Discussion:
Compulsory Routers in your country
Max Mehl
2014-01-16 13:55:10 UTC
Hi there,

maybe you followed the Compulsory Routers topic in Germany during the last
months [1] and even read my blog entry about the entanglements between
Compulsory Routers and the latest NSA leaks [2].

tl;dr:
Compulsory Routers are routers provided by Internet Service Providers which
cannot be replaced because of technical or legal barriers. This causes on the
one hand many problems with competition, technical innovation, and
compatibility, but on the other hand also great security risks for every one of
us: If we and many others are forced to use one router model, ISPs create
monocultures which can be attacked more easily by miscreants and special tools
by intelligence agencies.

I know the situation in Germany pretty well because I worked on this issue.
But gaining some knowledge of the ISPs' regulations in other countries is
harder than I thought in the first place.

Could you please give me some insights if there are ISPs in your country with
Compulsory Router policies? Or maybe you want to share your thoughts about
this topic at all and the implications for Free Software users.

I'm looking forward to reading your replies!

Best,
Max


[1] https://blogs.fsfe.org/mk/status-of-compulsory-routers-in-germany/
[2] http://blog.max-mehl.com/2014/why-free-choice-of-routers-is-an-unnegotiable-must/

--
Max Mehl - Free Software Foundation Europe (FSFE) - fsfe.org
Schönhauser Allee 6/7, 10119, Berlin | Phone: +49-30-27595290
About me: http://fsfe.org/about/mehl | Blog: blog.max-mehl.com
Support us: http://fsfe.org/support | Homepage: max-mehl.com
Daniel Pocock
2014-01-16 13:58:45 UTC
My blog entry about Swisscom backdooring their routers has been
extremely popular

If it goes on in Switzerland then it can be happening anywhere
theo.schmidt
2014-01-17 10:49:52 UTC
Post by Daniel Pocock
My blog entry about Swisscom backdooring their routers has been
extremely popular
link?
Post by Daniel Pocock
If it goes on in Switzerland then it can be happening anywhere
Also in Switzerland: I'm presently using a Swisscom analog phone line
(copper, self-powered, works without external electricity) and a
provider called VTX, basically a reseller for Swisscom like all ISPs in
Switzerland, I believe. I'm able to use any analog phones (even 50
year-old ones) and any analog modems/routers. (They are of course
digital, but the line is called analog.)

Besides the freedom/security issues mentioned, I am able to switch it on
and off at will in order to use less electricity or indeed use models
which are more efficient, solar-powered, etc.

I want to switch to a different provider because VTX:

- use Credit Suisse banking
- use "dumbo"-advertising, always quoting speeds in "Megas" but now
saying what "Megas"
- try very hard to switch us to IP-telephones and more speed (which we
do not need) without telling us the consequences, e.g. a compulsory
locked-up router.

But from your experience, Daniel, switching to Swisscom would be just as
bad.

Anybody Swiss here have a good alternative to either Swisscom or VTX?

Cheers, Theo

PS Cablecom UPC have just announced a nefarious scheme to provide free
Wifi everywhere there are private Cablecom UPC routers, but *only* for
Cablecom UPC customers.
Daniel Pocock
2014-01-17 13:02:42 UTC
Post by theo.schmidt
Post by Daniel Pocock
My blog entry about Swisscom backdooring their routers has been
extremely popular
link?
Post by Daniel Pocock
If it goes on in Switzerland then it can be happening anywhere
Also in Switzerland: I'm presently using a Swisscom analog phone line
(copper, self-powered, works without external electricity) and a
provider called VTX, basically a reseller for Swisscom like all ISPs
in Switzerland, I believe. I'm able to use any analog phones (even 50
year-old ones) and any analog modems/routers. (They are of course
digital, but the line is called analog.)
Besides the freedom/security issues mentioned, I am able to switch it
on and off at will in order to use less electricity or indeed use
models which are more efficient, solar-powered, etc.
- use Credit Suisse banking
- use "dumbo"-advertising, always quoting speeds in "Megas" but now
saying what "Megas"
- try very hard to switch us to IP-telephones and more speed (which we
do not need) without telling us the consequences, e.g. a compulsory
locked-up router.
But from your experience, Daniel, switching to Swisscom would be just
as bad.
Anybody Swiss here have a good alternative to either Swisscom or VTX?
I should have been more clear: I have the Swisscom router, yes. The
backdoor is gone and it is no longer connected to Swisscom, I use it
with Init7
http://www.init7.net

