Cox Comm. Injects Code Into Web Traffic To Announce Email Outage 271
An anonymous reader writes "Cox Communications appears to be injecting JavaScript and HTML into subscribers' traffic, as part of their effort to announce an email service outage. Pictures showing the popup."
Is this News? (Score:5, Informative)
Re:Is this News? (Score:5, Insightful)
Re:Is this News? (Score:5, Insightful)
No, not like this. At least I've never seen it before. This is intrusive. I've had it show up in my browser at least 3 times in the past couple of hours and it's about a service I don't even use. I don't care if their e-mail is out. I don't use their e-mail. I don't want this stuff and there ought to be a simple way to opt out.
There is, it is called: Vote With Your Money...
Re:Is this News? (Score:5, Funny)
Re: (Score:3, Funny)
So... Your Cox has been down more than you'd like, and you can't get your Cox to stay up? Getting rid of it entirely is an option, I suppose, but I keep hearing about medications that claim to keep your Cox up any time you want it up.
Re:Is this News? (Score:5, Funny)
So... Your Cox has been down more than you'd like, and you can't get your Cox to stay up? Getting rid of it entirely is an option, I suppose, but I keep hearing about medications that claim to keep your Cox up any time you want it up.
Well his email is down, so he hasn't been getting any of the many, many, many offers to fix this.
Re:Is this News? (Score:5, Interesting)
Alternative title: Cox acting like a bunch of dicks.
Re: (Score:3, Interesting)
Why isn't UPS and Fedex suing the Post Office?
They have found it much more promising to give contributions to certain members of Congress to burden the USPS with debt so they sink and clear the way for UPS and Fedex to take over.
Re:Is this News? (Score:5, Insightful)
That and they need someone to deliver the last leg on unprofitable routs. More privatized profits and socialized losses.
Re:Is this News? (Score:5, Insightful)
"In other words, we can no longer have nice things from what is still, in theory, our government, because we have placed what is still, in theory, our government into the hands of vandals and madmen, so the solution is to hand everything over to a private sector that repeatedly has shown that, in the pursuit of an extra nickel in profits, it would sell your grandmother to the Somali pirates and drill an oil-well in Lincoln's nose on Mount Rushmore."
Re: (Score:3, Interesting)
Absolutely, the USPS should be responsible for funding pensions and retiree health care just like any other governmental or private entity.
But that's the problem - so far as I can tell, they've had stricter funding requirements related to future retiree health care than any other entity. This was imposed by Congress in 2006.
Here's an article --> http://www.huffingtonpost.com/ron-bloom/reality-check-postal-service_b_1927634.html [huffingtonpost.com]
Re: (Score:3)
Actually no, he hit it spot on. No matter what else you say about them, they really did get screwed by congress.
The USPS actually did balance their checkbook to the point that they had surpluses. They didn't end up in trouble until congress added an unreasonable requirement that they fully fund vetrans benefits...decades ahead of time. Something no other agency must do.
This was pretty clearly done to put them in this situation.
Re: (Score:3, Informative)
No, they don't. They might use FedEx to ship their Priority Mail flat rate boxes, but the final door-to-door delivery is done by the USPS. In my experience, Priority Mail is usually one day faster than First Class, and much, much faster than either FedEx or UPS Ground.
In addition, UPS has a service where USPS does the final residential delivery.
Re: (Score:2)
Around here, that means voting for Centurylink. great choice.
Re:Is this News? (Score:5, Insightful)
there ought to be a simple way to opt in.
FTFY
Illegal? (Score:4)
"At least I've never seen it before. This is intrusive."
I'm not certain, but isn't there a law against messing with your packet stream, and inserting their own content?
It might depend on your user agreement, but I would never intentionally agree to a provision that would let my ISP alter my content.
Re:Illegal? (Score:4, Insightful)
I'm not certain, but isn't there a law against messing with your packet stream, and inserting their own content?
