Cox Comm. Injects Code Into Web Traffic To Announce Email Outage
An anonymous reader writes "Cox Communications appears to be injecting JavaScript and HTML into subscribers' traffic, as part of their effort to announce an email service outage. Pictures showing the popup."
Providers have been doing similar things for a while... If you want security, use https.
Shouldn't they send an email warning us about injecting stuff in our web traffic?
Sig Battery depleted. Reverting to safe mode.
is that it refers to Outlook Express, a mail client that was deprecated over 5 years ago.
Who knows what else they are injecting.....
Well hey, someone has to put those layer 7 switches to good use.
Just compromise Cox's servers, and deliver your payload. Very blackhat friendly.
Obviously Cox are a bunch of DICKS.
It's your own fault for not realising it.
For those who wonder why people think this is EXTREMELY POOR FORM:
- Their ability to do this is based on them intercepting all your HTTP data, all the time, every day - insert massive invasion of privacy yadda yadda etc etc etc
Visit CryptoGnome in his home.
What does DNS have to do with injecting code into webpages? Do they inject stuff into banking or SSL connections too? Isn't this against net neutrality or something? I mean, how cocky does the ISP have to be to actually resort to this kind of s****?
"At least I've never seen it before. This is intrusive."
I'm not certain, but isn't there a law against messing with your packet stream, and inserting their own content?
It might depend on your user agreement, but I would never intentionally agree to a provision that would let my ISP alter my content.
I use Millenicom, who resells Sprint, and in my area Sprint started injecting JavaScript into every page that comes over HTTP to recompress all the jpegs to a much lower quality setting.
That, at least, I could block. Now they just recompress all jpegs that come over http to a horrible level. If I want to keep the internet from looking like ass, I have to use a secure tunnel. Which is obnoxiously slow on 3G.
(Unfortunately, there's nothing Millenicom can do about it. It's up to Sprint. And there's no opt-out.)
Yep, I received this too, right on Netflix. Um, thanks, Cox, but even if I used your email service, I'd really rather watch my movie..
Keep your hands off my traffic, please. Is it too much to ask for you to simply carry my bits back and forth for the agreed-upon amount?
I'd give my right arm to be ambidextrous...
You'll care when your ISP starts doing this because no one cared when it happened to others...
First they inject for "emergency notifications" and then next they'll inject for "advertisements to keep your bill down" or something even worse.
I've seen a lot of people suggest "just use Google DNS", but frankly it's a disturbing trend (unless, naturally, your existing DNS provider is even less trustworthy.)
By using Google's recursive DNS servers you should be aware that you're offering them even more information about your online habits, as if they probably didn't have enough already. I'm pretty sure that a capitalist company like Google isn't offering free recursive DNS for purely altruistic purposes (or just to 'speed up browsing').
It's also no secret that Google are proposing including the original source IP in EDNS in recursive lookups too, again ostensibly for routing edge services, but of course it also has that side effect of offering all that extra juicy information to slurp up.
Before I get jumped on as a troll, I'm not anti-Google or pro-anything else, I'm not suggesting you run away from Google and use $competitor, which basically is a choice of no difference, I'm just saying before you decide to move all your services over like that, just think about the disconcerting amount of trust being placed in a company that is in the business of getting as much personal information about you as possible for their ad networks.
I'm pretty sure that a capitalist company like Google isn't offering free recursive DNS (...) just to 'speed up browsing'
Why not? They spend a lot of money keeping Search as fast as possible, because they know that requests above a certain threshold lead people to search less, meaning less ad impressions, meaning less revenue. So what's so implausible about spending some more money on a few DNS servers?
And the data from a DNS server is almost useless; just the domain (not even full URL) and the IP, which often is of some router in front of dozens or hundreds of clients. Considering that a huge percentage of websites out there have some kind of JS code from them (e.g. Analytics, AdSense, etc), it hardly seems worth it to mess their data with such noise.
Dilbert RSS feed
So now internet companies are essentially trying to train users to trust whatever information shows up on a web page that claims to be from 'known' sources?
After all the problems that spoof emails cause for people who don't know better, you'd think an internet provider *would* know better.
I'm sorry, but if you're injecting Javascript and other text into my web sessions, that's a Web Outage (and a serious security threat.) If you're doing it to announce that your email service is down, that's probably annoying to customers who do use your email service, and much more annoying to customers who don't.
