Comcast Using JavaScript Injection To Serve Ads On Public Wi-Fi Hotspots
An anonymous reader writes: For some time now, Comcast has been setting up public Wi-Fi hotspots, some of which are run on the routers of paying subscribers. The public hotspots are free, but not without cost: Comcast uses JavaScript to inject self-promotional ads into the pages served to users. "Security implications of the use of JavaScript can be debated endlessly, but it is capable of performing all manner of malicious actions, including controlling authentication cookies and redirecting where user data is submitted. ... Even if Comcast doesn't have any malicious intent, and even if hackers don't access the JavaScript, the interaction of the JavaScript with websites could 'create' security vulnerabilities in websites, [EFF technologist Seth Schoen] said. 'Their code, or the interaction of code with other things, could potentially create new security vulnerabilities in sites that didn't have them,' Schoen said."
JavaScript (Score:4, Insightful)
Yet another reason to disable JavaScript from your computing devices.
Re: (Score:2, Informative)
Honestly, the number of times I have to whitelist a page to run JavaScript is surprisingly small. In fact, some even end up working better (I'm looking at you, theonion.com, and your regional paywall-after-a-certain-number-of-pageviews).
Re:JavaScript (Score:4, Informative)
A lot of browser addons like NotScript and NoScript even allow you to easily whitelist javascript permissions by domain trying to do so on a page, so if things are not happy you just click the icon, and click allow for the domains that are pertinent to the site and not the ad networks et al.
Re: (Score:2)
Which is great if you only visit the same sites. I try to do something similar to what you request, but if you don't have a regular set of websites you visit, you are going to be constantly twiddling permissions.
It's annoying enough when it's just me, but my parents/wife/family respond, "This website is broken, your setup drives me nuts, I just want things to work."
Re: (Score:2)
Then disable disabling javascript for their users and keep their accounts in a sandbox, or on separate machines. If it's your network, and they've authorised you to manage security, backups and hardware then they get what you decide. Or they get to manage it themselves.
They do understand binary?
Re: (Score:2, Informative)
That would be nice, but it's impossible to use the modern web and HTML5 without JavaScript.
Just disable JavaScript from third party sites. When you browse your local news page there is no reason for them to pull in scripts from adtech, google-analytics or whatever.
The pages that don't work when you disable external JavaScript are just a handful, and usually you just need to enable "samename-cdn.com" or similar because they store some stuff on another domain to distribute the load.
Re: (Score:2, Informative)
> That would be nice, but it's impossible to use the modern web and HTML5 without JavaScript.
Tell that to the 2.2 million users that have made NoScript the 3rd most popular non-developer add-on for Firefox. [mozilla.org]
Good advice. But the subject is abuse by Comcast. (Score:2)
But the subject is about Comcast abuse. Here is just one example, from Comcast's "Automatic Payment Terms & Conditions", retrieved a few minutes ago:
"6. COMCAST SHALL BEAR NO LIABILITY OR RESPONSIBILITY FOR ANY LOSSES OF ANY KIND THAT YOU MAY INCUR AS A RESULT OF A PAYMENT MADE ON ITEMS INCORRECTLY BILLED..."
Most people don't have time to read legal language. Many would not understand it fully. It is overly broad. And, in my experience, Comcast often tr
Comcast: Least popular company in the U.S. (Score:3)
"In April 2014, Comcast was awarded the 2014 "Worst Company in America" award; an annual contest by the consumer affairs blog The Consumerist [slashdot.org] that runs a series of reader polls to determine the least popular company in America."
More from the same Wikipedia article:
In 2004 and 2007, the American Customer Satisfaction Index [slashdot.org] (ACSI) survey found that Comcast had the worst customer satisfaction rating of any company or government agency in the country, including the
Re:Defeatism (Score:4, Informative)
Now if those @#*$&! at Mozilla gave me that convenient checkbox to enable/disable Javascript without having to mess with about:config, I'd have one gripe less.
Then you should use the NoScript plug-in, which automatically blocks JavaScript from sites you visit (except certain whitelisted sites, and you may have to block them yourself). Besides, the plug-in remembers what you have set up (allow/not allow) even after a browser update (thumbs up to the developers for keeping up with the browser). It is a simple workaround.
QuickJava (Score:2)
Now if those @#*$&! at Mozilla gave me that convenient checkbox to enable/disable Javascript without having to mess with about:config, I'd have one gripe less.
Consider your request granted. QuickJava [mozilla.org] puts buttons to enable/disable Flash, JavaScript, Java, Silverlight, etc., etc. on the menu bar.
Re:JavaScript (Score:5, Insightful)
Better yet, disable HTTP. This is a MITM injection attack and SSL was invented to help prevent this.
Re: (Score:3)
No points.
Or pronouns.
you don't either (Score:3)
https everywhere
Re: (Score:3)
Yes because often public wifi refuses to work altogether if you turn it off.
Comcast is where Google's evil goes (Score:2)
Conservation of evil. It has to go somewhere. Comcast seems to be at the root of every bad deed these days. I think we figured out that Google is dumping its evil quota on Comcast.
Copyright violation? (Score:5, Interesting)
Does this violate the copyright of the sites the user is visiting? By modifying the content stream, they're creating a derivative work without authorization.
On the other hand, user-controlled plugins and ad blockers do that all the time, so I wouldn't be too quick to make that argument in court.
Re:Copyright violation? (Score:5, Informative)
And doing so for a commercial purpose. Which, in theory, could make it criminal.
Re:Copyright violation? (Score:5, Interesting)
And doing so for a commercial purpose. Which, in theory, could make it criminal.
If I recall correctly, Comcast is currently arguing just this in court -- but for third parties stripping ads from their cable streams.
I think they're going to try really hard to differentiate between the goose and the gander here.
Re: (Score:2)
I think they're going to try really hard to differentiate between the goose and the gander here.
goose = about to be cooked
gander = watching goose process
Re: (Score:3)
Please. Copyright is to be used *BY* the $BIG_CORPORATIONS against $LITTLE_PEOPLE and $SMALL_BUSINESS, not the other way around.
That's why $BIG_CORPORATIONS bought the current laws!!!
Re: (Score:2)
And doing so for a commercial purpose. Which, in theory, could make it criminal.
At the very least they are modifying user content, which should by all rights push them out of any DMCA safe harbor protections.
Re:Copyright violation? (Score:5, Funny)
STFU
Why is ComCast's marketing dept posting as 'AC'? :)
Re: (Score:2)
What a crushing rejoinder. I'm going to go commit suicide now out of shame.
Re: (Score:3)
Only leased routers do this, so the router is under ownership of Comcast and is rented to the end-user.
Re: (Score:2)
There’s nothing grey here. What matters is who’s instructing the router to make changes.
Car analogy time: If you borrow a car that I own, and you run someone over with it, you are generally speaking liable for actions you initiated, not me as owner of the car. (Granted, if I cut the brake lines before you borrowed it, that changes things, but let’s assume a mechanically sound vehicle for sake of argument.)
Comcast programs the routers(*) to modify content. The Comcast subscriber where t
Re:Copyright violation? (Score:4, Insightful)
I think it is.
It is one thing to install software on your own computer that serves modified content. When you start serving the modified content to other people, I believe that creates the difference.
If Comcast can inject ads, then there would be no problem with ISPs offering "Advertising Filtering" proxy servers for their customers and serving them sanitized content.
Re: (Score:3)
Of course there'd be a problem with that. Comcast's users won't pay as much for ad free content as their customers - advertisers - will pay to shove ads down your throat.
Re:Copyright violation? (Score:5, Funny)
Well, then obviously, you charge those ad distributors for a silver ad plan that gets by the filters.
Then charge customers for a silver ad blocking plan that blocks them.
But a gold ad plan will get by that.
But a gold ad blocking plan will block that.
But a platinum ad plan will get by even that....
Cue Comcast's CEO singing "We're In The Money!"
Copyright violation? (Score:5, Insightful)
Yes, definitely. Also, it violates the policies of ad-free sites to not subject their visitors to ads. Websites will not be able to maintain their terms of service. For example: if you pay the website for an ad-free subscription, and Comcast then injects ads, your customers are screwed.
An ad-blocker is for personal use -- kind of like marking a page in a book that you're reading or removing a picture because you don't want to see it. Systematic modification of copyrighted content before delivery to customers is definitely criminal.
Re: (Score:2)
But Comcast is leading the user to believe that the page looks like their modified version. If the user mods the page with plugins, they know it isn't being displayed as I intended. I don't mind the user doing that, but I do mind an intermediary doing it.
Perhaps a plugin that checks the integrity of a page against an embedded signed hash and launches a DOS against the ISP if it has been corrupted.
Re: (Score:2)
Oh, a DOS doesn't need to be launched, that would imply you are trying to circumvent the courts. Merely have the plugin send a DMCA take down notice to the content provider every time it detects that an unauthorized derivative work has been made and shared.
Re: (Score:2)
How about if a EULA is included as a recognition string in the signature? "By altering this page you request our extra special network resiliency testing service." If EULAs are legal, then so is that.
Re: (Score:2)
Contract law doesn’t work like that, fortunately.
The ISP (allegedly a common carrier) isn’t a party to that EULA. Only the end-user accessing the site is. The end user has no power to bind the ISP legally to anything.
Aside from that, such a term would never be enforceable in any kind of website AUP. I can put, “By accessing my home page, you owe me a million dollars,” but it ain’t gonna fly...
Re: (Score:2)
That is actually why I oppose EULAS in general. I'm just noting that the courts have a sketchy record when it comes to making sense.
For the rest, I could argue that since the ISP inspected the payload of the packet rather than just the header, they imposed themselves as a party to the transaction. A common carrier just sends the bits along.
Another amusing option would be accessing the GOP homepage and then starting a stink over them so blatantly endorsing Comcast...
Or perhaps some .gov pages...
Re:Copyright violation? (Score:5, Interesting)
Does this violate the copyright of the sites the user is visiting? By modifying the content stream, they're creating a derivative work without authorization.
On the other hand, user-controlled plugins and ad blockers do that all the time, so I wouldn't be too quick to make that argument in court.
I'd argue against that... except... by modifying the content en route, they are likely pushing legitimate ad content out of the user's view. I.e., if I ran a search engine, and paid for that service by placing a banner ad at the bottom advertising chicken wings... and then Comcast did their injection attack and pushed that ad further down, they would most certainly be affecting my commercial revenue.
If the user chose to block that ad themselves, that would be entirely different. They made a choice to do so, or to scroll their screen. But this is an intermediary company forcing that content out of the user's view for a profit. I'd say the EFF should throw up a page, visit it on one of these networks and then sue the living crap out of Comcast.
Re: (Score:2, Interesting)
It's more serious. It violates the CFAA, since it injects code that makes other computers do things they weren't intended to do (put up advertising).
The responsible people should be jailed.
Re: (Score:2)
There are no legal issues with an end user altering the presentation of what they receive to suit their needs. It's not like you're under contract to download all of the cross-site scripts today's hipster web developers burden their creations with. Injecting some Greasemonkey Javascript or blocking malicious code can be interpreted as a derivative work but there is no further distribution to other parties to make the case of damages through copyright infringement. This is commonly done with screen readers a
Re: (Score:2)
Leave it to Comcast to test the boundaries of sleazy practices.
Re: (Score:2)
Okay, IANAL, but this is my understanding. If you're the copyright holder, nobody has the right to change your work without your permission (which may be a CC license or something).
Copyrights in the US are registered and unregistered. Both are valid, but there's differences in the enforcement. If somebody violates your unregistered copyright, I believe you'd have to sue for actual losses, which in most cases is a whole lot below the filing fee to sue. If somebody violates a copyright you'd registered
Re: (Score:1)
You are not getting internet for free; you have to sign in using your Comcast ID, which is included with the Comcast service you are paying for.
Re:Copyright violation? (Score:4, Informative)
As I recall, it's not free ... it's available to people who are already Comcast subscribers.
In other words, this should be no different from any other context in which you connect to the interwebs via your Comcast service.
Except Comcast is letting the people who host the routers pay the electrical bill, and injecting even more ads into it.
And I definitely agree that modifying other people's content is getting into a sketchy area of copyright, and possibly stealing the ad revenue from those site owners.
Because, if the people who actually own the sites aren't having their ads served, but suddenly someone else's ads are showing up, then isn't Comcast just skimming from someone else's stuff?
Re: (Score:2)
The owner of the copyright on the web page isn't getting free anything from Comcast. In fact, if they're getting hit up for protection money (nice website you have there. It'd be a real shame if it took 5 minutes to load....)
Re: (Score:2)
Soon... Valentines Day...
Re: (Score:2)
Well since you are getting connection to the internet for free...
Nope, not true.
I don't have Comcast's phone or TV service (both of which suck), and only have their internet service because that's what we're stuck with in this little town for broadband (at least until sat/wireless catches up in speed). ...and yeah, those bills they send me every month say that you're sadly mistaken.
so don't use them! (Score:5, Funny)
Don't use random hot spots. It's like safe sex, only for your computer. Stay away from sketchy connections.
Re: (Score:2)
Don't use random hot spots. It's like safe sex, only for your computer. Stay away from sketchy connections.
It's even like not buying what is advertised. I won't.
Re:so don't use them! (Score:5, Funny)
Don't use random hot spots. It's like safe sex, only for your computer.
[me] Aight baby, play with that packet. You know how I like it ... *stp-broadcast* ...
[ap] tee hee *beep*
[me] oh yea, deeper inspection, deeper inspection! oh yea!
[ap] *56k carrier sound*
[me] That's what I like to hear! Now, I put on my robe and wizard's hat
[ap]
[me] baby-aye-pee you still there? Where'd ya go??
So setup a case where harm is being done (Score:2)
then take 'em to court.
Re: (Score:2)
The WiFi isn't free; it's only for Comcast subscribers who already pay Comcast money. This makes it commercial, which means that Comcast is likely planning criminal copyright violations.
FrontPorch Technology Ransacks the Device!!! (Score:2)
Did anyone catch the promise in the FrontPorch video ad that customers could use the technology to "gather valuable business intelligence"? Guess it doesn't only deliver ads... it ransacks the device!!!
Terms and Conditions (Score:1)
I'm sure the terms and conditions you agree to when using their hotspots explicitly grant them permission to do so.
Re: (Score:2)
That’s the grey area I wonder about. I think you’re right, but I could see arguments made the other way.
If it’s in the AUP that end-users are granting Comcast the right to modify pages they request, then they’re essentially granting a limited agency to Comcast to act on their behalf. The one similar case that comes to mind was some religious nutcase company that would send you DVD’s with all the racy & violent bits edited out so your good Christian family could still watc
Content Security Policy (Score:5, Interesting)
It would be interesting to see what would happen if you browsed a website with Content Security Policy headers on a Comcast public Wi-Fi hotspot.
The technology is new enough that the injection technology might not handle it and thus the browser would block the ad. But if they did, by changing the CSP headers, the website might have a stronger case for suing Comcast since they would be explicitly bypassing a security technology.
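As an added illustration of the question raised above (this is not code from the thread, from Comcast or from any injection vendor): a simplified Content-Security-Policy evaluator that shows why a `<script>` inserted in transit is refused by a browser once the site ships a `script-src` policy. It handles only `default-src`/`script-src` with `'self'`, `'none'`, `'unsafe-inline'`, nonces and host expressions; the page origin and script URLs are constructed sample values.

```javascript
// Simplified CSP evaluator (added example, not browser code). Only the
// script-src / default-src directives and a subset of source expressions
// ('self', 'none', 'unsafe-inline', 'nonce-...', scheme://host, *.host)
// are modelled; enough to show the effect of a policy on injected scripts.

// Parse a CSP header value into { directiveName: [sourceExpr, ...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Scripts are governed by script-src, falling back to default-src.
// null means the policy places no restriction on scripts at all.
function scriptSources(policy) {
  return policy["script-src"] || policy["default-src"] || null;
}

// Match a host expression (https://cdn.example.net, *.example.net, host) against an origin.
function hostMatches(expr, origin) {
  const o = new URL(origin);
  let scheme = null, host = expr;
  if (expr.includes("://")) [scheme, host] = expr.split("://");
  if (scheme && scheme !== o.protocol.replace(":", "")) return false;
  if (host.startsWith("*.")) return o.hostname.endsWith(host.slice(1));
  return host === o.hostname || host === o.host;
}

// Decide whether one script element may run under the given policy.
// script is { inline: true, nonce?: "..." } or { inline: false, src: "..." }.
function scriptAllowed(cspHeader, pageOrigin, script) {
  if (!cspHeader) return true;              // no policy: an injected script simply runs
  const sources = scriptSources(parseCsp(cspHeader));
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  if (script.inline) {
    if (sources.includes("'unsafe-inline'")) return true;
    return !!script.nonce && sources.includes(`'nonce-${script.nonce}'`);
  }
  const srcOrigin = new URL(script.src).origin;
  for (const s of sources) {
    if (s === "'self'" && srcOrigin === pageOrigin) return true;
    if (!s.startsWith("'") && hostMatches(s, srcOrigin)) return true;
  }
  return false;
}

// Constructed scenario: a site at news.example.com, its own bundle, and an
// in-transit injector that adds one inline snippet and one external loader.
const PAGE = "http://news.example.com";
const SITE_OWN = { inline: false, src: "http://news.example.com/app.js" };
const INJECTED_INLINE = { inline: true };
const INJECTED_EXTERNAL = { inline: false, src: "http://ads.injector.example/loader.js" };

function demo(cspHeader) {
  return {
    ownScript: scriptAllowed(cspHeader, PAGE, SITE_OWN),
    injectedInline: scriptAllowed(cspHeader, PAGE, INJECTED_INLINE),
    injectedExternal: scriptAllowed(cspHeader, PAGE, INJECTED_EXTERNAL),
  };
}

// Without a policy all three run; with one, only the site's own script does.
console.log(demo(null));
console.log(demo("default-src 'self'; script-src 'self' https://cdn.example.net"));
```

The caveat from the comment above still applies: over plain HTTP the same injector can strip or rewrite the CSP header before the browser sees it, so the policy only reliably protects pages delivered over HTTPS.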
Cookie settings help (Score:2)
Always make sure your session cookies are tagged with HttpOnly, so Javascript code has no access to them.
From a user of a wifi hotspot's point of view, use a VPN or only browse HTTPS sites.
Re: (Score:2)
VPN. All the way.
You see that stream of octets? You can't get into them!
Bwahahaha!
Now, it seems that Comcast (my ISP) drops my VPN connection every few hours. I'm working on a modem reboot system that keeps my network up, but it's a huge PITA that Comcast resets my connection several times a day and it requires a full modem reboot to get it back again.
still, I'll continue to use a vpn for many reasons. the 'opaque stream of octets' keeps their fingers out of my data, very nicely. they can't modify or rea
Hosts file solution? (Score:2, Flamebait)
Maybe I'm missing something here, but it seems like an edit to a local hosts file could resolve this.
Generically, for instance, if the ads injected were coming from ads.comcast.net one could simply add a line to the hosts file:
0.0.0.0 ads.comcast.net
Wouldn't this prevent the ads from loading to begin with? I mean, sure, it's a little more difficult on phones and tablets, but on regular PCs it shouldn't be at all difficult to make this edit.
Since I'm apparently in a generous mood, for windows users, open an "administrator command prompt"
Windows 8 reverts the hosts file (Score:4, Interesting)
Maybe I'm missing something here, but it seems like an edit to a local hosts file could resolve this.
You're not the only one who uses hosts files like this. When Flash ads first appeared on Slashdot, I started blocking servers that send Flash ads. (I'll never buy Splunk because it was the first thing I ever saw advertised in a Flash ad.) I've since switched to click-to-play plug-ins for that, but I have written a few thoughts on how to make hosts file parsing more efficient than it currently is [pineight.com].
Alex P. Kowalski (APK) has long been an advocate of using hosts files for DNS blacklisting and acceleration, and his tool for Windows [blogspot.com] aggregates multiple sources over a million lines long. It also looks up the IP addresses for commonly accessed sites and caches them locally. He claims that his tool is more efficient than DNS because the operating system's hosts file parser allegedly runs in kernel space (fewer context switches) and the most commonly accessed sites (good or bad) are at the top of the list.
But lately, Windows Defender has been reverting the hosts file so that malware can't use the hosts file to redirect Facebook and the major webmails and "steal" users' credentials that way. You have to opt out of hosts file protection [mvps.org] if you want to continue using APKware.
Re: (Score:2)
Are you really starting this up again?
He called you out last time and you were made to look like quite the fool.
Just leave the site and not come back (Score:2)
Also, your HOSTS file does nothing if the ads are served from the root of the domain. What're you going to do, block the entirety of the site? Good luck reading it!
A lot of Slashdot users have told me that if a site has objectionable ads that slip past the ad blocker, they will in fact just leave the site and not come back. I've done that, for example, to www.facebook.com in my laptop's hosts file.
Which MITM? (Score:2)
[Client-side DNS blacklisting] won't protect against MITM, DPI, or other forms of attack.
What sort of man-in-the-middle attack are you referring to? Hosts protects against DNS MITM (admittedly by being one). HTTPS protects against HTTP MITM on sites that support it (such as Reddit [reddit.com]). And Perspectives protects against HTTPS MITM.
Re: (Score:2)
FACT: APK's Hosts file turns almost any website into a horrible version of Slashdot Beta, with all that white space and broken-up article text.
No it doesn't. Screenshots or STFU.
Re: (Score:2)
I'm not stupid enough to utilize APK's nimrod HOSTS file.
Betting you are, though.
So you don't use it yet you claim it breaks things?
Yeah, keep being a dumbass.
Hosts + HTTPS + Flashblock (Score:2)
Comcast's Xfinity injection attack TOTALLY bypasses your HOSTS file.
How is Comcast going to inject into an HTTPS session without my browser's certificate verifier smelling a rat?
And the fun part is, I can keep ads from showing to you long enough for you to whitelist the site, and then slam your ass with ads anyways.
At this point I'm ready to split the difference. I agree with APK that hosts is a useful first line of defense, but I agree with you that it doesn't do everything. HTTPS and Flashblock are the next lines.
Re: (Score:2)
An amateur edited site known to be full of inaccuracies
Ad hominem. Did you try following the chain of sources that Wikipedia cites?
Re: (Score:2)
You forgot a step if you are running 8.*. If you only do what you have, then Windows Defender will reject your edits as being "malicious".
See here to fix that:
http://winhelp2002.mvps.org/ho... [mvps.org]
Re: (Score:2)
After a few pages of spam from you I just have one question:
Does your host file based solution block your fucking annoying Slashdot comments?
Malicious (Score:4)
Even if Comcast doesn't have any malicious intent
Of course they have malicious intent; they are inserting ads where previously there were none. Isn't that malicious enough for you?
Re: (Score:2)
I am able to load https on Slashdot. You have to be a subscriber, but that is one perk. It costs me about $10 every few years, so I am willing to pay for a secure connection and no ads.
Real life wins (Score:2)
"We think it's a courtesy, and it helps address some concerns that people might not be absolutely sure they're on a hotspot from Comcast," Douglas said.
OK to continue (Score:2)
If browsers treated HTTP GET nowadays like they have treated HTTP POST (i.e. pop up an annoying modal dialog that says "This connection is untrusted. Are you sure you want to continue?"), I daresay this would motivate everyone to move to HTTPS.
The problem is the web of trust and the cost of getting certificates. There needs to be a mechanism for getting a free or trivial cost certificate if you are not a corporation.
Re: (Score:2)
“To ensure your security, in order to use our service, you must follow these simple instructions so that your system will trust our security certificate.”
Then MitM every SSL request. There’s commercial carrier grade hardware that will carry out the MitM & injection, and I’d bet you get a huge portion of users who blindly do it. SSL be damned...
Re: (Score:3)
That should go over really well for internet banking and other security sensitive uses.
Re: (Score:2)
Easy fix for them: a whitelist of banks, etc. to not run injection on. They get to claim they're preserving security for important sites while still injecting ads on everything else. Pretty sure most non-geeks would fall for it.
Re: (Score:2)
Or just always use https.
There's no fucking reason not to.
Re: (Score:2)
It drives me nuts that I have to give my cable company (TW) rights to modify the DOCSIS cable modem I bought & own by pushing TFTP configurations down to it. I can’t even imagine giving them ownership of a device that connects directly to the green side of my network that they can modify any time they want.
You can have my old PC router when you pry my cold dead fingers off it...
Re: (Score:2)
You know you can just buy your own DOCSIS cable modem and not pay them a monthly lease (and pay for the extra electricity), right?
Re: (Score:2)
Most injection systems look at the Content-Type header and only inject text/html. Most of them are pretty conservative at this point and actually manage not to foul up most sites. Still evil and probably a copyright violation, but they’re generally smart enough not to monkey with AJAX calls, binary downloads, etc.
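Two points from this thread, the Content-Type gating described just above and the HttpOnly cookie advice further up, in one added example (not code from the thread, from Comcast or from any injection vendor): a small auditor that looks at a raw HTTP response the way a defender checking a hotspot would. It only inspects `text/html` bodies, lists `<script src>` origins that are neither the page's own origin nor on an allowlist, and reports cookies set without `HttpOnly`. The response, page origin and allowlist are constructed sample values.

```javascript
// Added example: audit a raw HTTP response for in-transit script injection
// and for cookies readable by page scripts. Inputs below are constructed.

// Split a raw response into status line, header map (repeatable) and body.
function parseResponse(raw) {
  const [head, ...bodyParts] = raw.split("\r\n\r\n");
  const lines = head.split("\r\n");
  const headers = {};
  for (const line of lines.slice(1)) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (!headers[name]) headers[name] = [];   // Set-Cookie legitimately repeats
    headers[name].push(value);
  }
  return { status: lines[0], headers, body: bodyParts.join("\r\n\r\n") };
}

// Injectors only rewrite HTML bodies, so that is where a check is needed.
function isHtml(headers) {
  const ct = (headers["content-type"] || [""])[0].toLowerCase();
  return ct.startsWith("text/html");
}

// Origins of every external <script src> that is not the page's own origin.
function externalScriptOrigins(body, pageOrigin) {
  const origins = new Set();
  const re = /<script[^>]*\ssrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(body)) !== null) {
    let origin;
    try { origin = new URL(m[1], pageOrigin).origin; } catch (e) { continue; }
    if (origin !== pageOrigin) origins.add(origin);
  }
  return [...origins];
}

// Names of cookies that page scripts (including injected ones) could read.
function cookiesWithoutHttpOnly(headers) {
  return (headers["set-cookie"] || [])
    .filter((c) => !/;\s*httponly/i.test(c))
    .map((c) => c.split("=")[0].trim());
}

function auditResponse(raw, pageOrigin, allowedOrigins) {
  const resp = parseResponse(raw);
  const report = { html: isHtml(resp.headers), unexpectedOrigins: [], cookiesWithoutHttpOnly: [] };
  report.cookiesWithoutHttpOnly = cookiesWithoutHttpOnly(resp.headers);
  if (!report.html) return report;          // non-HTML bodies are not injection targets
  report.unexpectedOrigins = externalScriptOrigins(resp.body, pageOrigin)
    .filter((o) => !allowedOrigins.includes(o));
  return report;
}

// Constructed sample: the page as it arrives after an injector added a loader.
const SAMPLE = [
  "HTTP/1.1 200 OK",
  "Content-Type: text/html; charset=utf-8",
  "Set-Cookie: session=abc123; Path=/",
  "Set-Cookie: theme=dark; Path=/; HttpOnly",
  "",
  "<html><head><script src=\"/app.js\"></script>",
  "<script src=\"https://cdn.example.net/lib.js\"></script>",
  "<script src=\"http://ads.hotspot.example/inject.js\"></script></head>",
  "<body>hello</body></html>",
].join("\r\n");

function demo() {
  return auditResponse(SAMPLE, "http://news.example.com", ["https://cdn.example.net"]);
}
console.log(demo());
```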