There are several corporate firewall products that can do just that. Comcast can just start demanding that their customers install their root cert and that's that.
Remember they are the only venue to access the internet for a lot of people, what are they going to do? Stop using the pretty much mandatory communication and information platform?
I'm always surprised just how many people here on this site think you can fight social/political fights with technology. Especially when it comes to entities that can bribe legislation and control your communication.
They could, but they don't. Until they do, or imply in any way that they might, let's stick to the facts and leave wild, flailing speculation to reddit.
Regardless of what an ISP might do, HTTPS everywhere is excellent advice.
After all the horrible consumer practices Comcast does regularly you'll still give them the benefit of the doubt? How many times do they have to prove themselves as untrustworthy and consumer hostile that you'll stop sitting there and just hoping that next magical tech will make them stop trying to extract maximum money and inject ads into your stream?
Yes, HTTPS is great and should be deployed everywhere. But thinking that they'll just give up on injecting ads into your stream when a large chunk of people use it is hopelessly naive - especially when off-the-shelf enterprise solutions that MITM HTTPS traffic already exist.
The technical capability to MiTM TLS exists since the very moment TLS was designed. It all hinges on the ability to get a trusted certificate for the domain you want to MiTM. You can do TLS MiTM with Apache if you choose to. Acquiring the Cert has always been the problem and nothing changed in that regard. Strictly speaking, things on that front have become harder since browsers are becoming more and more strict about enforcing TLS security. If Comcast moved to distributing a CA cert to their customers I could quite well imagine that all Browser vendors block that root, as they’ve done with CA that fell out of trust.
Comcast and their telco friends just managed to lobby legislation away while completely ignoring complaints and good business. It doesn't look like Americans have any power to fight against these companies so trust into other for-profit companies which are reliant to Comcast & Co. for their profits seems a bit optimistic to me :/
That post wasn't about legislation. It was about the fact that if Comcast started trying to install root certs on the machines of customers using them for their ISP (which itself is unlikely because of the extra cost both to install, and to troublehsoot, i.e., "why can't I browse anything when I am on my new phone"), Google, Apple, and Microsoft could, and likely would, decide to reject them in their respective browsers as being untrusted. Because they have seen fit to do that in other instances where user security was compromised, and an ISP MITM every bit of your traffic is no less alarming.
Not to mention the Certificate Transparency efforts..
Breaking TLS is considerably harder. And forcing a cert upon your customers would be hard to scale... It would be similar to implementing a firewall forbidding TLS and VPNs. That's a hard sell.
I stated the reason, and I don't have a replacement. It's a great idea, but for now I'll have to wait for websites to enforce https on their users. But of course it can work for you if you have the resources to spare.
> Comcast can just start demanding that their customers install their root cert and that's that.
Comcast can demand all they want but they are going to have to hand hold a lot of people though the process. Sure Windows/Mac could offer a nice executable to install it for you but you still have to get people to install it and that’s not something there while customer base will be able to do.
The process of installing CA’s on iOS devices involves even more steps. And this is a process that will have to be completed every time an new device is put on their network.
What about even more “locked down” systems? Your IoT doorbell? Your networked cctv camera? Your Smart TV?
Is it possible? Sure. Is it practical? If kazakhstan couldn’t do it I’m going to struggle to see Comcast pull it off (though if anyone can, it’s prob them). See in a Corp environment where they own all the devices it’s fairly easy to do as most of your deployed hardware if going to be able to remote install what IT asks of them, your mobile devices are going to be enrolled into MDM’s and you will have IT staff on hand to help staff enroll their devices. None of which Comcast have.
We are not talking about your avg hacker news reader configuring their devices to get online, we are talking about people like my mother who can just about browse the web and play games on her iPad and struggles to set the alarm on it. How you going to get her to install the rootca without having some do it for her? Sure get the installer to do it? But what about all your existing customers? You going to schedule a call out for each of them? And what about when she gets a new device? You going to make her take the device to the local Comcast store to get it installed?
Oh and Chrome and or Firefox could throw a massive spanner into the works by refusing to accept their root cert half way though deployment meaning all those “updated devices’ need to be updated again before they even had a chance to use it at any major scale.
Sure it’s possible, I just don’t see it as practical as of today.
You're way overthinking this. Go look at how exactly the automated deployment of MITM HTTPS corporate firewall works - it's a few steps affair and gets them 90% there.
All they need to do is block YouTube/Google/Facebook until you run the "Comcast internet setup wizard" (remember? those were a thing!) which makes most customer connections MITMable. Then charge extra for all non-MITMed connections ;)
Declare Firefox as unsupported, Google will have to cave in to the biggest telco and that's that. This article (and all others about Comcast) clearly proves that Americans have zero leverage over companies like Comcast. The customers are peacfully accepting modification of their network traffic now, why do you think you'll suddenly get any more leverage over a natural monopoly you're forced to use in the future? Especially after dismantling net neutrality?
The internet setup wizard is a pain to even get to these days esp if you are trying to run it on a “dirty” device that has already been used online and is enforcing HSTS.
You can only redirect them to the wizard if they try and connect to a non https site or the non http site of a https site they have yet to visit.
Same mother. She has a 4g sim in her iPad cheapest deal for her usage level is prepaid sims. When the prepaid credit is gone it’s cheaper to use an new sim than top up the exisiting sim. Except you have to go though a activation portal to enable the sim. It’s easy. Pop in the new sim, visit telcos website or any non https valid domain press the active button and away you go.
She still can’t do it. And in a world where more and more people are using apps instead of browsers where preinstalled apps will just fail you are gonna not to cause even more issues.
BTs Smart Setup captive portal on their routers was one of the most annoying things they did. And when searching for it the top results are for turning the thing off. Why? Because it interferes with devices that can not display the portal, Smart TVs, Amazon TV sticks, Settop boxes, webcams, IoT toasters, etc.
While they haven’t removed it from their latest router they have had to make disabling it much easier than in previous versions.
With the number of end user devices on the market, I just don’t see them managing to pull it off by getting end users to install their cert.
But you touch on a point. You say that Chrome would have to just suck it up from Comcast. Now I’m not saying I disagree, but why would Comcast go though all that pain to get end users to install a root ca if they held so much power over Chrome (the largest browser my customers use) then why not just get the browser to install the cert anyway and save all that hassle with your end users. Think of the savings they would make not having to handle all those support calls.
Like I said. Possible? sure, practical today? I don’t believe so.
Dunno what the adoption rate of the cert was or if they do force the use of the cert when accessing foreign https sites
They quietly removed the notice off the telecom's websites saying that people will need to install the cert or may lose access to foreign https sites (not from kazakhstan) but I would expect someone would of gotten word out if they had (Maybe they did and i've just not come across it).
All of these products require that a corporate root certificate is installed on the devices initiating the connection. This would require that all users install the cert on all devices, some of which do not allow such an install. I don’t think you can install certs of your choice on a PlayStation, an Amazon Echo, an Apple TV or any of the home automation systems. This would break all of those devices. It would also break any app that uses cert pinning. All of this is manageable in a corporate setting where you can remotely configure all devices and have a suitable IT support operation, but it would be an absolute support nightmare for comcast if random stuff just breaks when on their network. Think about what happens when Apple TVs or tivio boxes come with a sticker explaining that they don’t work on Comcast networks because Comcast does not allow secure communication. Banks would require their customers not to do internet banking while on Comcast networks since secure connections cannot be established.
So they'll be whitelisted. They just need to make use of FB/Google/Amazon/etc. websites impossible without the root cert and they can continue injecting ads into any website content. It's not like they care about injecting ads into PS4 API calls (yet).
Also how hard do you think it would be for American telcos to push for inclusion of their MITM certificates? Especially if other companies like Verizon come aboard the profit train?
Browser vendors distrusted whole CAs for less than full interception. In the end, all of this would require control over the device and Comcast can’t achieve that (unless legislated, but that’s a whole different ballpark)
> I'm always surprised just how many people here on this site think you have fight social/political fights with technology. Especially when it comes to entities that can bribe legislation and control your communication.
I don't understand. Your second sentence seems to contradict your first; Comcast bribing legislators is a social/political attack. What did you mean?
I currently see more hope in tech solutions than political solutions to the problems of privacy, net neutrality, and script injection. We have the option to use content and routing encryption technology that looks something like TOR or I2P. Instead, we're asking politicians who don't understand the tech to protect us from ISPs who will never stop trying to leverage anything they can find in our traffic. Allowing Comcast to see the traffic at all is the problem, and politics will never prevent that.
If it's apparent to you that the political fight is more winnable, or that technical approaches to privacy are doomed, then what is the social/political solution to internet privacy? Because we don't have any right now, and it looks like we're losing the political war.
Yes, they couldn’t modify the webpage without breaking the cert signing giving the user an error, installing a ca cert on your devices and doing a mitm on your traffic (which would be hard to predict if your device has their cert installed) or getting a already trust CA to forge Certs for them which once recovered would get that trusted CA dragged though the mud by the major browsers.
Customer: "Comcast has my phone office number, my cell for texts, my email, and my home address, yet they choose to molest my requested web pages by injecting hundreds of lines of code."
Comcast Response: "The notice is typically sent after a customer ignores several emails. Perhaps some of those ended up in your spam folder?"
To me this sounds like a crazy ex-lover. "You didn't respond to my texts so I came to your house." No, Comcast, don't do that. They ignore your emails because you're trying to sell them something they don't want.
And I bet that by "ignore" they mean "didn't allow remote tracking images in emails to be loaded therefore stopping us from knowing if, when and where the email was viewed".
Yes, indeed it was. It's a fairly standard, unsurprising response for this situation; doesn't try to be defensive, doesn't try to provoke. [Edit: I'm horribly under-perceptive, after reading other comments I see I'm a bit off.]
But... this bit.
> ... [JL] This is our web notification system, documented in RFC 6108 https://tools.ietf.org/html/rfc6108, which has been in place for many years now. ...
Oh, interesting, what Internet technology are they using?
> "RFC 6108: Comcast's Web Notification System Design"
> February 2011
Cue jawdrop. My instinctive response was to WAT and think "this is not what RFCs were for..."
But then I read this part,
> Status of This Memo
> This document is not an Internet Standards Track specification; it is published for informational purposes.
> This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; ...
Hmm.
Reading through, this outlines a way to avoid using deep packet inspection by using Squid and Tomcat instead.
Initially when I read this my brain was sort of going in the direction of "this kind of thing is where the net neutrality repeal thing started..." but now I've spent a bit of time reading it I don't actually think my snap response was particularly on point.
This is a bit of a stream-of-consciousness but I wanted to draw attention to that RFC.
>Reading through, this outlines a way to avoid using deep packet inspection by using Squid and Tomcat instead.
Huh? It sure seems to be using deep packet inspection to me. If it's looking at the data section of your packet, that's deep packet inspection. And Squid and Tomcat do that. They're not just inspecting the packets, they're altering them, creating new packets, splitting packets, etc. The "RFC" seems to be outright lying by claiming they don't do DPI.
That part just requires looking at the TCP header. So I guess the answer is "no deep packet inspection until it picks a connection to inject, and then it inspects everything in that connection". Which simplifies to "yes deep packet inspection".
An RFC is not always a standard - often they are simply 'informational'. For us, when we wrote the document, it was a way to document as transparently as possible how the system worked so that folks would not need to speculate about it and for us to explain the rationale and alternatives considered. This seemed to me at the time far better than being evasive about it. And a request for comment is often a way to solicit exactly that - good comments (e.g. suggestions on alternatives). In this case, it has led in part to things like the IETF's new(ish) CAPPORT working group being created to develop a better Internet-wide standard for how to interact with so-called captive portals. See https://datatracker.ietf.org/wg/capport/about/ for more details and feel free to join the mailing list and contribute!
We've already asked you not to post snark or unsubstantive dismissals. We ban accounts that refuse to follow the guidelines, so could you please improve?
I paged through the JS curiously, and found the URL bnpsa.g.comcast.net/images/mydevicealert/browser/. I wondered what would happen if I hit that from my ISP in Australia. I was surprised: I got an NXDOMAIN back.
But I discovered that googling the above URL as a quoted string finds a bunch of copies of the JS scattered around the Internet. Might be useful.
So then I tried hitting bnp-service-alerts.gslb2.comcast.com/images/. This actually resolved, and Chrome hung at "Connecting...". After rechecking the URLs I noticed this one was referenced in the JS as HTTPS, so I added that, and promptly got 403 Forbidden.
When you run code on a website you don’t own you have to be extremely careful. You’ll learn this quick building WordPress themes and plugins. They’re pretty careful not to directly affect the website by running their JavaScript in a scoped context and using IDs in the CSS selectors, but there is nothing to prevent the website front modifying their pop up. For example if my website had the .closebn class with display: none !important, a visitor would not be able to close the pop up. That’s a pretty common class name. To prevent this you should use dynamically generated class names that get swapped out at build time, or in this case even inline styles. Something like the close button of an injected pop up is pretty critical and inline styles would guarantee that it wouldn’t be messed with.
(I haven’t tested any of this, this is based on a quick glance at the code)
This is indeed true, and IIUC using Shadow DOM would be a workable mitigation.
Btw, ignore caniuse etc - Firefox _technically_ does support Shadow DOM, just version 0, which it has apparently supported for a little while now. It's better than nothing in a pinch.
Chrome et al are at Shadow DOM v1, which is what caniuse tests its support/no-support metrics against.
The Internet Archive is undoubtedly claiming fair use, even if you suppose the works they create aren't derivative works they are still creating copies of and distributing copyrighted material, which violates copyright law absent fair use.
Copyright is "all rights reserved" unless otherwise stated. By publishing a website, you don't give me the right to alter and re-publish it. Whether injecting ads into a website means a derived work was created would have to be found out in court I assume.
The argument is that it creates a derivative work. The right to create derivative works is separate to the right to distribute or reproduce the content, which is how Comcast is allowed to get the original website into customers' browsers.
Comcast are playing into this interpretation by adding their own license to the code they're adding.
It would open a whole can of worms. What about adding MPLS headers to packets, or performing MSS clamping? Or what about the numerous physical layer protocols that add error correction? Or the consumer routers that have parental filters, ad blocking, etc.?
RFC stands for "Request For Comments". Some of them get turned into standards, but most are just the IETF equivalent of a forum thread. They're a way to start a discussion about a network engineering design.
You can publish any old crap. Microsoft's crappy file sharing protocol has an RFC. At least one of the ludicrous "IPv6 is crap, we should just use IPv4 but with bigger numbers" proposals has an RFC. [This can't work, the numbers in IPv4 are in defined bit-level structures, "just" having bigger numbers is nonsense without a new protocol]
From the IETF's point of view all this does is use up a few kB of storage in the RFC Editor servers, and hey, maybe someone will find it useful. It usually makes cranks or corporate types go away and stop wasting everybody's time.
If you're thinking "Wait, so how do I know if RFCs matter and I should care?" I have two answers
1. The pragmatic answer. If you're reading about an RFC because everybody does this and you need to do it too, then I guess it mattered after all. You can decide you don't care about RFC 822 and you'll use email headers starting with an exclamation mark and they'll be in the form of a list of headings and then a separate list of values. But your method won't interoperate with anybody else's, so you'll be talking to yourself.
2. The textbook answer. The IETF marks its Standards Track documents with their Standards Track status, e.g. "Internet Standard" or "Proposed Standard" (there are some legacy "Draft Standard" documents too).
The thing that's so irritating about large telco's is not just that they're evil, but the casual stupidity of their actions, including their evil actions.
I mean, look at the code. Look at the function of this code. Look at the business purpose of this code. Look at the security aspects of using this code. Look at the legal ramifications (why the hell is that LGPL thing up top there ?). Look at their internal communication. Look at how easy it is to see exactly what they're doing ...
All of it screams "no double digit IQs anywhere near this thing".
And yes, I mean, I know that's not true. Their people are not this stupid (though some must be). But they do this anyway. The organisation does business analysis at the level of a 5 year old, codes like a 10 year old, obviously this has not passed legal review, ...
How can an organisation that executes this badly become this big ? I mean, I know the answer is "government" and government making them a monopoly, but still. WTF.
The random classList polyfill at the bottom was a nice touch. As I scrolled to this bit I was initially like "oh this'll be nice they encrypted some of--oh. :("
My favorite bit was the "this detects the browser type and version" snippet that was copyrighted 2001. Nice!
I think the move to open-source the code was a ham-fisted way to get the "we're modifying copyrighted documents in flight" part past the lawyers. It's admittedly a pretty decent legal move.
I think the move to open-source the code was a ham-fisted way to get the "we're modifying copyrighted documents in flight" part past the lawyers. It's admittedly a pretty decent legal move.
He is mistaken, it has nothing to do with it. My code is included in Comcast's injected code, but that doesn't mean any of Comcast's liability has shifted to me.
I don’t think it is just telcos. It is amazing how scale, inertia, lack of accountability and bureaucracy dumbs down large corporations that mostly consist of smart educated people.
A million Shakespeares typing on typewriters write no better than a monkey!
> A million Shakespeares typing on typewriters write no better than a monkey!
I like it, although I think the analogy fails here. How about "An infinite amount of Shakespeares typing on the same typewriter will inevitably produce garbage"? :)
It's not just telcos. The second-hand details I hear from a major bank makes me cringe everyday. And the main issues tend to be laziness and selfishness.
> The current problems are that a) since Trump the FCC is $#\¥
Oh please, he’s been in office less than a year - none of this amazing ‘sharing’ happened under the previous administration either. It’s totally understandable to have (in my case many) disagreements with the Presidents and their policies, but this knee-jerk habit of blaming whoever is currently in office for everything because he’s not on our team is counterproductive.
