Thursday, September 19, 2013

AliExpress Buyer Protection is Useless

Hong Kong Hongyuan Cree Lighting Co., LTD sold defective LEDs and refuses to respond to any messages concerning their product. Likewise, AliExpress, the company which served as a clearinghouse for the transaction, is remaining silent despite requests for assistance.

Inside a GU-10 LED Fixture
In July I began a quest to convert all of the lighting in my house to LEDs. Most of the fixtures I have use halogen bulbs and are hooked to wirelessly controllable dimmers. So I began to investigate what would need to be done to switch to LEDs while keeping the same functionality. I first replaced my dimmer switches with ones which would work with LEDs and then began to look for LED bulbs.

I couldn't find many dimmable GU-10 LED bulbs on the shelves of stores here in the US, so I navigated to AliExpress.com to find a supplier from outside the US. The site had an abundance of suppliers providing every imaginable combination of brightness, color temperature, and form factor. 

Cree Inc. Logo
Months prior to this, at the beginning of the year, I ordered ten 15W Cree branded GU-10 dimmable LEDs from the supplier ShenZhen Kinglong E-commerce Co., Ltd. on AliExpress.com. I replaced the halogens in one room of my house with these in order to evaluate them, and was overall very pleased with their performance. This led me to look for the same type of product for the remainder of my house.

The wrong place to buy LEDs
Unfortunately, this time around I wanted to order both warm white and cool white bulbs in a larger quantity, and the previous supplier didn't offer the exact combination I needed. I found that the vendor Hong Kong Hongyuan Cree Lighting Co., LTD was offering the products I needed.

Product Description on AliExpress.com
On the product page Hong Kong Hongyuan Cree Lighting Co., LTD describes the lights I ordered as lasting an average of 100,000 hours, being fully dimmable, and working between 85 - 265 volts. Of the 25 LEDs I ordered, 10 stopped working after less than 24 hours of usage.

One dead LED
As the LEDs continued to fail each day, I contacted Hong Kong Hongyuan Cree Lighting Co., LTD. and asked for replacement bulbs or a refund. After two days of no response, I began to look into my options for opening a dispute. However, because I had already confirmed that I received the product in an acceptable condition on the AliExpress website, I was no longer allowed to open a dispute. I contacted AliExpress directly, asking for assistance, but no one has responded.

The AliExpress Logo
This highlights a key problem with ordering from remote suppliers: they do not have any incentive to maintain good customer relationships. Marketplaces like AliExpress are supposedly able to mitigate this effect, but as you can see, when a situation extends beyond their automated system for dispute they exert no effort to provide assistance. 

Here's my advice to anyone planning to order from AliExpress.com:

1. Don't buy from Hong Kong Hongyuan Cree Lighting Co., LTD. 

2. Don't confirm you have received the product until the last possible moment.

3. Don't put your faith in companies on AliExpress doing the "right" thing.

4. Don't expect AliExpress to help if it falls outside of their automated system.

As for me, I definitely won't be buying from Hong Kong Hongyuan Cree Lighting Co., LTD again. I'll also remember that AliExpress should be approached with caution and without expectations of good customer service.

Friday, May 10, 2013

Adobe says "NO" to canceling Creative Cloud membership

Today, while trying to cancel my Adobe Creative Cloud membership, before it auto-renews for another year, my request was denied by Adobe without explanation. This is alarming, as the contract I agreed to when I signed up for Adobe's Creative Cloud service assured me that I could cancel at anytime.



This all started when I received an email on April 10, informing me that my membership would soon expire, and would be automatically renewed on May 10. Adobe wanted me to renew at a continued rate of $29.99 per month, their standard price for students and teachers. I like Adobe products and have used them for years, but at $29.99 per month this amounts to about $400 a year spent on their products. It's totally reasonable if you use all of their products, but I really only use Photoshop, and I own an older version that gets the job done just fine. So I decided I would say goodbye to the luxury of Adobe Creative Cloud for a while.

 You may cancel your plan at any time by accessing your Account information on the Creative Cloud site or by calling your regional Adobe customer service center.

Trusting the above language from the Adobe Subscription Terms, I headed to Adobe's website to cancel my account. There I was told that I had to "chat" with a customer service representative to cancel. I clicked on chat, and waited about 4 minutes for a representative. When one finally responded, here's what happened:



First, despite entering my Adobe ID before entering the chat, they still requested it, ok, not a big deal. Next, they asked for an order number, which I wasn't sure about. I pulled up my list of orders on Adobe's site and saw there was one order for each month of service, each with a unique number. I chose the most recent one. After thinking about it for 10 minutes or so, the customer service representative responded, that they could not cancel the order because it was "in process". The representative then promised to "escalate" the issue and give me a response in 24-48 hours.