(Unlike many people here, I actually do use my ISP's email service, because it includes a shell account where I'm running procmail, in addition to the spam filtering they do, so email that gets forwarded by my primary email address does go through there. But otherwise I'd be running the filters somewhere else. And it still doesn't justify breaking my http sessions.)
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
If you find a way to inject data (in a useful way) into an HTTPS stream without adding your own certificate to the person's computer, there are a LOT of government agencies that would LOVE to talk to you.
Who's to say some significant fraction of popup ads we see in general browsing aren't injected by the ISPs? The actual content providers could be totally unaware while the ISPs are selling ad space on any site, what a cash cow.
ISP: Hey, company X - for $100,000 we can make sure your ads are seen on 3% of all requests in region R, on sites with content targeted at demographic D.
Company X: Is that legal?
ISP: Of course! It's right here on page 17 of the terms and conditions...
Why wouldn't they??
while [ 1 ]; do echo -n -e "\xe2\x95\xb$((($RANDOM&1)+1))"; done
If you find a way to inject data (in a useful way) into an HTTPS stream without adding your own certificate to the person's computer
The easiest way is to just con users into installing a certificate. After several failed connections on port 443, the next hit on port 80 will be MITM'd to say "Have you been getting certificate errors? This certificate allows devices using this Internet connection to connect to secure websites. Here's how to install it:" followed by instructions pertinent to the User-agent that retrieved the page.
Being a web browser support person, I get to hear about ISPs injecting code in web pages frequently, first time was ... what, 7 years ago? Of course, usually that was ads; in that sense at least Cox is not trying to sell you anything.
First case I recall was a Canadian ISP injecting their own ads into search results. More recently there's a low-cost ISP in India which will inject ads in any (insecure) web page.
Of course, I'm not going to pay for someone's service and tolerate them inserting pop-up ads into the pages I see. If they were giving the service away for free or at a substantial discount (like NetZero does) then that's one thing, but paying near full price for something like that doesn't cut it.
Actually it's far more invasive than that, it means they actually LISTEN to the phone conversation and choose the correct GAP in that conversation to inject their javascript. They don't just randomly shove in javascript into a HTTP socket, they have to be watching the traffic.
So they're giving themselves the basis for monitoring your URL surfing later too.
So when they inject adverts, or sell your surfing habits to others, they can point to this and point out that they've been monitoring web surfing and injecting message 'for service quality purposes' for a long time. And thus the change is actually minor, because you like quality service don't you?
Remember phone logs? Tony Blair demanded that phone records for everyone be kept for 2 years and available on demand, he pushed it through the EU when the UK had the chair. His argument was that 'this data is already kept for billing purposes so it changes nothing'. So he opened the basis for spying on everyone, just in case sometime in future they commit a crime. And his lawyer game was, "well it's recorded for billing" so it's only a minor change. The minor change being to keep it for 2 years and replace the warrant with a RIPA letter from one of Murdoch's employees in the police.
Your surfing is already monitored, so it makes no difference if we also monitor it on behalf of Govt/RIAA/Voting Corp/Marketing Corp/Fox News/News International...
...next they'll inject for "advertisements to keep your bill down" or something even worse.
This is cable. Originally you paid for cable because there were no ads.
They'll say it's to keep your bill down, then raise rates. Complain and they'll say the increases would have been higher.
If they're nice they may offer a higher tier plan without injected ads so you can pay a fee for them to suck less.
In phase two the injected ads will be flash video and will count against your (newly reduced!) bandwidth cap. The ad server will query your bandwidth usage and serve full HD ads at double the normal frequency to enhance overage charges if you're close to or over your cap.
HTTP is used for many purposes besides delivering HTML pages. This is a stupid idea.
Cox probably only injects it when the response has the correct MIME type, so you don't get it in images and binaries. Still, there is a huge amount of XML and HTML that is never intended to be seen by the user: automatic update checks can break, all kinds of mobile applications and other networked applications, aggregator services, etc. Some IM programs use HTTP-like requests.
There was a good analogy above, that this is like playing a recorded message when someone makes a phone call, before transferring it to the correct recipient. As you can imagine, this would screw up faxes and modems quite badly.
Now that I'm done complaining, I should come up with an alternative. The best candidate is email, but the email was down so it wouldn't help much. They surely should put up a big message on the home page, as many people will be going there to look up the phone number for tech support. Apart from that, I think the correct way to handle it is to do nothing. This HTTP injection technique may be appropriate for urgent security problems, but not for announcing an outage.
This is basically a man-in-the-middle attack.
"A plan fiendishly clever in its intricacies"- Homer Simpson