First, let’s go into some background on the Comcast case.  A year or so ago, Comcast decided that its network was being congested by too much P2P traffic; namely, traffic from the BitTorrent P2P protocol.  So, they decided that they would clear their network of this congestion by carefully denying BitTorrent connections.  They did this by looking into the traffic that BitTorrent was sending over the network, and sending back false information so that connections to peers would fail.  The actual details of how this was done is outside the point of this post.

After some outrage from Comcast customers who used BitTorrent, the FCC decided it would step in and tell Comcast to stop or suffer consequences.  As soon as this happened, there was some question about whether or not the FCC actually had the power to do this.  But, the case went to court and a judge decided that the FCC did have the power to do this, and that Comcast had to stop denying BitTorrent connections in this way.  This was a major win for users of the Internet: the court decision basically meant that your ISP can’t deny you from accessing information on the Internet.

However, the case was appealed by Comcast because that’s just the way the US legal system works.  The appeals court reversed the decision of the first court, and decided the FCC did not have this power, which is true.  Currently, the FCC does not have power to do anything about network management on the Internet.  Because of this, their decision to sanction Comcast for shaping the network was not allowed by any law.  So, the clear answer to this conundrum is to have Congress pass a law which would give the FCC this power, right?

In my opinion, yes.  This is the essence of Net Neutrality: give the FCC the power to force ISPs to be neutral, that is, to allow users to access any website, with any protocol.  This is the current spirit of the Internet: that anyone can access any part of it, and that it’s easy for someone to create a new site that becomes an overnight sensation.  The idea of an open Internet is not possible without Net Neutrality.  So, why hasn’t this been an issue in the past?

Probably because it’s never needed to be an issue.  As users start using more bandwidth, ISPs are looking for ways to get more money.  If there is no law forcing the net to be neutral, then ISPs can manage their network however they want.  Let’s say, for example, that your ISP partners with Google and Wikipedia.  Your ISP’s basic package will allow you to access these two sites.  Want to use Bing, or Yahoo!?  That’ll be an extra $20 a month.  Want to access any website you want?  It’ll cost you.  We’ve created a situation where innovation is stifled on the greatest frontier for innovation.

One of the great things that has come out of the Internet is small businesses.  A small business can easily create a website with a good product, and become big.  Without Net Neutrality, this becomes very difficult.  A small business would first have to give some money to your ISP in order for you to be able to get to their site.  But, remember that there are multiple ISPs, and the small business would have to pay all of them to reach all their potential customers.

It’s possible, however, that competition wouldn’t allow this to happen.  One ISP would have to be “the first” to implement a pricing scheme like this.  If consumers voted with their dollars and switched ISP if this happened, then ISPs everywhere would be sent a message that this is no way to run a business.  Unfortunately, however, I have a feeling that most people would just go along with it without knowing any better.  After all, the big sites that people actually use would be able to afford the fees an ISP would put on them to get to their user base.

So, what do we do?  Check out http://www.savetheinternet.com/ .  Find out what net neutrality really means, and join the fight to keep the net neutral!

[Note: I had originally written this post on April 11.  I think it's finished, and reading over it, it does seem finished.  I'm really not sure why I never published it.  Perhaps I was going to add more... I just don't remember now!  Oh, well... better late than never.  News since this post: Google and Verizon's Net Neutrality proposal has many outraged.  I haven't looked into it much, but I'll see if I can poke around it a bit more and write a post about my thoughts.]

Sunday, 9:30 AM –I’ve discovered an interesting line while decompiling Comcast’s software (in an if statement which handles incoming messages):

(arg1.from[0].match(CALLER_ID_SERVICE_JID) || arg1.from[0].match(CALLER_ID_SERVICE_JID_TEST))

This means that comcast IS checking who the message is coming from.  Although, they seem to do something else if it’s not from one of these two addresses.  Also, what is CALLER_ID_SERVICE_JID_TEST?  I’ll have to do some more exploring!