The FCC under Trump has been very friendly to the large enterprises at the expense of small businesses and customers. Trump himself has approved many regulatory changes which are hostile to small businesses, employees and customers across many different industries.
It's safe to say at this point that we have a clear idea of what decisions Trump and his FCC will make in the future, and that there would little to no hope for decisions which will increase competition. A year is plenty of time for assessing the character of an adminstration, and Trump's has been remarkably consistent in this regard.
Is that when they subsidized the ISPs with billions to build out infrastructure, which they never did?
The problem with anti-government rhetoric in the US is it creates a self-fulfilling prophecy. Government is not inherently as incompetent and weak as yours often is.
There is no reason why a regulatory solution cannot work in the US when they work well in many other countries of greatly varying size and population density.
If your government fails you, that is not a failure of government: it is a failure of your government.
No, but government could easily have opted for a regulatory regime that prevented it from being a problem, instead of allowing them to continue milking their situation.
The EU member states implementation of deregulation of the telecoms sector is far from perfect, but most of them have ended with something that works reasonably well.
E.g. in the UK, while the cable operator (there's only one of note left standing) has mostly escaped regulation, but BT had it's last-mile infrastructure subjected to heavy regulation to the point where it's been split out into its own company (OpenReach) that maintains the network and is legally obliged to resell access to anyone at the same terms.
You can even get the prices to terminate an IP connection with a subscriber on their website.
ISPs can put equipment in the BT exchanges and get a raw connection, or can pay for "backhaul" to a set of central locations.
I know the US also has a form of local-loop unbundling, but it's clearly not working very well given the level of complaints people have about these services in the US. Possibly because of the price-setting mechanism?
As a result there's a lot of competition in the ISP space in the UK (as there is elsewhere in the EU).
(Where it's not perfect is that the way the regulations have been set up gives too few incentives for BT to invest and innovate in the last mile network and is often accused of milking OpenReach for profit; two ways of improving on that would be to restrict how much profit they could take out as dividends to a proportion of how much they reinvest in network improvements and/or split maintenance/operation into regional franchises and force companies like OpenReach to bid for it on a franchise basis; though the latter is hard to get the evaluation-criteria right for)
> ISPs can put equipment in the BT exchanges and get a raw connection, or can pay for "backhaul" to a set of central locations.
It's worth noting this involves two different layers of regulatory separation.
Most ISPs don't run their own LLU operation. They buy access from one of BT Wholesale or TalkTalk Wholesale (who are technically LLUers and both, in turn, use the last-mile network run by Openreach). As you say, the prices which both of the BT Group companies are allowed to charge are regulated and published and companies can "innovate" at quality of service or features offered.
The relevant part here is that the US has never AFAIK had the same wholesale access model. With that, an upstart ISP could have the same coverage as Verizon/Comcast/etc but have the option of not doing these scummy things and/or being as network-neutral as they pleased, within the limits of their business model, without having to spend boatloads of money building a network to access those customers.
LLU, on the other hand, requires way more investment so it's not surprising that it never really took off in the US where DSL always seemed like the poor relation compared to the cable networks.
There’s a lot to dislike about the UK government, but the way they regulated the ISP market is perfect. We have one of the most competitive ISP markets in the world.
In my time in the US several years ago I was horrified at the cost and quality of internet (and mobile) service compared to the UK.
Any strong libertarian ideals I once had were crushed by the reality of things like this. (Healthcare too but that’s another discussion).
No, it's not a "natural monopoly." The primary issue right now is getting the legal right to use this infrastructure, which is protected by local city and county governments. Most of these local governments simply choose to not allow other companies to move in.
Under Ajit Pai's reasoning, by doing this, Comcast is adding to the evidence that it is an "information service" rather than a "communication service."
When there even is any competition. Where I live, it's literally Comcast or else tether my mobile phone. Satellite is technically an option, but realistically between the cost and my tree coverage there's no way to make it work.
"A natural monopoly is a monopoly in an industry in which high infrastructural costs and other barriers to entry relative to the size of the market give the largest supplier in an industry, often the first supplier in a market, an overwhelming advantage over potential competitors."
I have a few years of experience inside Comcast and I've concluded that Comcast's executive management are the ones at fault here. Across several divisions, their engineers have been fantastic and a pleasure to work with. This all goes to shit when the businesspeople around the engineers are making terrible, selfish decisions and optimizing their hourly employees for numbers (call center I'm looking at YOU)
To be fair, I'd say "good engineers" especially where Comcast is, probably choose their employer not the other way around. Not to say whether they are right or wrong for working there, but we shouldn't pretend "good engineers" are otherwise destitute.
A good person doesnt blindly follow orders period. You dont get to call yourself a good person just because you signed a mortgauge or had a kid. If your actions are bad, then you are bad.
You think things in the world are so "obviously" black and white.
Comcast making shitty business decisions is not burning Jews in ovens. And the fact your not immediately laughed out of the room when you make such comparisons is the real sad reflection of society in this thread.
If there's one belief I think needs to be more widespread in technical circles, it's this. Good engineers recognize the impact of their engineering, and engineer for social good. We don't remember programmers because of how good their programming was, we remember them because of how good the programs they made were.
Almost every big company that has a call center is looking to optimize their hourly employees. In most cases they are the largest staffs and are highly sensitive to census tolerances. It’s definitely not just Comcast.
I'm not sure it's about developers. Just consider - a pointy haired boss returns from a meeting and says "it's decided - make it show our sales-boosting popup here".
Rather than arguing, I guess, many (who haven't left for one reason or another) would just go with "uh, whatever" attitude and slap something together just enough for PHB to see that popup (and let customer complaints do the rest).
i look at some companies and I just shake my head.
Microsoft in the last 10 years, and consider how much talent and budget they have access to.
i remember when zynga had to lay off programmers by the thousands. I was thinking, they had THOUSANDS of programmers and the best they came up with was skins over top of farmville?
> How can an organisation that executes this badly become this big ? I mean, I know the answer is "government" and government making them a monopoly, but still. WTF.
You're assuming it was written any time in the last, oh, decade or more? That's surprising. Perhaps you've never spent time in a cost center far outside the profit centers of a large enterprise, where things that work are left alone to do so, because you're not going to get investment in replacing them or bringing them up to date with modern best practices, because they work.
I mean, there are weekend hacks of similar age and quality, with my name on them, that I know are still in active service. Because, for all their myriad other faults, they mostly work, and everyone who works with them is used to using them and to dealing with the occasional cases in which they misbehave. These are not things which anyone rebuilds just for the sake of it. So they go on being used until they stop working entirely, and the the business replaces them with something else.
Whether or not that's a sensible way to go about things is an open question, if you like. I don't think it is, because these aren't the sorts of things which cripple a business if they misfire - or make much impact even if they don't. So investing heavily in them would seem like a waste of money, though perhaps you disagree. But the world need not be mad for this to be the way of things.
> [JL] We are not trying to sell you a new one. If you own your modem we're informing you that it is either end of life (EOL) or that you are about to get a speed upgrade that the modem will be unable to deliver.
Incidentally, Livingood is a co-author of IETF RFC 6108, which he has conveniently linked. From the RFC's general requirements numero uno:
> R3.1.1. Must Only Be Used for Critical Service Notifications. Additional Background: The system must only provide critical notifications, rather than trivial notifications. An example of a critical, non-trivial notification, which is also the primary motivation of this system, is to advise the user that their computer is infected with malware, that their security is at severe risk and/or has already been compromised, and that it is recommended that they take immediate, corrective action NOW.
As composed as Livingood's response was, a modem at EOL and/or incapable of supporting an incremental speed upgrade doesn't strike me as critical. To be sure, Comcast is scheduled to increase speeds by 12/19 (at least in my region): 10Mb->25M, 25M->60M, 75M->100M. Although I disagree with Comcast's method and categorization, it would be interesting to learn what modem the OP was using.
It would also be interesting to learn if the OP received this message on multiple instances. If yes, it would be in violation of its own requirement--in particular, R3.1.8. User Notification Acknowledgement Must Stop Further Immediate Notifications, which itself is contradictory in its use of must and should:
> Additional Background: Once a user acknowledges a critical notification, the notification should immediately stop.
>As composed as Livingood's response was, a modem at EOL and/or incapable of supporting an incremental speed upgrade doesn't strike me as critical.
Exactly. And the response, "we're not trying to sell you a modem, we're just encouraging you to strongly consider buying a new one" is such a hair-splittingly asinine response considering the rather serious breach of trust posed by the notification system.
This is just about the worst possible way to notify a customer of any issue anyway, because it legitimizes those stupid ad-based malware popups that have become so prevalent.
As more Comcast customers receive JS-based notices like these injected into their normal web traffic, any enterprising jerk can clone the message, change the links to point to their own phishing site, change or omit the phone number, and snag a whole bunch of unsuspecting Comcast customers.
As more Comcast customers receive JS-based notices like these injected into their normal web traffic, any enterprising jerk can clone the message, change the links to point to their own phishing site, change or omit the phone number, and snag a whole bunch of unsuspecting Comcast customers.
To be a devil's advocate, Comcast customers have been phished before via email too:
My "quote" isn't significantly different from what was actually said, in fact hews extremely closely to it, and is designed for rhetorical purpose of making clear how small a distinction is being relied upon in order to claim the statement is something other than a request for you to buy a new modem.
Moreover there's nothing in the guidelines about "making up quotes" (which again isn't a reasonable interpretation of what that is), whereas there are actual, explicit guidelines against addressing yourself to unreasonably interpreted versions of other people's comments.
If you're rewording something someone else said, even if you're keeping it very close to the original words, don't use quotation marks. Quotes say "this is literally what was said".
I got bit by this a bunch when I first got on HN; it was surprising to me how seriously it was taken. But it is, and it's not hard to work around.
That's a weird HN-ism, though, not how writing or paraphrasing works anywhere else. The goal is understandable and laudable but 'redefining the meaning of quotes' is a thing only hardcore lispers can love.
What I'm getting at is, no, they shouldn't, nor should they expect anyone to adopt some weird made-up usage of standard punctuation. Perhaps they should put 'avoid paraphrasing as a rhetorical device' or something like it in the guidelines - that would make sense and be reasonably enforceable. "Don't use quotes the way everyone uses quotes" (like I just did) is just silly and ridiculous. You might as well put "don't call anyone a butthead without using the Oxford comma" in the guidelines.
This is not an "HN-ism". It is not proper to use quotation marks when paraphrasing. Doing so is explicitly attributing words to someone that they did not say.
> not how writing or paraphrasing works anywhere else
That's simply false.
If you want to use Reddit et al as your standard reference on the use of language and punctuation, have at it. But you can't reasonably expect every other forum to use that lowest common denominator. Railing against simple, longstanding house rules like this is just pointless contrarianism.
No, it isn't. I'm saying what somebody else is saying, in their voice. This goes in quotes, because it's someone else's speech, even if it's my version of their speech. The fact that they didn't actually say it comes from context. Punctuation is not semantic markup.
This doesn't come from reddit, it comes from, you know, the way people actually write. The fact that it requires repeated and lengthy explanations is a pretty decent indication it's not how anyone else writes.
Writing style guides are a thing & a thing that have been around for a long time. All 3 of the style guides I’ve had reason to use (AP, MLA & CMS) all require that quoted material be direct quotes.
Now, I think that it’s a fair argument that a web forum needn’t have the same formality as other written word, but your assertion that “it’s not how anyone writes” is clearly untrue.
And just as a single data point, I expect when someone uses quotes even on the web that they are asserting a verbatim quote.
kasey_junk said "I'm a stupid moron with an ugly face and a big butt and a my butt smells and I like to kiss my own butt". Should this not include quotes, even though you didn't say it?
"AP, MLA & CMS" are an absurd counterpoint that falls well within 'that's not how anyone writes'. They are, if anything, lengthy exceptions to how anyone writes.
It's a deeply silly argument and my point is 'an internet messageboard should not be regulating punctuation'. It should, as this one usually does, try to regulate behaviour.
I don't think that's the rule? I think the rule is if you're using quotes and it's ambiguous as to whether the person the quotes are attributed to actually said it, then the person better have actually said it.
(For what it's worth: this little subthread is about 10x more interesting than the story and the rest of the thread it's attached to).
It is also the case that this was something Paul Graham was idiosyncratically peevish about; at one point, he attempted a unified definition of trolling that amounted to "forcing one to rebut something they hadn't said" --- which obviously isn't the definition of trolling.
Yep, 'idiosyncratic' is a good way to summarize it. At the end of the day, it's just another dumb thing to yell at people about - it doesn't improve discourse or 'stimulate intellectual curiosity'. As an inveterate rule-yeller myself, the fewer of these the better.
I agree with pvg. The notion that a comment on HN is, in some sense, in poor form because it doesn't adhere to AP/MLA/CMS specifications is ridiculous. Nobody agreed to that, and I doubt anyone would even agree that that's accepted informally as a norm.
I didn’t mean to imply that the web should follow those style guides (and said as much). I was refuting his claim that no one expects that quotes imply an assertion of verbatim quote.
I certainly default to assuming it does and in many contexts it is an explicit rule.
So you don't think that a comment thread like this one is a context where MLA guidelines would yield the most reasonable interpretation of what someone is saying?
I was refuting his claim that no one expects that quotes imply an assertion of verbatim quote.
I don't understand how you've refuted that while also saying they sometimes don't. Are we arguing about contexts here? My claim is almost trivial - nobody reasonably familiar with English thinks quotes imply a verbatim quote. That's just not what quotes are for.
I guess I’m far out of the mainstream then. If you put quotes around something and attribute it to someone or some text, I assume you are asserting a verbatim quote, either in the context of web forums, business communications or more formal writing covered by a style guide. In the context of fiction, if you put quotes around something I assume it is to declare that the character is saying exactly what is quoted.
That your position is that I’m in the minority on this is doubly surprising to me given that’s what all the style guides and my high school English teachers taught me.
I appreciate your good nature in taking the time to engage in this silliness but I have a hard time believing your high school teacher or anyone else taught you that. The wikipedia page on it:
"In English writing, quotation marks are placed in pairs around a word or phrase to indicate:
Quotation or direct speech: Carol said "Go ahead" when I asked her if the launcher was ready.
Mention in another work of a title of a short or subsidiary work, like a chapter or episode: "Encounter at Farpoint" was the pilot episode of Star Trek: The Next Generation.
Scare quotes used to mean "so-called" or to express irony: The "fresh" apples were full of worms."
Even 'direct speech' is at odds with 'verbatim quote' and that's the first thing there. Direct speech can be completely made up.
You said no one expects that and he pointed out the style guides do. So some people do. In addition to the style guides, a couple people here have said that they do as well (which is why we're arguing). I'm another. Regardless of whether the majority think this way, we can safely say that some people do.
Getting back to the actual point, in formal writing, quotation marks are definitely considered to delimit actual quotes. That's where their name comes from and that's their purpose. If you want to paraphrase or otherwise interpret what was said you just work it in without quotes.
Personally, I relax my expectations in informal contexts if I don't know the person or their writing habits, but I'm just being pragmatic. In other words, the rule doesn't change, it's just not always followed.
> I'm saying what somebody else is saying, in their voice. This goes in quotes, because it's someone else's speech, even if it's my version of their speech.
That's fine, when you're writing fiction. But in most online forums, fiction is frowned upon.
You don't need to fall back to a "default expectation" when usage is adequately indicated by context and by good faith efforts to interpret a statement in it's most reasonable form. Nobody confused it for a literal quote, nor did anybody feel it caused any misunderstanding, and those realities preempt any need to appeal to a default expectation.
In your case, I do agree that it was obviously not a literal quote. However, by the time I joined the thread, the topic had become more generalized.
Still, it would have been clearer to say something like "Exactly. And the response, which amounts to 'we're not trying to sell you a modem, we're just encouraging you to strongly consider buying a new one', is such a hair-splittingly asinine response considering the rather serious breach of trust posed by the notification system."
Also, for what it's worth, I do agree 100% with your argument there :)
@mirmir: Point taken. In the context of this as a more general subject, I think your observation is perfectly reasonable.
However, I think (1) few are as lucid as you on that particular point and (2) whatever the merits of this as a general debate, and I think there is some merit, I think the question is whether this norm improves conversation in a thread like this. I think it was invoked frivolously, spawned a long, 50+ comment chain, and it didn't clear up any of the confusion that it seems like the norm is supposed to be designed for.
>If you want to use Reddit et al as your standard reference on the use of language and punctuation, have at it.
In terms of what contexts one should keep in mind when interpreting comments with good faith to come to a most reasonable interpretation of what they are saying, the way language is used on reddit is probably a much more reasonable benchmark than MLA style guides.
I think you're missing an important distinction. When paraphrasing a group of people or stating a cultural zeitgeist, quotes are acceptable:
> The gist of the HN community's opinion is, "don't use quotation marks when paraphrasing."
> Lately the Democrats approach has been, "oppose Trump at every turn."
However, when paraphrasing a specific individual, it is frowned upon at best[1][2], and considered intentionally misleading at worst[3], to put paraphrases in quotes.
> pvg said, "I don't care what HN thinks, I'll do what I want."
> pvg continued with, "no one else cares what HN thinks either."
Contrast that with,
> pvg said that "only harcore lispers" care about how paraphrasing works.
In the last example, you can clearly tell the direct quote from the paraphrase. This is very important when communicating someone else's ideas.
Regardless of hard and fast "rules" of punctuation and grammar, you have a large number of people calling your writing misleading, confusing, and inaccurate. Clear communications should be the goal of any writing; wouldn't you be best served by hearing and incorporating this feedback?