I am using their DSL service, I hear they have fibre in some cities
Post by theo.schmidt
Cheers, Theo
PS Cablecom UPC have just announced a nefarious scheme to provide free
Wifi everywhere there are private Cablecom UPC routers, but *only* for
Cablecom UPC customers.
This has already happened in other countries too

What is really needed is an independent router based or mesh solution to
compete with that
Alessandro Rubini
2014-01-17 13:15:18 UTC
Post by Daniel Pocock
What is really needed is an independent router based or mesh solution to
compete with that
The freedom box?

https://freedomboxfoundation.org/
http://en.wikipedia.org/wiki/FreedomBox
Carsten Agger
2014-01-16 14:00:25 UTC
Post by Max Mehl
Hi there,
maybe you followed the Compulsory Routers topic in Germany during
the last months [1] and even read my blog entry about the
entanglements between Compulsory Routers and the latest NSA leaks
[2].
tl;dr: Compulsory Routers are routers provided by Internet Service
Providers which cannot be replaced because of technical or legal
barriers. This causes on the one hand many problems with
competition, technical innovation, and compatibility, but on the
other hand also great security risks for every one of us: If we and
many others are forced to use one router model, ISPs create
monocultures which can be attacked more easily by miscreants and
special tools by intelligence agencies.
I know the situation in Germany pretty well because I worked on
this issue. But gaining some knowledge of the ISPs' regulations in
other countries is harder than I thought in the first place.
Could you please give me some insights if there are ISPs in your
country with Compulsory Router policies? Or maybe you want to share
your thoughts about this topic at all and the implications for Free
Software users.
I have a fiber box, a so-called residential gateway or Home Access
Gateway which supplies phone, Internet and TV.

Should that be considered as a compulsory router?
Max Mehl
2014-01-16 14:26:49 UTC
I have a fiber box, a so-called residential gateway or Home Access Gateway
which supplies phone, Internet and TV.
Should that be considered as a compulsory router?
It depends on if you're able to replace the box given by the ISP completely
without losing any functionality or being discriminated in the usage of your
services.

Maybe I was too imprecise in both my mail and the blog post, so here's some
examples: Some ISPs in Germany are suspected to throttle certain services of
competitors, or they disable the possibility to replace the (telephony) box to
use other phones. Some of them cannot be replaced but are unable to give full
IPv6 support.
Some ISPs do not even give internet access data (i.e. PPPoE user and password)
to replace just the internet modem, or they disallow flashing another firmware.

To be short: You have a Compulsory Router if you're not able to replace
parts or everything of your infrastructure needed for internet access and
related services like VoIP/TV. If the ISP does not give you full privileges
or information (or uses closed standards) for using completely different
hardware, you have a Compulsory Router in your rooms.

Hope this explained a little bit. I know, the topic is quite complex and you
can go deep into depth (I wrote around 14 pages to our national network
agency...), but I consider it as very important.


Best,
Max

Carsten Agger
2014-01-16 15:03:49 UTC
Post by Max Mehl
To be short: You have a Compulsory Router if you're not able to
replace parts or everything of your infrastructure needed for
internet access and related services like VoIP/TV. If the ISP does
not give you full privileges or information (or uses closed
standards) for using completely different hardware, you have a
Compulsory Router in your rooms.
Then I do have a compulsory router, I believe.

The ISP (which is also the phone and power company) has supplied fiber
cables into the house. At the end of the fiber, there's a box which
is not owned by me, but by them, and which they can service remotely.

(As far as I can tell there's no throttling, though, and as it
supplies 60/60MB I haven't so far had any reason to be unhappy about
it. I don't know why they do it that way, though).
Max Mehl
2014-01-16 15:12:29 UTC
Post by Carsten Agger
Post by Max Mehl
To be short: You have a Compulsory Router if you're not able to replace
parts or everything of your infrastructure needed for internet access and
related services like VoIP/TV. If the ISP does not give you full
privileges or information (or uses closed standards) for using completely
different hardware, you have a Compulsory Router in your rooms.
Then I do have a compulsory router, I believe.
So even in Denmark (I guess?), that's a pity. Can I ask you which service
provider you use? I just thought about adding all this information by you and
others in this thread to the wiki page [1].
Post by Carsten Agger
(As far as I can tell there's no throttling, though, and as it supplies
60/60MB I haven't so far had any reason to be unhappy about it. I don't
know why they do it that way, though).
Well, at least in Germany some ISPs were suspected to prioritise their own
services and to throttle other services (like streaming platforms) or simply
don't support them (like other Dynamic DNS services). But going into detail
means opening the net neutrality topic which is even more complicated.
But you see, all these topics are connected somehow.

