On 17/01/14 11:49, theo.schmidt@wilhelmtux.ch wrote:

Am 16.01.2014 14:58, schrieb Daniel Pocock:

...

My blog entry about Swisscom backdooring their routers has been extremely popular

link?

...

If it goes on in Switzerland then it can be happening anywhere

Also in Switzerland: I'm presently using a Swisscom analog phone line (copper, self-powered, works without external electricity) and a provider called VTX, basically a reseller for Swisscom like all ISPs in Sitzerland, I believe. I'm able to use any analog phones (even 50 year-old ones) and any analog modems/routers. (They are of course digital, but the line is called analog.)

Besides the freedom/security issues mentioned, I am able to switch it on and off at will in order to use less electricity or indeed use models which are more efficient, solar-powered, etc.

I want to switch to a different provider because VTX:

• use Credit Suisse banking
• use "dumbo"-advertising, always quoting speeds in "Megas" but now

saying what "Megas"

• try very hard to switch us to IP-telephones and more speed (which we

do not need) without telling us the consequences, e.g. a compulsory locked-up router.

But from your experience, Daniel, switching to Swisscom would be just as bad.

Anybody Swiss here have a good alternative to either Swisscom or VTX?

I should have been more clear: I have the Swisscom router, yes. The backdoor is gone and it is no longer connected to Swisscom, I use it with Init7 http://www.init7.net

I am using their DSL service, I hear they have fibre in some cities

Cheers, Theo

PS Cablecom UPC have just announced a nefarious scheme to provide free Wifi eveywhere there are private Cablecom UPC routers, but *only* for Cablecom UPC customers.

This has already happened in other countries too

What is really needed is an independent router based or mesh solution to compete with that

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On 01/16/2014 03:26 PM, Max Mehl wrote:

To be short: You have a Compulsory Routers, if you're not able to replace parts or everything of your infrastructure needed for internet access and related services like VoIP/TV. If the ISPs does not give you full privileges or information (or uses closed standards) for using completely different hardware, you have a Compulsory Router in your rooms.

Then I do have a compulsory router, I believe.

The ISP (which is also the phone and power company) has supplied fiber cables into the house. At the ender of the fiber, there's a box which is not owned by me, but by them, and which they can service remotely.

(As far as I can tell there's no throttling, though, and as it supplies 60/60MB I haven't so far had any reason to be unhappy about it. I don't know why they do it that way, though).

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On 01/16/2014 04:12 PM, Max Mehl wrote:

...

...

To be short: You have a Compulsory Routers, if you're not able to replace parts or everything of your infrastructure needed for internet access and related services like VoIP/TV. If the ISPs does not give you full privileges or information (or uses closed standards) for using completely different hardware, you have a Compulsory Router in your rooms.

...

Then I do have a compulsory router, I believe.

So even in Denmark (I guess?), that's a pity. Can I ask you which service provider you use? I just thought about adding all this information by you and others in this thread to the wiki page [1].

I'm using Verdo Tele, which have a collaboration with www.waoo.dk/ - see http://www.verdo.dk/privat/kompetencer/tele.aspx

I'm undecided as what to think of it. On the one hand, it's a piece of equipment in my house which I can't control.

On the other hand, it's a gadget at the end of a fiber optical connection. I suppose there need to me *some* device to convert that to Ethernet, and I don't know the technology well enough to know what my options are.

On the other hand, the box is clearly a part of *their* infrastructure, not as much of mine. When I moved into the house there was some problems with the box, and they had to take tha "package" off it and put it back again. The "package" is the combination of Internet, phone and many or few TV channels chosen by the customer.

This means that they control which services they provide to me by a setting on that box. I think it's a little bit stupid that they choose to do so on a box in my house and not in a box on their own premises, but I'm too ignorant of the specific technology to be sure it's a bad choice.

But that clearly means that the box is *their* infrastructure, not mine - my infrastructure begins at the box' Ethernet, phone and TV outlets (and I've put up a wireless network behind it - am shopping for one which supports OpenVPN to connect to AirVPN or a similar privacy-conscious provider. The Ethernet has a public IBv4 address so there's no NAT issue. I haven't tested IPv6.)

So in that respect, I think that security and privacy wise I'm no worse off than if they'd placed their infrastructure on their own premises. Then there's the environmental thing - their box consumes about 10W of power and is always on, and that does cost me (30€ a year, I believe) and is undesirable.

But well, feel free to comment. The compulsory router issue is new for me, and I'm unsure about the issues.

Best, Carsten

I'm undecided as what to think of it. On the one hand, it's a piece of equipment in my house which I can't control. [...]

On the other hand, the box is clearly a part of *their* infrastructure, not as much of mine.

[...]

So in that respect, I think that security and privacy wise I'm no worse off than if they'd placed their infrastructure on their own premises.

I think your analysis is correct.

But well, feel free to comment. The compulsory router issue is new for me, and I'm unsure about the issues.