[2] Purdue: "Indirect quotations are not exact wordings but rather rephrasings or summaries of another person's words. In this case, it is not necessary to use quotation marks" (note that no example of indirect quotations include quotation marks) - https://owl.english.purdue.edu/owl/resource/577/01/
That exhaustingly (if not exhaustively) describes a number of important distinctions that never come up when some hapless commenter gets told off they're using quotes wrong. It's a Talmudic absurdity to apply to a message board. We don't have 70 comment threads about the proper use of "it's" vs "its", with MLA citations (which, it's worth recalling, "specifies guidelines for formatting manuscripts and using the English language in writing")
It's just a dumb, arbitrary rule. It serves no purpose beyond facilitating righteous rebuke. You can make a better rule dealing with the underlying behaviour while oxygen deprived from screaming at dang about HN's political bias.
Do you feel that my paraphrase was intentionally misleading, or even confusing, or innacurrate? Even unintentionally? Does anybody? Does anybody think the norm currently being debated yielded any actual tangible value in this thread? Did it save someone from misunderstanding Comcast's position?
A lot of zeros and ones are being spilled on behalf of the abstract principle how quotes can be hypothetically used abused and interpreted, but none of the 40+ comments beneath my now-flagged paraphrase of Comcast's statement is actually arguing that my paraphrase was in any way distorting or misleading.
So I question the value of this norm, if the practical way it tangibly cashes out is in the form of extremely long derailments substantively unrelated to the the comment that caused the rule to be invoked.
This rule is too idiosyncratic, annoying, not found anywhere in the guidelines, and is not offering any net benefit in this context that I can see.
If the object of the rule is to produce derails like this, it's doing more harm than good. So unless someone wants to explain how it's invocation in this thread improved the quality of conversation about Comcast's javascript injection policy, I would encourage others to join me in not observing the norm.
Making up a weaponized quote that's close to what was originally said is actually worse, because then it's harder for passers-by to tell apart and more injurious to the original statement. By 'weaponized' I mean altering it to sharpen the point for indignation or snark purposes. It's a harmful internet practice that we've asked to users to abstain from.
You're right that it isn't explicitly mentioned in the site guidelines, but those aren't a list of proscribed behaviors but a set of values to internalize. I'd say "Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize" covers this case pretty squarely.
How about to sharpen the point for brevity and clarity in order to convey a perfectly legitimate point? Arguing against something doesn't mean that you interpreted it uncharitably and doesn't merit the exaggerated description of being weaponized (and the comfort level with such exaggerations as "injurious" and "weaponized" is amusing in the context where the concern is about insufficient proximity between a statement and how that statement is subsequently characterized. There's a lot more distance between those adjectives and what I did than between the statement and my paraphrase of it.)
And virtually anyone in any argument could insist, tediously, that those disagreeing with them have failed to interpret with sufficient charity.
But it's one thing to note that as a hypothetical possibility, and another entirely to point to something that's actually a clear cut offense. I don't think I twisted or misrepresented anything, and no one seems to be suggesting the anything was actually misrepresented or misinterpreted so much as they're using this occasion as a jumping off point to litigate the abstract principle. Which I don't think is a constructive use of anybody's time, which is why this is a bad norm that shouldn't be observed.
> I don't think I twisted or misrepresented anything, and no one seems to be suggesting the anything was actually misrepresented
No, that is what I'm suggesting. Your comment reads as a quote. After reading it, I went to the linked page and looked around for the context. Turns out, there was no context for that quote, because it's not a quote, because those words aren't actually in the original text.
You're talking about something slightly different than what I asked. You clearly were able to check and conclude that this wasn't a literal quote. There was no difficulty there. You apparently got stuck there, and were unable to proceed from that information to the conclusion that I was restating the position in an extremely similar but more concise form, which would have been a way of interpreting my statement in its most reasonable form.
I'm asking whether, even a person who wasn't making a reasonable interpretation of what I was saying, would have been misled by the way I characterized Comcast's position. Is there a significant difference between the way I phrased Comcast's position on whether or not they were exhorting their customers to purchase a new modem, and the way they actually phrased it? Because I don't think there is.
I'm asking whether, even a person who wasn't making a reasonable interpretation of what I was saying, would have been misled by the way I characterized Comcast's position.
You're spending a lot of time prosecuting this point, and requiring time to be spent by others who care about HN being better than other online communities.
Whether or not some hypothetical person not making a "reasonable interpretation" would have been misled, or whether it's reasonable that a reader had to spend time searching for the quote to verify it to realize that it was not actually a quote (and how many others would have bothered to do that), are matters that we could spend many more hours debating.
Or, you could just accept that it's better to refrain from misquoting people in future and we could all get on with our lives.
All it would have taken you was to preface the "quote" with something like "the response, which effectively amounts to saying...", and it would have saved everyone the bother.
C'mon, is this really a hill you want to die on? Maybe let it go :)
> Exactly. And the response, "we're not trying to sell you a modem, we're just encouraging you to strongly consider buying a new one" is such a hair-splittingly asinine response considering the rather serious breach of trust posed by the notification system.
Well, what I meant (within the response length constraints of Twitter) was that we're not saying you can only buy it from us. Just that the customer needs to buy it someplace. That way a customer can do as the wish - ranging from buying a used one on eBay to getting a new one from Amazon or Best Buy.
Ultimately the objective is to ensure a customer is on a device that can (1) deliver the performance for which they pay and (2) is up to date technically (i.e. supports IPv6 and channel bonding) and is supported by the vendor (i.e. software updates & bug fixes).
One of the big risks we have to help mitigate is when a device goes EOL, which means no more software updates, and a security or significant performance issue arises in the future. By proactively beginning the replacement process this helps minimize any future impact when it is a major issue like that. So taking action gradually on a proactive basis prevents a more severe impact later on. In many cases, these are DOCSIS 2.0 devices and that technology and often the software is from 2001, the same year as the 1st gen iPod and when Windows XP was released.
Eventually a modem will go into End-of-Service (EOS) status. At that point there is a definite date/time limit for the device, after which it is de-provisioned from the network and the customer must replace it to continue service. This has been the case in the past with DOCSIS 1.0 and 1.1 devices for example, after years of work to encourage customers to replace them.
If his modem is actively interfering with your network I could see that this is critical. If he has been hacked and is actively DDOSing sites, that’s critical. We can debate the correct response in those cases (getting on the phone and calling seems to work really well when you want people to pay you, as does turning off service).
Unless I’m misunderstanding, this was not causing such a problem. Casting it as a customer good is rhetorically amusing, and probably holds water with people who are predisposed to agree with you, but I can make any number of morally bankrupt decisions using exactly the same logic. You have simpler ways to deliver this message, that do not cause nearly as much harm to your customer and do not require you to intercept and modify their traffic.
It's true that if there's a vulnerability discovered, and you have 50000 modems with the vulnerability, you cannot wait for the modems "to be hacked" to act. It is reasonable to try to replace EOL modems ASAP.
In this scenario do you honestly believe the best course of action is to insert a popup on web pages? If you are truly concerned you will act to preserve your network for all customers by blocking traffic from the problematic modem and then call the person. This is legally less risky than doing traffic inspection. (Losing common carrier status would be a very big deal.)
Like most on this thread, I think that injecting code is a step too far, but I definitely appreciate that you took the time to explain the motivations behind this.
Why traffic injection instead of mail pieces? I mean, I open all of mine, even the 75%+ that are upsells I don't want, on the off chance one of them will tell me something I need to know. And if Comcast can afford to send that much junk mail, I should tend to think Comcast can afford to send one or two, or five, mail pieces that carry a warning like ACTION REQUIRED TO MAINTAIN SERVICE on the envelope, to those of whom action is indeed required to maintain service. You guys shipped me a whole new unsolicited modem! (One which I'll put into service, too, just as soon as I've worked out how to disable all the routing and wireless smarts I don't want, don't need, and won't suffer messing with my network.) Surely you can afford bulk rate.
And mail pieces don't produce the potentially rather widespread indignation that traffic injection does. Granted, I don't see the harm in it that a lot of people here do. Unencrypted traffic is unencrypted traffic - open to tampering by anyone, not just Comcast, and for many less innocuous reasons than the one for which you've chosen to do so. But with Let's Encrypt, browser manufacturers, and friends leading the charge toward TLS everywhere or as nearly so as is practical, and with most sites that most people use already employing TLS, the attack surface is closing for even an other-than-innocuous variant of your notification methodology. Of course, that also means that that methodology itself is reaching a natural end-of-life, as it cannot work anywhere that TLS exists, and the majority of the web where it does exist continues to grow. If this low-latency notification scheme is of unique value to your business, then now is the time to consider replacing the outdated technology that underpins it with something which will continue to work reliably over the next decade or two.
All that said, I appreciate your decision to engage in this forum. That's unprecedented in my experience from someone in a position like yours, and I wouldn't mind seeing more of it.
As was mentioned in the original thread, other means of attempting to contact the individual occurred. This was apparently not the first attempt or method used to contact individuals.
Perhaps the user read those emails and simply doesn't care to upgrade the modem. Unless those emails created an opportunity for the user to acknowledge receipt, then there will probably be numerous people who receive these popups despite receiving the emails, deliberating, and choosing to take no action.
> Why traffic injection instead of mail pieces? I mean, I open all of mine, even the 75%+ that are upsells I don't want, on the off chance one of them will tell me something I need to know.
Lots of reasons, including years of experience with response rates for particular types of messages / calls to action. Clearly one particular communications channel won't work for everyone - each person has their own preferences. One of the things we're working on is to better enable you to control just that - basically one person may ask for SMS messages, another alerts via their mobile app, another via email, another via phone call, etc. You can see the beginnings of that in MyAccount / Settings / Communication & Ad Preferences.
> But with Let's Encrypt, browser manufacturers, and friends leading the charge toward TLS everywhere or as nearly so as is practical, and with most sites that most people use already employing TLS, the attack surface is closing for even an other-than-innocuous variant of your notification methodology.
> Of course, that also means that that methodology itself is reaching a natural end-of-life, as it cannot work anywhere that TLS exists, and the majority of the web where it does exist continues to grow. If this low-latency notification scheme is of unique value to your business, then now is the time to consider replacing the outdated technology that underpins it with something which will continue to work reliably over the next decade or two.
You bet - totally agree! One of the places we're engaging to try to do that is in the IETF's CAPPORT working group and I think the charter describes reiterates all the points you made: https://datatracker.ietf.org/wg/capport/about/
> All that said, I appreciate your decision to engage in this forum. That's unprecedented in my experience from someone in a position like yours, and I wouldn't mind seeing more of it.
My pleasure & thanks for being a customer that's willing to offer constructive criticism. :-)
> Well, what I meant (within the response length constraints of Twitter) was that we're not saying you can only buy it from us. Just that the customer needs to buy it someplace. That way a customer can do as the wish - ranging from buying a used one on eBay to getting a new one from Amazon or Best Buy.
Here's what a customer should do:
Just file a complain. Via snail mail. To the FCC. Include screenshots of VP explaining how this is all ok.
After that the customer should enjoy the show. I'm sure at least the customer is going to be provided a top tier service for the rest of his life in any comcast service region. Most likely for free.
This is how one teaches companies to behave. He or she finds a pressure point and exploits it. It does not matter that the opponent is 350lb gorilla. Small joint manipulation by a 95lb girl puts that gorilla on its back. For Comcast, VZ, etc that pressure point is a snail mail complain to the FCC. For national banks, it is the OCC. It works every time it is tried. What does not work is bitching about it on HN.
...unless the upgrade actually means loss of service due to incompatibility, in which case I would agree that is critical, but nonetheless "go buy a new modem" is something no customer wants to hear, especially if they're already paying $$$ every month for the service.
> Although I disagree with Comcast's method and categorization, it would be interesting to learn what modem the OP was using.
We start telling customers that a modem needs to be upgraded when one of two things happen: either they are about to or just had a speed upgrade that their modem cannot support or the modem has gone end-of-life (EOL) from the vendor.
In the former case, if the device is leased, you are send a new one to replace the device and just have to basically say ok. In the latter case, it is a customer-owned device so the customer is asked to go buy a new one someplace (e.g. Amazon, BestBuy).
And in the EOL case, the vendor may have gone out of business or shut their cable modem business down, or otherwise decided to no longer support the device due to its age. That of course means that if a security issue came up, as they do, that the vendor would not be able or willing to provide a software fix for the device. So it's best to get the ball rolling to get those devices replaced when that occurs. Most of our EOL devices today are DOCSIS 2.0 devices (10+ years old), which can only do a single upstream and downstream channel (no channel bonding) and 1st generation DOCSIS 3.0 devices (5 - 8 years old).
In the spirit of efficacy, browser injection may have a better response rate than email. Taking this to its next logical step, surely showing up in-person at your door is even more effective.
Is that the idea here?
Or does this efficacy come at some cost (namely, the sentiment behind this thread)?
With all the junk mail I get from my cable company about "upgrading" my service to include some crap I don't want, I would think they could find a way to slip in a "hey, your modem's busted" notice.
I don't know what's worse: the straw man attempt at arguing efficacy while focusing on the weaker of two suggested options, or the (presumably) unscalable slippery slope of dispatching personnel to a customer's front door.
In either case, the argument does not address the fact that customers recognize unsolicited packet injection as unacceptable ISP behavior. Without support metrics, we can argue all day about the efficacy of one method of delivery over another, but the fact remains that no sensible user would perceive e-mail and/or post of official notice from their ISP as overtly intrusive. With as much internal advertising as Comcast distributes amongst its existing customers, it blows my mind that official notice generated from boilerplate and delivered via snail mail would fail to achieve the intended goal.
To be sure, your pre-edited comment:
> Surely showing up in-person at their door must be an even more effective "reminder" than the browser injection! Is that next?
Time Warner did show up at my door when they updated their speeds. I thought it was strange,and asked him to have Time Warner call and schedule a time, but it worked. He was going door to door.
Regular mail, yes. Email, though, is largely just a waste of time.
Way too much non-spam disappears down overeager spam filters, which most people only check if they are specifically expecting some particular mail and it does not show up as expected--and even then many won't check their filters.
An ISP could white list their own mail in their spam filters but that would only help with the customers who use their ISP provided email. A lot of people use third party email providers instead and never use their ISP email.
I find the reverse is true. My USPS mailbox receives daily credit card application forms, electoral flyers, catalogues, etc. I also get frequent mail from Comcast but they are _all_ bullshit ads, trying to hoodwink me into cable TV. I don't open them anymore, they just go in the bin.
They could sign their messages? Also needs users to have easy to use mua that handles signing and shows "this is genuinely from your ISP unless they/you've been hacked".
For critical service info I'd want SMS personally, from a verified number with a link on the company main domain to verify the info.
Thank you so much for participating in this discussion! Frequently having people like you who actually involved in what's being discussed is part of what makes HN special to me and many others.
As another comment points out though, I'd also like to understand why it was decided to comminate by injecting JS into pages people are visiting rather than following a more traditional communication channel like snail mail. I assume that this solution scales better and has get immediate $ attached. However, it also seems obvious to me that it reenforces brand image and political issues people have with your company.
There is no ethical excuse to ever inject code into a webpage.
Your own argument about it being critical is false or sophistry. If there were wildfires coming to burn someone's house down..that might qualify as critical. Not this, and deep down you know it.
You should be embarrassed to attach your name to such an obviously poor decision.
I think the mindset is that at least he’ll be embarrassed on his yacht. Short of that thinking, you’d have to assume a few solid layers of cognitive dissonance.
There is no ethical excuse to ever inject code into a webpage.
...unless it's for adblocking...
Although I do that with a MITM proxy locally (and thus filters everything on my LAN), it would certainly lead to a very interesting situation if an ISP decided to do it...
I mean, the end-user who requested the page certainly has a right to voluntarily inject script into the page they requested as it is rendered in their own browser running on a machine they own connected to an upstream internet provider they pay for access? Nice try at false equivalence however.
It's false equivalence because you (and everyone else) knows that the case of an end user injecting script into a page on the receiving end of the connection is not the scenario under discussion, and is not the behavior that the rule implied by the earlier comment would be intended to prohibit. If the comment was tongue in cheek then I have misunderstood you and withdraw my objection :).
Indeed. Whoever thinks this is fine would probably also be okay with the telephone company injecting jingles into your phone conversations every 30 seconds.
Treating anyone this rudely is a bannable offence on Hacker News. Please take the civility requirement more deeply to heart (https://news.ycombinator.com/newsguidelines.html), and please don't do this again.
If a fellow community member has a first-hand involvement with a situation under discussion, such as working for a company that some people are mad at or does some wrong thing, we're all responsible for reacting responsibly. Otherwise bad things happen, such as first-hand observers being scared to post because they'll get lashed out at, and the already-weak community bonds we have here getting weaker. We all know what the culture of online shaming has led to and it's all our job not to do it on HN.
> We all know what the culture of online shaming has led to and it's all our job not to do it on HN.
This is, in and of itself, a blaming statement. Blaming statements, such as the one contained in the comment you replied to, are a result of a) dissonance and b) inability to resolve the dissonance.
It is, in fact, unknown what the culture of online shaming has led to in our society. In fact, I'd hazard "shaming" online is actually just raw blame provided by some rationalized thought process driven by Internet interactions themselves, not the people reacting. See This Video Will Make You Angry on YouTube for context. Screwing with people's Internet in contextually what could be considered "wrong" behavior becomes highly polarizing. In as much as someone coughs because they smoke, people blaming is a result of a larger problem, perhaps related to the fitness of memes and some people's weakness in being hacked emotionally by memes with higher sophistication. Again, that problem is noted by the dissonance and inability to resolve it, but the behaviors emerging from those who are "infected" by the thoughts are not exactly theirs to bear alone. We blamed the tobacco industry for smoking. Why can we not blame the employees who are providing the rationalizations for bad behavior? One might argue that they shouldn't be blamed because they have no choice in the matter. It may be their job to argue otherwise for the company.
