What I Do

I write kickass software for small and large companies. You can find my code everywhere from the Rackspace Control Panel to Early Stage Startups, and design firms in Australia and the Cayman Islands. My work includes custom software, responsive web design, and consulting.


Evidence my ISP may be making money from tracking its customers


tl;dr: My ISP, Access Media 3 has started injecting tracking cookies into html packets going through their network and are potentially making money from tracking their customers.


About a week ago I started noticing something strange. I was viewing YouTube and saw a white bar (pictured below) at the top of the page. I didn’t think much of it until I visited StackOverflow and saw the exact same white bar.

white frame

I opened the chrome dev tools and found a few javascript errors:

js console

Upon further inspection it turns out this ‘random script’ had been injected by a <script> tag in the header. I looked at some other sites and noticed the same script being inserted almost everywhere. Here is what it looks like:

<script type=”text/javascript”> var dot=’.'; var setCookie=’net’;var gAnalytic=’adsvc1107131′;var IETest=’rxg’; var v=’ashx’; var R=’ajs’; var gid=’5d738f4aeccb49c39d3013cabc563f64′; </script>
<script type=”text/javascript” src=”http://rxg.adsvc1107131.net/ajs.ashx?t=1&amp;5d738f4aeccb49c39d3013cabc563f64″ id=”js-1006893410″ data-loaded=”true”></script>

I realized that the only sites that weren’t affected were those using https rather than http. This makes sense, you can’t inject code into https because it is encrypted.

The effect of this script was to add an iframe to YouTube and StackOverflow however other pages (including ones I’ve built myself) had no injected iframes and only the script tags in the <head>. My theory is that this is related to sites that provide ads however I have not confirmed this.

Here is a gist of the iframe that was being injected into YouTube.

tl;dr: The iframe is coming from Ad-vantage Networks.

I did a whois on some of the domains where these scripts are being hosted and they pointed to Ad-vantage Networks also. Or they were pretty obvious urls like: advn.net. I followed some of the urls around and found an interesting open folder which stores a bunch of the javascript that Ad-vantage uses:


I poked around on Google and found that Ad-vantage Networks is now known as MediaShift.

So who is injecting the code?

My initial thoughts were that it was just a simple Chrome extension. So I checked the site on Firefox and my Nexus… same result. I plugged in my ethernet cord to rule out my wireless router… same result. Same white bar at the top of YouTube. I switched my Nexus over to 3G and voila! The white bar disappeared. Something in between my wall and YouTube was injecting this code.

I ran mtr to see if there were any suspicious hops that my packets were routing through and this was the result:


Nothing out of the ordinary, at least to my untrained eye (I’m by no means a networks expert).

Plot twist time

Around the same time that I started seeing this injected code I was building a Node.js website and noticed a weird change in behavior. Usually when my node server was off and I accidentally hit its url I received the standard Chrome “This webpage is not available” page. With no change on my behalf, I started seeing different error pages as shown below.





At the time I didn’t think much of it at all. Now I believe it shows the vital clue in this whole situation. But before figuring that out I did some more research into what MediaShift did. Here’s a slide from their front page that was particularly interesting. Internet network providers you say? I dug further into their site and found their list of partners.

The kicker

After looking through these providers for more info I found the final piece of the puzzle. RGNets.com‘s main product is the rXg box. Look back to that new error page I was seeing. Here is the fine print:

Generated Sat, 04 Jan 2014 23:52:15 GMT by va-bbg-core-rxg2.am3wireless.com (squid/3.3.3)

Notice three interesting points:

  1. The machine seems to be an rXg made by RGNets.com
  2. Its owned by am3, Access Media 3, my ISP
  3. It is a squid server

Some research into squid servers shows this ability. Most interestingly the ability to “Add, remove, or modify an HTTP header field (e.g., Cookie)”. Which is exactly the injection I was seeing.


Access Media 3, my ISP (which we are forced to use in my apartment complex), is using an rXg machine to inject javascript and cookies into any un-encrypted html packets going through my network.


As the injected javascript is obfuscated in most circumstances I have no idea what the effect of the injection is exactly. At the very least I can see multiple references to persisting cookies – a way to track a user’s behavior on the internet. As seen by MediaShift’s website it is clear that they offer this data collection system as a way for networks to make money. Its therefore not too much of a stretch to conclude that Access Media is making money from selling the data of its users behavior to unknown parties.

I’m certainly not ok with this at all, and I assume most people wouldn’t be. I skimmed through my Access Media contract and they do mention they have the right to ‘monitor’ the traffic across their network, however if by monitor they mean ‘conduct XSS injections against every user’ I know a lot of people will not be happy, especially with the current state of affairs regarding internet security and tracking.

I’ll let Kim DotCom explain why its important that this tracking does not happen:

Apparently similar behavior has been reported before by other ISPs:



I’ve sent an email to Access Media so we’ll see what their response is.

Comments on reddit


Must have Chrome Ext for Coders: Easy Code Selection

Not sure if this was a problem only I had but I used to get really frustrated when I’d copy a snippet from SO or similar, and I wouldn’t select all the code accidentally… have gotten one or two bugs from it before so thought I’d solve it once and for all. Check out the video above as I show how my chrome extension makes it so you can click on any code snippet and the whole snippet will be selected.

Install link.

Source code.

Day 6 of #30DaysofBlogging

#30DaysofBlogging – Day 0

I’ve been meaning to make a personal site for forever and a day. Today is the day.  I’m locked away in Blacksburg, Va for the entirety of winter break (aside from four days in Vegas!) and what better way to make use of the time than to build all the things I’ve always wanted to build. I’ve made a list of over 30 ideas/projects/tutorials that I can hopefully knock out one day at a time.

Here’s a sneak peek at some of the ideas:

  • A way to scroll web pages by just tilting your head,
  • A video journal of me creating a useful web app from scratch,
  • A platform for splitting the cost of college textbooks in half (really pumped for this),
  • A test to see if I can put together a decent looking website in a coffee break,
  • The meaning of life,
  • Thoughts on my siesta sleep schedule,
  • A way to make it look like you are really popular on facebook,
  • An app which counts down the seconds you have until death (spoiler: yes you’re going to die),
  • What resources I use to learn,
  • Learning how to 3D print jewelry,
  • A video journal of the upcoming MHacks Hackathon,
  • A way to make iPhone cases using your voice,
  • The launch of my new app (which aims to be the AirBnB for physical books),
  • Plus many, many more!

Hopefully I make it through the winter alive with a github account teeming with cool projects.

Hayden Lee

I write kickass software for small and large companies. You can find my code everywhere from the Rackspace Control Panel to Early Stage Startups, and design firms in Australia and the Cayman Islands. My work includes custom software, responsive web design, and consulting. Contact.