The compulsory router is a serious issue, but I agree it doesn't apply to your use case. As you say, there must be a line between the service provider and the service customer. In your case, the line is at the near end of the "router" (i.e., the router is theirs). And you can connect what you want to the outlets, so so have your own wireless, your own telephone set and your own tv set. That's right.

I think satellite tv is similar: the decoder is theirs.

The issue blessed "compulsory routers" is different: with a normal DSL line the situation is similar to old telephone or power lines: the company offers a cable that carries data or power and you use those resources as you want. Owned phone recording tools, own ups, own microwave oven and cordless device, etc. Sure the phone number and power limits are agreed by contract and are limited, but the limit is on the far end of the cable. The line between theirs and mine is at the local end of the cable, before the equipment (for power, after the circuit safety breaker, to prevent disruption of the far end).

A DSL line is the same: the PPPoE being provided is a general-purpose service, that can be exploited in several ways, without disrupting the far end. Just like I wouldn't accept a mandatory phone set on my desk or a mandatory microwave oven, I don't accept a compulsory router.

Sure I can accept a "complimentary" microwave oven from the power company or a complimentary pbx from the phone company, and even the option to rent each of them, as long as I control those devices. Thus, providers that offer a router for an extra cost or give you the router included in the base contract are fine for me, as long as the thing is under my control.

I refuse a phone that lowers voice volume when connecting to certain regions or an oven that denies cooking unhealthy meals. Similarly, I refuse to be unable to control the data sent to and from their equipment (the remote one).

It's mainly a matter of net neutrality, which turns out being a matter of freedom. But a freedom that's easy to circumvent, by contractual offers: people accept a black box in their cars to pay less insurance costs, they would accept mandatory healthy-only ovens or night-only lamps if that would decrease the cost of a kWh, they accept mandatory routers if the cost of the dsl line is less.

The problem with routers is worse, because the difference between Carsten's very-high-tech and not-yet-standard device and my very-standard DSL signalling to a conventional owned router[1] is tiny to most people. Technology is more and more depicted as black magic, a picture well received by non-technical people. So I expect soon to be unable to ssh out of a friends ethernet because of a limited device -- but the limit may well be on the far side of the cable, and it would make no difference.

So yes, compulsory routers are an issue, but mainly an issue of net neutrality. And such neutrality is a concern for so little a fraction of the user base, that it is going to be a very difficult battle.

/alessandro, too verbose as usual

[1] I told an half lie: my router is actually theirs because it include telephone services, but I chose a company that gives me full access to the local device. So am I affected by the compulsory router illness or not?

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

# Carsten Agger agger@modspil.dk [ 17. Jan 2014 @ 10:41 +0100]:

On 01/16/2014 04:12 PM, Max Mehl wrote:

...

So even in Denmark (I guess?), that's a pity. Can I ask you which service provider you use? I just thought about adding all this information by you and others in this thread to the wiki page [1].

I'm using Verdo Tele, which have a collaboration with www.waoo.dk/ - see http://www.verdo.dk/privat/kompetencer/tele.aspx

Thanks for that, I'll add it to the wiki soon.

On the other hand, it's a gadget at the end of a fiber optical connection. I suppose there need to me *some* device to convert that to Ethernet, and I don't know the technology well enough to know what my options are.

In most cases, these are standardised technologies: PPPoE, PPPoA, PPTP, DOCSIS (and all should be Open Standards AFAIK). So another vendor would be able to build an own box to make internet access possible. Unfortunately, phones and TV is non-standardised in some cases, but at this point my technical knowledge ends as well...

I'm undecided as what to think of it. On the one hand, it's a piece of equipment in my house which I can't control. [...] But that clearly means that the box is *their* infrastructure, not mine - my infrastructure begins at the box' Ethernet, phone and TV outlets (and I've put up a wireless network behind it - am shopping for one which supports OpenVPN to connect to AirVPN or a similar privacy-conscious provider. The Ethernet has a public IBv4 address so there's no NAT issue. I haven't tested IPv6.)

Exactly this was the center of discussion in Germany: Where does the ISPs' infrastructure end and where does the customers' begin?

Many ISPs wanted their infrastructure end at the boxes ports where you can plug in your Ethernet, TV and phones. We wanted their infrastructure to end at the TAE connector [1], the port in the wall. Some of the most important reasons for our line of arguments were named in several emails in this thread, but the wiki should list them all [2].

But I understand your point if I haven't mistaken you: The first box "behind the wall" is critical because it converts the complex signals into something your equipment (TV, Phones) understands. If something in the up- and downstream is wrong, the box may have to do with it. And with this box, they can control you access rights to different services. It's easier for most of the users, and for ISPs of course as well. And do not get me wrong: I think it's good that ISP offer such services because it makes it easier for non-techies to get internet connection and up-to-date technologies.

Whereas in my opinion, one should always have to possibility to throw out all "untrusted" devices and only plug in his own technology without losing any functionality. And at this point, it should not matter what the reasons are: security concerns, environmental or ecological ones, ethical issues or compatibility problems.

The downside of this whole topic is the complexity (just have a look at the mass of mails in this thread), and the fact that most of the people do not want to have the free choice, so it's hard to address the public. The upside is that you have hardware producers and vendors, very technical people and IT magazines on your side and that you can argue with many different points, depending on the people you talk with.

