hold for 30 minutes it finally stopped but I was already irate. I had to argue with the rep because he told me that I could disable the web notifications and he finally found out that Comcast removed that option and he apologized that there was nothing he could do.
But if what has been said by all parties is true, I can't find significant fault with Comcast.
Here is the text of the "ad" (typed from viewing the attached image in the OP):
Get ready, we're increasing Internet speeds in your area.
Our records show that the modem you currently have connected to our network won't be able to handle these faster speeds, so we recommend updating your equipment.
<b>Buy from a Retailer</b>
Before you make your purchase, visit https://mydeviceinfo.xfinity.com to view a list of modems certified to work on our network with your speed tier.
<b>Lease an XFINITY Modem</b>
Call 1-855-242-2876 and we will send you a Self Install Kit
Injecting anything into a website makes me feel a bit dirty, but nobody has refuted Comcast's claim that other communication methods were tried first and that this was more of a last resort.
Speaking in general terms because I'm not involved deeply with DOCSIS, older devices are less efficient and generally use more spectrum (even in a cable, there are RF spectrum limitations) to deliver the same speeds. Customers using old devices that don't support the newer and faster standards reduce the total bandwidth available to all customers, increasing costs for both Comcast and its customers.
edit: fix formatting. HN needs a preview button.
The Boy who Cried Wolf didn't have man-in-the-middle technology available but the lesson remains the same: if you want to be heard, shut the fuck up until you've got something to say.
The nominal speed is 1/10 as much, but the actual difference in actual experience is much smaller, because the not-Comcast provider does a much better job of actually delivering on the speeds they claim to be selling me. It's really only a noticeable difference when I want to do something like download an OS install image. Which happens infrequently enough that, for me, going with Comcast would have worked out to something on the order of getting that image an hour faster for $200 per time I do it.
More importantly, not-Comcast stays up. The coworking space's Internet service is maddeningly intermittent.
Anything else fails to meet the criteria of "critical".
If I buy a crappy 802.11b wifi dongle, are you going to inject JS too?
But... this bit.
> ... [JL] This is our web notification system, documented in RFC 6108 https://tools.ietf.org/html/rfc6108, which has been in place for many years now. ...
Oh, interesting, what Internet technology are they using?
> "RFC 6108: Comcast's Web Notification System Design"
> February 2011
Cue jawdrop. My instinctive response was to WAT and think "this is not what RFCs were for..."
But then I read this part,
> Status of This Memo
> This document is not an Internet Standards Track specification; it is published for informational purposes.
> This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; ...
Reading through, this outlines a way to avoid using deep packet inspection by using Squid and Tomcat instead.
Initially when I read this my brain was sort of going in the direction of "this kind of thing is where the net neutrality repeal thing started..." but now I've spent a bit of time reading it I don't actually think my snap response was particularly on point.
This is a bit of a stream-of-consciousness but I wanted to draw attention to that RFC.
Huh? It sure seems to be using deep packet inspection to me. If it's looking at the data section of your packet, that's deep packet inspection. And Squid and Tomcat do that. They're not just inspecting the packets, they're altering them, creating new packets, splitting packets, etc. The "RFC" seems to be outright lying by claiming they don't do DPI.
> Pre-established TCP sessions on port 80 are identified by the SMB and forwarded with no impact.
(SMB = Session Management Broker)
How does the system identify a "pre-established session"?
This seems to corroborate what you're saying
Customer: "Comcast has my phone office number, my cell for texts, my email, and my home address, yet they choose to molest my requested web pages by injecting hundreds of lines of code."
Comcast Response: "The notice is typically sent after a customer ignores several emails. Perhaps some of those ended up in your spam folder?"
To me this sounds like a crazy ex-lover. "You didn't respond to my texts so I came to your house." No, Comcast, don't do that. They ignore your emails because you're trying to sell them something they don't want.
Here is the Twitter of the Comcast rep for anybody interested: https://twitter.com/jlivingood
And in the US people seem to be happy about that. If they weren't, it would be changed.
If this is copyright violation, is it copyright violation of Comcast allowing you to download a file off the internet?
Comcast are playing into this interpretation by adding their own license to the code they're adding.
§ 303a Datenveränderung (alteration of data)
Yes, it speaks volumes about Comcast, but it also speaks about the culture where Comcast exists. And even IF there is backlash from this, the whole idea that they might have gotten away with it is just absurd.
Scroll down this link slightly for a screenshot:
I'd argue that both you and your friend have been harmed by this and that the postal service should be punished. Their job is to deliver messages unmodified and uninspected.
Here, the friend is a web page and the postal service is the ISP. Same deal. Injecting content into a page defames (and possibly breaks) the site and deceives the requester.
(Yes, the site should use HTTPS to prevent this. And you should lock your house's door. But that doesn't excuse dishonest ISPs or burglars who take advantage when you don't.)
I guess the EFF has tried this defense of our freedoms...
I think we should have a regulation that forces ISPs to post the average speed of their networks at peak time every time they advertise their theoretical network.
Would you make this decision if it doubled your salary?
I love making money, healthy forms of capitalism, fierce competition, and benefiting as a consumer from other companies competing.
But I’ll not be a part of this for any job, not in a free country where there are so many opportunities to do better than this. No sir, I respectfully decline your offer.
I thought that was illegal. Like, it's editing somebody else's copyrighted work or something.
You're susceptible to even worse MITM attacks if you allow unencrypted traffic when using public wifi.
All the more reason for ISP competition
Google foresaw this, hence Google Fiber / Alphabet build-outs being stopped 14 months ago.
Or do modern browsers mitigate that?
We need to burn these monsters at the stake.
Oh and of course he's also retweeting a lovely Net Neutrality tweet... https://twitter.com/feamster/status/938236691126636546
https://tools.ietf.org/html/rfc6108 Comcast's Web Notification System Design
Yeah, cuz we're all supposed to know about rfc6108.. Guess I have some catching up to do on "Internet Engineering".
I guess there is a "slippery slope" argument to be made here, but in the current incarnation, this is innocuous.
I shall keep up my vigilance against the telecom industry.