There used to be. Nowadays is the law is basically "You, pathetic peon citizen. Them, corporation. They win."
Re: (Score:2)
"There used to be. Nowadays is the law is basically "You, pathetic peon citizen. Them, corporation. They win.""
Funny. But I don't think it's quite that bad in the U.S. yet. In fact, I have been beginning to see a popular trend in the opposite direction. The pendulum swings...
Re: (Score:2)
Google Plus sucks, granted. What's this "Smart Screen" feature? I'm not a Windows user, and certainly not a Win8 user (who is? It isn't very popular).
As far as Ubuntu going down the tubes, the Linux-oriented boards are full of people bitching about Ubuntu, Unity, Gnome3, Unity+Amazon, etc. Since Unity was pushed out by Ubuntu, other distros, especially Linux Mint, have grown greatly. Ubuntu tries to claim they're still the most popular and that everyone loves Unity, but that's probably bullshit, esp. s
Re: (Score:2, Interesting)
> I'm not certain, but isn't there a law against messing with your packet stream, and inserting their own content?
It's a copyright violation at least. The website you visit owns the copyright on the page it serves... they are creating a derivative work by adding their own stuff to that page. I am sure that they dont have the authorization to do that from the copyright owners.
Unfortunately... the group serving the page is the one harmed in this, so they are the only ones with standing to seek a remedy.
Re: (Score:3)
Re:Is this News? (Score:5, Interesting)
Or instead there ought to be a simple way to just opt in. Or they could produce a FF/IE addon. Or put a big notice on their homepage with this info. Or automated social media notifications. Etc.
Messing with DNS to redirect bad domains to ad parking pages is still around but no one cares anymore. However, this is right in the user's face which feels different, like it's an offensive volley, like one ISP is finally ready for war. The first battle in ISPs training users to accept a tainted connection.
In all honesty, I think they picked the perfect application to start the ball rolling. Few average Joe customers would argue against email outage notifications because it seems like it's an important function that the ISP should provide. More importantly users are used to dynamic pages now, it "feels" like a Facebook or Twitter thing. So in their mind it's probably ok, or at least something that would be hard to argue against from a layman's perspective.
So it's a good starting point to start boiling the frog. I'll bet that their internal calculations show no more than one year to completely boil the poor beast (i.e. ad insertions). That's the holy grail.
Re: (Score:2)
In addition, since they can do DNS redirects, whenever some Cox email user (how many of those are there anyway?) goes to email.cox.com, or whatever their URL is, Cox can redirect it to a new site with a big message saying, "Sorry, but this service is down! That's what you get for trusting us with your email."
Anyone who doesn't use Cox email, or isn't visiting cox.com, doesn't need to be bothered with this news.
Re: (Score:3)
FF's pop-up blocker and ABP must be effective at stripping injected code, because I have the email outage, too, but have not seen the Cox windows.
(BTW, Cox HSI is probably a bit expensive, but my service has been sturdily reliable. Other than hurricanes, I can't remember the last time I had a Cox outage.)
Re: (Score:2)
Re:Is this News? (Score:5, Informative)
Look for something like <script src="http://184.178.98.*/static/FloatingContent/243/floating-frame.js" type="text/javascript"></script> in the head.
Craft rules as appropriate.
Re: (Score:2)
There is.... use a secure protocol.
Not all web sites support HTTPS (Score:2)
Re:Is this News? (Score:4, Interesting)
I used to be a Cox customer until last month, because I moved across the country (to where Comcast is the cable provider, and IME they suck far, far worse than Cox, just judging by the few weeks of service I've had with Comcast versus about 7 years with Cox).
This announcement is especially annoying, because it's an outage on some stupid service that no one with a brain would ever use. Seriously, what moron actually uses ISP-provided email in this day and age? What a brilliant idea: as soon as you have to move or change providers for some reason, all your email is suddenly gone, and your email address is defunct, and if you didn't notify everyone in your address book beforehand you're screwed.
