Forgot your password?
typodupeerror
This discussion has been archived. No new comments can be posted.

Cox Comm. Injects Code Into Web Traffic To Announce Email Outage

Comments Filter:
  • Is this News? (Score:5, Informative)

    by omega6 (1072658) on Saturday December 15, 2012 @06:36PM (#42303853)
    Providers have been doing similiar things for a while...If you want security, use https.
    • Re:Is this News? (Score:5, Insightful)

      by Pedrito (94783) on Saturday December 15, 2012 @06:48PM (#42303941) Homepage
      No, not like this. At least I've never seen it before. This is intrusive. I've had it show up in my browser at least 3 times in the past couple of hours and it's about a service I don't even use. I don't care if their e-mail is out. I don't use their e-mail. I don't want this stuff and there ought to be a simple way to opt out.
      • Re:Is this News? (Score:5, Insightful)

        by sabri (584428) * on Saturday December 15, 2012 @06:54PM (#42303977)

        No, not like this. At least I've never seen it before. This is intrusive. I've had it show up in my browser at least 3 times in the past couple of hours and it's about a service I don't even use. I don't care if their e-mail is out. I don't use their e-mail. I don't want this stuff and there ought to be a simple way to opt out.

        There is, it is called: Vote With Your Money...

        • by Pedrito (94783) on Saturday December 15, 2012 @06:56PM (#42304003) Homepage
          Actually, that's exactly what I'm going to do now. I was already pissed because my connection has been going down a lot lately. Then they pull this crap. Bye Cox!
          • Re: (Score:3, Funny)

            by RMingin (985478)

            So... Your Cox has been down more than you'd like, and you can't get your Cox to stay up? Getting rid of it entirely is an option, I suppose, but I keep hearing about medications that claim to keep your Cox up any time you want it up.

            • by Kjella (173770) on Saturday December 15, 2012 @09:44PM (#42304885) Homepage

              So... Your Cox has been down more than you'd like, and you can't get your Cox to stay up? Getting rid of it entirely is an option, I suppose, but I keep hearing about medications that claim to keep your Cox up any time you want it up.

              Well his email is down, so he hasn't been getting any of the many, many, many offers to fix this.

        • Re:Is this News? (Score:5, Interesting)

          by GoodNewsJimDotCom (2244874) on Saturday December 15, 2012 @06:57PM (#42304013)
          Too bad you can't vote with your money when there is a monopoly/oligopoly. I remember Comcast suing the government for competing in certain areas. Why isn't UPS and Fedex suing the Post Office?

          Alternative title: Cox acting like a bunch of dicks.
          • Re: (Score:3, Interesting)

            by paiute (550198)

            Why isn't UPS and Fedex suing the Post Office?

            They have found it much more promising to give contributions to certain members of Congress to burden the USPS with debt so they sink and clear the way for UPS and Fedex to take over.

            • Re:Is this News? (Score:5, Insightful)

              by sjames (1099) on Saturday December 15, 2012 @07:51PM (#42304343) Homepage

              That and they need someone to deliver the last leg on unprofitable routs. More privatized profits and socialized losses.

        • by rickb928 (945187)

          Around here, that means voting for Centurylink. great choice.

      • Re:Is this News? (Score:5, Insightful)

        by mwvdlee (775178) on Saturday December 15, 2012 @06:55PM (#42303993) Homepage

        there ought to be a simple way to opt in.

        FTFY

      • by Jane Q. Public (1010737) on Saturday December 15, 2012 @07:06PM (#42304085)

        "At least I've never seen it before. This is intrusive."

        I'm not certain, but isn't there a law against messing with your packet stream, and inserting their own content?

        It might depend on your user agreement, but I would never intentionally agree to a provision that would let my ISP alter my content.

        • Re:Illegal? (Score:4, Insightful)

          by girlintraining (1395911) on Saturday December 15, 2012 @07:08PM (#42304101)

          I'm not certain, but isn't there a law against messing with your packet stream, and inserting their own content?

          There used to be. Nowadays is the law is basically "You, pathetic peon citizen. Them, corporation. They win."

          • "There used to be. Nowadays is the law is basically "You, pathetic peon citizen. Them, corporation. They win.""

            Funny. But I don't think it's quite that bad in the U.S. yet. In fact, I have been beginning to see a popular trend in the opposite direction. The pendulum swings...

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          > I'm not certain, but isn't there a law against messing with your packet stream, and inserting their own content?

          It's a copyright violation at least. The website you visit owns the copyright on the page it serves... they are creating a derivative work by adding their own stuff to that page. I am sure that they dont have the authorization to do that from the copyright owners.