The irony here is that vast majority of the denizens of HN are likely responsible for creating most of the "mess" we're in today by writing software without considering the long term effects on consciousness and perception of reality. That "mess" would be defined as means, by algorithms or neural networks, to attempt to exploit weaknesses in human nature to spread other's beliefs in a unnatural way. Growth hacking. In some cases, like Comcast, those beliefs are rooted in sophisticated rationalizations which sound good when limited in scope. But! I don't care what anyone says about it, changing the content of a page which, when requested from one place returns one thing and when requested from another (which ones pay for I might add) returns another thing entirely is a violation of TRUST. At least it is to me. I like consistency in my data.
If one of the "members" of this group we call HN wants to make a blaming statement against someone who is defending this irrational logic, then I say let them blame! How else are we to uncover the dissonance and solve it? Or, perhaps, that dissonance is desired to be left in place by our complicit behaviors trying to be "nice" to each other.
I've suggested before social media sites could benefit from a "this is a blaming statement" flag on articles or comments. I stand by that assertion today. Logging back out again. Thank you for all the hard work that goes into running this place.
Second, I am a Comcast customer who will never see these messages precisely because you do things like MITM unprotected traffic. Because I can't trust you to leave my traffic alone, all my traffic is tunneled.
So at the very least, if you feel this is a critical service you are offering (as implied by the RFC), you need an alternative communications channel for people like me who don't permit this one. Snailmail is fine; you try to upsell me constantly through that channel already.
Downvoting because they weren't that snarky and because of your smugness. Your willingness to tell some one straight up why you downvoted them was good however.
why am I smug? I totally agree with the premise and personally hate comcast, but if _jal wants to be taken seriously by jlivingood, snarkyness isn't the way to go.
I don't mind the anon downvotes though, it's par for the course anywhere.
I second this, in addition, the injection is not only related to EOS/EOL for modems it is also for when you are approaching your data cap. Which is rather annoying because it actually can halt your gaming or netflix experience oddly. I have had both happen, one I was playing PlayerUnknown's Battlegrounds and the game crashed. Since the game itself uses web based tools, for its menu system, upon restarting the client a Comcast injected message popped up warning me I have used 90% of my data cap.
HTTPS is not free. Game developers are usually very performance-sensitive. If you're not transmitting any sensitive data, it may seem appealing to forgo the seemingly-needless HTTPS overhead.
Also, most games I have played seem to use HTTPS. The only time it is used is when the game does not need an instant result, in which case they use HTTP or HTTPs. Most of the times, this is in the main menu or similar. Doing this makes it even harder (assuming they use certificate pinning) for users to change the values returns to gain any advantage on their client.
Any part of the game that needs speed should be using a UDP based protocol.
If your game is executing js (as for the example given by the GP), you are transmitting sensitive data. In that scenario not only confidentiality but even more integrity of the data is important.
I think it’s funny you’re approaching your data cap and they add 400 lines to the size of each web page you visit. I hope pages they tamper with are subtracted from your cap.
This is exactly why Comcast is still the most hated company in America [1], and the only reason you have any customers is due to the monopoly deals of dubious legality you or your acquisitions bribed local officials to create back during the infancy of cable. We hate you, but we don’t have any choice.
It’s worth noting that government regulation created Comcast by allowing long-term monopoly contracts with municipalities. Remove the regulations which prevent competition in local internet and TV services; don’t add more regulations.
You should mark this day. This is probably the most positive customer experience you're going to ever have with a Comcast employee. I had a choice between Verizon and Comcast. Comcast was cheaper and I still went with Verizon.
Then they ought to stop abusing the communication channels they have. If they send so much email and snail mail spam that the customer automatically ignores it, that's the choice they have made.
What happens when a customer who really does have a modem that is vulnerable or outmoded runs into related issues? Is that customer going to accept "Well, we included it with our junk mail" as an explanation? As for email, does anyone use their ISP-provided email address anymore? Everyone has a third party provider (mostly Gmail).
I don't think there's any fault in logic in presuming that the best way to make sure a customer receives a notification is to insert as near to their known-active stream as possible. I don't condone altering that stream, but I think it would be nice if they could send a page, potentially at the browser or OS level, exclusive for system control and status messages (no sales, marketing, billing, or collection messages allowed).
I am so sick and tired of xfinity mailings addressed to me or my wife or former residents of the home address asking us to switch to them for a two year discount that I know they won’t give us because we’re already a customer. They even just jacked my rates yet again.
Along the lines of this. Anyone in the industry, why do they not cross reference the street addresses of their current subscribers and reduce the promotional mailing list or mail relevant promotions? Maybe it seems cheaper to do it this way, but it's actually quite antagonistic to current customers.
Why would they not maintain a clean marketing list!?
As a Comcast customer until ~6 months ago, I brought in a cable box they forced upon me as part of a packaged rate (cheaper than internet alone) once my contract ended.
I had tried calling customer service to see if they'd give me a new bundle but they told me they were only for new customers, so I switched ISPs.
Anyways, when I went in store to return the equipment, the guy I spoke to told me to not bother with phone support but to instead come in store or call him directly (he gave me a business card) since he can get existing customers bundled rates that the phone reps can't.
While I had the choice of ISP many don't, I'd definitely recommend going to a store location where you can talk face to face with someone in your area and see if you can't get a contract at a better rate than you pay month to month.
As a web developer this feels like an absolutely terrible practice. I have to support contracts for website performance, quality and behavior with clients and you could be putting us in breach. If I got a bug report of unexpected ads popping up, we'd probably waste thousands trying to figure this out.
Exactly. The first thing I thought about when I saw this was the implications of having JavaScript that has not been tested in the context of a website running. You have no clue how it will conflict.
As a website owner you should have the right to verify all code that will run on your website to be sure that it won’t cause issues since only you have the context needed to make that call. What if there’s a global DIV selector that hides the close button, the website visitor is screwed! And they’ll just think it’s a problem with your website.
One more note, there are way better ways to do what they’re trying to do. Even with how terrible IFrames are, they prevent CSS and JavaScript conflicts. A simple position fixed div at the bottom of the screen containing an iframe seems more appropriate. If you are going to run code on my site, make sure it’s as small as possible. This could have been accomplished in 2 lines of code (excluding iframe host).
I’ve had to patch against this in the past when it turned out my system was breaking for a set of users whose company was installing a browser extension that injected JS that broke the app. Never did find out exactly what it did, but I worked around it but fixing the progressive enhancement to work properly in the context of broken JS as well as no JS.
Can you discuss why DOCSIS 3.0 users get this notice? I have a 3.0 modem, and received the notice, but it looks like my modem will still support my speed tier (75mbps in Chicago)
It usually means you are about to get a speed upgrade that will go beyond what your modem is capable of delivering. In that case it is possible you could have a 1st generation 4x4 modem (so it can bond 4 downstream and 4 upstream channels).
I wonder if your customers would be happy enough without the speed upgrade if they weren’t wasting bandwidth downloading code they never wanted to run in the first place
Comcast does not provide any speed on residential lines that DOCIS 3.x cannot accommodate. It is like requiring Formula car to drive on a gravel road in Alaska.
Different modems can use different numbers of DOCSIS channels. A 4x4 DOCSIS 3 modem is only capable of, at most, 150Mbps and on average 75-100Mbps. A new DOCSIS 3.1 model can do >1.2Gbps.
3.0 spec does up to 1.2Gbit/sec, just like Comcast. You know up to 200Mbit/sec, which is more like 20 because of all the "extreme complexities of the internet service".
DOCSIS 3.0 supports 38Mbps per channel, which is in the table on wikipedia. Not every modem is capable of 1.2Gbps - The fanciest modem out there is 32 channels, which gets to your theoretical 1.2Gbps. If you have a 4 channel modem and expect consistent speeds of more than 100Mbps, you are SOL.
A 4x4 channel 3.0 modem should really only be used for ~75-100Mbps tiers, and is capable of at best 150Mbps. The more channels you have available the more capacity you can pull from — higher peak speeds and potentially better speeds at peak time.
The ARRIS SB6141 [1] is a DOCSIS 3.0 modem which is considered EOL by Comcast. This device is still being actively sold by the manufacturer. It handles the maximum throughput of most Comcast plans. It's not 5-8 years old.
However, the supported device list [2] shows that it's still an allowed modem to use for a e.g. 200mbit connection. A user that's looking to purchase a modem isn't discouraged from getting one from Amazon.
Since Comcast considers it EOL, any interaction with Comcast support includes the stipulation that it's likely the modem that's causing the problem, and the customer will be liable for a surcharge if a technician decides it's the modem causing a problem.
For a brand new modem, purchased from Amazon right now.
There seems to be a disconnect between EOL for the purpose of leasing a modem and EOL from the vendor.
You should not interfere with a customer's traffic they are paying for. If you need to contact them for a critical issue, then call, email, or snail mail. You risk disrupting their experience, and in some cases the customer may not even be able to receive your critical message. Does your JS injection work for customers who have JS disabled?
Stop trying to rationalize it; this is not OK, period. If you can't reach your customer via his contact information, too bad, consider him a lost cause. And if it was something critical resulting in the customer's loss of Internet access, you can bet he will contact you then, if he cares.
You have our phone number. You have our address. Use them! Do not MITM our connections, that's a huge violation of trust. This is NOT okay. Any response other than "we're terribly sorry, our engineering team is rolling this back on Monday" is the wrong response.
As an (unwilling) Comcast user, I purchased my own modem because your rental rates are preposterous. However, I wish I didn't have to think about this at all. If you force me to upgrade a modem I've purchased, I'll be very annoyed by the unanticipated cost.
I get that's problematic for your modernization efforts, but in that case: eliminate modem rental fees. Bake the fees in to the standard cost of the service and don't let customers use their own equipment. I understand that non-cable competitors don't have this cost to shuffle around, and that this will mean you are forced to either A) raise prices publicly or B) have lower margins. That's your problem because of your technology legacy; don't pass the misery on to the customer.
While you're at it, offer two hardware choices: one with, and one without routing/wireless. I refuse to run a wifi network in my household for your other customers and expect complete control over my LAN configuration.
On the topic of injection: I get that you don't think it's immoral, but hey, 1) most people who understand it think it is totally unacceptable. And 2) the window for this approach is rapidly closing for you as the web moves to SSL everywhere. Give up on this approach now and save face.
> I get that's problematic for your modernization efforts, but in that case: eliminate modem rental fees. Bake the fees in to the standard cost of the service and don't let customers use their own equipment.
I love how it's in the interests of public companies to brag about how successful they are. When I see a comment like this, I like to checkout the most recent 10K. According to Comcast's stated figures, they made $8.7 BILLION last year. So, they're doing pretty well. Now, obviously, they can't just give the modems away, but if they would at least STOP BILLING THE CUSTOMER for a leased modem after their costs have been recouped, that would be a HUGE public-relations win.
If we all could buy the modem of our choice, over time, say, amortized over the length of your contract, and then RELIABLY stop getting billed for it, I'd LOVE to just buy it through them. I'd argue that the reduced support costs for NOT BEING RENT-A-CENTER JERKS about the modems would save them a lot of money in the long run.
You explain why it is important to notify about their EOL modems, but you fail to explain why this, of all options, is the appropriate communication channel.
At the very least, you have customer addresses. You should also have phone numbers and email addresses. If you have a way to bill customers, you have a way to contact them.
Injecting JS into HTTP sites is disgusting. It violates both the user's and the site's expectations and is entirely unnecessary.
I think it's amazing Comcast documented their MITM attack as an RFC. Are those still literally Requests for Comments? Are the comments collected anywhere?
"What is a RFC?", "What happens to the comments?", OK a specific RFC is the topic but it's like asking "What is the internet?". https://en.wikipedia.org/wiki/Request_for_Comments is much more appropriate resource for that level of question IMO.
Right, ok so we're in a discussion about what "wildly" means :). Imo the rfc was mentioned, so a simple link to the wiki article would have been a polite reply.
unfortunately the word 'RFC' has been corrupted from meaning exactly that, a publishing forum for ideas, into a pretty asinine form of technical marketing whereby you can publish an informational outside any normal consensus process and assume the sheen of standardization. that started happening 2 decades ago.
I don't care of it's critical or not, I don't care what the issue is, a carrier should not inject code into a webpage it serves, PERIOD. I didn't knowingly opt into this, and I don't have a feasible alternative where I live. This should NOT be allowed, it's a security and privacy risk, and who knows what that JavaScript is actually doing or what vulnerabilities it opens up for malicious advertisers whose scripts are also on the page.
This should be ILLEGAL, I don't give a crap about "getting the government out of our lives", well guess what, they need to step in and prevent these slimy "business" practices from happening or punish the corporations trying to exploit their captive audience.
This standard seems like a terrible mistake. Isn't this exactly what malware creators want? To condition users to click the browser pop up that says "YOUR COMPUTER IS INFECTED WITH MALWARE, CALL THIS NUMBER/INSTALL THIS HORRIBLE THING TO FIX IT?"
Why on Earth would anyone issue a standard that says that ISPs should deliver that kind of notification, thus training consumers to believe them?
Just to be clear. This is not an IETF Standard that has gone through the standards process. It is an "individual submission" published as an informational document. The IETF does not endorse documents classified as "informational."
IETF RFCs are not "standards" in the sense that you are thinking. The RFC process is deliberately designed to be open to submission from anyone, and there is no particular vetting or consensus forming that happens.
When used by practicing engineers as a low-overhead way to document interoperability requirements for working software, it's been fantastically successful. But it also lends itself to this kind of pseudo-fraud "standardization" by less ethical players.
Bottom line: an "RFC" means nothing per se. What matters is whether the community wants to support it. So RFC7540 is an important standard everyone agrees to support. RFC6108 is garbage.
I'm struggling to find it, but there was a article a couple of weeks ago about communities forming their own isps. It's beginning to seem very sensible
They are not blocking, throttling, or interfering (in any way that harms functionality) with legal applications; in a nutshell that is 2015 requirement.
Now, if that Javascript happens to interact badly with some particular web page, then you could complain to the FCC as long as the 2015 rules remain in effect (which is more than a week, for what that's worth).
In a way it throttles.. lets pretend they included 4,000 lines of code in each website, or a 1gig of data. It also throttles the experience by taking up processor cycles to render the data. It harms functionality because the popup covers usable website area, and what was meant to function without closing a popup does not. It blocks screen real estate. I really hope someone makes a case.
Jason Livingood: "This is a web notification system that presents an overlay service message for non-TLS sessions. Documented in RFC 6108 & in place for many years - https://tools.ietf.org/html/rfc6108 . In this case the alert informs customer of need to upgrade an end of life device."
Unfortunately, in the US and Europe at least most people will care about this and even get a response. I think 4-5 years back when I was in one of the cities in which MTNL is there in India, ads were being served in the same way on MTNL. They were injecting an ad serving pop-up on every page served on HTTP. The worst thing was it sometimes used to show some sketchy virus ads also. I complained about it multiple times, never even heard back from them.
It strikes me that the best way to combat this might be in the browser itself - intercept and remove the offending javascript (or better, redirect its execution into a walled sandbox where it thinks it's setting cookies and downloading code) and remove it from the main page viewing stream.
When reading about Comcast I was always wondering why they have no competition when everyone who comments is complaining.
I live in France and use Orange as my fibre provider. 1 Gbps/250 Mbps without constraints. I used to have Free which was great but did not offer fibre when fiber was installed. I switched to Orange in 5 min via a web page. I have another possibility (SFR) but they are despicable liars and for this reason alone I scraped them.
This is France, where competition is not a national sport so I was expecting the US to have 5 other companies banging on the door.
In a natural monopoly regulation /increases/ competition and freedom for the consumer.
The BBC had an article about this a few years ago [0]. Basically the highly regulated countries had cheaper and faster internet.
> Rick Karr, who made a PBS documentary in which he travelled to the UK to find out why prices were lower, says that the critical moment came when the British regulator Ofcom forced British Telecom to allow other companies to use its copper telephone wires going to and from homes.
> But US regulators took a different approach. Rather than encouraging competition between operators using the same network, the US encouraged competition between different infrastructure owners - big companies that could afford to build their own networks.
> Some believe that UK-style regulation is bad for competition and innovation, however, and suggest that the US is already one of the world leaders in broadband.
This UK model is closely related to how roads are funded, as mostly govt funded monopoly on infrastructure (with occasional public private financing, which comes with its own issues, toll roads etc) and common access paid for by users (fuel tax, road tax, etc).
The US model is closer to US railroads model, although not entirely accurate, analogy; largely privately owned with some govt owned, funded by large infrastructure companies that charge customers for usage and also due to infrastructure costs are rarely duplicated in close proximity. It's had issues with off and on regulation, profitability, localised monopolies that have a tendency to over charge when they can get away with it.
It might be easier to convince me ISPs were a natural monopoly if they weren't also a legally protected monopoly where they are, and generally have plenty of competition where they aren't.
I’m not sure that’s evidence against their natural monopoly position. It might be that we’re in a world where in some places, it’s plausible to have two ISPs, and in many it’s not—but if two try, they’ll both fail to get enough people to be profitable. Then any sane provider wants to demand exclusivity as the cost of pulling fiber through a community, and unhappily acknowledges that they’ll have to cover all of their exclusive territory. If we’re in that world, and the service is nearly essential, we’ll see legal monopolies in lots of places, and some places with no legal monopoly and no service—they can’t agree on a price.
I’m prone to suspicion of their business practices too, but every one of the Comcast technical staff I’ve met, from Jason down, has been an excellent person deeply committed to the best mission of a telecoms company, enabling human communication. Is that a marketing campaign? Yes, but as far as I can tell it’s an honest campaign of showing the world who they are and what they care about.