Best,
Max

[1] https://wiki.fsfe.org/CompulsoryRouters

Carsten Agger
2014-01-17 09:41:24 UTC
Post by Max Mehl
Post by Carsten Agger
Post by Max Mehl
To be short: You have a Compulsory Router if you're not able
to replace parts or everything of your infrastructure needed
for internet access and related services like VoIP/TV. If the
ISP does not give you full privileges or information (or uses
closed standards) for using completely different hardware, you
have a Compulsory Router in your rooms.
Then I do have a compulsory router, I believe.
So even in Denmark (I guess?), that's a pity. Can I ask you which
service provider you use? I just thought about adding all this
information by you and others in this thread to the wiki page [1].
I'm using Verdo Tele, which have a collaboration with www.waoo.dk/ -
see http://www.verdo.dk/privat/kompetencer/tele.aspx

I'm undecided as what to think of it. On the one hand, it's a piece of
equipment in my house which I can't control.

On the other hand, it's a gadget at the end of a fiber optical
connection. I suppose there needs to be *some* device to convert that
to Ethernet, and I don't know the technology well enough to know what
my options are.

On the other hand, the box is clearly a part of *their*
infrastructure, not as much of mine. When I moved into the house there
were some problems with the box, and they had to take the "package" off
it and put it back again. The "package" is the combination of
Internet, phone and many or few TV channels chosen by the customer.

This means that they control which services they provide to me by a
setting on that box. I think it's a little bit stupid that they choose
to do so on a box in my house and not in a box on their own premises,
but I'm too ignorant of the specific technology to be sure it's a bad
choice.

But that clearly means that the box is *their* infrastructure, not
mine - my infrastructure begins at the box' Ethernet, phone and TV
outlets (and I've put up a wireless network behind it - am shopping
for one which supports OpenVPN to connect to AirVPN or a similar
privacy-conscious provider. The Ethernet has a public IPv4 address so
there's no NAT issue. I haven't tested IPv6.)

So in that respect, I think that security and privacy wise I'm no
worse off than if they'd placed their infrastructure on their own
premises. Then there's the environmental thing - their box consumes
about 10W of power and is always on, and that does cost me (30? a
year, I believe) and is undesirable.

But well, feel free to comment. The compulsory router issue is new for
me, and I'm unsure about the issues.

Best,
Carsten
Sam Liddicott
2014-01-17 10:26:57 UTC
I think that if the router could be a bridge (making it no more than
an ADSL interface) I would not care much as I can isolate it from my
network using my own choice of router.

If it were stuck as a router then I would be annoyed, although I could
insert a bridge between their router and my network.

Sam
Max Mehl
2014-01-17 10:51:26 UTC
Post by Max Mehl
So even in Denmark (I guess?), that's a pity. Can I ask you which service
provider you use? I just thought about adding all this information by you
and others in this thread to the wiki page [1].
I'm using Verdo Tele, which have a collaboration with www.waoo.dk/ - see
http://www.verdo.dk/privat/kompetencer/tele.aspx
Thanks for that, I'll add it to the wiki soon.
On the other hand, it's a gadget at the end of a fiber optical connection.
I suppose there needs to be *some* device to convert that to Ethernet, and I
don't know the technology well enough to know what my options are.
In most cases, these are standardised technologies: PPPoE, PPPoA, PPTP, DOCSIS
(and all should be Open Standards AFAIK). So another vendor would be able to
build an own box to make internet access possible. Unfortunately, phones and
TV are non-standardised in some cases, but at this point my technical knowledge
ends as well...
I'm undecided as what to think of it. On the one hand, it's a piece of
equipment in my house which I can't control. [...] But that clearly means
that the box is *their* infrastructure, not mine - my infrastructure begins
at the box' Ethernet, phone and TV outlets (and I've put up a wireless
network behind it - am shopping for one which supports OpenVPN to connect
to AirVPN or a similar privacy-conscious provider. The Ethernet has a
public IPv4 address so there's no NAT issue. I haven't tested IPv6.)
Exactly this was the center of discussion in Germany: Where does the ISPs'
infrastructure end and where does the customers' begin?