Re: (Score:2)
Seriously, what moron actually uses ISP-provided email in this day and age?
People trying to register for web services that block not only disposable addresses but also free webmail providers such as Hotmail, Yahoo, and Gmail.
Re: (Score:2)
With the massive number of people who use the Big 3 free webmail providers, which web services these days still block those for registration? I can't think of a single one I've run across in years.
Re: (Score:2)
Re:Is this News? (Score:5, Insightful)
More invasive than that (Score:3, Insightful)
Actually it's far more invasive than that, it means they actually LISTEN to the phone conversation and choose the correct GAP in that conversation to inject their javascript. They don't just randomly shove in javascript into a HTTP socket, they have to be watching the traffic.
So they're giving themselves the basis for monitoring your URL surfing later too.
So when they inject adverts, or sell your surfing habits to others, they can point to this and point out that they've been monitoring web surfing and inje
Re:Is this News? (Score:5, Insightful)
Causing web outage to announce email outage? (Score:5, Insightful)
I'm sorry, but if you're injecting Javascript and other text into my web sessions, that's a Web Outage (and a serious security threat.) If you're doing it to announce that your email service is down, that's probably annoying to customers who do use your email service, and much more annoying to customers who don't.
(Unlike many people here, I actually do use my ISP's email service, because it includes a shell account where I'm running procmail, in addition to the spam filtering they do, so email that gets forwarded by my primary email address does go through there. But otherwise I'd be running the filters somewhere else. And it still doesn't justify breaking my http sessions.)
Re: (Score:2)
So I click on the first link in the article "Pictures" and I get a fucking ad and have to click through to something far more reasonable looking to me than the fucking ad.
I've really had enough of those things, they're everywhere now. If they don't go way soon I'll make them go away (at least for me).
Re:Is this News? (Score:5, Funny)
Comment removed (Score:5, Funny)
Re: (Score:3, Funny)
Re:Is this News? (Score:4, Funny)
They should have warned us (Score:5, Funny)
Shouldn't they send an email warning us about injecting stuff in our web traffic?
Re: (Score:2)
the email would go:
"we are announcing that our email service is currently out.
PS: if you didn't get this mail, let us know and we'll send it again."
signed "IC&H". not sure what that refers to. must be a victim of circumstance..
Re:They should have warned us (Score:5, Funny)
You should feel it soon; or maybe it'll just go over your head again.
Posting from Cox in Irvine, CA (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Insightful)
I've seen a lot of people suggest "just use Google DNS", but frankly it's a disturbing trend (unless, naturally, your existing DNS provider is even less trustworthy.)
By using Google's recursive DNS servers you should be aware that you're offering them even more information about your online habits, as if they probably didn't have enough already. I'm pretty sure that a capitalist [telegraph.co.uk] company like Google isn't offering free recursive DNS for purely altruistic purposes (or just to 'speed up browsing').
It's also no
Re: (Score:3)
I'm pretty sure that a capitalist company like Google isn't offering free recursive DNS (...) just to 'speed up browsing'
Why not? They spend a lot of money keeping Search as fast as possible, because they know that requests above a certain threshold lead people to search less, meaning less ad impressions, meaning less revenue. So what's so implausible about spending some more money on a few DNS servers?
And the data from a DNS server is almost useless; just the domain (not even full URL) and the IP, which often is of some router in front of dozens or hundreds of clients. Considering that a huge percentage of websites out there
Re: (Score:3)
Re: (Score:2)
There are ways to do that (eg. using the IMHO dangerous and pointless perversion of a https proxy that gets both ends to trust the thing in the middle - you can buy appliances that do that), but unless you are working for a place that wishes to snoop on all their employees encrypted web traffic and using their web connection it's not likely to happen.
Re: (Score:2)
It doesn't have anything to do with DNS since the injecting is something done with a web proxy. A way round it is to get your web traffic via a different port (requires agreement from the webserver on the other end) or to completely leapfrog their web proxy and use a different one at the end of a VPN.