Do you personally have the ability to create large-scale broadband networks, using only the financial means available to the average citizen? An estimate by Goldman Sachs put the cost of nationwide Google Fiber at $140 billion. Personally, I'm not sure if I could come up with that kind of money, in a pinch.
In the US, two infrastructures evolved into internet infrastructure, one was the phone service (pretty much AT&T's long distance network and Ma Bell's local infrastructure). The other was the local Cable Companies, Cox, Bright house, Comcast et. al. So in most locations you have one of two choices, go with DSL and the phone company or Cable which in many areas is Comcast. AT&T just installed fiber here in the Florida Key's so alternatives are starting to pop up in more remote locations in the US, but it's still pretty much a go with the local phone company or local cable company monopoly decision.
A lot of cities grant exclusive agreements to these companies. Lately they are more competitive but historically one cable company would be granted the right to serve an entire city.
For an example, here's the page for Portland's agreements:
Regulations can limit new entries in other ways as well.
A former coworker was telling me the difficulty of getting a DSLAM installed in a high-rental area, like a Seattle neighborhood. The DSLAM install requires approval from 40% of the property owners, so you might write each landlord a letter, but the landlords aren't opening letters unless there is rent money inside. So installing a DSLAM becomes a political game of convincing the several hundred "rental-transient"[0] people in the neighborhood to talk to their landlord. One of the reasons behind the "Ask your Landlord about Wave Internet" signs you see around.
[0] Renters often only plan to stay in a location through their current lease, and thus have less long-term concern over the area. In this way, transience destroys community.
You were able to switch in 5 minutes because nothing actually changed except who sent you the bill. In the US this isn't possible because whoever owns the physical wire/fiber into your place gets to bill you, exclusively.
>I thought that AT&T was split once in the past to differentiate backbone and service providers - why not in the case of fiber?
So called unbundling was done, but in exchange, the backbone provider got a legal monopoly. Almost everywhere AT&T or Verizon lies fiber has competition, usually with a local cable company.
"Those who comment" are far from a random sampling of the user base. It's entirely possible that 95% of users are satisfied "enough" with the service and yet nearly 100% of comments to be strongly negative.
Not to disagree with any of the other points, but it's always worth remembering that any physical utility in the US has approximately 16x more land to cover than France. Not to mention the greater variety in climates (which do impact utilities).
Some cities only have one existing fiber line even coming into them, usually owned by one of the local duopolies (typically phone, since they originally were required to offer phone service to everybody).
This gives incumbents an immediate advantage in terms of reaching customers with physical infrastructure, before counting any of the (admittedly fucked) politics involved.
Then why do Americans in large urban centers not have greater choice of ISPs? If it's all about physical distance, why is there still no competition in dense areas?
I live in Washington DC, in the city, and I only really have one choice where I live, Comcast.
Well, sure if they decide to only grant a single franchise which is what happens in a lot of cases. There is no reason they can't allow several competing operators in a given city though.
The solution to this problem in France was to say "if you put some infrastructure to provide a service you have to share it with others, and get some costback". The costback is regulated.
The idea is to make it better for people, not corporations (which are not starving either)
> When reading about Comcast I was always wondering why they have no competition when everyone who comments is complaining.
Suppose you were a major company with big dollars to spend on offering internet service... someone like Google, for example. Then suppose you wanted to provide service in Louisville, Kentucky. How many years do you think it would take to get permission to attach your lines to the existing telephone poles (owned by the city) if the local telephone and cable providers try to tie you up in lawsuits? What if the city's mayor was enthusiastically supportive, and willing to pass new laws and spend hundreds of thousands of dollars of the city's money going to court to permit Google to start offering service. It would still take years to get permission. Fortunately, this isn't one of the many cases where state or local laws prohibit other companies from competing with the one local cable company, or it couldn't happen at all.
Now imagine it is anyone OTHER than Google with their huge warchest, legal department, public support, and local government support. It wouldn't get anywhere at all. If it did, the cable company would drop rates for a few years until the competitor went out of business, then raise them afterward.
The United States pays lip service to the idea of competition, but most of our politicians have gotten "competition" confused with "supporting big corporations". This is why internet service providing is a monopoly or oligopoly in nearly all US locations.
I think this is really a critical thing to get integrated into the American public dialogue. Pro-business and pro-competition does not mean zero governmental oversight or regulation. My opinion is that if there isn't substantial churn or upheaval in the market at least a couple of times per decade, there is something broken in the market, and we should be looking at what kind of actions would be useful to allow fresh, new entrants to make an impact (without explicitly picking winners or issuing subsidies).
Example: the online marketplace for social, search, and email is stagnant for obscure legal reasons. We should identify these (copyright and the CFAA) and remove the barriers.
Megacorps have exploited core conservative values to guilt people into believing that they're commies if they refuse to write a blank check for any big company that wants one. We can make real progress, and it's important progress, by highlighting to Republican/conservative-leaning voters that selling their country to corporate raiders is not a pre-requisite for being pro-business or pro-small-government.
You correctly call out "copyright" as a problem in the free market, then go on to blame Republicans for the status quo, when it was the entertainment industry and THEIR captured legislators -- the Democrats -- which gave us the DMCA, which has been used as one of the biggest hammers to prevent competition ever conceived. So please don't single out conservatives for giving us the monopolized internet we have now. Both sides are to blame, in their own ways. Unless we, as a country, stop making these sorts of issues tribal, we're never going to fix them.
I'm not trying to blame anyone specifically. This is just a major rhetorical exploit that works on Republican-leaning voters. I know because I and many of my associates are Republican-leaning and very conservative, at least by HN standards. We need to call out these divisive rhetorical exploits because they're used by nefarious groups to subvert actual dialogue and keep people at the extremes.
By no means do I believe that Democrats or liberals have clean hands on this. All sides deliberately ignore and subvert intellectual property matters because it is so dang profitable, and this affects "liberal" industries much more deeply than "conservative" ones. Copyright is fundamentally "big government", which more conservatives would recognize if the narrative around this issue wasn't so tightly controlled. And that's not to say that copyright doesn't serve a useful purpose at all, just that we should be cautious and wary about it.
Since bad political actors and profiteers actively and successfully cultivate tribal dynamics for their benefit, the tribal context and instinct can't be ignored. It must be worked within. Approaching a tribe as an outsider just causes them to raise their shields and ignore anything you say.
Good principles and values drive most actors on both sides of the aisle. Political alignment basically seems to just come down to which principles we prefer to favor/bias. Under that context, the need for balanced, inclusive dialogue is clear, and we should all be grateful for the diversity of opinion that keeps everything in balance.
Maintaining that diversity means working within the structures of human association to create authentic, grateful alliances built on that recognized need, instead of allowing others to abuse those same structures to provoke destructive animosities.
> Comcast has my phone office number, my cell for texts, my email, and my home address, yet they choose to molest my requested web pages by injecting hundreds of lines of code.
[JL] The notice is typically sent after a customer ignores several emails. Perhaps some of those ended up in your spam folder?
What he is saying is that they exhausted all other contact methods. If they stopped after the email and let the persons modem stop working, they would have likely been livid about that as well. Look, I don’t like Comcast any more than you do. But at some point, you need to recognize your biases when evaluating your enemy. I thought this was some nefarious attack based on the headline, but it’s just a critical system message that was thoroughly explained by an executive and you all are freaking out...
The problem here is that I've had the exact same thing happen, and zero attempt was given. The stupid part? My modem was not EOL, was a BYOM (bring your own modem) that had many years left before EOL. I'm pretty damn sure they're using this as a "first line of contact," not final.
I sincerely disagree, especially as per the report Comcast's own second level confirmed there was no need to replace the modem. It was an automated advertisement done in a very not good way; Comcast's own billing system notifies you of just about everything else; you can forward your billing statements and other such information to other emails, why not this?
The reason everyone is freaking out is because they feel pretty darn strongly that the ISP should not be injecting code into webpages delivered, especially not in an automated way without some oversight. If this is to be a service, the bar for what is necessary for such information must be far higher than "an automated system decides it's time." We get into really scary territory just by doing this in the first place, but to use it for advertisements or basic maintenance? That is a misuse of such technology.
And no, I don't think people would be as livid as you suggest if the modem just broke; ISP modems are fragile little things, and it's not uncommon to go through them. I don't think I've had a single ISP where I didn't have to eventually, and the natural progression for each one (Comcast included) was:
1. I called the ISP
2. We did some test with support
3. Once we did the Speedtest / reboot song and dance, a new modem was issued that day.
This is expected; if I had asked for such a service from Comcast, this would be a different discussion entirely (an Opt-In service), but as it is, it's a pretty lame reason to suggest that Comcast needs to be able to inject data into pages I load.
And I rather liked Comcast for the year I had it - I wasn't keen on being on them since I would rather have been with our Municipal, but the place I was at was not yet in a service area for the municipal. More or less, even with my support and canceling experience, I was fine with the service I received. This would have upset me considerably.
> I sincerely disagree, especially as per the report Comcast's own second level confirmed there was no need to replace the modem.
I am skeptical of this - maybe we made a mistake in telling the customer that. The people that are sent notifications are carefully checked to match the EOL/EOS modem criteria or speed mismatch criteria and would not be sent otherwise. It is sometimes the case that a customer has recently upgraded their device but their old device remains provisioned and on their account (and needs to be removed), which sometimes explains this.
> It was an automated advertisement done in a very not good way;
It was not an ad - it was a request that the customer replace/upgrade their device. They can buy that anywhere, whether used on eBay or new on Amazon, etc.
> Comcast's own billing system notifies you of just about everything else; you can forward your billing statements and other such information to other emails, why not this?
We've been working to greatly simplify billing, as customers have told us for some time that we were packing too much info into those statements and it was sort of information overload.
> The reason everyone is freaking out is because they feel pretty darn strongly that the ISP should not be injecting code into webpages delivered,
Available alternatives are not great, such as using DPI everywhere, DNS modification (we use DNSSEC), or a walled garden (all service disrupted while in walled garden). These methods tend to be more costly and cause more disruption for customers. As noted elsewhere, we're working on better methods and part of that might depend on Internet-wide standards rather than something Comcast-specific (which is always my personal preference).
> If this is to be a service, the bar for what is necessary for such information must be far higher than "an automated system decides it's time." We get into really scary territory just by doing this in the first place, but to use it for advertisements or basic maintenance? That is a misuse of such technology.
It's not basic maintenance - that should always be transparent to customers. This is about moving to new technology from outmoded technology. A good example of a key concern for modem upgrades is that the vendor does not support it any longer and the software/hardware is 8 - 10 years old.
As a Comcast customer, I request you discontinue this injecting of javascript into webpages for ANY reason, unreasonably limiting an INFINITE RESOURCE and monopolizing localities so you are the only viable choice. This should not be the behavior of the largest telecom provider in the continental US. We deserve better.
Well, thank you for the response, but I am not very satisfied with the answers.
The crux of disagreement is the method of delivery and the importance of the upgrade requiring this sort of injection. You write:
> Available alternatives are not great, such as using DPI everywhere, DNS modification (we use DNSSEC), or a walled garden (all service disrupted while in walled garden). These methods tend to be more costly and cause more disruption for customers.
I'm still not convinced as to why a phone call or an email would not suffice. What information is specifically being cited by customers as "information overload"? Why can this not simply be a notification as a part of the Xfinity main page? Why isn't an email that only has information on the EOL of a modem is less obstructive than yet another pop-up for users who are trained to ignore pop-ups?
The case for an injection isn't really made simply because other intrusive methods are more intrusive; the presentation of the message itself is just more information in a sea of information, and the criticality of the issue isn't sufficiently justified either. This is not the appropriate way of communicating information that has no such urgency. It's a very nice thing to phase out modems that are EOL, sure, I will grant that. But the information is not so urgent that it needs to be delivered right now or injected into the webpage. That is not something the ISP should be doing, which I suspect is another point of contention that will be had.
You admit alternatives exist, but decided to modify webpages anyway? Adding your own modifications to a copyright protected work (e.g. any web page) creates a derivative work. Generally only the copyright holder of the original work can create or authorize derivative works. Unless you have a license the copyright holder for each webpage you are modifying, this is copyright infringement. Why did your legal department approve a plant that might make the company liable for up to $150,000 per work infringed?
The arrogance is unreal. Your difficulty communicating with your customers is not my problem. Keep it out of my website.
This is a perfect example of the culture problem at Comcast. You seem to have worked yourselves into believing that you're something other than a dumb pipeline. Now you feel entitled to stick your fingers into the content.
I suspect this mass-psychosis is coming from the top, and the need to move into higher-margin businesses. Keep your messages on xfinity.com.
Just a small note that as a customer I would prefer to be redirected to a notice hosted on your website so there is no confusion about the source of the notification. If I saw this pop up on a website I visited daily I would probably think it was spam and ignore it.
I hate to be too cynical, but in today's 'regulatory framework' it's easy to interpret this method of "notification" as merely a test to use for future notifications.
Not getting fast enough Netflix? Here's your message, injected every time you go to their site. Not getting the best search results? Try the new Xfinity search, it's faster and won't cost you the $.002 that Google search will cost.
This is a very slippery slope, and one that we're already sliding down thanks to Ajit Pai's FCC.
Expect to see more of this behavior from Comcast, as no amount of customer outcry can now prevent it.
BSNL- The state-owned broadband provider here in India does this regularly. They intercept HTTP traffic and redirect it to their plans page. The saddest part is no one really cares about this here.
I've worked at comcast too for a while as a consultant, and I think the problem is that they take people that were working in customer service and promote them to senior engineer roles and management roles. This is why they hire consultants when everything goes upside down. Alot of telco's do this, I've seen this in many datacenter environments with ISP's and telcos. You got guys making decisions that don't really have the background to be making those decisions.
How fucked up are we when we live in a society where this not only dreamed up but actually believed to make sense and implemented.
Yes, it speaks volumes about comcast but i also speaks about the culture where comcast exist. And even IF there is backlash from this the whole idea that they might have gotten away with it is just absurd.
497 comments
[ 2.7 ms ] story [ 332 ms ] threadRemember they are the only venue to access the internet for a lot of people, what are they going to do? Stop using the pretty much mandatory communication and information platform?
I'm always surprised just how many people here on this site think you can fight social/political fights with technology. Especially when it comes to entities that can bribe legislation and control your communication.
Regardless of what an ISP might do, HTTPS everywhere is excellent advice.
Yes, HTTPS is great and should be deployed everywhere. But thinking that they'll just give up on injecting ads into your stream when a large chunk of people use it is hopelessly naive - especially when off-the-shelf enterprise solutions that MITM HTTPS traffic already exist.
Breaking TLS is considerably harder. And forcing a cert upon your customers would be hard to scale... It would be similar to implementing a firewall forbidding TLS and VPNs. That's a hard sell.
I couldn't agree more! That's one of the reasons for example we have supported groups like Let's Encrypt (http://labs.comcast.com/innovation-fund-spotlight-lets-encry...) and CrypTech (https://cryptech.is/).
Comcast can demand all they want but they are going to have to hand hold a lot of people though the process. Sure Windows/Mac could offer a nice executable to install it for you but you still have to get people to install it and that’s not something there while customer base will be able to do.
The process of installing CA’s on iOS devices involves even more steps. And this is a process that will have to be completed every time an new device is put on their network.
What about even more “locked down” systems? Your IoT doorbell? Your networked cctv camera? Your Smart TV?
Is it possible? Sure. Is it practical? If kazakhstan couldn’t do it I’m going to struggle to see Comcast pull it off (though if anyone can, it’s prob them). See in a Corp environment where they own all the devices it’s fairly easy to do as most of your deployed hardware if going to be able to remote install what IT asks of them, your mobile devices are going to be enrolled into MDM’s and you will have IT staff on hand to help staff enroll their devices. None of which Comcast have.
We are not talking about your avg hacker news reader configuring their devices to get online, we are talking about people like my mother who can just about browse the web and play games on her iPad and struggles to set the alarm on it. How you going to get her to install the rootca without having some do it for her? Sure get the installer to do it? But what about all your existing customers? You going to schedule a call out for each of them? And what about when she gets a new device? You going to make her take the device to the local Comcast store to get it installed?
Oh and Chrome and or Firefox could throw a massive spanner into the works by refusing to accept their root cert half way though deployment meaning all those “updated devices’ need to be updated again before they even had a chance to use it at any major scale.
Sure it’s possible, I just don’t see it as practical as of today.
All they need to do is block YouTube/Google/Facebook until you run the "Comcast internet setup wizard" (remember? those were a thing!) which makes most customer connections MITMable. Then charge extra for all non-MITMed connections ;)
Declare Firefox as unsupported, Google will have to cave in to the biggest telco and that's that. This article (and all others about Comcast) clearly proves that Americans have zero leverage over companies like Comcast. The customers are peacfully accepting modification of their network traffic now, why do you think you'll suddenly get any more leverage over a natural monopoly you're forced to use in the future? Especially after dismantling net neutrality?
You can only redirect them to the wizard if they try and connect to a non https site or the non http site of a https site they have yet to visit.
Same mother. She has a 4g sim in her iPad cheapest deal for her usage level is prepaid sims. When the prepaid credit is gone it’s cheaper to use an new sim than top up the exisiting sim. Except you have to go though a activation portal to enable the sim. It’s easy. Pop in the new sim, visit telcos website or any non https valid domain press the active button and away you go.
She still can’t do it. And in a world where more and more people are using apps instead of browsers where preinstalled apps will just fail you are gonna not to cause even more issues.
BTs Smart Setup captive portal on their routers was one of the most annoying things they did. And when searching for it the top results are for turning the thing off. Why? Because it interferes with devices that can not display the portal, Smart TVs, Amazon TV sticks, Settop boxes, webcams, IoT toasters, etc.