          Unfortunately... the group serving the page is the one harmed in this, so they are the only ones with standing to seek a remedy.

      • Re:Is this News? (Score:5, Interesting)

        by theskipper (461997) on Saturday December 15, 2012 @07:17PM (#42304147)

        Or instead there ought to be a simple way to just opt in. Or they could produce a FF/IE addon. Or put a big notice on their homepage with this info. Or automated social media notifications. Etc.

        Messing with DNS to redirect bad domains to ad parking pages is still around but no one cares anymore. However, this is right in the user's face which feels different, like it's an offensive volley, like one ISP is finally ready for war. The first battle in ISPs training users to accept a tainted connection.

        In all honesty, I think they picked the perfect application to start the ball rolling. Few average Joe customers would argue against email outage notifications because it seems like it's an important function that the ISP should provide. More importantly users are used to dynamic pages now, it "feels" like a Facebook or Twitter thing. So in their mind it's probably ok, or at least something that would be hard to argue against from a layman's perspective.

        So it's a good starting point to start boiling the frog. I'll bet that their internal calculations show no more than one year to completely boil the poor beast (i.e. ad insertions). That's the holy grail.

      • by Nutria (679911)

        FF's pop-up blocker and ABP must be effective at stripping injected code, because I have the email outage, too, but have not seen the Cox windows.

        (BTW, Cox HSI is probably a bit expensive, but my service has been sturdily reliable. Other than hurricanes, I can't remember the last time I had a Cox outage.)

        • Adblock isn't, by default at least. I saw it here once on my phone and then on my laptop, both running firefox with adblock.
      • Re:Is this News? (Score:5, Informative)

        by DarkTempes (822722) on Saturday December 15, 2012 @07:34PM (#42304247)
        You can use noscript or any adblock addon to block this.

        Look for something like <script src="http://184.178.98.*/static/FloatingContent/243/floating-frame.js" type="text/javascript"></script> in the head.
        Craft rules as appropriate.
      • by X0563511 (793323)

        There is.... use a secure protocol.

        • Unless the web site that you're reading doesn't offer a secure protocol. Slashdot, for example, redirects HTTPS to HTTP unless you subscribe. A lot of smaller sites don't offer HTTPS at all, possibly because they're on a shared hosting plan. Entry-level shared hosting plans tend not to include HTTPS for reasons involving outdated browsers (mostly IE on Windows XP and Android Browser on Android 2.x) and the IPv4 address shortage. I recently moved my own web site from Go Daddy to WebFaction because WebFaction
      • Re:Is this News? (Score:4, Interesting)

        by Grishnakh (216268) on Saturday December 15, 2012 @11:35PM (#42305301)

        I used to be a Cox customer until last month, because I moved across the country (to where Comcast is the cable provider, and IME they suck far, far worse than Cox, just judging by the few weeks of service I've had with Comcast versus about 7 years with Cox).

        This announcement is especially annoying, because it's an outage on some stupid service that no one with a brain would ever use. Seriously, what moron actually uses ISP-provided email in this day and age? What a brilliant idea: as soon as you have to move or change providers for some reason, all your email is suddenly gone, and your email address is defunct, and if you didn't notify everyone in your address book beforehand you're screwed.

        • by tepples (727027)

          Seriously, what moron actually uses ISP-provided email in this day and age?

          People trying to register for web services that block not only disposable addresses but also free webmail providers such as Hotmail, Yahoo, and Gmail.

          • by Grishnakh (216268)

            With the massive number of people who use the Big 3 free webmail providers, which web services these days still block those for registration? I can't think of a single one I've run across in years.

            • by tepples (727027)
              Google block registration hotmail yahoo turns up this request [thetfp.com] and this request [drupal.org]. I guess blocking major webmail providers does two things: 1. it forces users to use paid providers that serve as less-disposable identifiers, which discourages people from registering on a forum or wiki just to post spam, and 2. it warns users against trying to register using an e-mail provider known to incorrectly classify confirmation e-mails sent from a given domain as spam. I just use my catch-all *@pineight.com for these th
    • Re:Is this News? (Score:5, Insightful)

      by guttentag (313541) on Saturday December 15, 2012 @07:06PM (#42304079) Journal
      It's the modern equivalent of the phone company playing a recorded message while you are talking to someone on the phone. Or the post office opening your mail and gluing a message to the contents, ransom-note-style, about your mail carrier being out sick. It wouldn't happen. But cox wants to condition people to think of the web like cable TV, where thy can cover part of the picture with service announcements. The FCC needs to weigh in on this and stop it.
      • by Anonymous Coward

        Actually it's far more invasive than that, it means they actually LISTEN to the phone conversation and choose the correct GAP in that conversation to inject their javascript. They don't just randomly shove in javascript into a HTTP socket, they have to be watching the traffic.

