Comcast injecting JS (github.com)
461 points by brokentone 1392 days ago | 273 comments



I thought this code looked familiar!

Here's my writeup on it for whoever is interested

http://blog.ryankearney.com/2013/01/comcast-caught-intercept...


Hey man, this thread really took off! Nice writeup here, if I saw that, I would have submitted that instead. I submitted this right before I left work, after noticing the requests on my server and a quick Google search (on the UUID) turned up your gist and not much else. As a web server, I was kind of trying to start some discussion to see if I was alone in seeing this and didn't expect it to get to #2.


Interesting side effect of not serving the entire blog post on the blog itself - the code in your posts won't be indexed by Google on your site, only on gist.github.com?


I had just moved my blog to a new host. I had done an import of my blog using the Wordpress plugin instead of just exporting the entire database to help clean things up.

I forgot to install the gist plugin so my blog post no longer contained the code. I also had 3 different domains serving the same blog due to a misconfiguration with Nginx which caused my blog to take a temporary hit on Google.

I've since addressed those things so hopefully those will make my post actually appear in a google search.


Is there a downside to notifying the FBI of this? I encouraged the op to do so in another post. If this was happening on a 56k modem over a phone line it would clearly be wire tapping.

I do not see any downsides to contacting the FBI about the matter; if you think of any please let me know.


Wonder how the folks back at Comcast HQ would feel if the rest of the internet started adding messages to their web browsing telling them this kind of thing is unsatisfactory? Hey, this content injection game is a game that we all can play.

This is the old "windows alert" nonsense. Everybody and their brother that touched the windows system thought the user would want a popup when their program did something. So the user experience was/is full of annoying popups, warnings, and information messages. Log onto a heavily-customized windows machine that hasn't been used in a month or two and it's like visiting Las Vegas. Good luck trying to get anything done.

Comcast. All kinds of other internet providers manage to communicate these things to their subscribers without this nonsense. Take a hint.


Interestingly, it would be easy to write some code that detected THIS code. Get web developers to add it to their sites and make it show a message that comcast are charging them for traffic they're causing. And then link to the class action.

inject.ly isn't registered (yet) so let's presume some enterprising HN reader uses that.

As a web dev, all I need to do is <script src="//inject.ly/detect.js"></script> and it will detect this (and any future variant) ISP injected content.

Extra points for someone implementing this to have it optionally make a JS call to another function or inject a customisable HTML widget on the page.


Do this!


Or just make it a browser extension.


Browser extension would require action from end-users, making educating them using it rather redundant. Doing detection in JS can easily be deployed on servers with minimal work needed, and can potentially reach a very wide audience.


I was suggesting a browser extension to undo the mangling once users are educated. I must have misunderstood the original idea.


Don't we just all need to put an appropriate JSON payload into '/e8f6b078-0f35-11de-85c5-efc5ef23aa1f/aupm/notify.do?dispatch=checkBulletin' on every web server we control?

;-)


The URI seems to be dynamically generated. But, yeah, we can write some rewrite rules and serve the requests.

If I'm not wrong, this is an implementation of JSONP to avoid the cross-domain AJAX request block, right?


I'm getting a lot of requests on our servers for "/e8f6b078-0f35-11de-85c5-efc5ef23aa1f/aupm/notify.do" so I can confirm this is in production. I can also confirm they suck at JS.


How about creating /e8f6b078-0f35-11de-85c5-efc5ef23aa1f/aupm/notify.do on your server to notify Comcast users about what their internet service provider is doing? If people started doing that en masse it could bring attention to the problem and with enough publicity get Comcast to reconsider JS injection.

I don't really understand the point of this, either. Couldn't they start redirecting users to a static page somewhere if there were a real need for a "critical and time sensitive" alert? If the supposed alerts aren't critical enough to justify doing that, use email, IM, RSS or twitter, or even build a custom notification app.


How about putting a giant video file there? Or just embed this: https://www.youtube.com/watch?v=0ilMx7k7mso (language)


I thought I was going to be rick rolled, but that's good too.


Best idea ever! But, they'll probably prosecute whoever does it for some BS reason and sentence them to a term of 500 years


Don't forget a $70,000 fine.


Per "violation". So, $70,000 times a few million pageviews.


every 5000ms


Of course the alternative is for comcast users to get together and sue the company for running malicious code on their machines.


Considering the way they handle their customers (myself being one of them), they honestly wouldn't care.


Welcome to the Patriot era.


Google occasionally will do this to let users searching for Google requests know that their browsing experience is compromised.


I'm assuming you mean the browser detection using useragent right? What's the better way of doing it?


Feature detection, to start.


This is nothing new..

Rogers has been doing this for years in Canada already..

They use it to notify subscribers when they are approaching their bandwidth quota (75%) and then again when they hit 100%. You actually have to click a "I understand" button to have it not show up over and over.


Rogers also used to serve ads in place of an error message when a bad URL was requested. That was the final straw causing me to cancel my service with them and switch to Teksavvy.


For me it was their really low bandwidth caps. Acanac ftw!


That was reason #2. Going from a 60gb cap (which I'd often go over by about 20gb) to a 300gb cap actually saved me a lot of money because of overage charges.


So did Comcast IIRC


I believe Comcast hijacked NXDOMAIN DNS replies and replaced them with their own IP address, causing every non-existent domain name to go to their search page you had to opt-out of.


That's ridiculous. Airtel in India also used to do this. Annoying as hell. Mistype the domain and type all of it again.


Afaik, Airtel still does it and people still put up with it. I think they do the usage % notification hijacking as well without understanding even a bit that the internet is a pipe and people use applications other than web browsers and protocols other than http.


Yea I was not sure. I left them after their data cap for "high speed" "unlimited" internet cap was 3 gb per month. I can put up with js injection but ridiculous data caps are something I can't live with.


Shaw Cable (Canadian ISP) does this. I had never thought to look for an opt-out until reading this. Thanks.


T-Mobile is currently doing this and does not allow for opt-out.


I'm pretty sure you can forcefully opt out by using a DNS server that isn't run by scumbags, like 8.8.8.8 and 8.8.4.4 for Google Public DNS. I hear OpenDNS is similarly good.


OpenDNS does the same thing these people are complaining about -- they wrap the missing domain in something like a search page that has their logo and custom ads on it.


Next up, hijacking DNS queries to external servers.


Originally I wrote a GreaseMonkey script to redirect me from their ad page to a Google search. At the time, it was better than nothing, but still not enough to keep me from dropping Rogers. YMMV, Last updated 2008: http://userscripts.org/scripts/show/30326


How do they do it? Inject into every page or just once you've exceeded the limits? (curious as i use rogers)


If you go into your MyRogers account, they actually give you a log of when you've accepted these notices.


Well it's checking for Netscape 6 so who knows when this was originally written...


This is just one more reason for using HTTPS everywhere. Doing so prevents ISPs from intercepting and rewriting HTTP traffic.

Shame on you, Comcast.


Comcast can just as easily MITM your SSL connections, for your safety of course.

But that's ridiculous, right? Since everyone verifies SSL cert signatures...


They would either need the private key of the certificate holder (which they don't have), or a certificate signed by one of the roots installed on the system, which they also won't have.

I suppose the logical next step is that Comcast requires you to install a "Comcast Internet Helper" program that also installs a Comcast root certificate into the system so they can mitm anything.. But Firefox and Chrome would probably release updates mere hours later, blocking that cert from being used from those browsers.


> They would either need the private key of the certificate holder (which they don't have), or a certificate signed by one of the roots installed on the system, which they also won't have.

Actually, this is fairly common for firewalls and other edge devices to do and is one of the problems with the "trust" in the CA system. You can get a "signing certificate" from various legitimate sources (ex. http://www.sslshopper.com/article-trusted-root-signing-certi... ) that allows your product/service to terminate SSL connections and then recreate a SSL connection. The user still sees their "lock" icon and thinks they have a secure https connection to their original site, when in fact they don't.

They do have a SSL connection to their site using a certificate - it's just NOT the certificate that the original site issued. This is why many of us are looking to protocols like DANE that uses DNSSEC to add a layer of integrity protection so that you can know that you are using the correct SSL certificate. (See http://www.internetsociety.org/deploy360/resources/dane/ )

Note that no new certificates need to be added to browsers. The signing certificates work with the existing root certificates that are already in browsers.


Ouch, I wasn't aware that CAs issued this type of "root" certificates. Is this very common, or will only some CAs do it? If the latter, I'll definitely remove them from my computer's list of trusted CAs..

Edit: read the DANE article, seems very sensible and simple to implement that the server specifies valid certificates.


Most people are going to click through any security warning because they just want to get to the site they wanted to go to. If Comcast does this, it would make EVERY SSL site display the warning, making it utterly meaningless.

Alternatively, it's not that outrageous to think that Comcast et al could get certs into the major browsers if they wanted to do so. It's not even implausible to think that at some point, browsers will be legally required to distribute ISP certs to allow for the "safety" of users.

If Comcast makes you install a custom application to keep your certs up, it won't matter if Fx and Chrome block each cert within hours, because Comcast can keep generating and pushing new ones out. And, as above, if the ISP is going to fiddle like this, the actual power held by browsers is greatly diminished -- users aren't going to use a browser that doesn't let them browse without nag screens on every page, even if it is "for their own good".


As I noted in a comment elsewhere in this thread, Comcast (or any other vendor) doesn't need to go through the work of getting certs into major browsers. They just need to purchase and use a root signing certificate that works under the existing root CAs that are already in all the browsers.

This is part of why the trust model of the current CA system is fundamentally broken. We need to add a layer that can ensure that we are in fact using the SSL certificate that the site owner wants us to use.

There are multiple solutions being proposed out there to add this trust layer. I am a strong advocate of DANE ( http://www.internetsociety.org/deploy360/resources/dane/ ) but there are others out there, too.

There was a good talk about this at Black Hat USA 2011 on "SSL and the Future Of Authenticity" at: http://www.youtube.com/watch?v=Z7Wl2FW2TcA


I think you're a bit out of touch as those browser warning pages have changed a lot the last few years. It's actually pretty hard to get through those warnings now in most of the browsers.


I watched someone do it in one click yesterday.


IIRC, you can't open Gmail and many other websites on Chrome without genuine SSL.


If some interns running a corporate intranet can get a transparent https proxy, what's stopping an ISP from rewriting your https traffic?


Your browser, for one. What you describe is the very definition of a MITM attack, regardless of proxy structure.

Your bank, for another. Indeed there are far too many parties with an interest in keeping https secure, that you needn't worry about it.


Because Comcast using an HTTPS proxy to rewrite traffic means that your browser will expect data encrypted with Google's, Facebook's, Chase's, etc. certificate when it actually receives Comcast's proxy certificate. Every HTTPS site would prompt the user about an SSL certificate error.


I'm considering going a step farther and just setting up an Openvpn connection to my Linode server.


I've looked into the costs of VPNs on servers I own vs. a VPN service with unlimited bandwidth limits and the latter always wins. Setup time costs aside, VPN services usually have multiple regions you can connect to and are likely to have more reliable speeds.

This is, of course, if you trust these companies enough and [list of security implications].


A personal license of Umbrella by OpenDNS, which includes always-on laptop and phone VPN, is $20 a year currently. There are also features like Anycast that are not feasible to replicate on a personal server.

(disclosure - I start working with OpenDNS soon).


So if you were proxying some other protocol over port 80, Comcast might just inject some JavaScript into the stream and corrupt your data?

I don't even like the thought that they're running some kind of hardware that makes this possible. They're sending packets impersonating a web server you actually want to talk to, pretending to be part of a response you requested?


I'm sure they are checking content-type headers...

Just because you can do this doesn't mean you should (I will stay away from comcast xfinity).


I wouldn't be so sure. They're barely even checking what browser you're running.


If they weren't then all JS and CSS files loaded through them would have their script tags in it.

I have had these types of issues a while back at coffee shops that try to inject ads; it was breaking my XML.


Oh, good point, I guess there's got to be some kind of semi-intelligent HTTP parsing going on in the background.


The point is that it is impossible to do this right. This system breaks software.


Unless it's NSN 6...


I bet some execs are looking at the stats for this and just going 'hmmm... what a coincidence that EVERYBODY is using the same browser!'


"I don't even like the thought that they're running some kind of hardware that makes this possible"

It's called a proxy server. They're actually really common - many ISPs use them. Any hotspot that shows a log-in page in your browser will, and I know my University's internet goes through one.

Squid [1] is one of the most well-known, and it's open source.

1. http://www.squid-cache.org


So, if I'm reading their javascript right, we all need to put a file on every website we can at "/e8f6b078-0f35-11de-85c5-efc5ef23aa1f/aupm/notify.do" with the text "43a1028c-7d11-11de-b687-1f15c5ad6a13" in it, and any unfortunate comcast user in their bandwidth-cap-limited areas will have Comcast's stupid alert box stay on.

For example: http://iainchalmers.org/e8f6b078-0f35-11de-85c5-efc5ef23aa1f...

;-)


This code is beyond awful - it fails to display, makes endless AJAX requests, and more; here are a few fun tidbits:

1. The code is not encapsulated in an IIFE, so it clobbers any global variables (like 'image_url') in the page, breaking any scripts relying on those variables.

2. The code spends an inordinate time checking if you're running Netscape Navigator 6.

3. Strangely, they include a whole bunch of code allowing the message to be dragged around the window (which is nice) but they don't allow it to be closed. Of course, it closes itself after making a single AJAX request into a black hole, so there's that. Bugs piled on top of each other make this entire message mostly harmless, if it weren't for the variable clobbering & bandwidth usage (see the next item...)

4. Upon load, checkBulletin() is immediately invoked. This does an AJAX call to '/e8f6b078-0f35-11de-85c5-efc5ef23aa1f/aupm/notify.do?dispatch=checkBulletin'. I assume this is to check if the bulletin has changed, to see if there are new messages, or maybe to check if the user has acknowledged the message yet. Unfortunately:

* This URL is relative, which means it will never actually reach its intended target (instead filling your web logs with this request)

* Upon xmlhttp.readystate=4 (request finished, successful or not, so this will change to 4 even on a 404 error), the comcast message is hidden. This means that the entire 'bandwidth exceeded' message will actually be hidden as soon as this request completes, which may be in <500ms, giving the user absolutely no time to see or acknowledge it.

* The author makes an attempt to not continue sending AJAX requests to this URL after a successful attempt, but botches it, so this request is actually sent indefinitely, every 5000ms, while any page is open. This means every single tab on your system is popping AJAX requests every 5 seconds for the whole month that your account is nearing its quota. This likely brings you over quota pretty quickly if you leave your computer on all day.

That's right, this code causes every page served on your system to pop an AJAX request to the wrong URL every 5 seconds, as long as the tabs are open.

We can sit and argue all day whether or not it's ethical to display messages by injecting code into the DOM, but it is certainly unethical to write such awful javascript that clobbers global variables and drives up bandwidth costs by making AJAX requests to the wrong url every 5 seconds until the cows come home. Whoever wrote this script should be fired.

EDIT: Similarly, back in the dialup days, some ISPs would inject ads into their content. One way this was stopped was to argue that it was not legal for the ISP to charge you for data, then artificially inflate the size of that data by injecting ads. This script is doing just the same in a measurable way by causing these AJAX requests to be run every 5 seconds on every tab in your system.


> * This URL is relative, which means it will never actually reach its intended target (instead filling your web logs with this request)

It likely doesn't matter that the URL is relative. It contains a GUID to be unlikely to resemble any real URL, and it's clear enough that they are capable of deep-packet-inspecting all of your web traffic from the way this is already used, so they likely hijack any request to this URL path within their network to capture its contents, and return a 200.

I don't have Comcast so I can't verify, but it would be interesting for somebody to check whether that URL is masked for all Comcast users.

> That's right, this code causes every page served on your system to pop an AJAX request to the wrong URL every 5 seconds, as long as the tabs are open.

I can only hope that they infinitely hang requests to their special URL in the case that user is under the quota so that this is not true. But if it is true, and they are not perfect about masking the URL (edit: it seems like people below on this thread have seen requests to this URL in their server logs), this could be construed as a DDOS attack by Comcast on every owner of an HTTP server via their own customers.


brokentone comments below that they've seen the urls in their production logs. I don't see it in any of mine but I'd be willing to bet that a company writing JS that bad would probably screw up the rest of the process too.

Surely a class action against Comcast is in order here? They're charging everyone for bandwidth they're not using.


That's likely to happen even if Comcast are using DPI to intercept the requests due to users moving between Comcast and other internet connections.


I can confirm that I saw a large number of these urls show up in my logs as well.


> Whoever wrote this script should be fired.

Not to mention the potential GPL violation for cut-n-pasting brainjar code.

http://www.brainjar.com/terms.asp


Oh, the irony of Comcast being guilty of copyright infringement....


Can we get them on 6 strikes?


More like 6 Million strikes ;)


I love how the top comment expresses outrage, not that Comcast is injecting JS into people's sessions, but that it's poorly written JS.


This is Hacker News. We take our code seriously.


This is the Internet. We take other people's code even more seriously :-)


Nobody is allowed to see my code. It's not allowed.


There are a lot of things in this code that make me think that it was written by someone for whom JavaScript is not their main language - but probably the most glaring example is the use of `new Object()`. I've never seen anyone with more than 3 days JS experience use the Object constructor over a literal.


Oh, it's just awful. It's worse than just "not knowing JavaScript." This is code from someone who has no idea how to program:

    function Browser() {
        var ua, s, i;
        this.isIE = false;
        this.isNS = false;
        this.version = null;
        ua = navigator.userAgent;
        s = "MSIE";
        if ((i = ua.indexOf(s)) >= 1) {
            this.isIE = true;
            this.version = parseFloat(ua.substr(i + s.length));
            return;
        }
        s = "Netscape6/";
        if ((i = ua.indexOf(s)) >= 0) {
            this.isNS = true;
            this.version = parseFloat(ua.substr(i + s.length));
            return;
        }
        s = "Gecko";
        if ((i = ua.indexOf(s)) >= 0) {
            this.isNS = true;
            this.version = 6.1;
            return;
        }
    }

But it's not just these people. Code like this is everywhere! Here's what I ran into on www.safeco.com today (NSFL!):

    function setupAddress(frm, i, clickevent) {
        if (frm["USERESADDASMAILINGMAIN" + i].checked) {
            if (frm.NEWRESIDENCEADDRESS1.value == "" && frm.NEWRESIDENCEADDRESS2.value == "") {
                alert("Resident address must be entered for this option.");
                frm.NEWRESIDENCEADDRESS1.focus();
                frm["USERESADDASMAILINGMAIN" + i].checked = false;
            }
            if (frm.NEWRESIDENCEADDRESS1.value == "" && frm.NEWRESIDENCEADDRESS2.value != "") {
                FieldSwap(document.frmMain.NEWRESIDENCEADDRESS1, document.frmMain.NEWRESIDENCEADDRESS2);
            }
            frm["NEWMAILINGADDRESS1" + i].value = frm.NEWRESIDENCEADDRESS1.value;
            frm["NEWMAILINGADDRESS1" + i].disabled = true;
            frm["NEWMAILINGADDRESS1" + i].onfocus = frm["NEWMAILINGADDRESS1" + i].blur;
            frm["NEWMAILINGADDRESS2" + i].value = frm.NEWRESIDENCEADDRESS2.value;
            frm["NEWMAILINGADDRESS2" + i].disabled = true;
            frm["NEWMAILINGADDRESS2" + i].onfocus = frm["NEWMAILINGADDRESS2" + i].blur;
            frm["NEWMAILINGCITY" + i].value = frm.NEWRESIDENCECITY.value;
            frm["NEWMAILINGCITY" + i].disabled = true;
            frm["NEWMAILINGCITY" + i].onfocus = frm["NEWMAILINGCITY" + i].blur;
            frm["NEWMAILINGSTATE" + i].value = frm.NEWRESIDENCESTATE.value;
            frm["NEWMAILINGSTATE" + i].disabled = true;
            frm["NEWMAILINGSTATE" + i].onfocus = frm["NEWMAILINGSTATE" + i].blur;
            frm["NEWMAILINGZIPCODE" + i].value = frm.NEWRESIDENCEZIPCODE.value;
            frm["NEWMAILINGZIPCODE" + i].disabled = true;
            frm["NEWMAILINGZIPCODE" + i].onfocus = frm["NEWMAILINGZIPCODE" + i].blur;
            if (i != 0) {
                frm["EXPLANATIONVEH" + i].value = "";
                frm["EXPLANATIONVEH" + i].disabled = true;
                frm["EXPLANATIONVEH" + i].onfocus = frm["EXPLANATIONVEH" + i].blur;
            }
        } else {
            frm["NEWMAILINGADDRESS1" + i].disabled = false;
            frm["NEWMAILINGADDRESS1" + i].onfocus = null;
            frm["NEWMAILINGADDRESS2" + i].disabled = false;
            frm["NEWMAILINGADDRESS2" + i].onfocus = null;
            frm["NEWMAILINGCITY" + i].disabled = false;
            frm["NEWMAILINGCITY" + i].onfocus = null;
            frm["NEWMAILINGSTATE" + i].disabled = false;
            frm["NEWMAILINGSTATE" + i].onfocus = null;
            frm["NEWMAILINGZIPCODE" + i].disabled = false;
            frm["NEWMAILINGZIPCODE" + i].onfocus = null;
            if (i != 0) {
                frm["EXPLANATIONVEH" + i].disabled = false;
                frm["EXPLANATIONVEH" + i].onfocus = null;
            }
            if (clickevent) {
                frm["NEWMAILINGADDRESS1" + i].value = '';
                frm["NEWMAILINGADDRESS2" + i].value = '';
                frm["NEWMAILINGCITY" + i].value = '';
                frm["NEWMAILINGSTATE" + i].value = '';
                frm["NEWMAILINGZIPCODE" + i].value = '';
            }
        }
    }


> This is code from someone who has no idea how to program

That's a quite strong assertion. What's wrong with your first example? I can think of very few criticisms (s isn't needed for example) but there's lots of things they did well:

- It follows the best practices for an OO constructor (doesn't return the object, just sets properties of `this`)

- All temporary variables are local. No global pollution (besides the "Browser" function itself, but because you're quoting it out of context, I can't tell if even that's local or not)

- Degrades gracefully (everything is null) instead of picking a default incorrect choice

Sure, I would have written it differently, but so would everyone else here.

As for your second example, sure, it's not great, but I can sort of imagine some sleep-deprived developer coding up that to interop with some auto-generated DOM elements from an old PHP script left behind by a forgotten intern. We need more context here.


I was foaming at the mouth a bit, wasn't I?

All your points are well taken, and a better analysis of the code by far than my hasty reaction.

So what was bothering me about the first example? Probably the repetition of the indexOf() tests, combined with one of the indexOf() tests being >= 1 and the rest >= 0.

But you're right, it's not nearly as bad as I made it out to be.

Since I've put my foot in my mouth, I guess I'll put my money there too and show how I might have done it. If I were doing UA detection at all, that is:

    function Browser() {
        function is( ua, result ) {
            var start = navigator.userAgent.indexOf( ua );
            if( start < 0 ) return false;
            result.version = result.version ||
                parseFloat( navigator.userAgent.substr( start + ua.length ) );
            return result;
        }
        return(
            is( 'MSIE', { isIE: true } ) ||
            is( 'Netscape6/', { isNS: true } ) ||
            is( 'Gecko', { isNS: true, version: 6.1 } ) ||
            {}
        );
    }

But that fails on one of your points, since it returns an object instead of setting properties of 'this'. It's also less flexible - what if one of the tests needed more than a simple string comparison? At least it's simpler?

So who am I to criticize? :-)

On the second example, it's not just that function - the entire web page is full of similar code. Here's another snippet:

    addressCheckMsg="";
    if(!type)
    {
        iLen = line1.value.length;
        for(i=0; (i<4) && (i<iLen); i++)
        {
            var ch = line1.value.substring(0,i+3);
            chUpper=ch.toUpperCase();
            switch(chUpper)
            {
                case 'PO BOX':
                    addressCheckMsg += "     Resident address can not be a P.O. Box.\n";
                    i=iLen;
                    break;
                case 'P.O. BOX':
                    addressCheckMsg += "     Resident address can not be a P.O. Box.\n";
                    i=iLen;
                    break;
                case 'P. O. BOX':
                    addressCheckMsg += "     Resident address can not be a P.O. Box.\n";
                    i=iLen;
                    break;
                case 'P O BOX':
                    addressCheckMsg += "     Resident address can not be a P.O. Box.\n";
                    i=iLen;
                    break;
                case 'POB':
                    addressCheckMsg += "     Resident address can not be a P.O. Box.\n";
                    i=iLen;
                    break;
                default:
                    break;
            }           
        }
    }

Yikes. I'd better not say more or I'll start foaming again... :-)


Your first example has nice trickery in it but I prefer the original version. I think it is important to keep it simple.

Compressed code is often not the best way to do it; adding a few lines of verbosity can reduce the time it takes to understand the code to a fraction while sacrificing very little in terms of performance.


I disagree about the first one. I think that is easier to understand, easier to add more options and less prone to errors.


It's good that this discussion can actually be had on here civilly. Too often I see vitriol and pedantic disagreement on HN for no reason other than the swinging of the e-peen.


Actually, in this code "this" refers to the window object. It means it's the same as window.version.


I thought that for a moment, but it isn't so. They do call the Browser() function as a constructor with 'new Browser()', so 'this' is the object it's constructing.


I'm curious to read the criticism on code.


Ethical stuff aside, I can't imagine hiring someone to actually produce code THIS bad. Where the hell did they find the coder to make this?


They're all over the place. People just starting out. It could've been an intern fresh out of college. It could've been someone who just never graduated beyond copy-and-paste-from-StackOverflow. It could've been written by a person who never did web development before and was just told to make it work.

The little HN/Twitter/Reddit "awesome programmer" bubble is just that... a bubble. It's easy for us to forget that lots of people write lots of bad, untested code all day long. As much as it frustrates me, lots of people code who don't care about code - it's just their job.


"People just starting out."

Ha, you give them too much credit.

This code is from a 10-year veteran "consultant," probably charging over $200/hour, brought on by the Global Services company hired by the Consulting Agency that Comcast brought in to assist in completing the critical time-sensitive project as quickly as possible.

It was also deemed a great success, and presentations were made about how effective it was, how smart the manager who hired the consulting agency is, and how skilled the global services contractors who implemented it were, all only 2 weeks behind schedule—a new record for a project of this scope.

That manager got a promotion and is now VP of something or other. He sleeps like a baby and makes 100 times more than you.


This is exactly who wrote this code. I nearly accepted a job with one of Comcast's major consulting partners. My first hint should have been 2 technical interviews in which they were impressed that I used linux... and couldn't tell me a thing about what their day to day looked like. "Oh it's always different"

When I was issued my company laptop, the software had been installed by hand (OS and all). I offered to set up an imaging system for them... but the "IT guy" from the "IT consulting firm" wasn't exactly sure what that was and needed to find out who to get approval from first...


Hey, hey, now. I did include people who never moved on from copy-and-paste too.


They understand that "good code" is code that delivers a lot of value to the person who needs it. Why hate on them for that? You just sound jealous that they make more than you do.


"Good code" that delivers a lot of value and is high quality and maintainable is still better!

I'm not jealous. They don't make more than me. I said they make more than you. And I'm not hating—I'm just telling it exactly like it is, because I understand it, and it's insane, like the truth tends to be when you have huge amounts of power and money being controlled by puny incompetent humans.


Maybe he has had the pleasure of being someone that gets to maintain that "good" code. I know I have... and at Comcast no less.


That's the whole point. Code is not meant to serve the people who maintain it. Maintainability is only a concern once lack of such starts impacting your actual customers. If writing ugly code and fixing it up later is necessary in order to get shit out the door, why is that bad?


So because it satisfies the suits, he should reserve passing judgement? Try again; he is a programmer, not a suit. Hint: there exist many separate but equally valid systems for judging worth/merit/quality.

Also, even for a suit, "Maintainability is only a concern once lack of such starts impacting your actual customers." is only true if by "actual customers" you mean shareholders. If you really want to get down to it and make an obnoxious out of place point, you can technically fuck over the customers all you want so long as doing so does not actually hurt the business (meaning: hurt the shareholders). Bonus points for figuring out how this could be done by a consulting company.


If you are a money-chasing robot, perhaps. Most businesses care at least a little about making a good product/satisfying their customers. That's good. Making life easy for your employees at the expense of your customers? That's bad.


Because if you want to be a software developer in the long term, you need to prefer the long term alternative in most cases.

A typical example is, "If we don't get something out the door, we'll be out of business. 'Shit' is something that can be shipped quickly, therefore we must ship 'shit'."

But companies that ship 'shit' generally go out of business anyway. Either their customers find it unappealing and leave, or ongoing maintenance quickly becomes so difficult and expensive that the product can not improve except by being rewritten under new management.

With something like a secure website (or a script injected into arbitrary websites by a large ISP), the severity of the security vulnerabilities that tend to result from "shipping shit" means you often only get one or two chances as a company.


How is that relevant? Comcast is not a software company. Shipping something that works and then never touching it again is exactly what they want.


>They're all over the place. People just starting out. It could've been an intern fresh out of college. It could've been someone who just never graduated beyond copy-and-paste-from-StackOverflow. It could've been written by a person who never did web development before and was just told to make it work.

I'm an intern, just moving past S.O. copy-pasta jobs, and I generally get scared at what the Hacker News crowd might say about my code... Seeing this caliber of shit get pushed live by a major ISP is almost comical; if an admitted novice such as myself can see that, it should be a sign as to the ineptitude of our current crop of ISPs.


The code on your GitHub, for the most part, seems fine.

One thing I can say is don't use exec[1] if you can avoid it:

    $string = 'rm /var/www/Giftest/*.gif';
    exec($string);

While there's nothing *technically* wrong, it's platform specific and I think it would be better to use PHP's unlink[2] function. Also, sorry if this is wrong, I haven't looked at the regex, but it seems you're parsing YouTube URLs? Have you looked at oEmbed[3]? It may be an easier way to accomplish what you're doing. You can use it with json_decode[4] to get an object.

[1] https://github.com/Machtap/GiffyTube/blob/master/download.ph...

[2] http://php.net/manual/en/function.unlink.php

[3] http://apiblog.youtube.com/2009/10/oembed-support.html

[4] http://php.net/manual/en/function.json-decode.php


Would you be willing to discuss this further? No contact in your profile.


Sorry for the delay in getting back to you. Check your emails.


The type of programmer who writes code like this never wonders whether their code could be better or not. So don't worry, just by being self-aware enough to ask the question you put yourself on a higher level.


One thing I have learned over the years: It is easy to write "this is crap code" over a lot of production code I have seen. But making it better, writing consistently great code in the usual environment is much harder.

Don't let the macho attitude of HN infect you too much - a lot of people here (and elsewhere) are great in criticizing others.


+1. When you have a whole pile of pretty bad code to maintain, it is very difficult to make the fixes significantly better within the time you have to make the fix. Usually significant improvements would require extensive refactoring, which is feasible or sensible in surprisingly few cases.

Though, I have to admit, bitching about other people's code is fun.


You should be scared... what's with the hardcoded login info exposed on github?

https://github.com/Machtap/_ctv/blob/master/_www/model/commo...


The database doesn't accept external connections, out of curiosity, what is the proper way to pass connection credentials?


At a minimum:

- keep config variables in a separate file that is in your .gitignore and won't get pushed to github.

- keep config file outside of any web accessible directory in case the file renders in plaintext for some reason.

Regardless of db only accepting local connections - an attacker is one step closer to dumping the db.


Hrm, is there really a problem if the test data on my development server were to get dumped? It's not like those credentials or the accounts stored in the db carry over when this gets deployed to production, nor will the changes for production ever come close to my github.

Still very valuable things to be aware of in future situations where the above might not apply, thank you very much.


Keep it up - keep moving up and learning more stuff. Be awesome. Don't worry too much about what other people think of your code, worry just enough that it pushes you to write better code. :)


I agree, they're everywhere - but it doesn't explain this well-written RFC[1] to accompany the code.

[1] http://tools.ietf.org/html/rfc6108


From the RFC:

> R3.1.1. Must Only Be Used for Critical Service Notifications Additional Background: The system must only provide critical notifications, rather than trivial notifications. An example of a critical, non-trivial notification, which is also the primary motivation of this system, is to advise the user that their computer is infected with malware, that their security is at severe risk and/or has already been compromised, and that it is recommended that they take immediate, corrective action NOW.

So much for that.


Probably written by a different person.


You know, there is nothing wrong in picking up code from stack overflow. If you are very efficient in picking up good, well written snippets that fit the style of the project and work without debugging and any time waste - more power to you.

Personally, I consider google search (and stack overflow) as an extension of my development environment and I'd recommend using it and melding your dev env with google search as much as possible. It really helps and speeds things up.


I agree - there's nothing wrong with picking up code from SO if you trust it and understand it. But that takes experience.

I've come across lots of situations where the accepted answer isn't the best answer.

So I'm talking about knowing vs. cargo-culting.


Honest question: Why is everyone so cynical and brash here?

Is it because we don't like Comcast?


> Honest question: Why is everyone so cynical and brash here?

It's a rockstar developer thing. You wouldn't understand.



Unpaid/underpaid interns!


That moment you see document.write()'ing style into the document... Yikes.


soooo is there a browser plugin to block stuff like this yet?


noscript.


Actually, I don't think noscript/notscript will block this. It blocks loaded javascript, not inline stuff.


Any chance you can elaborate a bit? I'm not as familiar with how JS is loaded and exactly what noscript does as I should be.


I wondered why I was seeing `checkBulletin()` in my logs.


Canceled my services with Comcast because of this, plus FIOS has an excellent offer around my area! :)


This is probably part of their "Web Notification System". They have a published RFC talking about how it works (RFC6108).

Using that system they can selectively notify customers. Like if they detect your system is infected with a virus. Or warn you your service will be discontinued if you don't pay your bill.

http://tools.ietf.org/html/rfc6108


Look at all the work that went into that RFC. Unbelievable that they couldn't get a half-decent developer to verify that the notification is coded well enough to even show properly.


I agree. The entire concept is about trying to be less invasive in the web browsing experience (by adding a popup instead of redirecting the entire web session), but that all falls apart because of crappy JavaScript.


My ISP has a similar system. Except it works like this: if your machine is detected to be sending spam, for instance, the next time you try to view a webpage you're served an information page that your PC is compromised, please fix it and click here to not see this page again next time. Your actual traffic isn't compromised, it's just redirected to let you know of a problem. I can't tell you what would happen if you got close to your data limit, since we don't have any.


The real goal of this is for the copyright infringement notices they want to send. Which I'm sure they will deem "critical".


They are legally required to serve DMCA copyright infringement notices to maintain their safe harbor status.


By mail, not by using a browser popup.


Isn't JS injection a copyright violation, since it creates a derived work? Or has that idea been shot down before?


This remains an untested field of copyright law, as far as I know. I've been waiting for literally over a decade for some test case on this matter to come up, and it never does. Perhaps by 2023.


Isn't this just a matter of

1) building a webpage where you own the copyright

2) Have someone in one of the cities where this is happening browse to your page.

3) Copyright violated, and you get to be the test case!


Courts will generally refuse to take on manufactured cases. Their job is to resolve real disputes.

A lower court would probably just throw the case out.

And if it didn't, the higher courts, which would set a widely binding precedent, would exercise their discretion simply not to hear the case. Yes: they get to pick and choose what appeals to hear.


It doesn't have to be manufactured, someone just has to notice it already happening.


Good luck fighting against a team of lawyers with virtually unlimited budget. If you're lucky you might get a cash settlement but they'll still be screwing everybody else with impunity.


The idea would be that websites would take action, not end users. (Otherwise, how would it be a copyright vio?) I think we can assume that if it was infringement, Google would have an interest and the pockets to go to battle.

IANAL, but I can't really see how it would be infringement, though.


Comcast is such an incompetent company. I tried to sign up for service once and they charged me ten bucks to ship me two coax cables yet I was never able to get my service activated because I mistakenly thought my place was hooked up to cable when it wasn't and when I tried to call to correct this and schedule an installation I kept getting put on hold for a half hour before being given a message saying there was an error with their phone system and to call back. I mean seriously wtf.


For companies like Comcast the easy solution is chargeback. As a SaaS owner I hate to promote the idea of chargeback, but seriously they sting bad and could really act as a good wake-up call for companies like Comcast.


After 2 weeks, 3 techs coming to my house, 5 chat conversations and multiple phone calls I finally have service... I don't really like this legal monopoly for cable companies... I would switch to ATT but right now they are about twice the cost...


As a different point, my place was already pre-wired. I bought a cable modem from Best Buy, and plugged it in. It synced immediately. Then I went online and ordered service. They charged me $10 to send a self-install kit, but it wasn't needed; I was actually online within minutes.

So sometimes their systems work...

I was very sad about switching from my other carrier (Sonic.net), but they ultimately couldn't deliver very much bandwidth. And Comcast was actually cheaper.


> And Comcast was actually cheaper.

At least for the first 6/12 months. Then you get to haggle and threaten disconnection for a day, then you are good for another 6/12 months.


In my case, their published (non-promotional) rates were cheaper than the bonded DSL I was using. I really didn't want to switch, but I just couldn't justify the amount I was spending for the bandwidth I got.


That didn't work for me. I threatened to leave for CenturyLink DSL unless they could give me a better deal and the only thing the lady offered me was a triple play package for more than what I was already paying. So I had to switch over to DSL at 12/1 speeds.

The one good thing is that CenturyLink isn't part of that 6 strikes deal.


Has anyone other than OP actually seen this in the wild? None of the systems I know about on Comcast here in Chicago have had HTTP manipulated at all today. Maybe they're not doing it here because the 250GB bandwidth cap is "temporarily suspended"?


This is the real question. We can laugh all we want to about their crappy code, but what I want to know is where this code is actually in the wild. If I see this coming down my Comcast connection, I'm likely to cancel my service that day.


If you search for the GUID that's part of one of the URLs in the code, you can find other places online including someone's "Top 404 pages" log. While not widespread (yet), it is indeed happening. This post was from last year, but this month Comcast bumped me up to 100Mbps so I will be purposefully reaching my 300GB limit to test if it's still in production.


Posted this separately, but I'm seeing the following users/metros in my request logs:

c-75-65-181-xxx.hsd1.la.comcast.net West Monroe, LA

c-174-52-141-xxx.hsd1.ut.comcast.net Provo, UT

c-69-137-179-xxx.hsd1.az.comcast.net Tucson, AZ

c-76-109-127-xxx.hsd1.fl.comcast.net Miami, FL

cpe-72-225-230-xxx.nyc.res.rr.com New York, NY

c-68-48-154-xxx.hsd1.md.comcast.net Washington, DC

c-98-224-83-xxx.hsd1.ca.comcast.net Fresno, CA

c-66-41-214-xxx.hsd1.mn.comcast.net Minneapolis, MN


I'd be interested in hearing from a lawyer whether this would constitute interception of or tampering with telecommunications. In a lot of places that's highly illegal except for installation/maintenance/repair, law enforcement or where it's been invited and approved.


> where it's been invited and approved.

I bet the permission to do it is part of the ToS agreement.


I suspect so. But depending on jurisdiction it may not be waivable. Or the ToS may be drafted in a way that doesn't cover this.


Not to mention violation of the copyright of the website (and other rightsholders):

• derivative works

• public performance

• willful infringement

• GPL violation

• patent infringement


I wonder if there is some way to devise a website that implements a copyright protection technology that JS injection circumvents.


Cox is doing something very similar. It's somewhat disconcerting to see JS like this ending up in pages, especially since they didn't get the URL right and a future version of this script could conceivably allow someone to serve malicious content to every Comcast subscriber, injected directly into your page.


This is felony computer tampering on a worse level than accessing a URL that is accidentally public but nobody will be fined or imprisoned for it.


Has this been confirmed to still be happening? The guy's blog post[1] states that this was on Nov 20th 2012. Anyone currently using a Comcast account want to put down their pitchfork for a second and help verify this?

[1] http://blog.ryankearney.com/2013/01/comcast-caught-intercept...


Hi awj, I'm the author of the blog post. As dangrossman said, Comcast only enforces the limit in 2 cities. I live in the Nashville area, so I'm affected. They just doubled my 50Mbps connection to 100Mbps so I will go over my limit this month as I have 2 more grace periods left. If it happens again I'll update my blog post.


Are there downsides to contacting the FBI about this? They in part exist to document and keep track of potential crimes (potentially correlating them over long time frames that may not be worthwhile to keep track of for an individual but can add great benefit to society at large when the burden and information is centralized). This seems like it would fall under their definition of internet crime found on: http://www.ic3.gov/faq/default.aspx.

If there are not major downsides please file a complaint with the FBI; I believe the URL is: http://www.ic3.gov/default.aspx.

I encourage you to explain

* Your evidence that when accessing various websites they appear to be tampered with between the server and your computer.

* Your worry that it impacts your bill with Comcast as it seems to be eating up your bandwidth. An estimate of the amount of money being eaten up; if you have reason to suspect it is a city-wide occurrence, how much money is lost for everyone across the city?

* If you have packet logs of these occurrences I encourage you to include them.

* Unless you have hard evidence that points to Comcast that is doing the tampering I would not accuse any party of responsibility.

* If you have concerned friends who can independently verify similar conditions, it would probably be valuable to have them file similar complaints, referencing each other where applicable.


Comcast only enforces data caps in two cities right now, so your testing pool is much more limited than simply anyone using Comcast. Ryan (the author of the blog post) lives in one of those two cities. A potential tester would have to be in either the Nashville or Tucson area, and have used over 90% of their bandwidth cap for the month.


It would be nice if there was an easier way to find out ISP injections for the layperson who can't really use wireshark/proxy and data comparisons, or for technical people that just don't have the time.

This project had potential (it detected torrent traffic shaping) but it seems to no longer be under dev. http://broadband.mpi-sws.org/transparency/results/

Also this is a good read and contains comcast traffic shaping info: https://www.eff.org/wp/detecting-packet-injection

ps. Who cares about the shit JavaScript, this discussion should be about detecting packet injection and shaping.


There is validity in scrutinizing the code quality as well.

I agree that the ethical discussion is likely the paramount concern here and should be discussed, but the code they're using floods the global namespace which in theory could actually degrade service for end-users (by potentially breaking commonly visited JS-powered sites that happen to use globals of the same name).

It's worth pointing out that it would take minimal effort to make this code not suck as much (wrapping it in a closure for a start). IMO it gives more context to the initiative on Comcast's part. No time, effort, or care was put into considering the ethical implications of this practice nor its practical effect on the end-user.


They're also violating this patent:

http://www.google.com/patents/US20110264729

Which I can tell you for certain that they don't own. Bastards.


    Inventors	 Denis Kulgavin
    Applicant	 Kulgavin Denis

Which one are you?


If visiting a public URL is "accessing a protected computer without authorization" if the owner didn't mean to make it public, I would suppose that hacking my communications with a website in order to inject code into my web browser should be too.


Comcast is an awful awful awful company. Yet I pay them over $100/month. I hate them with a passion. I've never experienced worse customer service. If I could pay double the price with a different company for internet/cable, I would do it in an instant but I unfortunately have no other options.


Yeah, me neither.

The worst part is that once I was griping about the horribleness of Comcast on Twitter, and a Verizon representative chimed in cheerily to tell me to check out FIOS. Only thing being, it's been ten years since they first announced FIOS was "coming soon" to my neighborhood and it still isn't here yet.

Sometimes you don't know whether to laugh or cry, you know?


And this is why you should just encrypt everything (even Hacker News) with ssl and install ssl-everywhere.


My ISP does something similar, but it's meant to inject ads: one ad that scrolls in from the bottom every two-three minutes (for ten seconds or so, and that can't be dismissed), as well as another ad that covers up ads that other websites serve up.[0]

I've now resorted to using a remote VPN for all of my traffic.

[0]: A reddit post in which I discuss it: http://www.reddit.com/r/self/comments/19zhl6/my_isp_is_injec...


I will encourage you like I have in several other posts, example https://news.ycombinator.com/item?id=5484850, at this point to contact the FBI. If this was happening over a 56k modem on a phone line it would clearly be wire tapping.

I do not currently see a downside, if you see one let me know.


The hilarious thing about this is Comcast's ridiculously buzzworded job ads for engineers. It's like they just cut and pasted everything any manager read in a blog or magazine and pasted it to Dice: http://www.dice.com/jobsearch/servlet/JobSearch?op=302&d...


- Regular, consistent and punctual attendance. Must be able to work nights and weekends, variable schedule(s) as necessary.

WOW.

- Other duties and responsibilities as assigned.

No developer in their right mind would apply for this job.


    > Tasks
    > Consistent exercise of independent judgment and
    > discretion in matters of significance.
This one literally stipulates that you will be expected to think for yourself on a regular basis. Why on earth is this in there?


As a catch-all. If they want to get rid of you, they can always cite this as a reason.


This at least partially explains the quality of their code.


This is the js my ISP (VodafoneFJ) injects into all web pages: https://gist.github.com/mark-up/5297830

It basically optimizes images and replaces all image alt text with text saying to hit CTRL+R to load full-versions of images.

I know that VodafoneUK and VodafoneAU do the same.

On the bright side, at least they respect the no-transform cache-control header directive.


I believe T-Mobile does this in the US as well.


Sprint does this too.


Better hope you aren't naming any of your JavaScript variables similarly...


They're probably just desperate because for some strange reason, people don't seem to be getting the alerts sent to their @comcast.net email addresses...


edit: I'm OP, not the content author. I serve a media website, which is where I noticed and from where my concern stems. Comcast users should also be concerned about this.

Just scanned my logs more fully and have serious concerns. As people have noted, this really does make requests every 5 seconds. My 404 page is currently 18KB, which means these users (who are being warned about their bandwidth) are being forced by their ISP to download extra web traffic from the site they're sitting on. For me that number is 1/3 MB/minute and I'm seeing users who sit around a very long time.

Also, this isn't restricted to the two metros Tucson and Nashville people have mentioned. Here is a sample of hits I'm seeing (removing the final octet from IP/hostname):

c-75-65-181-xxx.hsd1.la.comcast.net West Monroe, LA

c-174-52-141-xxx.hsd1.ut.comcast.net Provo, UT

c-69-137-179-xxx.hsd1.az.comcast.net Tucson, AZ

c-76-109-127-xxx.hsd1.fl.comcast.net Miami, FL

cpe-72-225-230-xxx.nyc.res.rr.com New York, NY

c-68-48-154-xxx.hsd1.md.comcast.net Washington, DC

c-98-224-83-xxx.hsd1.ca.comcast.net Fresno, CA

c-66-41-214-xxx.hsd1.mn.comcast.net Minneapolis, MN

So what do we do about this?
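The polling pattern the OP describes (and the `checkBulletin()` hits another commenter saw in their logs) can be picked out of an access log mechanically. This is an added example in Python, not code from the thread, from Comcast or from any ISP appliance: it parses constructed combined-format log lines, flags hosts that hit one missing URL on a steady ~5-second cadence with our own pages as the Referer, and estimates the extra traffic per minute; the polled path and GUID are placeholders, and the `period`, `tolerance` and `min_hits` thresholds are assumptions.

```python
"""Detect ISP-injected script polling in web server access logs.

Added example, not from the original thread or from any ISP's code. Assumes
the Apache/nginx "combined" log format and a constructed set of log lines;
the polled path and GUID below are placeholders, not the real ones.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Combined log format (assumed): host ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

POLL_PATH = "/PLACEHOLDER-GUID/checkBulletin"   # placeholder, not the real path
NOT_FOUND_BYTES = 18432                          # OP's 18 KB custom 404 page


def _line(host, sec, path, status, size, ref):
    """Build one constructed combined-format log line at 10:00:<sec>."""
    return (f'{host} - - [01/Apr/2013:10:00:{sec:02d} -0500] "GET {path} HTTP/1.1" '
            f'{status} {size} "{ref}" "Mozilla/5.0"')


# Constructed sample: two Comcast subscribers and one Road Runner subscriber
# polling a nonexistent path every ~5 s from inside our pages (the behaviour
# the thread describes), plus ordinary hits and one unrelated 404 as noise.
SAMPLE_LOG = [
    _line("c-75-65-181-xxx.hsd1.la.comcast.net", 0, "/article/42", 200, 51200, "-"),
    *[_line("c-75-65-181-xxx.hsd1.la.comcast.net", t, POLL_PATH, 404,
            NOT_FOUND_BYTES, "http://example.test/article/42") for t in range(1, 31, 5)],
    _line("c-69-137-179-xxx.hsd1.az.comcast.net", 2, "/", 200, 30000, "-"),
    *[_line("c-69-137-179-xxx.hsd1.az.comcast.net", t, POLL_PATH, 404,
            NOT_FOUND_BYTES, "http://example.test/") for t in range(3, 29, 5)],
    *[_line("cpe-72-225-230-xxx.nyc.res.rr.com", t, POLL_PATH, 404,
            NOT_FOUND_BYTES, "http://example.test/") for t in (4, 9, 14)],
    # A single mistyped URL from an unrelated visitor: one 404, no cadence.
    _line("203.0.113.7", 12, "/favicon.ico", 404, NOT_FOUND_BYTES, "-"),
]


def parse_log(lines):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        rec["status"] = int(rec["status"])
        rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
        records.append(rec)
    return records


def find_pollers(records, status=404, min_hits=3, period=5.0, tolerance=1.0):
    """Return {(host, path): info} for hosts hitting one missing URL on a steady cadence.

    The tell-tale shape of the injected script is many responses with the
    given status, to the same path, from one host, at a near-constant
    interval (period +/- tolerance seconds), with our own pages as Referer.
    """
    by_key = defaultdict(list)
    for r in records:
        if r["status"] == status:
            by_key[(r["host"], r["path"])].append(r)
    flagged = {}
    for key, hits in by_key.items():
        if len(hits) < min_hits:
            continue
        hits.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(hits, hits[1:])]
        med_gap = statistics.median(gaps)
        if abs(med_gap - period) > tolerance:
            continue
        size = statistics.median([r["size"] for r in hits])
        flagged[key] = {
            "hits": len(hits),
            "median_interval_s": med_gap,
            # Extra traffic the subscriber is forced to download, per minute.
            "bytes_per_minute": int(size * 60 / med_gap),
            "referers": sorted({r["referer"] for r in hits}),
        }
    return flagged


def affected_isps(flagged):
    """Crude ISP attribution from the reverse-DNS hostname, as the OP did by eye."""
    counts = defaultdict(int)
    for host, _path in flagged:
        domain = ".".join(host.rsplit(".", 2)[-2:]) if "." in host else host
        counts[domain] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_pollers(parse_log(SAMPLE_LOG))
    for (host, path), info in sorted(found.items()):
        print(f"{host} polls {path}: {info['hits']} hits, "
              f"~{info['bytes_per_minute'] // 1024} KB/min wasted")
    print("by ISP:", affected_isps(found))
```

On the constructed sample each Comcast host is charged about 216 KB per minute of 404 pages, the figure the OP arrived at by hand; on a real log, lower `min_hits` only after checking that the Referer values are your own pages, since a steady cadence alone also matches legitimate polling clients.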


"So what do we do about this?"

Use TLS, warn customers about a malicious ISP attacking their connection, set up an encrypted proxy/VPN service for people to use, etc.


So this sucks, but it's not as bad as many are making it out to be. In a previous role, I was forced to deploy an appliance that did this exact same thing. It's not a man in the middle, or a traffic intercept with forged responses.

Most of the time these appliances act as a 'cache' device. They will sit somewhere in the network (inline, out of band, or as a WCCP device) that will answer common router cache lookups.

In the case of WCCP, User behind cable modem X requests www.google.com (HTTP Non Secure Traffic ONLY!) and the router asks the appliance, "Hey, do you have a cache record for this request from this user behind modem X?". At this point, the appliance will do a DHCP Lease Query for that IP and get Option 82 from the lease record. Most of the time this is the MAC address of the modem. Then it takes this MAC address and either looks up in an internal database or an external one to check if this user has a message 'waiting', IE: over allotted bandwidth, billing note, spam or just BS. If there is a message waiting, the appliance will tell the router, "YUP, I've got it. Let me send back this small .JS response". From my experience, this small JS (even if it is horribly written) will be returned to the user with some code in it that does another request to the website originally requested in a frame of some sort. The request is made again, but this time the "message" waiting for the user has already been delivered, so the initial process returns "Nope, nothing for that user" and the content originally requested is loaded upon the 2nd round trip. It's still your PC with a fake original response. I won't pretend to know how Comcast or Rogers does this, but I know one vendor I have used did it this way. I fought it till I was told to put it in production or find other employment. It sucks, but if done correctly on HTTP Non Secure traffic only in a manner that is described above, I think it's a better idea than what products like Procera or Sandvine do, which IS MITM forged responses. Hope this helps explain a little better what may be going on in this situation.


It looks like based on the code and reference to 'bulletins' this is a product from PerfTech ... http://www.perftech.com/bulletin_system.html


Something that we're used to seeing in China (China Telecom is regularly pissing me off with injected ads), but that I would not expect to see in the US. Though I seem to remember seeing this kind of practice once in San Francisco.

What are the legal recourses you have with regards to this type of forced advertisement?


Not only that, but it appears people are using Comcast as a DoS proxy: http://blog.ryankearney.com/2013/01/comcast-caught-intercept...


This is either a bad April Fools' joke, or it might be related to one of the following:

* ISP - 'six strikes' of content abuse

http://www.techradar.com/us/news/internet/broadband/six-stri...

* EBS - Emergency Broadcast System

http://www.washingtonpost.com/blogs/blogpost/post/wheres-an-...

http://news.cnet.com/8301-19882_3-57321623-250/wheres-the-em...


To add to the old news litany: Saw this on Vodafone over in Germany a few years back. To add to the security litany: SSL. EVERYWHERE. Firesheep ends up useful again :)

That said, this was probably only noticed as quickly as it was due to its stupidity and intrusiveness.

IMO what should be championed is good decentralized end-to-end security, something like opportunistic IPSEC / anonymous SSL everywhere by default.

Sure, there are holes in it you can fly planes through, but it's a world better than it being cost effective for whoever to inject and MITM everything.

I'm not even going to touch on the pros/cons of over-subscription and business models which rely on it. (IMO most do, at least implicitly, and I'm not sure how to normalize analysis of that.)


Any opportunistic encryption would simply be blocked by the ISP that wanted to do this kind of thing, so the clients fall back to plaintext.


Comcast does this for good reason.

https://amibotted.comcast.net

Yes, the javascript is crappy, but no reason for their customers to be outraged. I don't know any other ISP that is helping out with the botnet problem.


Um, is this something that is always injected? I have comcast and I don't see it in any pages.

I'm guessing this is their clever way of reminding you to pay the bill when you're late?

Pay your bill or they'll stuff ugly JavaScript in your browser, you've been warned!


It's right there near the top....

You have reached 90% of your <b>monthly data usage allowance</b>.


Nope, I don't have it. Are you Canadian? Maybe it's a Canada thing? Doing it to tell you about your data allowance is a bit excessive, for sure.


You don't have what? Comcast had a data cap nationwide (250GB/mo) even if you weren't aware of it. They temporarily stopped enforcing it outside of two test markets (Nashville and Tucson) where they're working out exactly what limits people will put up with. You wouldn't see this popup unless you live there and you've used over 225GB this month.


Thanks for the explanation.


Comcast is not available in Canada.


I don't grok why they'd even try to inject their code into a webpage you requested. Why not simply create a separate page that you see BEFORE, that you read and acknowledge receiving, and then finish sending the requested page?


The easiest way to combat this is to use SSL. You should be doing that on your website anyway.

Another effective way of combating this is to detect what's happening and add a "This ad was sponsored by Comcast:" message.

I can sort of see the intent behind this. I just wish they'd tell their customers about their service usage out-of-band, like sending them a text message or an email.

One part of me realized "OMG they're going to track which websites I visit by looking at the HTTP Referer!" But then I quickly realised that as my ISP, they already have access to that information anyway...


Do comcast users come from a recognisable range of addresses? If so I might have to add a warning to everything I output along the lines of:

"Your ISP (Comcast) adds terrible Javascript to the code of this page without our knowledge or permission, therefore if you have any problems with this application please contact their support line in the first instance and not us. While your ISP is modifying our code, especially while they are modifying it by adding such terrible code of their own, we simply cannot support you, sorry."


No but their hostnames generally call out "comcast" somewhere therein. I've called out some affected clients elsewhere.


This is why I run an always-on VPN


Ladies and gentlemen, this is why if you are hiring a programmer, you always ask for a work-sample test before making the hiring decision final.

https://news.ycombinator.com/item?id=5227923

Yes, the code sample suggests someone clueless about programming in general, even more than being clueless about the particular language of this program. So on what basis was the coder hired?


I live in France and I'm a customer of Orange. I was really surprised to see on my mobile, on Facebook (m.facebook.com - I've noticed it only there, but perhaps there are more pages like that) that they're injecting HTML with a "Return to Orange World" link in the footer directing to orange.fr. Not sure if anything more though - I have a plain old mobile with Opera Mini.

I'm curious if they have some deal with FB to do it.


It could be the fact that you have a strange combination of both an old phone and (what could be a customized) Opera Mini.

I have an iPhone at Orange and never saw this.


I've installed Opera Mini on my own, so it's not customized.


Major web sites should sue for theft of service. They are modifying someone else's copyrighted content to steal their advertising revenue.

Also: https everywhere, now.


I'm glad I'm not on Comcast anymore. Terrible customer service combined with anti-customer practices like this, in addition to the lowest cost/service value on the planet and I'm glad to be done.

We switched to CenturyLink and we're really happy. I'm regularly getting 35-40 Mbps for half the price of 6 Mbps on Comcast. It is a little unnerving to know that 40 is literally the limit of their DSL technology though.


I'm pretty sure Comcast aren't the only ones doing this. I had mobipcs for a while (when I had just got a new house, and had to wait for DSL to get installed) and they injected js that tracked your browsing and replaced certain ads it found (as well as caused various errors because it wasn't written properly). I wouldn't be surprised if other companies did the same.


Non-quality of code question, and sorry I haven't been able to parse this from the comments so far. Am I reading this correctly to mean that Comcast's method of alerting customers that they are close to their cap drives them closer to their cap?


Some of the worst Javascript I have ever laid my eyes upon. Polluting the global namespace, checks for Netscape Navigator 6... It burns my eyes reading this. Did they actually hire a programmer who wrote this?


I see a lot of discussion on the quality of the code, but not much about the fact that Comcast is modifying the content they are serving without informing their customers AKA the legality of the situation...


The image_url variable references "constantguard/BotAssistance", which turns up in search results as a system used to alert customers of DNS changer malware.


Wait, does the Detect Browser script actually work for browsers made after 2001? I'd hope that Comcast's customers aren't using Netscape 6...


I'm torn.

This seems bad, but the warning (exceeding your bandwidth quota) seems valuable. I can't think of another, better way to message this.


Your profile reveals you're a former Comcast employee. That's a disclaimer worth posting here.

But yeah, if you have service with Comcast they have your home phone, email addresses, and physical address. They can get in touch with you every way that every company that CAN'T read all of your internet traffic already gets in touch with you.

The method they've chosen is terrible for at least the following reasons:

- The alert will not work on many platforms & devices.
- The alert may not reach the account owner.
- The alert will not work on SSL traffic.
- There is no record that the customer saw the alert (contrast with phone call).
- There are serious privacy issues involved in parsing users' web traffic.


The alert will significantly increase your data usage...


It's extremely bad. The fact that ISP monopolies are not regulated in favor of consumers is slowly going to destroy the openness that has made the web so successful. Instead of giving us raw pipes these monopolies are injecting themselves as proxies where they can monitor, cap bandwidths, shape traffic, censor content, insert messages and even add ads, which Comcast already does when a DNS request is not resolved in a HTTP session.

If you look at what Comcast does on the TV side, things like adding ads to the guide so it's barely usable, you can see where this is going. But the federal regulators of the monopolies are asleep at the switch, we can't even get network neutrality passed. The monopolies know how to play the lobbying game as well as how to slowly turn up the heat so the users aren't all outraged at once. But we can expect more abuses, more ads, more monitoring, more restrictions, more unwanted 'value adds' as time goes on.


  | It's extremely bad. The fact that ISP monopolies
  | are not regulated in favor of consumers is slowly
  | going to destroy the openness that has made the
  | web so successful.
This is a little over the top. Whether or not to use this to notify users of time-sensitive information could be a question posed at even a small ISP without such 'evil ambitions.'

It's probably more useful to discuss the pros/cons of this approach to notifying users than it is to decry over-arching problems with the entire industry. These (over-arching industry issues) have been discussed ad nauseam, and action is more useful than discussion at this point (at least on technical forums such as this).

  | But the federal regulators of the monopolies
  | are asleep at the switch
Look up regulatory capture.


Here are some other ways.

1. They could email you.
2. They could send you an SMS.
3. They could let you view your bandwidth usage by logging into their site.
4. They could provide an application (desktop or mobile) to keep track of your bandwidth and alert you at certain points.


My provider (T-Mobile in the UK, using a mobile 3g dongle) sends me an SMS, and the connection software has lots of graphs and numbers.

They still send interstitial content warning me that I've exceeded my fair-use limit. It's a bit annoying because I very carefully checked what the limits were before I signed up.

What's worse is that they use weird, broken, IP addresses and horrible proxies for image mangling.

EDIT: Here's a pastebin.

(http://pastebin.com/k6ddD0sJ)

EDIT: Here's a Security Stack Exchange question about it: (http://security.stackexchange.com/questions/9368/mobile-carr...)


I use T-Mobile as my mobile carrier and as far as I know they do numbers 2, 3, and 4 that you listed here. I know this because I have received an SMS when I neared my 2GB of unlimited 4G data transfer. I also have logged into their site and used the app on my phone (HTC One S) to monitor my data usage. The phone app even tells you how much data was used by each app and when. It is fantastic. Could that be so hard for Comcast?


My ISP gives emails at 50%, 80% and of course 100%. They also do options 3 and 4 (no idea about 2) but the emails are so very easy, and knowing you've hit 50% gives you time to mitigate before you get capped.


They should redirect to a notification page. Injecting js is unacceptable.


This is still an intrusion into others' communications.

I wonder, isn't there any law in the US that forbids carriers from fiddling with messages?


Cable companies, IIRC, aren't common carriers the same way a phone company is. They aren't regulated by the FCC the same way phone companies/tv broadcasters are.

They can do pretty much whatever they want to.


I can't think of a worse way to message it. You don't inject your data into my private communications. No matter what.

The right way would be to ask the customer when they sign up for service what method they would like to receive service notices through. Phone, email, SMS, lettermail, twitter, Facebook, there's a million better ways than to modify my data.


Oh boy.

Since you're a comcast employee, maybe go ask the guys running your SMTP/POP3/IMAP servers. I have faith that you guys can come up with some way to communicate with the people using them.


Email? Text?


That could work, but I'm guessing often this might not be the account owner (kids?) racking up the bandwidth.


All the more reason to notify the bill payer, and not the current surfer/downloader.


Doesn't matter; it's the account owner who is responsible for it.

Injecting into a webpage is unacceptable.


Maybe the power company should blink account warnings in morse code through your lightbulbs. After all, it may not be the person paying the bill that is using all of the power....


Thanks, now everyone is looking at me because I am laughing with myself!


They have a comment in the script

  // Intended use is to display browser notifications for critical and time sensitive alerts.
I imagine you can rack up a fair amount of usage before checking emails, only to find you went over your cap a few hours ago.


All the more reason not to have hard caps on bandwidth.


I suppose calling on the phone is out of the question.


And what happens when your 6 year old kid gets all the notifications? Or your neighbor who is using your Wi-Fi?


Another reason to use an SSH tunnel or VPN for all traffic, combined with HTTPS Everywhere.


brainjar! My go to resource for DIV positioning back in 1999.


Where is the Chrome extension to block this?


HTTPS Everywhere[1]. Using SSL certificates helps prevent man-in-the-middle attacks[2], such as this. Comcast wouldn't be able to read any of your traffic and insert js without spoofing SSL certificates.

[1] https://chrome.google.com/webstore/detail/https-everywhere/g...

[2] http://security.stackexchange.com/questions/8145/does-https-...


Another reason to use SSL everywhere.


if they just went to unlimited internet, they wouldn't need this thing.


Mobile carriers do this too. I see the exact same feature being provided on my Sprint line.


If this was happening on a 56k modem over a phone line it would clearly be wire tapping. I encouraged the op in another post, https://news.ycombinator.com/item?id=5484850, to contact the FBI. If you see a downside to this let me know, but until I realize one, or have one pointed out I encourage you to do so.


I was just blocking 1.2.3.4, which the inserted js used to download the rest of the "features". I have no reason not to report this to the FBI except I don't really understand what's going on here so I wouldn't be a good contact.

If you would like to see the content of the script, I can show it to you, it's a bit different than the one posted here.


OMG LOL. Have they never heard about jQuery? Christ, they could have made the code so much more elegant.


So you think they should inject a third-party dependency instead of just some inline js? And that would make it more elegant?


They could just inject it inline. No problem there.

The whole document.write block 27-51 (possibly the CSS block too, but I'm not sure about this) could be written far more elegantly in jQuery.

But the real saving is that "drag and drop" code - jQuery would abstract all that isIE/isNS crap from them.


The block of code they injected here was 7.9 KB (3.7 KB gzipped). jQuery is 93 KB (33 KB gzipped). So no, I don't think that would have been more elegant. Injecting anything into users' pages without permission is insane. Injecting a huge library like jQuery would be even more insane.


As long as you're already injecting something, why not go all the way?


Wasted resources. The difference in size between the two (using the numbers from the above comment) is 85.1 KB. Now think of all the customers Comcast has and you will see quickly the difference it makes with a few KB.


Oh man, I thought you were being sarcastic earlier!?

...unless you're still being sarcastic?


Their jQuery code would probably look like http://enterprise-js.com/23, with aggressive caching methods used on all jQuery selectors: http://enterprise-js.com/27


Wait, what? Why didn't I know about this website before? I am writing all these down!!!11oneoneone EOSarcasm


-1 not enough jQuery


right tool for the right job.

a 1 page script written for comcast does not demand jQuery.

That's not to say it would have improved it.


It at least would remove this damn ugly browser switching code. Hey, it's 2013, no need to reinvent the wheel...


You're missing the point. You're too focused on the code writing part. It's the extra unnecessary resources loaded from jQuery.

The difference in size is 85.1 KB (according to an above post). 85.1 KB * 100,000,000 (just an example of the number of times it is loaded) = 7.92555511 terabytes of wasted resources.


jQuery would make this worse. It would be like adding a truck to be towed by a car that's running out of gas anyway.


But think about the Netscape 6!


I didn't know you could get downvoted this hard on HN... I had to select it to even read this!