Thanks for your thoughts, Carsten. I really enjoy the exchange of opinions here!

Best, Max

[1] https://en.wikipedia.org/wiki/TAE_connector [2] https://wiki.fsfe.org/CompulsoryRouters

- -- Max Mehl - Free Software Foundation Europe (FSFE) - fsfe.org Schönhauser Allee 6/7, 10119, Berlin | Phone: +49-30-27595290 About me: http://fsfe.org/about/mehl | Blog: blog.max-mehl.com Support us: http://fsfe.org/support | Homepage: max-mehl.com

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Hi David,

# David Gerard dgerard@gmail.com [ 16. Jan 2014 @ 15:18 +0100]:

On 16 January 2014 13:55, Max Mehl max.mehl@fsfe.org wrote:

...

Could you please give me some insights if there are ISPs in your country with Compulsory Router policies? Or maybe you want to share your thoughts about this topic at all and the implications for Free Software users.

I believe Sky Broadband used to require using their modem with their DSL. This was basically for supportability reasons - the less possible things to go wrong, the better they could supply a turnkey service. I understand you can in fact use a generic modem with their service now, though, since it's just generic DSL.

Sorry to ask but in which country did Sky Broadband do this? As far as I know, Sky operates in many european countries.

In fact, many ISPs do this for compatibility reasons. Some of them totally restrict replacing the modem/router/box by keeping the login credetials secret, some of them give no support at all if something goes wrong (even if the problem has nothing to do with the hardware used).

My personal opinion is that it's not basically bad that ISPs give routers by default to their customers. Of course, only one model makes maintainability easier and some customers do not even want to choose a router theirselves. But some people do, and imagine the situation that the vendor of your router is suspected to install backdoors for western intelligence agencies - and you cannot switch the hard- or firmware. Is this a nightmare only for me?

Best, Max

- -- Max Mehl - Free Software Foundation Europe (FSFE) - fsfe.org Schönhauser Allee 6/7, 10119, Berlin | Phone: +49-30-27595290 About me: http://fsfe.org/about/mehl | Blog: blog.max-mehl.com Support us: http://fsfe.org/support | Homepage: max-mehl.com

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

On 01/16/2014 03:38 PM, Max Mehl wrote:

My personal opinion is that it's not basically bad that ISPs give routers by default to their customers. Of course, only one model makes maintainability easier and some customers do not even want to choose a router theirselves. But some people do, and imagine the situation that the vendor of your router is suspected to install backdoors for western intelligence agencies - and you cannot switch the hard- or firmware. Is this a nightmare only for me?

If you can change your router (ideally to one running only free software, using protocols specified by the ISP), you can protect yourself in the case where you trust your ISP, but not the router it supplies you.

In that scenario, if you don't trust your ISP all is lost unless you use VPN or Tor.

How to trust your ISP would be the "next problem" after getting rid of compulsory routers, I suppose.

On 16/01/14 15:30, Max Mehl wrote:

Yes, you're completely right. After the NSA leaks, the usage of Tor/VPN increased heavily and people started to secure their online privacy and security in different ways. But paradoxically less people care about their basic network security. One can also use plain HTTP instead of sophisticated anonymisation techniques if his "inner circle" is compromised. The leaks before the end of 2013 stated that NSA successfully redirected network traffic to shadow servers with cloned content if the hardware is backdoored/insecure. So if your router isn't secure, your traffic is neither, no matter which tools you use - Man-in-the-middle says hello.

With proper certificate management practices, there is zero difference whether your router compromised by the NSA or your ISP's servers compromised by the NSA attempt to snoop on you. The endpoints need to do the encryption, not some intermediary device.

Of course, compromised routers have implications beyond those of compromised ISP servers for LAN traffic, but assuming the use of strong cryptography, those have more to do with effectively having no firewall against certain agencies. If this concerns you and your ISP does not permit you to use your own router, you can always do ISP router @ home → your router and firewall @ home → LAN. However, chances are that NSA knows a vulnerability or two in your router, so you probably need a better plan if you are seriously worried about this. (Of course, breaking into non-backdoored routers on massive scale is most likely impossible, as some very clever people would probably spot the attacks and patch the attack vectors.) If you simply wish to stop making it easy for the NSA to snoop on your local traffic and your ISP is being a douche, just put your own router after the ISP's.

On 16/01/14 16:07, Max Mehl wrote:

• From the security perspective, this may be suitable somehow, from the

compatibility, environmental, economical, and user-friendly perspective, Compulsory Routers are the devil in your house.

All of those are valid reasons to support non-compulsory routers, and personally I prefer those reasons to the supposed security gains as the latter are minimal at best. :-)

+ 2014-01-16 Thu 16:11, Carsten Agger agger@modspil.dk:

How to trust your ISP would be the "next problem" after getting rid of compulsory routers, I suppose.

Or, instead of choosing to trust your master, be your own master. ;)

http://www.diyisp.org/