Sunday, 1:44 PM — Hmm… some interesting declarations:

public static const CALLER_ID_SERVICE_JID_TEST:String=”vismedia02@comcast.net”;
public static const CALLER_ID_SERVICE_JID:String=”callerid_alert@comcast.net”;

Monday, 9:19 AM — I’ve discovered an interesting URL in the code — machenmusik.com — it’s the package for the caller id decoding function (so, the project should be hosted there).  However, it currently just gives a login prompt.  Very strange.  Anyway, I’m attempting to translate the caller ID decoding into python.  I’ll let others translate it from there.  We’ll see how this works out…

Monday, 3:18 PM — Well, after playing with the decompiled actionscript a bunch, I can’t get it to return any comprehensible output.  The same goes for the python I translated.  So, I’m kinda giving up right now due to lack of knowlege.  If someone else would like to pick up where I’ve left off, contact me and I can send you what I have so far…  It was worth a try, right?

So, how does this work?  Did comcast come up with some super-secret way to encode this data so no one but them can use it?  Nope; they’re simply using XMPP.

For those unaware, XMPP is a very nice concept: an open messaging protocol.  This means that companies don’t need to invent their own protocol, or shell out big bucks to use another protocol.  Just grab a server and client, and you have an instant messaging system.  XMPP is also designed to be expandible.  Is there a feature you need that it’s missing?  Just code it in, following the current specifications.  The problem with this is that different clients can conform to different specifications for things that aren’t part of the official protocol, but that’s another discussion.

Comcast decided to not reinvent the wheel, and just use XMPP, with a little twist.  If you already know a bit about XMPP, I’ll give you the stanza as a client receives it:

<message to=”bob.graese@comcast.net/comcast” from=”callerid_alert@comcast.net/wcdc01b” id=”sn-30552863″ type=”headline”><CInfo>3NoAaS45q2vvGEmdgNb35TReIbQcE7F5d4vtkBu0l1bsyVdLRr3VxaTyWbV
nyXpEIgjAs1QbBV2CK1HJjIb+yvTDOMXh5uDGh+Q552jyV6vxPM10+tlhNBfTEvNjB7QJnTHkd2Mmj5
Cl3JCdoRRw8/RTGSzDGrSQwLAmpht6GmS7DNMGcHc=</CInfo></message>

(The line breaks above have been inserted by me in order to not destroy the layout)  So, what’s all this saying?  When your phone rings, comcast sends you a message over the XMPP protocol.  This message goes TO (your_main_account)@comcast.net, using the resource “comcast”, and comes FROM callerid_alert@comcast.net (very original naming), with a little resource tacked on the end there.  Each message has a unique ID, and a tag saying that the message is a “headline” (I’m not sure on the specifics of this, I’m guessing this would be used for news items in a XMPP client).  Then, Comcast starts the non-standard part.

When sending an IM over XMPP, there’s usually a body tag inside the message tag.  However, Comcast has invented a CInfo tag, which isn’t part of the XMPP specification.  Inside, there’s a long, encoded string.  Unfortunately, I haven’t worked out how they encode it (I’ll be working on that in the coming days; Any ideas?  Let me know!)

So, what does this mean?  It means that everything is unsecure (except the CInfo tag).  Theoretically, if comcast’s programming is dumb enough, I could send a caller ID message to any comcast user, and have it display on their TV and computer, even though their phone isn’t ringing.  Or, I could call their house, then send them a different caller ID message, and spoof my caller ID info.

Of course, this all hinges on the assumption that comcast figured no one would think of this.  I’m guessing that Comcast doesn’t check who the message is FROM.  If they do, and it needs to be from callerid_alert@comcast.net, then none of this will work.  However, if they don’t check, this could be a fun security excersise.

But first, I need to decode the information inside CInfo.  I don’t have much security expertise, so I can’t guarantee any progress on this.  If you have an idea, please let me know.  If you figure it out on your own, I’d also like to know.  If you use my ideas to expand into your own project, a small link is all I ask.

Stay tuned in the next couple of days to see if I can make any progress.