This whole situation is just ridiculous. Why can't Adobe just have a cancel button that cancels your subscription? Why can't Adobe's customer service reps cancel your subscription when you ask? I am posting this so that future Creative Cloud subscribers will know what they're getting into: selling their soul to Adobe.

Tuesday, April 9, 2013

Assistant to the injected ads: Google Inc.?

A quick look at the servers involved in the CMA / R66T Ad Injections

Up until this point I have only posted screenshots of the advertisement injections taking place on the CMA Communications network. Obviously other evidence of these practices has been collected. To shed some light on who exactly is assisting in the delivery of these ads, I’d like to share some details of a bit of investigating I did trying to find the provider of the injected ads. (Please note I am not an expert in this field and these are my exploratory notes. They should not be taken as confirmed evidence.)

For the truly adventurous, I’ve discovered that you can visit the URL: 


from just about any network and experience the banner ads for yourself. If this link stops working, or you’d prefer not to embark upon the journey yourself, here’s what you would find if you did:

Stop 1 - adserver.adtechus.com (207.200.74.32)

The first stop is at a server which is registered to surprise, AOL Inc. 
















and all it seems to do is serve up another JavaScript injection, using the code:











Stop 2 - as.casalemedia.com (209.18.46.41)

Casale Media is a premiere creator of spiffy banner advertisements, like the ones used by R66T. Though their domain registration indicates they are in Toronto, their website shows that they have six additional locations across the US and Canada.









Their server presents an iframe injection and some nice tracking images:







Stop 3 - cdn.optmd.com (128.242.186.216)

Another “premiere solution” for ad placement, Optimax Media Delivery has a domain registered to a Santa Monica, California address:










their server offers up the following code:










Stop 4 - ad.doubleclick.net (173.194.46.27)

Uh,oh.... it looks like we ultimately arrive at doubleclick.net, which in case you didn’t know is registered to non other than:








I will stop at this point and allow you to ponder this a bit. My personal hope and belief is that Google is not aware that they may be assisting in the delivery of advertisements bound for injections. Although I must say, “Apple v Google” has an familiar ring to it (that’s a joke by the way). 

* Please note this is just the route for one of the advertisements delivered by R66T LLC, this is one of many routes and DoubleClick and others are likely unaware of their affiliation with these activities. Additionally, further investigation is required to determine the validity of DoubleClick or any other named entity being involved in advertisement injection, the information here is exploratory in nature and does not reflect knowledge of contracts or partnerships between any of the named parties.  *









Friday, April 5, 2013

An Update on CMA Communications' Ad Injection Practices

Part of the new "Acceptable Use Policy" of CMA Communications - Added April 4, 2013


Thanks to the intelligent and rational nature of Redditors, the post which detailed CMA Communications' injection of advertisements into their paying customer's HTTP requests received quite a bit of attention. I'd like to provide you with an update on what has occurred since then:


1. I've contacted several of the media outlets suggested, only one has responded and they seem to have backed out of running the story. (Update 4/7/2013: ArsTechnica is now running an article about the injections: http://arstechnica.com/tech-policy/2013/04/how-a-banner-ad-for-hs-ok).


2. I've contacted a few major companies which have affected websites, but none have responded. 


3. The FCC has responded that this is not something they can help with.


4. A complaint with the FTC has been submitted, but they note that they do not act on individual consumer complaints.


5. On April 4, CMA Communications updated their "Acceptable Use Policy" to include a new section which covers their injection practices. It is here: http://www.cmaaccess.com/Internet/acceptable-use-policy/ (Section 10). In my opinion it is a frightening read and I'd encourage you to take a look.


Overall, no progress has been made towards changing the questionable practices of this ISP. Being just one person with no ties to journalists or the major companies affected, I seem to have exhausted all of my avenues. So I'm asking for your help in this.

If you have ties with anyone who might be able to assist with this situation, the many customers of CMA Communications would be very appreciative of anything they could do. I am happy to provide answers to any questions, as well as evidence of the injection practices. Feel free to contact me using my gmail email address, which is zhenkel.

The one thing I would like to emphasize is that in many of the areas served by CMA Communications, they are likely to be the only broadband provider. This means customers would need to revert to dialup internet to make a point, which is a difficult choice to make for many.

TO Redditors:
In the spirit of good Reddiquette, I'd like to assure you that I have been a regular member of the community for a little over a year now. Unfortunately, I did not want my username linked to my real world identity, so I created a new account to submit this story. I would like to assure you that this is my last submission of this nature, and I am not looking to use the community as my soapbox. Thank you all for bringing your expertise and suggestions to this issue.

Friday, March 29, 2013

ISP Advertisement Injection - CMA Communications

Apple Inc. endorsing H&R Block with a beautiful bright green banner ad, compliments of CMA Communications.