All these things of course depend on your ISP upstream letting you do it. It's trivial for an ISP to block all direct connections of any kind if they re
Re:Posting from Cox in Irvine, CA (Score:4)
Social-engineering a cert installation (Score:3)
If you find a way to inject data (in a useful way) into an HTTPS stream without adding your own certificate to the person's computer
The easiest way is to just con users into installing a certificate. After several failed connections on port 443, the next hit on port 80 will be MITM'd to say "Have you been getting certificate errors? This certificate allows devices using this Internet connection to connect to secure websites. Here's how to install it:" followed by instructions pertinent to the User-agent that retrieved the page.
Re: (Score:2)
What's "best" depends on what your needs are and where you are. For many people, their ISP's DNS should be faster than a 3rd party, but that depends on their ISP being somewhat competent and not dicks who will redirect you whenever they can.
Google's DNS is a solid one, it's generally got a fairly low ping and, surprisingly, they don't filter anyhting or inject ads (they may be tracking your every site request though, so it depends on how you feel about them. Easiest to remember, though: 8.8.8.8
My personal f
Re: (Score:2)
Not seeing any sort of injections here. I do have DNS set to 8.8.8.8. though.
Can you receive email? If you can, you're probably not affected anyhow.
The amusing part (Score:4, Funny)
is that it refers to Outlook Express, a mail client that was deprecated over 5 years ago.
Re: (Score:2)
Having worked for an ISP not that long ago, I can confirm that a LOT of people still use this.
Re: (Score:2)
I remember deprecating Outlook Express at least 10 years ago.
Re: (Score:3)
I remember defenestrating Outlook Express at least 10 years ago.
Re: (Score:2)
Outlook Express replaced Internet Mail and News, and was nearly the same.
Windows Live Mail replaced Windows Mail, and was mostly the same, but dropped support for Usenet newsgroups.
Mail is now the included client in Windows 8, and has dropped support for POP3, but added ActiveSync.
Re: (Score:2)
Mail is now the included client in Windows 8, and has dropped support for POP3, but added ActiveSync.
Oh thank the heavens.... POP3 is so terrible that I'd actually rather be shoehorned into something proprietary but near-universally supported. I really do hope that support for it starts disappearing, because I just want to smack anyone who thinks that suggesting "We support POP" is a good answer to the "How do I get email on device or application X" question.
Re: (Score:2)
Windows Mail replaced Outlook Express and "functions" nearly the same.
FTFY.
If they are doing this.... (Score:2, Insightful)
Who knows what else they are injecting.....
the truth is out there (Score:2)
the truth is out there
Layer 7 switches (Score:3)
Well hey, someone has to put those layer 7 switches to good use.
Nice single point of attack (Score:5, Interesting)
Just compromise Cox's servers, and deliver your payload. Very blackhat friendly.
Re:Nice single point of attack (Score:5, Interesting)
In fact, is everyone absolutely certain this is actually Cox and not some malware outbreak masquerading as the ISP?
Well, DUH! (Score:3, Insightful)
It's your own fault for not realising it.
For those who wonder why people think this is EXTREMELY POOR FORM:
- Their ability to do this is based on them intercepting all your HTTP data, all the time, every day - insert massive invasion of privacy yadda yadda etc etc etc
Re: (Score:2)
There IS a rather large difference between blindly passing packets through the network and inspecting each one deeply enough to inject additional content into the stream.
i dont care.... (Score:2)
My ISP does this for far worse reasons. (Score:5, Interesting)
I use Millenicom, who resells Sprint, and in my area Sprint started injecting JavaScript into every page that comes over HTTP to recompress all the jpegs to a much lower quality setting.
That, at least, I could block. Now they just recompress all jpegs that come over http to a horrible level. If I want to keep the internet from looking like ass, I have to use a secure tunnel. Which is obnoxiously slow on 3G.
