Hi there,
maybe you followed the Compulsory Routers topic in Germany during the last months [1] and even read my blog entry about the entanglements between Compulsory Routers and the latest NSA leaks [2].
tl;dr: Compulsory Routers are routers provided by Internet Service Providers which cannot be replaced because of technical or legal barriers. This causes on the one hand many problems with competition, technical innovation, and compatibility, but on the other hand also great security risks for everyone of us: If we and many others are forced to use one router model, ISPs create monocultures which can be attacked more easily by miscreants and special tools by intelligence agencies.
I know the situation in Germany pretty well because I worked on this issue. But gaining some knowledge of the ISPs' regulations in other countries is harder than I thought in the first place.
Could you please give me some insights if there are ISPs in your country with Compulsory Router policies? Or maybe you want to share your thoughts about this topic at all and the implications for Free Software users.
I'm looking forward to reading your replies!
Best, Max
[1] https://blogs.fsfe.org/mk/status-of-compulsory-routers-in-germany/ [2] http://blog.max-mehl.com/2014/why-free-choice-of-routers-is-an-unnegotiable-...
- -- Max Mehl - Free Software Foundation Europe (FSFE) - fsfe.org Schönhauser Allee 6/7, 10119, Berlin | Phone: +49-30-27595290 About me: http://fsfe.org/about/mehl | Blog: blog.max-mehl.com Support us: http://fsfe.org/support | Homepage: max-mehl.com
My blog entry about Swisscom backdooring their routers has been extremely popular
If it goes on in Switzerland then it can be happening anywhere
On 16.01.2014 14:58, Daniel Pocock wrote:
My blog entry about Swisscom backdooring their routers has been extremely popular
link?
If it goes on in Switzerland then it can be happening anywhere
Also in Switzerland: I'm presently using a Swisscom analog phone line (copper, self-powered, works without external electricity) and a provider called VTX, basically a reseller for Swisscom like all ISPs in Switzerland, I believe. I'm able to use any analog phones (even 50 year-old ones) and any analog modems/routers. (They are of course digital, but the line is called analog.)
Besides the freedom/security issues mentioned, I am able to switch it on and off at will in order to use less electricity or indeed use models which are more efficient, solar-powered, etc.
I want to switch to a different provider because VTX:
- use Credit Suisse banking
- use "dumbo"-advertising, always quoting speeds in "Megas" but not saying what "Megas" are
- try very hard to switch us to IP-telephones and more speed (which we do not need) without telling us the consequences, e.g. a compulsory locked-up router.
But from your experience, Daniel, switching to Swisscom would be just as bad.
Anybody Swiss here have a good alternative to either Swisscom or VTX?
Cheers, Theo
PS Cablecom UPC have just announced a nefarious scheme to provide free Wifi everywhere there are private Cablecom UPC routers, but *only* for Cablecom UPC customers.
On 17/01/14 11:49, theo.schmidt@wilhelmtux.ch wrote:
But from your experience, Daniel, switching to Swisscom would be just as bad.
Anybody Swiss here have a good alternative to either Swisscom or VTX?
I should have been more clear: I have the Swisscom router, yes. The backdoor is gone and it is no longer connected to Swisscom, I use it with Init7 http://www.init7.net
I am using their DSL service, I hear they have fibre in some cities
PS Cablecom UPC have just announced a nefarious scheme to provide free Wifi everywhere there are private Cablecom UPC routers, but *only* for Cablecom UPC customers.
This has already happened in other countries too
What is really needed is an independent router based or mesh solution to compete with that
The freedom box?
https://freedomboxfoundation.org/ http://en.wikipedia.org/wiki/FreedomBox
On 01/16/2014 02:55 PM, Max Mehl wrote: [...]
I have a fiber box, a so-called residential gateway or Home Access Gateway which supplies phone, Internet and TV.
Should that be considered as a compulsory router?
# Carsten Agger agger@modspil.dk [ 16. Jan 2014 @ 15:00 +0100]: [...]
It depends on whether you're able to replace the box given by the ISP completely without losing any functionality or being discriminated against in the usage of your services.
Maybe I was too imprecise in both my mail and the blog post, so here are some examples: Some ISPs in Germany are suspected to throttle certain services of competitors, or they disable the possibility to replace the (telephony) box to use other phones. Some of them cannot be replaced but are unable to give full IPv6 support. Some ISPs do not even give internet access data (i.e. PPPoE user and password) to replace just the internet modem, or they disallow flashing another firmware.
To be short: You have a Compulsory Router if you're not able to replace parts or all of your infrastructure needed for internet access and related services like VoIP/TV. If the ISP does not give you full privileges or information (or uses closed standards) for using completely different hardware, you have a Compulsory Router in your rooms.
Hope this explained it a little bit. I know, the topic is quite complex and you can go very deep into it (I wrote around 14 pages to our national network agency...), but I consider it very important.
Best, Max
On 01/16/2014 03:26 PM, Max Mehl wrote: [...]
Then I do have a compulsory router, I believe.
The ISP (which is also the phone and power company) has supplied fiber cables into the house. At the end of the fiber, there's a box which is not owned by me, but by them, and which they can service remotely.
(As far as I can tell there's no throttling, though, and as it supplies 60/60MB I haven't so far had any reason to be unhappy about it. I don't know why they do it that way, though).
# Carsten Agger agger@modspil.dk [ 16. Jan 2014 @ 16:03 +0100]:
Then I do have a compulsory router, I believe.
So even in Denmark (I guess?), that's a pity. Can I ask you which service provider you use? I just thought about adding all this information by you and others in this thread to the wiki page [1].
(As far as I can tell there's no throttling, though, and as it supplies 60/60MB I haven't so far had any reason to be unhappy about it. I don't know why they do it that way, though).
Well, at least in Germany some ISPs were suspected to prioritise their own services and to throttle other services (like streaming platforms) or simply not to support them (like other Dynamic DNS services). But going into detail means opening the net neutrality topic which is even more complicated. But you see, all these topics are connected somehow.
Best, Max
[1] https://wiki.fsfe.org/CompulsoryRouters
On 01/16/2014 04:12 PM, Max Mehl wrote:
So even in Denmark (I guess?), that's a pity. Can I ask you which service provider you use? I just thought about adding all this information by you and others in this thread to the wiki page [1].
I'm using Verdo Tele, which has a collaboration with www.waoo.dk/ - see http://www.verdo.dk/privat/kompetencer/tele.aspx
I'm undecided as what to think of it. On the one hand, it's a piece of equipment in my house which I can't control.
On the other hand, it's a gadget at the end of a fiber optical connection. I suppose there needs to be *some* device to convert that to Ethernet, and I don't know the technology well enough to know what my options are.
On the other hand, the box is clearly a part of *their* infrastructure, not as much of mine. When I moved into the house there were some problems with the box, and they had to take the "package" off it and put it back again. The "package" is the combination of Internet, phone and many or few TV channels chosen by the customer.
This means that they control which services they provide to me by a setting on that box. I think it's a little bit stupid that they choose to do so on a box in my house and not in a box on their own premises, but I'm too ignorant of the specific technology to be sure it's a bad choice.
But that clearly means that the box is *their* infrastructure, not mine - my infrastructure begins at the box' Ethernet, phone and TV outlets (and I've put up a wireless network behind it - am shopping for one which supports OpenVPN to connect to AirVPN or a similar privacy-conscious provider. The Ethernet has a public IPv4 address so there's no NAT issue. I haven't tested IPv6.)
So in that respect, I think that security and privacy wise I'm no worse off than if they'd placed their infrastructure on their own premises. Then there's the environmental thing - their box consumes about 10W of power and is always on, and that does cost me (30€ a year, I believe) and is undesirable.
But well, feel free to comment. The compulsory router issue is new for me, and I'm unsure about the issues.
Best, Carsten
I think that if the router could be a bridge (making it no more than an ADSL interface) I would not care much as I can isolate it from my network using my own choice of router.
If it were stuck as a router then I would be annoyed, although I could insert a bridge between their router and my network.
Sam
I'm undecided as what to think of it. On the one hand, it's a piece of equipment in my house which I can't control. [...]
On the other hand, the box is clearly a part of *their* infrastructure, not as much of mine.
[...]
So in that respect, I think that security and privacy wise I'm no worse off than if they'd placed their infrastructure on their own premises.
I think your analysis is correct.
But well, feel free to comment. The compulsory router issue is new for me, and I'm unsure about the issues.
The compulsory router is a serious issue, but I agree it doesn't apply to your use case. As you say, there must be a line between the service provider and the service customer. In your case, the line is at the near end of the "router" (i.e., the router is theirs). And you can connect what you want to the outlets, so you have your own wireless, your own telephone set and your own tv set. That's right.
I think satellite tv is similar: the decoder is theirs.
The issue blessed "compulsory routers" is different: with a normal DSL line the situation is similar to old telephone or power lines: the company offers a cable that carries data or power and you use those resources as you want. Own phone recording tools, own UPS, own microwave oven and cordless device, etc. Sure the phone number and power limits are agreed by contract and are limited, but the limit is on the far end of the cable. The line between theirs and mine is at the local end of the cable, before the equipment (for power, after the circuit safety breaker, to prevent disruption of the far end).
A DSL line is the same: the PPPoE being provided is a general-purpose service, that can be exploited in several ways, without disrupting the far end. Just like I wouldn't accept a mandatory phone set on my desk or a mandatory microwave oven, I don't accept a compulsory router.
Sure I can accept a "complimentary" microwave oven from the power company or a complimentary PBX from the phone company, and even the option to rent each of them, as long as I control those devices. Thus, providers that offer a router for an extra cost or give you the router included in the base contract are fine for me, as long as the thing is under my control.
I refuse a phone that lowers voice volume when connecting to certain regions or an oven that denies cooking unhealthy meals. Similarly, I refuse to be unable to control the data sent to and from their equipment (the remote one).
It's mainly a matter of net neutrality, which turns out being a matter of freedom. But a freedom that's easy to circumvent, by contractual offers: people accept a black box in their cars to pay less insurance costs, they would accept mandatory healthy-only ovens or night-only lamps if that would decrease the cost of a kWh, they accept mandatory routers if the cost of the dsl line is less.
The problem with routers is worse, because the difference between Carsten's very-high-tech and not-yet-standard device and my very-standard DSL signalling to a conventional owned router[1] is tiny to most people. Technology is more and more depicted as black magic, a picture well received by non-technical people. So I expect soon to be unable to ssh out of a friend's Ethernet because of a limited device -- but the limit may well be on the far side of the cable, and it would make no difference.
So yes, compulsory routers are an issue, but mainly an issue of net neutrality. And such neutrality is a concern for so little a fraction of the user base, that it is going to be a very difficult battle.
/alessandro, too verbose as usual
[1] I told a half lie: my router is actually theirs because it includes telephone services, but I chose a company that gives me full access to the local device. So am I affected by the compulsory router illness or not?
On Fri, 2014-01-17 at 11:36 +0100, Alessandro Rubini wrote:
[1] I told a half lie: my router is actually theirs because it includes telephone services, but I chose a company that gives me full access to the local device. So am I affected by the compulsory router illness or not?
I choose this method:
[my network]--[my router]--[ISP box]--[internet]
Initially the ISP box was a full router managed by the ISP, but I changed it with a dumb cable modem that the ISP controls, and manage my own router now. So technically the ISP box is sort of compulsory, but it doesn't affect me, as I simply do not trust it and put my own router downstream.
Simo.
# Carsten Agger agger@modspil.dk [ 17. Jan 2014 @ 10:41 +0100]:
I'm using Verdo Tele, which has a collaboration with www.waoo.dk/ - see http://www.verdo.dk/privat/kompetencer/tele.aspx
Thanks for that, I'll add it to the wiki soon.
On the other hand, it's a gadget at the end of a fiber optical connection. I suppose there needs to be *some* device to convert that to Ethernet, and I don't know the technology well enough to know what my options are.
In most cases, these are standardised technologies: PPPoE, PPPoA, PPTP, DOCSIS (and all should be Open Standards AFAIK). So another vendor would be able to build their own box to make internet access possible. Unfortunately, phones and TV are non-standardised in some cases, but at this point my technical knowledge ends as well...
I'm undecided as what to think of it. On the one hand, it's a piece of equipment in my house which I can't control. [...] But that clearly means that the box is *their* infrastructure, not mine - my infrastructure begins at the box' Ethernet, phone and TV outlets (and I've put up a wireless network behind it - am shopping for one which supports OpenVPN to connect to AirVPN or a similar privacy-conscious provider. The Ethernet has a public IPv4 address so there's no NAT issue. I haven't tested IPv6.)
Exactly this was the center of discussion in Germany: Where does the ISPs' infrastructure end and where does the customers' begin?
Many ISPs wanted their infrastructure to end at the box's ports where you can plug in your Ethernet, TV and phones. We wanted their infrastructure to end at the TAE connector [1], the port in the wall. Some of the most important reasons for our line of arguments were named in several emails in this thread, but the wiki should list them all [2].
But I understand your point if I haven't mistaken you: The first box "behind the wall" is critical because it converts the complex signals into something your equipment (TV, phones) understands. If something in the up- and downstream is wrong, the box may have to do with it. And with this box, they can control your access rights to different services. It's easier for most of the users, and for ISPs of course as well. And do not get me wrong: I think it's good that ISPs offer such services because it makes it easier for non-techies to get an internet connection and up-to-date technologies.
Whereas in my opinion, one should always have the possibility to throw out all "untrusted" devices and only plug in his own technology without losing any functionality. And at this point, it should not matter what the reasons are: security concerns, environmental or ecological ones, ethical issues or compatibility problems.
The downside of this whole topic is the complexity (just have a look at the mass of mails in this thread), and the fact that most of the people do not want to have the free choice, so it's hard to address the public. The upside is that you have hardware producers and vendors, very technical people and IT magazines on your side and that you can argue with many different points, depending on the people you talk with.
Thanks for your thoughts, Carsten. I really enjoy the exchange of opinions here!
Best, Max
[1] https://en.wikipedia.org/wiki/TAE_connector [2] https://wiki.fsfe.org/CompulsoryRouters
On 16 January 2014 13:55, Max Mehl max.mehl@fsfe.org wrote:
Could you please give me some insights if there are ISPs in your country with Compulsory Router policies? Or maybe you want to share your thoughts about this topic at all and the implications for Free Software users.
I believe Sky Broadband used to require using their modem with their DSL. This was basically for supportability reasons - the less possible things to go wrong, the better they could supply a turnkey service. I understand you can in fact use a generic modem with their service now, though, since it's just generic DSL.
- d.
Hi David,
# David Gerard dgerard@gmail.com [ 16. Jan 2014 @ 15:18 +0100]:
I believe Sky Broadband used to require using their modem with their DSL. This was basically for supportability reasons - the less possible things to go wrong, the better they could supply a turnkey service. I understand you can in fact use a generic modem with their service now, though, since it's just generic DSL.
Sorry to ask but in which country did Sky Broadband do this? As far as I know, Sky operates in many European countries.
In fact, many ISPs do this for compatibility reasons. Some of them totally restrict replacing the modem/router/box by keeping the login credentials secret, some of them give no support at all if something goes wrong (even if the problem has nothing to do with the hardware used).
My personal opinion is that it's not basically bad that ISPs give routers by default to their customers. Of course, only one model makes maintainability easier and some customers do not even want to choose a router themselves. But some people do, and imagine the situation that the vendor of your router is suspected to install backdoors for western intelligence agencies - and you cannot switch the hard- or firmware. Is this a nightmare only for me?
Best, Max
On 16 January 2014 14:38, Max Mehl max.mehl@fsfe.org wrote:
Sorry to ask but in which country did Sky Broadband do this? As far as I know, Sky operates in many European countries.
I'm talking about the UK here.
In the UK, BT also sell a completely-supported but utterly locked modem. I have one here, a BT HomeHub 3. It's quite a nice router, and I'd like to jailbreak it ...
[...] imagine the situation that the vendor of your router is suspected to install backdoors for western intelligence agencies - and you cannot switch the hard- or firmware. Is this a nightmare only for me?
I'm not sure that's the most likely threat model - the NSA cracks catalogue lists cracks for generic Huawei modems. So we come to the problem of embedded systems that don't get security updates.
- d.
On 01/16/2014 03:38 PM, Max Mehl wrote: [...]
If you can change your router (ideally to one running only free software, using protocols specified by the ISP), you can protect yourself in the case where you trust your ISP, but not the router it supplies you.
In that scenario, if you don't trust your ISP all is lost unless you use VPN or Tor.
How to trust your ISP would be the "next problem" after getting rid of compulsory routers, I suppose.
# Carsten Agger agger@modspil.dk [ 16. Jan 2014 @ 16:11 +0100]: [...]
Yes, you're completely right. After the NSA leaks, the usage of Tor/VPN increased heavily and people started to secure their online privacy and security in different ways. But paradoxically fewer people care about their basic network security. One can also use plain HTTP instead of sophisticated anonymisation techniques if his "inner circle" is compromised. The leaks before the end of 2013 stated that the NSA successfully redirected network traffic to shadow servers with cloned content if the hardware is backdoored/insecure. So if your router isn't secure, your traffic isn't either, no matter which tools you use - Man-in-the-middle says hello.
I really hope the importance of this topic will be stressed in the upcoming months in some other IT magazines and on conferences.
Best, Max
-- Max Mehl - Free Software Foundation Europe (FSFE) - fsfe.org Schönhauser Allee 6/7, 10119, Berlin | Phone: +49-30-27595290 About me: http://fsfe.org/about/mehl | Blog: blog.max-mehl.com Support us: http://fsfe.org/support | Homepage: max-mehl.com
On 16/01/14 15:30, Max Mehl wrote:
> Yes, you're completely right. After the NSA leaks, the usage of Tor/VPN increased heavily and people started to secure their online privacy and security in different ways. But paradoxically fewer people care about their basic network security. One can also use plain HTTP instead of sophisticated anonymisation techniques if his "inner circle" is compromised. The leaks before the end of 2013 stated that the NSA successfully redirected network traffic to shadow servers with cloned content if the hardware is backdoored/insecure. So if your router isn't secure, your traffic is neither, no matter which tools you use - Man-in-the-middle says hello.
With proper certificate management practices, there is zero difference whether it is your NSA-compromised router or your ISP's NSA-compromised servers that attempt to snoop on you. The endpoints need to do the encryption, not some intermediary device.
Of course, compromised routers have implications beyond those of compromised ISP servers for LAN traffic, but assuming the use of strong cryptography, those have more to do with effectively having no firewall against certain agencies. If this concerns you and your ISP does not permit you to use your own router, you can always do ISP router @ home → your router and firewall @ home → LAN. However, chances are that NSA knows a vulnerability or two in your router, so you probably need a better plan if you are seriously worried about this. (Of course, breaking into non-backdoored routers on massive scale is most likely impossible, as some very clever people would probably spot the attacks and patch the attack vectors.) If you simply wish to stop making it easy for the NSA to snoop on your local traffic and your ISP is being a douche, just put your own router after the ISP's.
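The "ISP router @ home → your router and firewall @ home → LAN" layout above, written out as an nftables ruleset for the inner, self-owned router. This is an added example and not code from the list thread or from any of the participants; the interface names `wan0` (facing the ISP router) and `lan0` (facing the trusted LAN) are assumptions, and the ruleset treats the ISP router purely as an untrusted upstream host: it may only answer connections the LAN opened, plus the IPv6 neighbour-discovery messages the inner router needs to obtain an upstream address.

```shell
#!/bin/sh
# Added example, not from the original thread: generate an nftables ruleset
# for a self-owned router sitting behind a compulsory ISP router.
#
# Assumed topology (interface names are assumptions):
#   ISP router --[wan0]--> this router --[lan0]--> LAN
#
# Design: default-deny on input and forward. The ISP router gets no access to
# services on this box or to LAN hosts; it only sees replies to connections
# the LAN initiated. ND (router advertisements, neighbour solicitation and
# advertisement) is the one unsolicited upstream traffic class accepted,
# since conntrack does not track those ICMPv6 types and the inner router
# needs them to get a global IPv6 address from the ISP router.

inner_router_rules() {
    wan="${1:-wan0}"   # interface towards the ISP router (assumed name)
    lan="${2:-lan0}"   # interface towards the trusted LAN (assumed name)
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # ND from upstream, needed for IPv6 address configuration on $wan
        iif "$wan" icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        # the LAN side is trusted and may reach this router's own services
        iif "$lan" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # only LAN-originated connections may cross to the ISP router side
        iif "$lan" oif "$wan" accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        # hide LAN addresses behind this router's address on the ISP segment
        oif "$wan" masquerade
    }
}
EOF
}

# Stand-alone usage: print the ruleset for the given interfaces.
inner_router_rules "$@"
```

Load it with `sh double_router_rules.sh wan0 lan0 | nft -f -` on the inner router (assumed file name). Note what the ruleset does and does not buy you: nothing the ISP router originates reaches the LAN, but everything the LAN sends still passes through the ISP router in the clear unless the endpoints encrypt it, which is exactly the point made above about certificates.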
# Heiki "Repentinus" Ojasild repentinus@fsfe.org [ 16. Jan 2014 @ 16:44 +0100]:
> On 16/01/14 15:30, Max Mehl wrote:
>> The leaks before the end of 2013 stated that the NSA successfully redirected network traffic to shadow servers with cloned content if the hardware is backdoored/insecure. So if your router isn't secure, your traffic is neither, no matter which tools you use - Man-in-the-middle says hello.
>
> With proper certificate management practices, there is zero difference whether it is your NSA-compromised router or your ISP's NSA-compromised servers that attempt to snoop on you. The endpoints need to do the encryption, not some intermediary device.
On a technical and theoretical level, that's right. MITM isn't as easy as it sounds if proper certificate management practices are used. However, I would feel safer if I knew that I can check my router for security flaws and backdoors. Having attacks against some CAs and the knowledge/ignorance of average IT users in mind, using certificates/encryption does not seem to be the one and only solution for this problem in my opinion.
> If you simply wish to stop making it easy for the NSA to snoop on your local traffic and your ISP is being a douche, just put your own router after the ISP's.
True, we also had this idea when thinking about the implications of Compulsory Routers in Germany. The problem with this solution is that some things possibly won't work even if using another router behind the ISP's one. For example, some default routers do not allow port forwarding. One volunteer had problems with IPv6 even after using another router, because the default one did not support it completely. Some routers aren't even compatible with VPN, Tor and/or VoIP...
From the security perspective, this may be suitable somehow, from the compatibility, environmental, economical, and user-friendly perspective, Compulsory Routers are the devil in your house.
Best, Max
-- Max Mehl - Free Software Foundation Europe (FSFE) - fsfe.org Schönhauser Allee 6/7, 10119, Berlin | Phone: +49-30-27595290 About me: http://fsfe.org/about/mehl | Blog: blog.max-mehl.com Support us: http://fsfe.org/support | Homepage: max-mehl.com
On 16/01/14 16:07, Max Mehl wrote:
> From the security perspective, this may be suitable somehow, from the compatibility, environmental, economical, and user-friendly perspective, Compulsory Routers are the devil in your house.
All of those are valid reasons to support non-compulsory routers, and personally I prefer those reasons to the supposed security gains as the latter are minimal at best. :-)
* Carsten Agger:
> If you can change your router (ideally to one running only free software, using protocols specified by the ISP), you can protect yourself in the case where you trust your ISP, but not the router it supplies you.
The flip side is that if you can change your router, you may also be able to see which web sites your neighbor accesses. Shared media networks (mobile, broadband cable, and cheaply implemented DSL and metro Ethernet) tend to require regulated and deliberately crippled end devices to prevent that.
+ 2014-01-16 Thu 16:11, Carsten Agger agger@modspil.dk:
> How to trust your ISP would be the "next problem" after getting rid of compulsory routers, I suppose.
Or, instead of choosing to trust your master, be your own master. ;)