Many ISPs wanted their infrastructure to end at the box's ports where you can
plug in your Ethernet, TV and phones. We wanted their infrastructure to end at
the TAE connector [1], the port in the wall.
Some of the most important reasons for our line of arguments were named in
several emails in this thread, but the wiki should list them all [2].

But I understand your point if I haven't mistaken you: The first box "behind
the wall" is critical because it converts the complex signals into something
your equipment (TV, Phones) understands. If something in the up- and
downstream is wrong, the box may have to do with it. And with this box, they
can control your access rights to different services.
It's easier for most of the users, and for ISPs of course as well. And do not
get me wrong: I think it's good that ISPs offer such services because it makes
it easier for non-techies to get internet connection and up-to-date technologies.

Whereas in my opinion, one should always have the possibility to throw out all
"untrusted" devices and only plug in his own technology without losing any
functionality. And at this point, it should not matter what the reasons are:
security concerns, environmental or ecological ones, ethical issues or
compatibility problems.

The downside of this whole topic is the complexity (just have a look at the
mass of mails in this thread), and the fact that most of the people do not
want to have the free choice, so it's hard to address the public.
The upside is that you have hardware producers and vendors, very technical
people and IT magazines on your side and that you can argue with many
different points, depending on the people you talk with.

Thanks for your thoughts, Carsten. I really enjoy the exchange of opinions here!


Best,
Max


[1] https://en.wikipedia.org/wiki/TAE_connector
[2] https://wiki.fsfe.org/CompulsoryRouters

Alessandro Rubini
2014-01-17 10:36:15 UTC
Post by Carsten Agger
I'm undecided as what to think of it. On the one hand, it's a piece of
equipment in my house which I can't control. [...]
On the other hand, the box is clearly a part of *their*
infrastructure, not as much of mine.
[...]
So in that respect, I think that security and privacy wise I'm no
worse off than if they'd placed their infrastructure on their own
premises.
I think your analysis is correct.
Post by Carsten Agger
But well, feel free to comment. The compulsory router issue is new
for me, and I'm unsure about the issues.
The compulsory router is a serious issue, but I agree it doesn't apply
to your use case. As you say, there must be a line between the
service provider and the service customer. In your case, the line is
at the near end of the "router" (i.e., the router is theirs). And you
can connect what you want to the outlets, so you have your own
wireless, your own telephone set and your own tv set. That's right.

I think satellite tv is similar: the decoder is theirs.

The issue blessed "compulsory routers" is different: with a normal DSL
line the situation is similar to old telephone or power lines: the
company offers a cable that carries data or power and you use those
resources as you want. Own phone recording tools, own UPS, own
microwave oven and cordless device, etc. Sure the phone number and
power limits are agreed by contract and are limited, but the limit is
on the far end of the cable. The line between theirs and mine is at
the local end of the cable, before the equipment (for power, after the
circuit safety breaker, to prevent disruption of the far end).

A DSL line is the same: the PPPoE being provided is a general-purpose
service, that can be exploited in several ways, without disrupting the
far end. Just like I wouldn't accept a mandatory phone set on my desk
or a mandatory microwave oven, I don't accept a compulsory router.

Sure I can accept a "complimentary" microwave oven from the power
company or a complimentary pbx from the phone company, and even the
option to rent each of them, as long as I control those devices.
Thus, providers that offer a router for an extra cost or give you the
router included in the base contract are fine for me, as long as the
thing is under my control.

I refuse a phone that lowers voice volume when connecting to certain
regions or an oven that denies cooking unhealthy meals. Similarly, I
refuse to be unable to control the data sent to and from their
equipment (the remote one).

It's mainly a matter of net neutrality, which turns out being a matter
of freedom. But a freedom that's easy to circumvent, by contractual
offers: people accept a black box in their cars to pay less insurance
costs, they would accept mandatory healthy-only ovens or night-only
lamps if that would decrease the cost of a kWh, they accept mandatory
routers if the cost of the dsl line is less.