        So they're giving themselves the basis for monitoring your URL surfing later too.

        So when they inject adverts, or sell your surfing habits to others, they can point to this and point out that they've been monitoring web surfing and inje

    • by billstewart (78916) on Saturday December 15, 2012 @08:35PM (#42304587) Journal

      I'm sorry, but if you're injecting Javascript and other text into my web sessions, that's a Web Outage (and a serious security threat.) If you're doing it to announce that your email service is down, that's probably annoying to customers who do use your email service, and much more annoying to customers who don't.

      (Unlike many people here, I actually do use my ISP's email service, because it includes a shell account where I'm running procmail, in addition to the spam filtering they do, so email that gets forwarded by my primary email address does go through there. But otherwise I'd be running the filters somewhere else. And it still doesn't justify breaking my http sessions.)

    • by rs79 (71822)

      So I click on the first link in the article "Pictures" and I get a fucking ad and have to click through to something far more reasonable looking to me than the fucking ad.

      I've really had enough of those things, they're everywhere now. If they don't go way soon I'll make them go away (at least for me).

  • by icebike (68054) on Saturday December 15, 2012 @06:37PM (#42303857)

    Shouldn't they send an email warning us about injecting stuff in our web traffic?

  • Not seeing any sort of injections here. I do have DNS set to 8.8.8.8. though.
    • by Dan667 (564390)
      that is google's dns. It would be useful to know what is the best dns to use.
      • Using Google DNS & L3 DNS here (Gulf Coast). It doesn't matter what DNS provider you use, I don't think, it hits you anyway. I don't think the west coast is affected by the outage, though. At least, that's what Cox says.
        • Re: (Score:3, Insightful)

          by Anonymous Coward

          I've seen a lot of people suggest "just use Google DNS", but frankly it's a disturbing trend (unless, naturally, your existing DNS provider is even less trustworthy.)

          By using Google's recursive DNS servers you should be aware that you're offering them even more information about your online habits, as if they probably didn't have enough already. I'm pretty sure that a capitalist [telegraph.co.uk] company like Google isn't offering free recursive DNS for purely altruistic purposes (or just to 'speed up browsing').

          It's also no

          • I'm pretty sure that a capitalist company like Google isn't offering free recursive DNS (...) just to 'speed up browsing'

            Why not? They spend a lot of money keeping Search as fast as possible, because they know that requests above a certain threshold lead people to search less, meaning less ad impressions, meaning less revenue. So what's so implausible about spending some more money on a few DNS servers?

            And the data from a DNS server is almost useless; just the domain (not even full URL) and the IP, which often is of some router in front of dozens or hundreds of clients. Considering that a huge percentage of websites out there

      • What the DNS has to do with injecting code into webpages? Do they inject stuff into banking or SSL connections too? Isn't this against net neutrality or something? I mean how cocky the ISP has to be to actually resort to this kind of s****.
        • by dbIII (701233)

          Do they inject stuff into banking or SSL connections too?

          There are ways to do that (eg. using the IMHO dangerous and pointless perversion of a https proxy that gets both ends to trust the thing in the middle - you can buy appliances that do that), but unless you are working for a place that wishes to snoop on all their employees encrypted web traffic and using their web connection it's not likely to happen.

        • by dbIII (701233)

          What the DNS has to do with injecting code into webpages

          It doesn't have anything to do with DNS since the injecting is something done with a web proxy. A way round it is to get your web traffic via a different port (requires agreement from the webserver on the other end) or to completely leapfrog their web proxy and use a different one at the end of a VPN.
          All these things of course depend on your ISP upstream letting you do it. It's trivial for an ISP to block all direct connections of any kind if they re

        • by DarwinSurvivor (1752106) on Saturday December 15, 2012 @08:49PM (#42304679)
          If you find a way to inject data (in a useful way) into an HTTPS stream without adding your own certificate to the person's computer, there are a LOT of government agencies that would LOVE to talk to you.
          • If you find a way to inject data (in a useful way) into an HTTPS stream without adding your own certificate to the person's computer

            The easiest way is to just con users into installing a certificate. After several failed connections on port 443, the next hit on port 80 will be MITM'd to say "Have you been getting certificate errors? This certificate allows devices using this Internet connection to connect to secure websites. Here's how to install it:" followed by instructions pertinent to the User-agent that retrieved the page.