While they haven’t removed it from their latest router they have had to make disabling it much easier than in previous versions.
With the number of end user devices on the market, I just don’t see them managing to pull it off by getting end users to install their cert.
But you touch on a point. You say that Chrome would have to just suck it up from Comcast. Now I’m not saying I disagree, but why would Comcast go though all that pain to get end users to install a root ca if they held so much power over Chrome (the largest browser my customers use) then why not just get the browser to install the cert anyway and save all that hassle with your end users. Think of the savings they would make not having to handle all those support calls.
Like I said. Possible? sure, practical today? I don’t believe so.
They published a response to the backlash - http://mic.gov.kz/en/news/matters-using-registration-certifi... saying that it would only be used to improve the security when accessing foreign resources, battle porn terrorism and transnational crime.
Dunno what the adoption rate of the cert was or if they do force the use of the cert when accessing foreign https sites
They quietly removed the notice off the telecom's websites saying that people will need to install the cert or may lose access to foreign https sites (not from kazakhstan) but I would expect someone would of gotten word out if they had (Maybe they did and i've just not come across it).
Also how hard do you think it would be for American telcos to push for inclusion of their MITM certificates? Especially if other companies like Verizon come aboard the profit train?
I don't understand. Your second sentence seems to contradict your first; Comcast bribing legislators is a social/political attack. What did you mean?
I currently see more hope in tech solutions than political solutions to the problems of privacy, net neutrality, and script injection. We have the option to use content and routing encryption technology that looks something like TOR or I2P. Instead, we're asking politicians who don't understand the tech to protect us from ISPs who will never stop trying to leverage anything they can find in our traffic. Allowing Comcast to see the traffic at all is the problem, and politics will never prevent that.
If it's apparent to you that the political fight is more winnable, or that technical approaches to privacy are doomed, then what is the social/political solution to internet privacy? Because we don't have any right now, and it looks like we're losing the political war.
Customer: "Comcast has my phone office number, my cell for texts, my email, and my home address, yet they choose to molest my requested web pages by injecting hundreds of lines of code."
Comcast Response: "The notice is typically sent after a customer ignores several emails. Perhaps some of those ended up in your spam folder?"
To me this sounds like a crazy ex-lover. "You didn't respond to my texts so I came to your house." No, Comcast, don't do that. They ignore your emails because you're trying to sell them something they don't want.
Here is the Twitter of the Comcast rep for anybody interested: https://twitter.com/jlivingood
But... this bit.
> ... [JL] This is our web notification system, documented in RFC 6108 https://tools.ietf.org/html/rfc6108, which has been in place for many years now. ...
Oh, interesting, what Internet technology are they using?
> "RFC 6108: Comcast's Web Notification System Design"
> February 2011
Cue jawdrop. My instinctive response was to WAT and think "this is not what RFCs were for..."
But then I read this part,
> Status of This Memo
> This document is not an Internet Standards Track specification; it is published for informational purposes.
> This is a contribution to the RFC Series, independently of any other RFC stream. The RFC Editor has chosen to publish this document at its discretion and makes no statement about its value for implementation or deployment. Documents approved for publication by the RFC Editor are not a candidate for any level of Internet Standard; ...
Hmm.
Reading through, this outlines a way to avoid using deep packet inspection by using Squid and Tomcat instead.
Initially when I read this my brain was sort of going in the direction of "this kind of thing is where the net neutrality repeal thing started..." but now I've spent a bit of time reading it I don't actually think my snap response was particularly on point.
This is a bit of a stream-of-consciousness but I wanted to draw attention to that RFC.
Huh? It sure seems to be using deep packet inspection to me. If it's looking at the data section of your packet, that's deep packet inspection. And Squid and Tomcat do that. They're not just inspecting the packets, they're altering them, creating new packets, splitting packets, etc. The "RFC" seems to be outright lying by claiming they don't do DPI.
> Pre-established TCP sessions on port 80 are identified by the SMB and forwarded with no impact.
(SMB = Session Management Broker)
How does the system identify a "pre-established session"?
This seems to corroborate what you're saying
https://news.ycombinator.com/newsguidelines.html
I paged through the JS curiously, and found the URL bnpsa.g.comcast.net/images/mydevicealert/browser/. I wondered what would happen if I hit that from my ISP in Australia. I was surprised: I got an NXDOMAIN back.
But I discovered that googling the above URL as a quoted string finds a bunch of copies of the JS scattered around the Internet. Might be useful.
So then I tried hitting bnp-service-alerts.gslb2.comcast.com/images/. This actually resolved, and Chrome hung at "Connecting...". After rechecking the URLs I noticed this one was referenced in the JS as HTTPS, so I added that, and promptly got 403 Forbidden.
Question to anyone on Comcast [edit: which has been answered]: does http://bnpsa.g.comcast.net/images/mydevicealert/browser/ resolve for you?
Nope, it does not for me. Non-existent domain.
https://gist.github.com/thoroc/f4d043ead762392561256e20dea81...
https://gist.github.com/ryankearney/4146814/42d9ca5ec42fe43c...
(I haven’t tested any of this, this is based on a quick glance at the code)
Btw, ignore caniuse etc - Firefox _technically_ does support Shadow DOM, just version 0, which it has apparently supported for a little while now. It's better than nothing in a pinch.
Chrome et al are at Shadow DOM v1, which is what caniuse tests its support/no-support metrics against.
:(
If this is copyright violation, is it copyright violation of Comcast allowing you to download a file off the internet?
Comcast are playing into this interpretation by adding their own license to the code they're adding.
https://tools.ietf.org/html/rfc6108#section-3.1
Why did the IETF ever agree to standardize this? It reminds me of their standardization of Cisco's "lawful intercept" router backdoor protocol.
https://tools.ietf.org/html/rfc3924
https://www.blackhat.com/presentations/bh-dc-10/Cross_Tom/Bl...
I guess this is what you get when the IETF literally has NSA agents as chairs of its groups.
https://arstechnica.com/information-technology/2014/01/nsa-e...
>This RFC is not a candidate for any level of Internet Standard. The IETF disclaims any knowledge of the fitness of this RFC for any purpose
From the IETF's point of view all this does is use up a few kB of storage in the RFC Editor servers, and hey, maybe someone will find it useful. It usually makes cranks or corporate types go away and stop wasting everybody's time.
If you're thinking "Wait, so how do I know if RFCs matter and I should care?" I have two answers
1. The pragmatic answer. If you're reading about an RFC because everybody does this and you need to do it too, then I guess it mattered after all. You can decide you don't care about RFC 822 and you'll use email headers starting with an exclamation mark and they'll be in the form of a list of headings and then a separate list of values. But your method won't interoperate with anybody else's, so you'll be talking to yourself.
2. The textbook answer. The IETF marks its Standards Track documents with their Standards Track status, e.g. "Internet Standard" or "Proposed Standard" (there are some legacy "Draft Standard" documents too).
I mean, look at the code. Look at the function of this code. Look at the business purpose of this code. Look at the security aspects of using this code. Look at the legal ramifications (why the hell is that LGPL thing up top there ?). Look at their internal communication. Look at how easy it is to see exactly what they're doing ...
All of it screams "no double digit IQs anywhere near this thing".
And yes, I mean, I know that's not true. Their people are not this stupid (though some must be). But they do this anyway. The organisation does business analysis at the level of a 5 year old, codes like a 10 year old, obviously this has not passed legal review, ...
How can an organisation that executes this badly become this big ? I mean, I know the answer is "government" and government making them a monopoly, but still. WTF.
The random classList polyfill at the bottom was a nice touch. As I scrolled to this bit I was initially like "oh this'll be nice they encrypted some of--oh. :("
My favorite bit was the "this detects the browser type and version" snippet that was copyrighted 2001. Nice!
I think the move to open-source the code was a ham-fisted way to get the "we're modifying copyrighted documents in flight" part past the lawyers. It's admittedly a pretty decent legal move.
I don't get it, how does that work?
A million Shakespeares typing on typewriters write no better than a monkey!
I like it, although I think the analogy fails here. How about "An infinite amount of Shakespeares typing on the same typewriter will inevitably produce garbage"? :)
Would we have gotten twice as many plays out of him?
He was clearly slacking.
Eh, telco infrastructure is a natural monopoly. No government needed for that.
The current problems are that a) since Trump the FCC is shit, b) local municipalities "vowing" to not enter the market (and others have no incentive).
See these for b: - https://arstechnica.com/tech-policy/2017/11/voters-reject-ca... - https://www.wired.com/2013/07/we-need-to-stop-focusing-on-ju...
Oh please, he’s been in office less than a year - none of this amazing ‘sharing’ happened under the previous administration either. It’s totally understandable to have (in my case many) disagreements with the Presidents and their policies, but this knee-jerk habit of blaming whoever is currently in office for everything because he’s not on our team is counterproductive.
It's safe to say at this point that we have a clear idea of what decisions Trump and his FCC will make in the future, and that there would little to no hope for decisions which will increase competition. A year is plenty of time for assessing the character of an adminstration, and Trump's has been remarkably consistent in this regard.
Not for everything.
I blamed O'dog for the fucking shady counterproductive NSA practices that he allowed to continue.
The Obama DoJ took a dump regularly on whistleblowers.
And the infamous CIA kill-by-drone program.
And those are just the obvious big ticket items.
The problem with anti-government rhetoric in the US is it creates a self-fulfilling prophecy. Government is not inherently as incompetent and weak as yours often is.
There is no reason why a regulatory solution cannot work in the US when they work well in many other countries of greatly varying size and population density.
If your government fails you, that is not a failure of government: it is a failure of your government.
The EU member states implementation of deregulation of the telecoms sector is far from perfect, but most of them have ended with something that works reasonably well.
E.g. in the UK, while the cable operator (there's only one of note left standing) has mostly escaped regulation, but BT had it's last-mile infrastructure subjected to heavy regulation to the point where it's been split out into its own company (OpenReach) that maintains the network and is legally obliged to resell access to anyone at the same terms.
You can even get the prices to terminate an IP connection with a subscriber on their website.
ISPs can put equipment in the BT exchanges and get a raw connection, or can pay for "backhaul" to a set of central locations.
I know the US also has a form of local-loop unbundling, but it's clearly not working very well given the level of complaints people have about these services in the US. Possibly because of the price-setting mechanism?
As a result there's a lot of competition in the ISP space in the UK (as there is elsewhere in the EU).
(Where it's not perfect is that the way the regulations have been set up gives too few incentives for BT to invest and innovate in the last mile network and is often accused of milking OpenReach for profit; two ways of improving on that would be to restrict how much profit they could take out as dividends to a proportion of how much they reinvest in network improvements and/or split maintenance/operation into regional franchises and force companies like OpenReach to bid for it on a franchise basis; though the latter is hard to get the evaluation-criteria right for)
It's worth noting this involves two different layers of regulatory separation.
Most ISPs don't run their own LLU operation. They buy access from one of BT Wholesale or TalkTalk Wholesale (who are technically LLUers and both, in turn, use the last-mile network run by Openreach). As you say, the prices which both of the BT Group companies are allowed to charge are regulated and published and companies can "innovate" at quality of service or features offered.
The relevant part here is that the US has never AFAIK had the same wholesale access model. With that, an upstart ISP could have the same coverage as Verizon/Comcast/etc but have the option of not doing these scummy things and/or being as network-neutral as they pleased, within the limits of their business model, without having to spend boatloads of money building a network to access those customers. LLU, on the other hand, requires way more investment so it's not surprising that it never really took off in the US where DSL always seemed like the poor relation compared to the cable networks.
In my time in the US several years ago I was horrified at the cost and quality of internet (and mobile) service compared to the UK.
Any strong libertarian ideals I once had were crushed by the reality of things like this. (Healthcare too but that’s another discussion).
It's worth noting, though, that this is the EU's doing, through the Telecoms Directive, not something the UK government did of its own accord.
https://www.wired.com/2013/07/we-need-to-stop-focusing-on-ju...
https://tech.slashdot.org/story/17/04/12/0345217/tennessee-c...
Lots of ads, undercut your competition by something like $1 and "new customer deals" and then shaft your customers after a while
The average customer just go to the store with the flashier lights (or the one which is more convenient)
The average customer just goes to their cable company (coax cable) or their telephone company (DSL).
(And the kicker is... they both suck!)
When there even is any competition. Where I live, it's literally Comcast or else tether my mobile phone. Satellite is technically an option, but realistically between the cost and my tree coverage there's no way to make it work.
"A natural monopoly is a monopoly in an industry in which high infrastructural costs and other barriers to entry relative to the size of the market give the largest supplier in an industry, often the first supplier in a market, an overwhelming advantage over potential competitors."
You think things in the world are so "obviously" black and white.
Comcast making shitty business decisions is not burning Jews in ovens. And the fact your not immediately laughed out of the room when you make such comparisons is the real sad reflection of society in this thread.
or
"Good" as in technically competent? (in which case untrue).
In any case, here the intended meaning was clearly "technical ability", which doesn't require morality
"good" as in having the qualities required for a particular role, as per Google.
Once you get up to around 20+ people on the team, the collective IQ of that teams drops to level where stupid things like this happen...
Nothing good from development by committee, this appears to be a project that was developed by committee
Rather than arguing, I guess, many (who haven't left for one reason or another) would just go with "uh, whatever" attitude and slap something together just enough for PHB to see that popup (and let customer complaints do the rest).
Microsoft in the last 10 years, and consider how much talent and budget they have access to.
i remember when zynga had to lay off programmers by the thousands. I was thinking, they had THOUSANDS of programmers and the best they came up with was skins over top of farmville?
Because "National Security".
I mean, there are weekend hacks of similar age and quality, with my name on them, that I know are still in active service. Because, for all their myriad other faults, they mostly work, and everyone who works with them is used to using them and to dealing with the occasional cases in which they misbehave. These are not things which anyone rebuilds just for the sake of it. So they go on being used until they stop working entirely, and the the business replaces them with something else.
Whether or not that's a sensible way to go about things is an open question, if you like. I don't think it is, because these aren't the sorts of things which cripple a business if they misfire - or make much impact even if they don't. So investing heavily in them would seem like a waste of money, though perhaps you disagree. But the world need not be mad for this to be the way of things.
What makes that obvious to you - appears to pass the "we're unlikely to be fined and any fine will be too small to bother us" legal review.
> [JL] We are not trying to sell you a new one. If you own your modem we're informing you that it is either end of life (EOL) or that you are about to get a speed upgrade that the modem will be unable to deliver.
Incidentally, Livingood is a co-author of IETF RFC 6108, which he has conveniently linked. From the RFC's general requirements numero uno:
> R3.1.1. Must Only Be Used for Critical Service Notifications. Additional Background: The system must only provide critical notifications, rather than trivial notifications. An example of a critical, non-trivial notification, which is also the primary motivation of this system, is to advise the user that their computer is infected with malware, that their security is at severe risk and/or has already been compromised, and that it is recommended that they take immediate, corrective action NOW.
As composed as Livingood's response was, a modem at EOL and/or incapable of supporting an incremental speed upgrade doesn't strike me as critical. To be sure, Comcast is scheduled to increase speeds by 12/19 (at least in my region): 10Mb->25M, 25M->60M, 75M->100M. Although I disagree with Comcast's method and categorization, it would be interesting to learn what modem the OP was using.
It would also be interesting to learn if the OP received this message on multiple instances. If yes, it would be in violation of its own requirement--in particular, R3.1.8. User Notification Acknowledgement Must Stop Further Immediate Notifications, which itself is contradictory in its use of must and should:
> Additional Background: Once a user acknowledges a critical notification, the notification should immediately stop.
EDIT: Apparently, Livingood is an executive.
Exactly. And the response, "we're not trying to sell you a modem, we're just encouraging you to strongly consider buying a new one" is such a hair-splittingly asinine response considering the rather serious breach of trust posed by the notification system.
As more Comcast customers receive JS-based notices like these injected into their normal web traffic, any enterprising jerk can clone the message, change the links to point to their own phishing site, change or omit the phone number, and snag a whole bunch of unsuspecting Comcast customers.
To be a devil's advocate, Comcast customers have been phished before via email too:
http://technology.pitt.edu/news-and-alerts/phishing-alert-em...
...and then there's the various phone and even door-to-door scams, but I'd consider the latter to be much harder to do.
Making up quotes like this is against HN guidelines (and common decency).
Moreover there's nothing in the guidelines about "making up quotes" (which again isn't a reasonable interpretation of what that is), whereas there are actual, explicit guidelines against addressing yourself to unreasonably interpreted versions of other people's comments.
I got bit by this a bunch when I first got on HN; it was surprising to me how seriously it was taken. But it is, and it's not hard to work around.
> not how writing or paraphrasing works anywhere else
That's simply false. If you want to use Reddit et al as your standard reference on the use of language and punctuation, have at it. But you can't reasonably expect every other forum to use that lowest common denominator. Railing against simple, longstanding house rules like this is just pointless contrarianism.
No, it isn't. I'm saying what somebody else is saying, in their voice. This goes in quotes, because it's someone else's speech, even if it's my version of their speech. The fact that they didn't actually say it comes from context. Punctuation is not semantic markup.
This doesn't come from reddit, it comes from, you know, the way people actually write. The fact that it requires repeated and lengthy explanations is a pretty decent indication it's not how anyone else writes.
Now, I think that it’s a fair argument that a web forum needn’t have the same formality as other written word, but your assertion that “it’s not how anyone writes” is clearly untrue.
And just as a single data point, I expect when someone uses quotes even on the web that they are asserting a verbatim quote.
"AP, MLA & CMS" are an absurd counterpoint that falls well within 'that's not how anyone writes'. They are, if anything, lengthy exceptions to how anyone writes.