(Unfortunately, there's nothing Millenicom can do about it. It's up to Sprint. And there's no opt-out.)
Re: (Score:2)
As far as I know there isn't actually any requirement by the network to proxy anything, and I've been able to disable it from the system settings on all of my devices since I learn
Re: (Score:2)
It's a proxy alright, but it's handled transparently by the network, not by any proxy settings on my end here.
I have to define a system-wide proxy in order to get around it. It's very annoying.
Re:My ISP does this for far worse reasons. (Score:4, Insightful)
Yea, it's obnoxiously slow because the images haven't been compressed to shit.
They are trying to hide that your connection is garbage.
I have Sprint myself. Horribly slow.
Re: (Score:2)
No, it's a latency issue; adding the forward makes interactivity horrible.
Actually transferring data is fine. I get between 1.2 and 2.1 megabit speeds most of the time.
Re: (Score:2)
The JavaScript effectively redirected all image requests to a proxy, with 'Press Alt-R to reload this image at full quality' as a mouseover text on everything. If you reloaded it, you'd get full quality.
It was really annoying, but less so than the current 'you get a recompressed image no matter what, ha ha.'
Raise your hand.. (Score:5, Insightful)
Yep, I received this too, right on Netflix. Um, thanks, Cox, but even if I used your email service, I'd really rather watch my movie..
Keep your hands off my traffic, please. Is it too much to ask for you to simply carry my bits back and forth for the agreed-upon amount?
Re: (Score:2)
Re: (Score:2)
I only received one around perhaps 3pm central?
It was a single overlay window with the Cox logo, white box, black text, in the bottom-right corner of the Netflix browse titles page, with small red x in the corner to close the overlay.
Obviously injected, very obnoxious, but not intrusive to the browsing experience. Not an acceptable practice for an ISP.
-Ben
Re: (Score:3)
You didn't complain about their hands on your traffic when you accessed the Netflix content which they have locally cached on their servers, courtesy of Netflix and Akamai.
That doesn't require any "meddling", it's up to a website operator (and their contractors if relevant) to decide where to deliver content from, if they choose to host servers with the customer's ISP that is their prerogative,
OTOH if cox is messing with the packets to put in a caching system without netflix's cooperation then that is bad.
And you didn't complain when they used traffic shaping to send your requests for un-cached Netflix data not over their general Internet peering links, but rather across a dedicated link where they peer directly with Netflix.
Why would they need to use "traffic shaping"? normal internet routing protocols should do this just fine!
IMO an ISPs job is to get your packets to/from the entity you are co
Alternative (Score:2)
Cox should just have sent an email to the affected users.
Adsense (Score:2)
I wonder if they could have done the same thing with Adsense.
Target the ads for a specific area.
Re: (Score:2)
I don't get adsense anymore.
Bad practice.. (Score:5, Insightful)
So now internet companies are essentially trying to train users to trust whatever information shows up on a web page that claims to be from 'known' sources?
After all the problems that spoof emails cause for people who don't know better, you'd think an internet provider *would* know better.
Is there a standard? (Score:2)
Is there any standard (but unused...) messaging system for an upstream provider to send a network status message to its users?
Like DHCP, something that should only work on the local network, and can't work cross-network?
If there was, and it was available, would you just turn it off anyway?
Hell, with everyone going to streaming video instead of TV, what's going to happen to the Emergency Broadcast System?
Tornado? what Tornado? I was watching Netflix...
Work yourself around it (Score:2)
Surf using HTTPS only. Not all web sites over this, yet. But more and more complaints to them about their lack of support for secure communications could get more to see the need.
Use an offsite provy via a secure vpn/ssh. Rent a VPS for a few more a month (VPS providers are not known to be doing this, yet). Or rent one of those free-for-a-year micro instances at a cloud provider and run your own proxy and connect via ssh.