      • by neokushan (932374)

        What's "best" depends on what your needs are and where you are. For many people, their ISP's DNS should be faster than a 3rd party, but that depends on their ISP being somewhat competent and not dicks who will redirect you whenever they can.

        Google's DNS is a solid one, it's generally got a fairly low ping and, surprisingly, they don't filter anyhting or inject ads (they may be tracking your every site request though, so it depends on how you feel about them. Easiest to remember, though: 8.8.8.8

        My personal f

    • Not seeing any sort of injections here. I do have DNS set to 8.8.8.8. though.

      Can you receive email? If you can, you're probably not affected anyhow.

  • by Anonymous Coward on Saturday December 15, 2012 @06:38PM (#42303875)

    is that it refers to Outlook Express, a mail client that was deprecated over 5 years ago.

    • by neokushan (932374)

      Having worked for an ISP not that long ago, I can confirm that a LOT of people still use this.

    • by PopeRatzo (965947)

      is that it refers to Outlook Express, a mail client that was deprecated over 5 years ago.

      I remember deprecating Outlook Express at least 10 years ago.

      • I remember defenestrating Outlook Express at least 10 years ago.

  • by Anonymous Coward

    Who knows what else they are injecting.....

  • by suso (153703) * on Saturday December 15, 2012 @06:44PM (#42303911) Homepage Journal

    Well hey, someone has to put those layer 7 switches to good use.

  • by Anonymous Coward on Saturday December 15, 2012 @06:46PM (#42303925)

    Just compromise Cox's servers, and deliver your payload. Very blackhat friendly.

  • Well, DUH! (Score:3, Insightful)

    by Crypto Gnome (651401) on Saturday December 15, 2012 @07:01PM (#42304035) Homepage Journal
    Obviously Cox are a bunch of DICKS.

    It's your own fault for not realising it.

    For those who wonder why people think this is EXTREMELY POOR FORM:
    - Their ability to do this is based on them intercepting all your HTTP data, all the time, every day - insert massive invasion of privacy yadda yadda etc etc etc
  • about your damned severe weather advisory! So what if a tropical storm is going to destroy my property, You're interrupting my TV time
  • by damnbunni (1215350) on Saturday December 15, 2012 @07:09PM (#42304107) Journal

    I use Millenicom, who resells Sprint, and in my area Sprint started injecting JavaScript into every page that comes over HTTP to recompress all the jpegs to a much lower quality setting.

    That, at least, I could block. Now they just recompress all jpegs that come over http to a horrible level. If I want to keep the internet from looking like ass, I have to use a secure tunnel. Which is obnoxiously slow on 3G.

    (Unfortunately, there's nothing Millenicom can do about it. It's up to Sprint. And there's no opt-out.)

    • I seem to remember a similar issue when I had an Evo 4G device from Sprint a couple of years ago. The device came preconfigured with a system-wide HTTP proxy that was not only incredibly slow, but also compressed images badly. It would also affect most methods of tethering, if memory serves. Perhaps you're seeing the same proxy?

      As far as I know there isn't actually any requirement by the network to proxy anything, and I've been able to disable it from the system settings on all of my devices since I learn

      • It's a proxy alright, but it's handled transparently by the network, not by any proxy settings on my end here.

        I have to define a system-wide proxy in order to get around it. It's very annoying.

    • by X0563511 (793323) on Saturday December 15, 2012 @08:28PM (#42304551) Homepage Journal

      Yea, it's obnoxiously slow because the images haven't been compressed to shit.

      They are trying to hide that your connection is garbage.

      I have Sprint myself. Horribly slow.

      • No, it's a latency issue; adding the forward makes interactivity horrible.

        Actually transferring data is fine. I get between 1.2 and 2.1 megabit speeds most of the time.

  • Raise your hand.. (Score:5, Insightful)

    by claar (126368) on Saturday December 15, 2012 @07:15PM (#42304135)

    Yep, I received this too, right on Netflix. Um, thanks, Cox, but even if I used your email service, I'd really rather watch my movie..

    Keep your hands off my traffic, please. Is it too much to ask for you to simply carry my bits back and forth for the agreed-upon amount?

    • by cawpin (875453)
      I agree but do have a question. When did the warnings start? I've been online all day today and haven't seen it.
      • by claar (126368)

        I only received one around perhaps 3pm central?

        It was a single overlay window with the Cox logo, white box, black text, in the bottom-right corner of the Netflix browse titles page, with small red x in the corner to close the overlay.

        Obviously injected, very obnoxious, but not intrusive to the browsing experience. Not an acceptable practice for an ISP.

          -Ben

  • Cox should just have sent an email to the affected users.