The problem with routers is worse, because the difference between
Carsten's very-high-tech and not-yet-standard device and my
very-standard DSL signalling to a conventional owned router[1] is tiny to
most people. Technology is more and more depicted as black magic, a
picture well received by non-technical people. So I expect soon to be
unable to ssh out of a friend's ethernet because of a limited device --
but the limit may well be on the far side of the cable, and it would
make no difference.

So yes, compulsory routers are an issue, but mainly an issue of net
neutrality. And such neutrality is a concern for so little a fraction
of the user base, that it is going to be a very difficult battle.

/alessandro, too verbose as usual

[1] I told a half lie: my router is actually theirs because it includes
telephone services, but I chose a company that gives me full access to
the local device. So am I affected by the compulsory router illness
or not?
simo
2014-01-18 19:35:43 UTC
Post by Alessandro Rubini
[1] I told a half lie: my router is actually theirs because it includes
telephone services, but I chose a company that gives me full access to
the local device. So am I affected by the compulsory router illness
or not?
I choose this method:

[my network]--[my router]--[ISP box]--[internet]

Initially the ISP box was a full router managed by the ISP, but I
changed it with a dumb cable modem that the ISP controls, and manage my
own router now.
So technically the ISP box is sort of compulsory, but it doesn't affect
me, as I simply do not trust it and put my own router downstream.

Simo.

David Gerard
2014-01-16 14:18:49 UTC
Post by Max Mehl
Could you please give me some insights if there are ISPs in your country with
Compulsory Router policies? Or maybe you want to share your thoughts about
this topic at all and the implications for Free Software users.
I believe Sky Broadband used to require using their modem with their
DSL. This was basically for supportability reasons - the less possible
things to go wrong, the better they could supply a turnkey service. I
understand you can in fact use a generic modem with their service now,
though, since it's just generic DSL.


- d.
Max Mehl
2014-01-16 14:38:00 UTC
Hi David,
Post by Max Mehl
Could you please give me some insights if there are ISPs in your country
with Compulsory Router policies? Or maybe you want to share your thoughts
about this topic at all and the implications for Free Software users.
I believe Sky Broadband used to require using their modem with their DSL.
This was basically for supportability reasons - the less possible things to
go wrong, the better they could supply a turnkey service. I understand you
can in fact use a generic modem with their service now, though, since it's
just generic DSL.
Sorry to ask but in which country did Sky Broadband do this? As far as I know,
Sky operates in many European countries.

In fact, many ISPs do this for compatibility reasons. Some of them totally
restrict replacing the modem/router/box by keeping the login credentials
secret, some of them give no support at all if something goes wrong (even if
the problem has nothing to do with the hardware used).

My personal opinion is that it's not basically bad that ISPs give routers by
default to their customers. Of course, only one model makes maintainability
easier and some customers do not even want to choose a router themselves. But
some people do, and imagine the situation that the vendor of your router is
suspected to install backdoors for western intelligence agencies - and you
cannot switch the hard- or firmware. Is this a nightmare only for me?

Best,
Max

David Gerard
2014-01-16 14:43:46 UTC
Post by Max Mehl
Sorry to ask but in which country did Sky Broadband do this? As far as I know,
Sky operates in many european countries.
I'm talking about the UK here.

In the UK, BT also sell a completely-supported but utterly locked
modem. I have one here, a BT HomeHub 3. It's quite a nice router, and
I'd like to jailbreak it ...
Post by Max Mehl
My personal opinion is that it's not basically bad that ISPs give routers by
default to their customers. Of course, only one model makes maintainability
easier and some customers do not even want to choose a router themselves. But
some people do, and imagine the situation that the vendor of your router is
suspected to install backdoors for western intelligence agencies - and you
cannot switch the hard- or firmware. Is this a nightmare only for me?
I'm not sure that's the most likely threat model - the NSA cracks
catalogue lists cracks for generic Huawei modems. So we come to the
problem of embedded systems that don't get security updates.


- d.
Carsten Agger
2014-01-16 15:11:11 UTC
Post by Max Mehl
My personal opinion is that it's not basically bad that ISPs give
routers by default to their customers. Of course, only one model
makes maintainability easier and some customers do not even want to
choose a router themselves. But some people do, and imagine the
situation that the vendor of your router is suspected to install
backdoors for western intelligence agencies - and you cannot switch
the hard- or firmware. Is this a nightmare only for me?
If you can change your router (ideally to one running only free
software, using protocols specified by the ISP), you can protect
yourself in the case where you trust your ISP, but not the router it
supplies you.

