We were working on some feature for a client's website, and suddenly things started breaking. We eventually tracked it down to some shoddy HTML + Javascript being on our page that we certainly didn't put there, and further investigation revealed that our ISP - whom we were paying for a business connection - was just slapping a fucking banner ad on most of the pages that were being served.
This was around ... 2008? I wonder if they were injecting it into AJAX responses, too.
My boss called them up and chewed them several new assholes, and the banner was gone by afternoon.
I don't know what the official name for the phenomenon is where you widely experience a huge problem, the market reacts to fix the problem almost completely, people who never experienced the problem in the first place because the world before them solved it begin to complain about the solution, people defending the solution are mocked by people who have no context, the solution is rolled back and all the people who did it are happy with their win for a brief moment in time, then the original problem comes back in force but all of the walls put up to tear down the original solution make it 1000x harder to fix.
I feel like there needs to be a name for this. For now, "Those who do not learn from history are doomed to repeat it." is the most apt I think.
Happens constantly when you're essentially born on 3rd base. Maybe that's the proper name. Born on 3rd Base Syndrome.
I was going to say exactly this: people get sick, a vaccine is born, people get less sick, the vaccination practice gets established, the sickness vanishes. Then efforts maybe slump because the perception of danger and living memory of the sickness have largely left the building, and then those with baseless claims against the vaccine rear their heads and gain more followers. Now you have an under-vaccinated populace with ever fewer vaccinated people and the sickness can spread again, even more fervently than it could have originally, because younger folks have never experienced the virus live and are too often not vaccinated.
Yeah, I think this can really happen, and it's just about the heart of the preparedness paradox, a term that I mentioned somewhere else in this thread.
I've often said that my grandmother was so grateful for all the childhood vaccines that came out during my mom's and my aunt's childhoods, or around that time (the Baby Boom era), because my grandmother really concretely saw how terrible some of those diseases were, with people in her generation actually contracting them in childhood, maybe even dying of them. But if you've really never seen them, it's pretty natural that they start to seem like something that barely even exists at all.
Like, I don't even know the difference between typhus and typhoid, or what their symptoms are, or what you actually do to prevent them, or exactly how they're spread, or whether they've been eradicated in certain regions or whatever (or even whether there are any vaccines against them or whether or not I've personally received those vaccines in infancy!). I just barely have a vague sense that these are truly awful things that apparently exist in the world, probably relate to water contamination somehow, and may potentially come back in war zones or disaster zones. (Way to go, people who do ... something? ... to prevent those two!)
> suddenly things started breaking. We eventually tracked it down
Amateur level ... Around 2006, we enjoyed some clients complaining why information on our CMS was being duplicated.
No matter what we did, there was no duplication on our end. So we started to trace the actions from the client (inc browser, ip etc). And lo and behold, we got one action coming from the client, and another from a different IP source.
After tracing back the IP, it was an anti-virus company. We installed the software on a test system, and ... Yep, the assh** duplicated every action, inc browser settings, session, you name it.
Total and complete mimic beyond the IP. So any action the user did + the information of the page was sent to their servers for "analyzing".
Little issue ... This was not from the public part of our CMS but the HTTPS protected admin pages!
Sure, our fault for not validating the session with extra IP checks but we did not expect the (admin only) session to leak out from a HTTPS connection.
So we tried to see if they reacted to login attempts at several bank pages. O, yes, they sent the freaking passwords etc. We tried on an unused bank account, o, look, it was duplicating bank actions (again, bank at fault for not properly checking the session / ip).
It only failed on a bank transfer because the token for authorization was different on their side, vs our request.
You can imagine that we had a rather, how to say, less than polite talk / conversation with the software team behind that anti-virus. They "fixed it" in a new release. Did they remove the whole tracking? Nowp, they just removed the code for the session stealing if the connection was secure.
O, and the answer to why they did it. "it a bug" (yea, right, you mimic total user behavior, and it's a "bug"). Translation: Legal got up their behinds for that crap and they wanted to avoid legal issues with what they did.
Remember folks, if it's free you're the product. And when it's paid, you are often STILL the product. And yes, that was a paid anti-virus "online protection". And people question why I never run any anti-virus software beyond an off-line scan from time to time, and have Windows "online" protections disabled.
Companies just can not stop themselves from being greedy. Same reason why I NEVER use Windows 11... You expect if you paid for Windows, Office or whatever, to not be the product, but hey ...
Our app reports all of the runtime exceptions to the server. We had one years ago (maybe before 2008) that was caused by somebody's "toolbar" replacing a method like Element.appendChild with one that sometimes crashed.
This inspired me to add a list of all script tags to error reports.
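One way to do what the comment above describes, as an added example that is not code from the thread or from the commenter's app: a browser-side error reporter that attaches an inventory of the page's script elements (with external ones checked against the origins you actually deploy from) and an integrity check on a few DOM methods, so an injected banner script or a toolbar's replacement for Element.prototype.appendChild shows up in the report instead of looking like a bug in your own code. The allowed origins, sample scripts and IP address are constructed; in a real page you would pass document.scripts and the live prototype methods.

```javascript
// Added example, not code from the thread: inventory the page's <script>
// elements and integrity-check a few DOM methods, and attach both to every
// client-side error report. Injected scripts (ISP banner, toolbar, extension)
// then show up in the report instead of looking like a bug in your own code.
// Hostnames, paths and IPs below are constructed for the example.

// Origins we legitimately load scripts from. Anything else is "foreign".
const ALLOWED_SCRIPT_ORIGINS = new Set([
  'https://app.example.com',
  'https://cdn.example.com',
]);

// Summarise one script element. Accepts a real <script> element or any
// object with the same `src` / `textContent` fields (used for offline testing).
function describeScript(el) {
  const src = el.src || '';
  if (!src) {
    // Inline scripts can't be attributed to an origin; keep a short prefix
    // so an injected `document.write(...)` is recognisable in the report.
    return { inline: true, origin: null, foreign: false,
             snippet: (el.textContent || '').slice(0, 80) };
  }
  let origin;
  try { origin = new URL(src).origin; } catch (e) { origin = 'invalid-url'; }
  return { inline: false, src, origin,
           foreign: !ALLOWED_SCRIPT_ORIGINS.has(origin), snippet: null };
}

// True when `fn` is still the engine's built-in. A JS wrapper installed by a
// toolbar reads back as its own source text rather than "[native code]".
// Caveat: bound functions and anything that overrides toString also print
// "[native code]", so treat a false result as reliable and a true result as
// a hint only.
function isNative(fn) {
  return typeof fn === 'function' &&
    /\{\s*\[native code\]\s*\}$/.test(Function.prototype.toString.call(fn));
}

// Build the payload you would POST to the error endpoint.
// `scripts`: iterable of script elements; `methods`: [{ name, fn }] to check.
function buildErrorReport(err, scripts, methods) {
  const inventory = Array.from(scripts, describeScript);
  return {
    message: String((err && err.message) || err),
    stack: err && err.stack ? String(err.stack) : null,
    scripts: inventory,
    foreignScripts: inventory.filter((s) => s.foreign),
    patchedMethods: methods.filter((m) => !isNative(m.fn)).map((m) => m.name),
  };
}

// Constructed sample data so the example runs outside a browser. In a page
// you would pass `document.scripts` and e.g.
// [{ name: 'Element.prototype.appendChild', fn: Element.prototype.appendChild }].
const SAMPLE_SCRIPTS = [
  { src: 'https://app.example.com/main.js', textContent: '' },
  { src: 'http://203.0.113.9/banner.js', textContent: '' }, // stand-in for an injected script
  { src: '', textContent: 'document.write("<div id=\\"isp-ad\\"></div>")' },
];
const SAMPLE_METHODS = [
  { name: 'Array.prototype.push', fn: Array.prototype.push }, // genuine built-in
  // Stand-in for a toolbar's replacement of appendChild: a plain JS wrapper.
  { name: 'Element.prototype.appendChild', fn: function (child) { return child; } },
];

console.log(JSON.stringify(
  buildErrorReport(new Error('boom'), SAMPLE_SCRIPTS, SAMPLE_METHODS), null, 2));
```

In a page you would call buildErrorReport from a window.onerror or unhandledrejection handler and send the result with navigator.sendBeacon. The foreignScripts list is what answers "is this our bug or someone else's code?" at triage time; a Content-Security-Policy with a script-src allowlist and report-to would additionally block the injected script and report it before it ever runs.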
My ISP (Mediacom) appears to have a deal with certain websites to display service messages. The only two I've encountered it on are Amazon and Facebook, but they are somehow able to insert a maintenance banner at the top of those two when downtime is anticipated or if I am near the end of my bandwidth quota. Haven't gotten any ads this way but they have the technology.
One thing you can arrange is "Oh, you need to trust our Router's security thing" and so you're adding a new private root CA trust, then they "just" issue CA certs which they've arranged for you to trust. This is commonly how corporate and institutional systems are set up, it's a terrible idea but it's very common.
One thing that helps drive it away at work is that we're a University, and essentially all the world's universities have a common authenticated WiFi (because students and perhaps more importantly, academics, just travel from one to another and expect stuff to work, if you got a degree in the last 20 or so years you likely used this, eduroam) but obviously they don't trust each other on this stuff so their sites all use the Web PKI, the same public trust as everybody else, internal stuff might not, but the moment you're asking some History professor to manually install a certificate you might as well assign them a dedicated IT person, so, everything facing ordinary users has public certs from, of course, Let's Encrypt.
> This is commonly how corporate and institutional systems are set up, it's a terrible idea but it's very common.
Tbh it kinda makes sense for those systems, when used only with internal tools and on company devices... but yeah I’d just (of course) Let’s Encrypt if I was setting it up for a client.
No - I have visited two universities in the past month in France and each of them has its own Wi-Fi logins and passwords. And then one more a few months ago in Poland.
AHHHH - I just called a friend of mine at one of the French schools. He told me that this is for researchers only and this is why I was given another (permanent) access.
I stand corrected and I apologize. This is actually awesome. Working in the field, this is probably one of the most interesting deployments I have seen over many years and I will have a close look at it now.
Haha, yeah this kind of stuff made HTTP long polling requests over mobile pretty fun. IIRC, we ran HTTP over IMAP and POP3 ports for cases where port 80 was unreliable.
The modern version of that is brave or ublock or screen reader extensions or spyware inserting JS or data attributes which leads to user complaints. We don't need ISPs hacking lines, people do it to themselves when they sign up to shady sms services on download sites.