Tired from the day’s events and travel, I had planned to quickly look up the specifications of a Mac Mini, respond to a few emails and then get some sleep. But as Apple.com rendered in my browser, I realized I was in for a long night. What I saw was something that would make both designers and computer programmers wince with great displeasure. At the bottom of the carefully designed white and grey webpage, appeared a bright neon green banner advertisement proclaiming: “File For Free Online, H&R Block”. I quickly deduced that either Apple had entered in to the worst cross-promotional deal ever, or my computer was infected with some type of malware. Unfortunately, I would soon discover there was a third possibility, something much worse.

Assuming I had somehow managed to install malware on my MacBook Pro, running OS X, I quickly turned off the wifi connection and began to investigate. I was visiting my parents for spring break, so I moved to one of their computers to run internet searches while I examined the evidence on my Mac. Opening Chrome, I was directed to Bing.com. I laughed to myself briefly, thinking: “who uses Bing?”, and then realized I was a computer science grad student who had managed to get malware on a Mac, so I wasn’t in a position to judge. But, just as I was about to navigate to Google, I noticed something familiar. At the bottom of Bing.com, there it sat, a banner advertisement in orange in white for AT&T Wireless. It was identical in positioning and size to the one on my Mac.

Bing sporting a classy AT&T Wireless Ad, courtesy of CMA Communications
I pulled out my phone, which runs an Android operating system, and navigated this time to Yahoo.com. At the bottom of the page: a misplaced banner ad which matched the proportions of the others. I am not great at statistics, but I was fairly certain the probability of identical malware on all of these devices was low. So, I moved to thing that these devices all shared: the same wireless network. 

I turned off wifi on my phone, and refreshed the Yahoo.com page. This time no banner ad. I refreshed a few more times, checked a few other sites, all was well. As soon as the phone was back on wifi, the banner ads appeared again, I had found the source. I pulled up the web inspector in Chrome and examined the source of a page which had the ad. Appended to the very end of the HTML file for the webpage, was a single line which called to r66t.com for a JavaScript file. 

This small line of code, added by CMA Communications wreaks havoc on most websites.

I investigated further and realized that the JavaScript file would not only place banner ads at the bottom of pages, but also replace existing advertisements on the page with new advertisements (sometimes even for a competing product). This was an aggressive move by someone, but who?

What's that Huffington Post? You sold ad space on your site? So did we! - CMA Communications

I needed to rule out that my parent’s router hadn’t somehow been compromised to modify websites. I hadn’t ever seen router malware in the wild, but I supposed with some effort it would be possible. First though, I ran a traceroute to see the route my internet requests were taking. There it was: an extra stop at a private IP address. I was soon able to show that HTTP internet traffic was being routed through a Squid proxy server.

A small tag that let's us know what CMA Communications is up to.

The proxy server had been setup by a company, R66T, that specializes in a few things, one being advertisement injection into webpages. I was soon able to confirm with one other person (via Reddit) using the same internet service provider that they were seeing the uninvited advertisements too. It was apparent at this point, that my parent’s ISP, CMA Communications, had started injecting advertisements into websites requested by their customers. I felt dissatisfied to say the least. So I spun into damage control mode, blocking all R66T owned domains on our network and preparing for battle the next day.

You might not be surprised to know that CMA Communications won’t confirm or deny that they are injecting advertisements into their customer’s web traffic. You also could probably guess that there aren’t any regulatory agencies that care either and that a complaint to the Better Business Bureau is not an effective remedy to the situation. Nor does the Electronic Frontier Foundation have resources or desire to assist in a case like this. But, I think there are some entities who should care. Who? How about Apple or Microsoft? It is their trademarks and brands which are being tarnished by this scheme. When a naive user experiences a bright green banner ad on an otherwise pristine Apple.com, they do not understand that Apple is not responsible for the content. After all, Apple must be endorsing H&R Block, as it’s right there on their website, with their logo next to it.  

Target's color scheme actually fits the Verizon ad placed by CMA Communications
For those of you who are still skeptical of this situation: suppose I started an advertising company based around the idea of me putting one company’s ad next another company’s logo, without their agreement. To take it further, suppose I started a service which opened people’s mail before it got to them, carefully replaced all the advertisements inside with different ones, and then sealed it back up and delivered it as if the original sender intended for it to be that way. I would probably go to jail for something like this. So why is CMA Communications allowed to perform a similar process in the digital world, without consequence? 

Oh, you sold ad space to Allstate? Here, let me cover that with our Progressive Ad. - CMA Communications

I would urge anyone who may be in a similar situation to file complaints, and let your voice be heard. If CMA Communications succeeds at this venture, it is certain that more ISPs will join in.  

UPDATE: For the super curious, here's a zip file of many more affected sites, as well as the BBB complaint info and the FCC complaint and response. Download it at: https://zmhenkel.com/CMAInjection.zip

Below are screenshots of a couple more of the many websites that are being actively modified by CMA Communications:

Amazon.com, ads by CMA Communications
LinkedIn proudly endorses Verizon. Thanks CMA Communications!