  • by hey (83763)

    I wonder if they could have done the same thing with Adsense.
    Target the ads for a specific area.

  • Bad practice.. (Score:5, Insightful)

    by Nezic (151658) on Saturday December 15, 2012 @08:21PM (#42304511)

    So now internet companies are essentially trying to train users to trust whatever information shows up on a web page that claims to be from 'known' sources?

    After all the problems that spoof emails cause for people who don't know better, you'd think an internet provider *would* know better.

  • Is there any standard (but unused...) messaging system for an upstream provider to send a network status message to its users?

    Like DHCP, something that should only work on the local network, and can't work cross-network?

    If there was, and it was available, would you just turn it off anyway?

    Hell, with everyone going to streaming video instead of TV, what's going to happen to the Emergency Broadcast System?

    Tornado? what Tornado? I was watching Netflix...

  • Surf using HTTPS only. Not all web sites over this, yet. But more and more complaints to them about their lack of support for secure communications could get more to see the need.

    Use an offsite provy via a secure vpn/ssh. Rent a VPS for a few more a month (VPS providers are not known to be doing this, yet). Or rent one of those free-for-a-year micro instances at a cloud provider and run your own proxy and connect via ssh.

    This post has been sponsored by your own ISP.

    • by dalias (1978986)
      Or just have the good sense to purchase business-class service. I really doubt they do this crap to their business class. Most of the time, business class is only marginally more expensive than residential, and has none of the restrictions such as no-server rules or other crippling of the connection. Sometimes it's even the SAME price; this seems very common in the case of DSL but I'm not sure about cable. Often you can get one or more static ips at little cost that way, too.
    • by tepples (727027)

      Surf using HTTPS only. Not all web sites over this, yet.

      And they won't until April 2014, when Internet Explorer for Windows XP reaches its end of life. Until then, roughly 14 percent of all traffic comes from web browsers that don't support Server Name Indication, which is the only way that shared hosting providers can feasibly offer HTTPS. The most popular browsers with SNI-ignorant SSL stacks are IE on XP and Android Browser on Android 2.x.

  • by jomama717 (779243) <jomama717@gmail.com> on Sunday December 16, 2012 @12:43AM (#42305609) Journal
    Who's to say some significant fraction of popup adds we see in general browsing aren't injected by the ISPs? The actual content providers could be totally unaware while the ISPs are selling ad space on any site, what a cash cow.

    ISP: Hey, company X - for $100,000 we can make sure your ads are seen on 3% of all requests in region R, on sites with content targeted at demographic D.
    Company X: Is that legal?
    ISP: Of course! It's right here on page 17 of the terms and conditions...

    Why wouldn't they??
  • by sgunhouse (1050564) on Sunday December 16, 2012 @03:29AM (#42306021)

    Being a web browser support person, I get to hear about ISPs injecting code in web pages frequently, first time was ... what, 7 years ago? Of course, usually that was ads; in that sense at least Cox is not trying to sell you anything.

    First case I recall was a Canadian ISP injecting their own ads into search results. More recently there's a low-cost ISP in India which will inject ads in any (insecure) web page.

    Of course, I'm not going to pay for someone's service and tolerate them inserting pop-up ads into the pages I see. If they were giving the service away for free or at a substantial discount (like NetZero does) then that's one thing, but paying near full price for something like that doesn't cut it.

  • by fa2k (881632) <pmbjornstad&gmail,com> on Sunday December 16, 2012 @08:36AM (#42306589)

    HTTP is used for many purposes besides delivering HTML pages. This is a stupid idea.

    Cox probably only injects it when the response has the correct MIME type, so you don't get it in images and binaries. Still, there is a huge amount of XML and HTML that is never intended to be seen by the user: automatic update checks can break, all kinds of mobile applications and other networked applications, aggregator services, etc. Some IM programs use HTTP-like requests.

    There was a good analogy above, that this is like playing a recorded message when someone makes a phone call, before transferring it to the correct recipient. As you can imagine, this would screw up faxes and modems quite bad.

    Now that I'm done complaining, I should come up with an alternative. The best candidate is email, but the email was down so it wouldn't help much. They surely should put up a big message on the home page, as many people will be going there to look up the phone number for tech support. Apart from that, I think the correct way to handle it is to do nothing. This HTTP injection technique may be appropriate for urgent security problems, but not for announcing an outage.

  • by acoustix (123925) on Sunday December 16, 2012 @11:33AM (#42307103) Homepage

    This is basically a man-in-the-middle attack.

Stellar rays prove fibbing never pays. Embezzlement is another matter.

Working...