This post has been sponsored by your own ISP.
Re: (Score:2)
Re: (Score:2)
Surf using HTTPS only. Not all web sites over this, yet.
And they won't until April 2014, when Internet Explorer for Windows XP reaches its end of life. Until then, roughly 14 percent of all traffic comes from web browsers that don't support Server Name Indication, which is the only way that shared hosting providers can feasibly offer HTTPS. The most popular browsers with SNI-ignorant SSL stacks are IE on XP and Android Browser on Android 2.x.
Ad Injection (Score:3)
ISP: Hey, company X - for $100,000 we can make sure your ads are seen on 3% of all requests in region R, on sites with content targeted at demographic D.
Company X: Is that legal?
ISP: Of course! It's right here on page 17 of the terms and conditions...
Why wouldn't they??
Seriously ... (Score:3)
Being a web browser support person, I get to hear about ISPs injecting code in web pages frequently, first time was ... what, 7 years ago? Of course, usually that was ads; in that sense at least Cox is not trying to sell you anything.
First case I recall was a Canadian ISP injecting their own ads into search results. More recently there's a low-cost ISP in India which will inject ads in any (insecure) web page.
Of course, I'm not going to pay for someone's service and tolerate them inserting pop-up ads into the pages I see. If they were giving the service away for free or at a substantial discount (like NetZero does) then that's one thing, but paying near full price for something like that doesn't cut it.
HTTP not just for web pages (Score:3)
HTTP is used for many purposes besides delivering HTML pages. This is a stupid idea.
Cox probably only injects it when the response has the correct MIME type, so you don't get it in images and binaries. Still, there is a huge amount of XML and HTML that is never intended to be seen by the user: automatic update checks can break, all kinds of mobile applications and other networked applications, aggregator services, etc. Some IM programs use HTTP-like requests.
There was a good analogy above, that this is like playing a recorded message when someone makes a phone call, before transferring it to the correct recipient. As you can imagine, this would screw up faxes and modems quite bad.
Now that I'm done complaining, I should come up with an alternative. The best candidate is email, but the email was down so it wouldn't help much. They surely should put up a big message on the home page, as many people will be going there to look up the phone number for tech support. Apart from that, I think the correct way to handle it is to do nothing. This HTTP injection technique may be appropriate for urgent security problems, but not for announcing an outage.
Isn't this illegal? (Score:3)
This is basically a man-in-the-middle attack.
Re:What a crap (Score:4, Insightful)
You'll care when your ISP starts doing this because no one cared when it happened to others...
First they inject for "emergency notifications" and then next they'll inject for "advertisements to keep your bill down" or something even worse.
Re: (Score:3)
...next they'll inject for "advertisements to keep your bill down" or something even worse.
This is cable. Originally you paid for cable because there were no ads.
They'll say it's to keep your bill down, then raise rates. Complain and they'll say the increases would have been higher.
If they're nice they may offer a higher tier plan without injected ads so you can pay a fee for them to suck less.
In phase two the injected ads will be flash video and will count against your (newly reduced!) bandwidth cap. The ad server will query your bandwidth usage and serve full HD ads at double the normal freq
Re: (Score:2)
IPv6 isn't adopted yet.
That's your idea of news, that nobody gives a crap and continue to not give a crap about IPv6? Personally I feel the last oh... decade? or so of IPv6 stories have been flogging the same dead horse.
Re: (Score:2)
Also, you may want to check on that 60 billion years. That's a bit longer (over 45 billion years) than the age of the universe. You want "million".
Re: (Score:2)
Seriously, guys. I don't want to download them over mobile. Stop this crap.
Install a system-wide ad blocker on your phone.
Re: (Score:2)
Probably due to underpowered servers.
Re: (Score:2)
Cox has software? Ask them for the Linux version. They will ask you to use Windows. Your tell them you need Linux for the security. They will ask you why you need security. Tell them it's to keep bad companies from messing with your web browsing.