It's a deeply silly argument and my point is 'an internet messageboard should not be regulating punctuation'. It should, as this one usually does, try to regulate behaviour.
(For what it's worth: this little subthread is about 10x more interesting than the story and the rest of the thread it's attached to).
Don't be an ass.
Don't call other people asses.
Don't complain about votes.
And then:
Some weird thing about quotes we can't even sort out as well-intentioned nerds who love to talk about rules.
I don't think that's a good rule. I think what it's trying to address is probably a good rule. But it's addressing it in the dumbest possible way.
I certainly default to assuming it does and in many contexts it is an explicit rule.
I don't understand how you've refuted that while also saying they sometimes don't. Are we arguing about contexts here? My claim is almost trivial - nobody reasonably familiar with English thinks quotes imply a verbatim quote. That's just not what quotes are for.
That your position is that I’m in the minority on this is doubly surprising to me given that’s what all the style guides and my high school English teachers taught me.
"In English writing, quotation marks are placed in pairs around a word or phrase to indicate:
Quotation or direct speech: Carol said "Go ahead" when I asked her if the launcher was ready. Mention in another work of a title of a short or subsidiary work, like a chapter or episode: "Encounter at Farpoint" was the pilot episode of Star Trek: The Next Generation. Scare quotes used to mean "so-called" or to express irony: The "fresh" apples were full of worms."
Even 'direct speech' is at odds with 'verbatim quote' and that's the first thing there. Direct speech can be completely made up.
https://en.wikipedia.org/wiki/Direct_speech
Getting back to the actual point, in formal writing, quotation marks are definitely considered to delimit actual quotes. That's where their name comes from and that's their purpose. If you want to paraphrase or otherwise interpret what was said you just work it in without quotes.
Personally, I relax my expectations in informal contexts if I don't know the person or their writing habits, but I'm just being pragmatic. In other words, the rule doesn't change, it's just not always followed.
That's fine, when you're writing fiction. But in most online forums, fiction is frowned upon.
Still, it would have been clearer to say something like "Exactly. And the response, which amounts to 'we're not trying to sell you a modem, we're just encouraging you to strongly consider buying a new one', is such a hair-splittingly asinine response considering the rather serious breach of trust posed by the notification system."
Also, for what it's worth, I do agree 100% with your argument there :)
However, I think (1) few are as lucid as you on that particular point and (2) whatever the merits of this as a general debate, and I think there is some merit, I think the question is whether this norm improves conversation in a thread like this. I think it was invoked frivolously, spawned a long, 50+ comment chain, and it didn't clear up any of the confusion that it seems like the norm is supposed to be designed for.
In terms of what contexts one should keep in mind when interpreting comments with good faith to come to a most reasonable interpretation of what they are saying, the way language is used on reddit is probably a much more reasonable benchmark than MLA style guides.
> The gist of the HN community's opinion is, "don't use quotation marks when paraphrasing."
> Lately the Democrats approach has been, "oppose Trump at every turn."
However, when paraphrasing a specific individual, it is frowned upon at best[1][2], and considered intentionally misleading at worst[3], to put paraphrases in quotes.
> pvg said, "I don't care what HN thinks, I'll do what I want."
> pvg continued with, "no one else cares what HN thinks either."
Contrast that with,
> pvg said that "only harcore lispers" care about how paraphrasing works.
In the last example, you can clearly tell the direct quote from the paraphrase. This is very important when communicating someone else's ideas.
Regardless of hard and fast "rules" of punctuation and grammar, you have a large number of people calling your writing misleading, confusing, and inaccurate. Clear communications should be the goal of any writing; wouldn't you be best served by hearing and incorporating this feedback?
[1] MLA: "Paraphrases and summaries do not use quotation marks" - http://www.lmu.edu/Assets/Academic+Affairs+Division/Academic...
[2] Purdue: "Indirect quotations are not exact wordings but rather rephrasings or summaries of another person's words. In this case, it is not necessary to use quotation marks" (note that no example of indirect quotations include quotation marks) - https://owl.english.purdue.edu/owl/resource/577/01/
[3] "But then there's a long slide through confusion and bias into intentionally misleading quote-mangling and outright fabrication" - http://www.slate.com/blogs/lexicon_valley/2013/10/17/gay_tal...
It's just a dumb, arbitrary rule. It serves no purpose beyond facilitating righteous rebuke. You can make a better rule dealing with the underlying behaviour while oxygen deprived from screaming at dang about HN's political bias.
A lot of zeros and ones are being spilled on behalf of the abstract principle how quotes can be hypothetically used abused and interpreted, but none of the 40+ comments beneath my now-flagged paraphrase of Comcast's statement is actually arguing that my paraphrase was in any way distorting or misleading.
So I question the value of this norm, if the practical way it tangibly cashes out is in the form of extremely long derailments substantively unrelated to the the comment that caused the rule to be invoked.
If the object of the rule is to produce derails like this, it's doing more harm than good. So unless someone wants to explain how it's invocation in this thread improved the quality of conversation about Comcast's javascript injection policy, I would encourage others to join me in not observing the norm.
You're right that it isn't explicitly mentioned in the site guidelines, but those aren't a list of proscribed behaviors but a set of values to internalize. I'd say "Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize" covers this case pretty squarely.
And virtually anyone in any argument could insist, tediously, that those disagreeing with them have failed to interpret with sufficient charity.
But it's one thing to note that as a hypothetical possibility, and another entirely to point to something that's actually a clear cut offense. I don't think I twisted or misrepresented anything, and no one seems to be suggesting the anything was actually misrepresented or misinterpreted so much as they're using this occasion as a jumping off point to litigate the abstract principle. Which I don't think is a constructive use of anybody's time, which is why this is a bad norm that shouldn't be observed.
No, that is what I'm suggesting. Your comment reads as a quote. After reading it, I went to the linked page and looked around for the context. Turns out, there was no context for that quote, because it's not a quote, because those words aren't actually in the original text.
I'm asking whether, even a person who wasn't making a reasonable interpretation of what I was saying, would have been misled by the way I characterized Comcast's position. Is there a significant difference between the way I phrased Comcast's position on whether or not they were exhorting their customers to purchase a new modem, and the way they actually phrased it? Because I don't think there is.
You're spending a lot of time prosecuting this point, and requiring time to be spent by others who care about HN being better than other online communities.
Whether or not some hypothetical person not making a "reasonable interpretation" would have been misled, or whether it's reasonable that a reader had to spend time searching for the quote to verify it to realize that it was not actually a quote (and how many others would have bothered to do that), are matters that we could spend many more hours debating.
Or, you could just accept that it's better to refrain from misquoting people in future and we could all get on with our lives.
All it would have taken you was to preface the "quote" with something like "the response, which effectively amounts to saying...", and it would have saved everyone the bother.
C'mon, is this really a hill you want to die on? Maybe let it go :)
Well, what I meant (within the response length constraints of Twitter) was that we're not saying you can only buy it from us. Just that the customer needs to buy it someplace. That way a customer can do as the wish - ranging from buying a used one on eBay to getting a new one from Amazon or Best Buy.
Ultimately the objective is to ensure a customer is on a device that can (1) deliver the performance for which they pay and (2) is up to date technically (i.e. supports IPv6 and channel bonding) and is supported by the vendor (i.e. software updates & bug fixes).
One of the big risks we have to help mitigate is when a device goes EOL, which means no more software updates, and a security or significant performance issue arises in the future. By proactively beginning the replacement process this helps minimize any future impact when it is a major issue like that. So taking action gradually on a proactive basis prevents a more severe impact later on. In many cases, these are DOCSIS 2.0 devices and that technology and often the software is from 2001, the same year as the 1st gen iPod and when Windows XP was released.
Eventually a modem will go into End-of-Service (EOS) status. At that point there is a definite date/time limit for the device, after which it is de-provisioned from the network and the customer must replace it to continue service. This has been the case in the past with DOCSIS 1.0 and 1.1 devices for example, after years of work to encourage customers to replace them.
See also https://www.xfinity.com/support/articles/end-of-life-devices and the start of the EOL/EOS process for DOCSIS 1.1 devices https://www.dslreports.com/forum/r27473499-Speed-Heads-Up-Ti... and https://www.dslreports.com/forum/r28497383-Speed-Upgrade-You... and https://www.dslreports.com/forum/r30524429-Equip-Reminder-Pl... and https://www.dslreports.com/forum/r30450278-Speed-Heads-Up-Ti...
Unless I’m misunderstanding, this was not causing such a problem. Casting it as a customer good is rhetorically amusing, and probably holds water with people who are predisposed to agree with you, but I can make any number of morally bankrupt decisions using exactly the same logic. You have simpler ways to deliver this message, that do not cause nearly as much harm to your customer and do not require you to intercept and modify their traffic.
And mail pieces don't produce the potentially rather widespread indignation that traffic injection does. Granted, I don't see the harm in it that a lot of people here do. Unencrypted traffic is unencrypted traffic - open to tampering by anyone, not just Comcast, and for many less innocuous reasons than the one for which you've chosen to do so. But with Let's Encrypt, browser manufacturers, and friends leading the charge toward TLS everywhere or as nearly so as is practical, and with most sites that most people use already employing TLS, the attack surface is closing for even an other-than-innocuous variant of your notification methodology. Of course, that also means that that methodology itself is reaching a natural end-of-life, as it cannot work anywhere that TLS exists, and the majority of the web where it does exist continues to grow. If this low-latency notification scheme is of unique value to your business, then now is the time to consider replacing the outdated technology that underpins it with something which will continue to work reliably over the next decade or two.
All that said, I appreciate your decision to engage in this forum. That's unprecedented in my experience from someone in a position like yours, and I wouldn't mind seeing more of it.
Lots of reasons, including years of experience with response rates for particular types of messages / calls to action. Clearly one particular communications channel won't work for everyone - each person has their own preferences. One of the things we're working on is to better enable you to control just that - basically one person may ask for SMS messages, another alerts via their mobile app, another via email, another via phone call, etc. You can see the beginnings of that in MyAccount / Settings / Communication & Ad Preferences.
> But with Let's Encrypt, browser manufacturers, and friends leading the charge toward TLS everywhere or as nearly so as is practical, and with most sites that most people use already employing TLS, the attack surface is closing for even an other-than-innocuous variant of your notification methodology.
Agree. And more TLS is better IMHO. I also like the work that Let's Encrypt has been doing - they've had a really big impact on the adoption of TLS. (See also http://labs.comcast.com/innovation-fund-spotlight-lets-encry...)
> Of course, that also means that that methodology itself is reaching a natural end-of-life, as it cannot work anywhere that TLS exists, and the majority of the web where it does exist continues to grow. If this low-latency notification scheme is of unique value to your business, then now is the time to consider replacing the outdated technology that underpins it with something which will continue to work reliably over the next decade or two.
You bet - totally agree! One of the places we're engaging to try to do that is in the IETF's CAPPORT working group and I think the charter describes reiterates all the points you made: https://datatracker.ietf.org/wg/capport/about/
> All that said, I appreciate your decision to engage in this forum. That's unprecedented in my experience from someone in a position like yours, and I wouldn't mind seeing more of it.
My pleasure & thanks for being a customer that's willing to offer constructive criticism. :-)
The fact that Comcast has and abuses its monopoly is bad enough. That you would try to standardize your abusive behavior is appaling.
This reminds me of the part in Romeo & Juliet where Sampson says "I do not bite my thumb at thee, but I do bite my thumb."
As other commenters have mentioned, these are such small distinctions to legitimize something as fundamentally troubling as javascript injections.
Here's what a customer should do:
Just file a complain. Via snail mail. To the FCC. Include screenshots of VP explaining how this is all ok.
After that the customer should enjoy the show. I'm sure at least the customer is going to be provided a top tier service for the rest of his life in any comcast service region. Most likely for free.
This is how one teaches companies to behave. He or she finds a pressure point and exploits it. It does not matter that the opponent is 350lb gorilla. Small joint manipulation by a 95lb girl puts that gorilla on its back. For Comcast, VZ, etc that pressure point is a snail mail complain to the FCC. For national banks, it is the OCC. It works every time it is tried. What does not work is bitching about it on HN.
We start telling customers that a modem needs to be upgraded when one of two things happen: either they are about to or just had a speed upgrade that their modem cannot support or the modem has gone end-of-life (EOL) from the vendor.
In the former case, if the device is leased, you are send a new one to replace the device and just have to basically say ok. In the latter case, it is a customer-owned device so the customer is asked to go buy a new one someplace (e.g. Amazon, BestBuy).
And in the EOL case, the vendor may have gone out of business or shut their cable modem business down, or otherwise decided to no longer support the device due to its age. That of course means that if a security issue came up, as they do, that the vendor would not be able or willing to provide a software fix for the device. So it's best to get the ball rolling to get those devices replaced when that occurs. Most of our EOL devices today are DOCSIS 2.0 devices (10+ years old), which can only do a single upstream and downstream channel (no channel bonding) and 1st generation DOCSIS 3.0 devices (5 - 8 years old).
Is that the idea here?
Or does this efficacy come at some cost (namely, the sentiment behind this thread)?
More work, but way less scummy.
You know it's actually an important piece of mail when the envelope isn't imploring you to open it.
In either case, the argument does not address the fact that customers recognize unsolicited packet injection as unacceptable ISP behavior. Without support metrics, we can argue all day about the efficacy of one method of delivery over another, but the fact remains that no sensible user would perceive e-mail and/or post of official notice from their ISP as overtly intrusive. With as much internal advertising as Comcast distributes amongst its existing customers, it blows my mind that official notice generated from boilerplate and delivered via snail mail would fail to achieve the intended goal.
To be sure, your pre-edited comment: > Surely showing up in-person at their door must be an even more effective "reminder" than the browser injection! Is that next?
Way too much non-spam disappears down overeager spam filters, which most people only check if they are specifically expecting some particular mail and it does not show up as expected--and even then many won't check their filters.
An ISP could white list their own mail in their spam filters but that would only help with the customers who use their ISP provided email. A lot of people use third party email providers instead and never use their ISP email.
I will at least _glance_ at my email.
For critical service info I'd want SMS personally, from a verified number with a link on the company main domain to verify the info.
As another comment points out though, I'd also like to understand why it was decided to comminate by injecting JS into pages people are visiting rather than following a more traditional communication channel like snail mail. I assume that this solution scales better and has get immediate $ attached. However, it also seems obvious to me that it reenforces brand image and political issues people have with your company.
There is no ethical excuse to ever inject code into a webpage.
Your own argument about it being critical is false or sophistry. If there were wildfires coming to burn someone's house down..that might qualify as critical. Not this, and deep down you know it.
You should be embarrassed to attach your name to such an obviously poor decision.
...unless it's for adblocking...
Although I do that with a MITM proxy locally (and thus filters everything on my LAN), it would certainly lead to a very interesting situation if an ISP decided to do it...
If a fellow community member has a first-hand involvement with a situation under discussion, such as working for a company that some people are mad at or does some wrong thing, we're all responsible for reacting responsibly. Otherwise bad things happen, such as first-hand observers being scared to post because they'll get lashed out at, and the already-weak community bonds we have here getting weaker. We all know what the culture of online shaming has led to and it's all our job not to do it on HN.
This is, in and of itself, a blaming statement. Blaming statements, such as the one contained in the comment you replied to, are a result of a) dissonance and b) inability to resolve the dissonance.
It is, in fact, unknown what the culture of online shaming has led to in our society. In fact, I'd hazard "shaming" online is actually just raw blame provided by some rationalized thought process driven by Internet interactions themselves, not the people reacting. See This Video Will Make You Angry on YouTube for context. Screwing with people's Internet in contextually what could be considered "wrong" behavior becomes highly polarizing. In as much as someone coughs because they smoke, people blaming is a result of a larger problem, perhaps related to the fitness of memes and some people's weakness in being hacked emotionally by memes with higher sophistication. Again, that problem is noted by the dissonance and inability to resolve it, but the behaviors emerging from those who are "infected" by the thoughts are not exactly theirs to bear alone. We blamed the tobacco industry for smoking. Why can we not blame the employees who are providing the rationalizations for bad behavior? One might argue that they shouldn't be blamed because they have no choice in the matter. It may be their job to argue otherwise for the company.
The irony here is that vast majority of the denizens of HN are likely responsible for creating most of the "mess" we're in today by writing software without considering the long term effects on consciousness and perception of reality. That "mess" would be defined as means, by algorithms or neural networks, to attempt to exploit weaknesses in human nature to spread other's beliefs in a unnatural way. Growth hacking. In some cases, like Comcast, those beliefs are rooted in sophisticated rationalizations which sound good when limited in scope. But! I don't care what anyone says about it, changing the content of a page which, when requested from one place returns one thing and when requested from another (which ones pay for I might add) returns another thing entirely is a violation of TRUST. At least it is to me. I like consistency in my data.
If one of the "members" of this group we call HN wants to make a blaming statement against someone who is defending this irrational logic, then I say let them blame! How else are we to uncover the dissonance and solve it? Or, perhaps, that dissonance is desired to be left in place by our complicit behaviors trying to be "nice" to each other.
I've suggested before social media sites could benefit from a "this is a blaming statement" flag on articles or comments. I stand by that assertion today. Logging back out again. Thank you for all the hard work that goes into running this place.
Second, I am a Comcast customer who will never see these messages precisely because you do things like MITM unprotected traffic. Because I can't trust you to leave my traffic alone, all my traffic is tunneled.
So at the very least, if you feel this is a critical service you are offering (as implied by the RFC), you need an alternative communications channel for people like me who don't permit this one. Snailmail is fine; you try to upsell me constantly through that channel already.
I don't mind the anon downvotes though, it's par for the course anywhere.
The same thing happened on Netflix ...
Also, most games I have played seem to use HTTPS. The only time it is used is when the game does not need an instant result, in which case they use HTTP or HTTPs. Most of the times, this is in the main menu or similar. Doing this makes it even harder (assuming they use certificate pinning) for users to change the values returns to gain any advantage on their client.
Any part of the game that needs speed should be using a UDP based protocol.
This is exactly why Comcast is still the most hated company in America [1], and the only reason you have any customers is due to the monopoly deals of dubious legality you or your acquisitions bribed local officials to create back during the infancy of cable. We hate you, but we don’t have any choice.
It’s worth noting that government regulation created Comcast by allowing long-term monopoly contracts with municipalities. Remove the regulations which prevent competition in local internet and TV services; don’t add more regulations.
I recommend you add your primary email address. You can do this via the self-service portal.
Go to https://customer.xfinity.com/#/settings/account under Account / Settings / Contact Information. IIRC you are sent a confirmation email you have to act on before it takes effect.
Edit: typo.
Implying you’d probably miss it and, if not you, the customers they’re trying to reach.
I don't think there's any fault in logic in presuming that the best way to make sure a customer receives a notification is to insert as near to their known-active stream as possible. I don't condone altering that stream, but I think it would be nice if they could send a page, potentially at the browser or OS level, exclusive for system control and status messages (no sales, marketing, billing, or collection messages allowed).
Why would they not maintain a clean marketing list!?
I had tried calling customer service to see if they'd give me a new bundle but they told me they were only for new customers, so I switched ISPs.
Anyways, when I went in store to return the equipment, the guy I spoke to told me to not bother with phone support but to instead come in store or call him directly (he gave me a business card) since he can get existing customers bundled rates that the phone reps can't.
While I had the choice of ISP many don't, I'd definitely recommend going to a store location where you can talk face to face with someone in your area and see if you can't get a contract at a better rate than you pay month to month.
As a website owner you should have the right to verify all code that will run on your website to be sure that it won’t cause issues since only you have the context needed to make that call. What if there’s a global DIV selector that hides the close button, the website visitor is screwed! And they’ll just think it’s a problem with your website.
One more note, there are way better ways to do what they’re trying to do. Even with how terrible IFrames are, they prevent CSS and JavaScript conflicts. A simple position fixed div at the bottom of the screen containing an iframe seems more appropriate. If you are going to run code on my site, make sure it’s as small as possible. This could have been accomplished in 2 lines of code (excluding iframe host).
https://en.wikipedia.org/wiki/DOCSIS
3.0 spec does up to 1.2Gbit/sec, just like Comcast. You know up to 200Mbit/sec, which is more like 20 because of all the "extreme complexities of the internet service".
However, the supported device list [2] shows that it's still an allowed modem to use for a e.g. 200mbit connection. A user that's looking to purchase a modem isn't discouraged from getting one from Amazon.
Since Comcast considers it EOL, any interaction with Comcast support includes the stipulation that it's likely the modem that's causing the problem, and the customer will be liable for a surcharge if a technician decides it's the modem causing a problem.
For a brand new modem, purchased from Amazon right now.
There seems to be a disconnect between EOL for the purpose of leasing a modem and EOL from the vendor.
[1] https://www.arris.com/surfboard/products/cable-modems/sb6141... [2] https://mydeviceinfo.xfinity.com/device/arris-sb6141-336
I get that's problematic for your modernization efforts, but in that case: eliminate modem rental fees. Bake the fees in to the standard cost of the service and don't let customers use their own equipment. I understand that non-cable competitors don't have this cost to shuffle around, and that this will mean you are forced to either A) raise prices publicly or B) have lower margins. That's your problem because of your technology legacy; don't pass the misery on to the customer.
While you're at it, offer two hardware choices: one with, and one without routing/wireless. I refuse to run a wifi network in my household for your other customers and expect complete control over my LAN configuration.
On the topic of injection: I get that you don't think it's immoral, but hey, 1) most people who understand it think it is totally unacceptable. And 2) the window for this approach is rapidly closing for you as the web moves to SSL everywhere. Give up on this approach now and save face.
I love how it's in the interests of public companies to brag about how successful they are. When I see a comment like this, I like to checkout the most recent 10K. According to Comcast's stated figures, they made $8.7 BILLION last year. So, they're doing pretty well. Now, obviously, they can't just give the modems away, but if they would at least STOP BILLING THE CUSTOMER for a leased modem after their costs have been recouped, that would be a HUGE public-relations win.
If we all could buy the modem of our choice, over time, say, amortized over the length of your contract, and then RELIABLY stop getting billed for it, I'd LOVE to just buy it through them. I'd argue that the reduced support costs for NOT BEING RENT-A-CENTER JERKS about the modems would save them a lot of money in the long run.
At the very least, you have customer addresses. You should also have phone numbers and email addresses. If you have a way to bill customers, you have a way to contact them.
Injecting JS into HTTP sites is disgusting. It violates both the user's and the site's expectations and is entirely unnecessary.
This should be ILLEGAL, I don't give a crap about "getting the government out of our lives", well guess what, they need to step in and prevent these slimy "business" practices from happening or punish the corporations trying to exploit their captive audience.
This standard seems like a terrible mistake. Isn't this exactly what malware creators want? To condition users to click the browser pop up that says "YOUR COMPUTER IS INFECTED WITH MALWARE, CALL THIS NUMBER/INSTALL THIS HORRIBLE THING TO FIX IT?"
Why on Earth would anyone issue a standard that says that ISPs should deliver that kind of notification, thus training consumers to believe them?
When used by practicing engineers as a low-overhead way to document interoperability requirements for working software, it's been fantastically successful. But it also lends itself to this kind of pseudo-fraud "standardization" by less ethical players.
Bottom line: an "RFC" means nothing per se. What matters is whether the community wants to support it. So RFC7540 is an important standard everyone agrees to support. RFC6108 is garbage.
§ 303a Datenveränderung
Now, if that Javascript happens to interact badly with some particular web page, then you could complain to the FCC as long as the 2015 rules remain in effect (which is more than a week, for what that's worth).
I guess the EFF has tried this defense of our freedoms...
https://github.com/jawj/IKEv2-setup https://github.com/trailofbits/algo etc.
Oh and of course he's also retweeting a lovely Net Neutrality tweet... https://twitter.com/feamster/status/938236691126636546
https://tools.ietf.org/html/rfc6108 Comcast's Web Notification System Design
Yeah, cuz we're all supposed to know about rfc6108.. Guess I have some catching up to do on "Internet Engineering".
I live in France and use Orange as my fibre provider. 1 Gbps/250 Mbps without constraints. I used to have Free which was great but did not offer fibre when fiber was installed. I switched to Orange in 5 min via a web page. I have another possibility (SFR) but they are despicable liars and for this reason alone I scraped them.
This is France, where competition is not a national sport so I was expecting the US to have 5 other companies banging on the door.
The BBC had an article about this a few years ago [0]. Basically the highly regulated countries had cheaper and faster internet.
> Rick Karr, who made a PBS documentary in which he travelled to the UK to find out why prices were lower, says that the critical moment came when the British regulator Ofcom forced British Telecom to allow other companies to use its copper telephone wires going to and from homes.
> But US regulators took a different approach. Rather than encouraging competition between operators using the same network, the US encouraged competition between different infrastructure owners - big companies that could afford to build their own networks.
> Some believe that UK-style regulation is bad for competition and innovation, however, and suggest that the US is already one of the world leaders in broadband.
[0] http://www.bbc.co.uk/news/magazine-24528383
The US model is closer to US railroads model, although not entirely accurate, analogy; largely privately owned with some govt owned, funded by large infrastructure companies that charge customers for usage and also due to infrastructure costs are rarely duplicated in close proximity. It's had issues with off and on regulation, profitability, localised monopolies that have a tendency to over charge when they can get away with it.
I’m prone to suspicion of their business practices too, but every one of the Comcast technical staff I’ve met, from Jason down, has been an excellent person deeply committed to the best mission of a telecoms company, enabling human communication. Is that a marketing campaign? Yes, but as far as I can tell it’s an honest campaign of showing the world who they are and what they care about.
Laughable.
For an example, here's the page for Portland's agreements:
https://www.portlandoregon.gov/revenue/58882
A former coworker was telling me the difficulty of getting a DSLAM installed in a high-rental area, like a Seattle neighborhood. The DSLAM install requires approval from 40% of the property owners, so you might write each landlord a letter, but the landlords aren't opening letters unless there is rent money inside. So installing a DSLAM becomes a political game of convincing the several hundred "rental-transient"[0] people in the neighborhood to talk to their landlord. One of the reasons behind the "Ask your Landlord about Wave Internet" signs you see around.
[0] Renters often only plan to stay in a location through their current lease, and thus have less long-term concern over the area. In this way, transience destroys community.
I thought that AT&T was split once in the past to differentiate backbone and service providers - why not in the case of fiber?
So called unbundling was done, but in exchange, the backbone provider got a legal monopoly. Almost everywhere AT&T or Verizon lies fiber has competition, usually with a local cable company.
"Those who comment" are far from a random sampling of the user base. It's entirely possible that 95% of users are satisfied "enough" with the service and yet nearly 100% of comments to be strongly negative.
Some cities only have one existing fiber line even coming into them, usually owned by one of the local duopolies (typically phone, since they originally were required to offer phone service to everybody).
This gives incumbents an immediate advantage in terms of reaching customers with physical infrastructure, before counting any of the (admittedly fucked) politics involved.
I live in Washington DC, in the city, and I only really have one choice where I live, Comcast.
In NYC, in one apartment I had 3 or 4 differennt ISPs to choose from, RCN included. In my current place, I only have one.
The idea is to make it better for people, not corporations (which are not starving either)
Suppose you were a major company with big dollars to spend on offering internet service... someone like Google, for example. Then suppose you wanted to provide service in Louisville, Kentucky. How many years do you think it would take to get permission to attach your lines to the existing telephone poles (owned by the city) if the local telephone and cable providers try to tie you up in lawsuits? What if the city's mayor was enthusiastically supportive, and willing to pass new laws and spend hundreds of thousands of dollars of the city's money going to court to permit Google to start offering service. It would still take years to get permission. Fortunately, this isn't one of the many cases where state or local laws prohibit other companies from competing with the one local cable company, or it couldn't happen at all.
Now imagine it is anyone OTHER than Google with their huge warchest, legal department, public support, and local government support. It wouldn't get anywhere at all. If it did, the cable company would drop rates for a few years until the competitor went out of business, then raise them afterward.
The United States pays lip service to the idea of competition, but most of our politicians have gotten "competition" confused with "supporting big corporations". This is why internet service providing is a monopoly or oligopoly in nearly all US locations.
Example: the online marketplace for social, search, and email is stagnant for obscure legal reasons. We should identify these (copyright and the CFAA) and remove the barriers.
Megacorps have exploited core conservative values to guilt people into believing that they're commies if they refuse to write a blank check for any big company that wants one. We can make real progress, and it's important progress, by highlighting to Republican/conservative-leaning voters that selling their country to corporate raiders is not a pre-requisite for being pro-business or pro-small-government.
By no means do I believe that Democrats or liberals have clean hands on this. All sides deliberately ignore and subvert intellectual property matters because it is so dang profitable, and this affects "liberal" industries much more deeply than "conservative" ones. Copyright is fundamentally "big government", which more conservatives would recognize if the narrative around this issue wasn't so tightly controlled. And that's not to say that copyright doesn't serve a useful purpose at all, just that we should be cautious and wary about it.
Since bad political actors and profiteers actively and successfully cultivate tribal dynamics for their benefit, the tribal context and instinct can't be ignored. It must be worked within. Approaching a tribe as an outsider just causes them to raise their shields and ignore anything you say.
Good principles and values drive most actors on both sides of the aisle. Political alignment basically seems to just come down to which principles we prefer to favor/bias. Under that context, the need for balanced, inclusive dialogue is clear, and we should all be grateful for the diversity of opinion that keeps everything in balance.
Maintaining that diversity means working within the structures of human association to create authentic, grateful alliances built on that recognized need, instead of allowing others to abuse those same structures to provoke destructive animosities.
> Comcast has my phone office number, my cell for texts, my email, and my home address, yet they choose to molest my requested web pages by injecting hundreds of lines of code.
[JL] The notice is typically sent after a customer ignores several emails. Perhaps some of those ended up in your spam folder?
So ignoring spam entitles you to this behaviour?
(b) Pretty sure if the person's modem were to actually stop working, they would get in touch with their ISP.
Man-in-the-middle attacks by an internet provider are hacking and a breach of trust, and should be criminal in my opinion.
The reason everyone is freaking out is because they feel pretty darn strongly that the ISP should not be injecting code into webpages delivered, especially not in an automated way without some oversight. If this is to be a service, the bar for what is necessary for such information must be far higher than "an automated system decides it's time." We get into really scary territory just by doing this in the first place, but to use it for advertisements or basic maintenance? That is a misuse of such technology.
And no, I don't think people would be as livid as you suggest if the modem just broke; ISP modems are fragile little things, and it's not uncommon to go through them. I don't think I've had a single ISP where I didn't have to eventually, and the natural progression for each one (Comcast included) was:
1. I called the ISP
2. We did some test with support
3. Once we did the Speedtest / reboot song and dance, a new modem was issued that day.
This is expected; if I had asked for such a service from Comcast, this would be a different discussion entirely (an Opt-In service), but as it is, it's a pretty lame reason to suggest that Comcast needs to be able to inject data into pages I load.
And I rather liked Comcast for the year I had it - I wasn't keen on being on them since I would rather have been with our Municipal, but the place I was at was not yet in a service area for the municipal. More or less, even with my support and canceling experience, I was fine with the service I received. This would have upset me considerably.
I am skeptical of this - maybe we made a mistake in telling the customer that. The people that are sent notifications are carefully checked to match the EOL/EOS modem criteria or speed mismatch criteria and would not be sent otherwise. It is sometimes the case that a customer has recently upgraded their device but their old device remains provisioned and on their account (and needs to be removed), which sometimes explains this.
> It was an automated advertisement done in a very not good way;
It was not an ad - it was a request that the customer replace/upgrade their device. They can buy that anywhere, whether used on eBay or new on Amazon, etc.
> Comcast's own billing system notifies you of just about everything else; you can forward your billing statements and other such information to other emails, why not this?
We've been working to greatly simplify billing, as customers have told us for some time that we were packing too much info into those statements and it was sort of information overload.
> The reason everyone is freaking out is because they feel pretty darn strongly that the ISP should not be injecting code into webpages delivered,
Available alternatives are not great, such as using DPI everywhere, DNS modification (we use DNSSEC), or a walled garden (all service disrupted while in walled garden). These methods tend to be more costly and cause more disruption for customers. As noted elsewhere, we're working on better methods and part of that might depend on Internet-wide standards rather than something Comcast-specific (which is always my personal preference).
> If this is to be a service, the bar for what is necessary for such information must be far higher than "an automated system decides it's time." We get into really scary territory just by doing this in the first place, but to use it for advertisements or basic maintenance? That is a misuse of such technology.
It's not basic maintenance - that should always be transparent to customers. This is about moving to new technology from outmoded technology. A good example of a key concern for modem upgrades is that the vendor does not support it any longer and the software/hardware is 8 - 10 years old.
As a Comcast customer, I request you discontinue this injecting of javascript into webpages for ANY reason, unreasonably limiting an INFINITE RESOURCE and monopolizing localities so you are the only viable choice. This should not be the behavior of the largest telecom provider in the continental US. We deserve better.
The crux of disagreement is the method of delivery and the importance of the upgrade requiring this sort of injection. You write:
> Available alternatives are not great, such as using DPI everywhere, DNS modification (we use DNSSEC), or a walled garden (all service disrupted while in walled garden). These methods tend to be more costly and cause more disruption for customers.
I'm still not convinced as to why a phone call or an email would not suffice. What information is specifically being cited by customers as "information overload"? Why can this not simply be a notification as a part of the Xfinity main page? Why isn't an email that only has information on the EOL of a modem is less obstructive than yet another pop-up for users who are trained to ignore pop-ups?
The case for an injection isn't really made simply because other intrusive methods are more intrusive; the presentation of the message itself is just more information in a sea of information, and the criticality of the issue isn't sufficiently justified either. This is not the appropriate way of communicating information that has no such urgency. It's a very nice thing to phase out modems that are EOL, sure, I will grant that. But the information is not so urgent that it needs to be delivered right now or injected into the webpage. That is not something the ISP should be doing, which I suspect is another point of contention that will be had.
You admit alternatives exist, but decided to modify webpages anyway? Adding your own modifications to a copyright protected work (e.g. any web page) creates a derivative work. Generally only the copyright holder of the original work can create or authorize derivative works. Unless you have a license the copyright holder for each webpage you are modifying, this is copyright infringement. Why did your legal department approve a plant that might make the company liable for up to $150,000 per work infringed?
This is a perfect example of the culture problem at Comcast. You seem to have worked yourselves into believing that you're something other than a dumb pipeline. Now you feel entitled to stick your fingers into the content.
I suspect this mass-psychosis is coming from the top, and the need to move into higher-margin businesses. Keep your messages on xfinity.com.
Not getting fast enough Netflix? Here's your message, injected every time you go to their site. Not getting the best search results? Try the new Xfinity search, it's faster and won't cost you the $.002 that Google search will cost.
This is a very slippery slope, and one that we're already sliding down thanks to Ajit Pai's FCC.
Expect to see more of this behavior from Comcast, as no amount of customer outcry can now prevent it.
Yes, it speaks volumes about comcast but i also speaks about the culture where comcast exist. And even IF there is backlash from this the whole idea that they might have gotten away with it is just absurd.