In that scenario, if you don't trust your ISP all is lost unless you
use VPN or Tor.

How to trust your ISP would be the "next problem" after getting rid of
compulsory routers, I suppose.
Max Mehl
2014-01-16 15:30:44 UTC
If you can change your router (ideally to one running only free software,
using protocols specified by the ISP), you can protect yourself in the case
where you trust your ISP, but not the router it supplies you.
In that scenario, if you don't trust your ISP all is lost unless you use
VPN or Tor.
How to trust your ISP would be the "next problem" after getting rid of
compulsory routers, I suppose.
Yes, you're completely right.
After the NSA leaks, the usage of Tor/VPN increased heavily and people started
to secure their online privacy and security in different ways. But
paradoxically fewer people care about their basic network security. One can
also use plain HTTP instead of sophisticated anonymisation techniques if his
"inner circle" is compromised.
The leaks before the end of 2013 stated that NSA successfully redirected
network traffic to shadow servers with cloned content if the hardware is
backdoored/insecure. So if your router isn't secure, your traffic is neither,
no matter which tools you use - Man-in-the-middle says hello.

I really hope the importance of this topic will be stressed in the upcoming
months in some other IT magazines and on conferences.

Best,
Max

--
Max Mehl - Free Software Foundation Europe (FSFE) - fsfe.org
Schönhauser Allee 6/7, 10119, Berlin | Phone: +49-30-27595290
About me: http://fsfe.org/about/mehl | Blog: blog.max-mehl.com
Support us: http://fsfe.org/support | Homepage: max-mehl.com
Heiki "Repentinus" Ojasild
2014-01-16 15:44:44 UTC
Permalink
Post by Max Mehl
Yes, you're completely right.
After the NSA leaks, the usage of Tor/VPN increased heavily and people started
to secure their online privacy and security in different ways. But
paradoxically fewer people care about their basic network security. One can
also use plain HTTP instead of sophisticated anonymisation techniques if his
"inner circle" is compromised.
The leaks before the end of 2013 stated that NSA successfully redirected
network traffic to shadow servers with cloned content if the hardware is
backdoored/insecure. So if your router isn't secure, your traffic is neither,
no matter which tools you use - Man-in-the-middle says hello.
With proper certificate management practices, there is zero difference
whether your router compromised by the NSA or your ISP's servers
compromised by the NSA attempt to snoop on you. The endpoints need to do
the encryption, not some intermediary device.

Of course, compromised routers have implications beyond those of
compromised ISP servers for LAN traffic, but assuming the use of strong
cryptography, those have more to do with effectively having no firewall
against certain agencies. If this concerns you and your ISP does not
permit you to use your own router, you can always do ISP router @ home →
your router and firewall @ home → LAN. However, chances are that NSA
knows a vulnerability or two in your router, so you probably need a
better plan if you are seriously worried about this. (Of course,
breaking into non-backdoored routers on massive scale is most likely
impossible, as some very clever people would probably spot the attacks
and patch the attack vectors.) If you simply wish to stop making it easy
for the NSA to snoop on your local traffic and your ISP is being a
douche, just put your own router after the ISP's.
--
Heiki "Repentinus" Ojasild
FSFE Fellowship Representative
mailto:repentinus at fsfe.org
xmpp:repentinus at jabber.fsfe.org
http://blogs.fsfe.org/repentinus/
Max Mehl
2014-01-16 16:07:58 UTC
Permalink
Post by Heiki "Repentinus" Ojasild
Post by Max Mehl
The leaks before the end of 2013 stated that NSA successfully redirected
network traffic to shadow servers with cloned content if the hardware is
backdoored/insecure. So if your router isn't secure, your traffic is
neither, no matter which tools you use - Man-in-the-middle says hello.
With proper certificate management practices, there is zero difference
whether your router compromised by the NSA or your ISP's servers
compromised by the NSA attempt to snoop on you. The endpoints need to do
the encryption, not some intermediary device.
On a technical and theoretical level, that's right. MITM isn't as easy as it
sounds if proper certificate management practices are used. However, I would
feel safer if I knew that I can check my router for security flaws and backdoors.
Having attacks against some CAs and the knowledge/ignorance of average IT
users in mind, using certificates/encryption does not seem to be the one and
only solution for this problem in my opinion.
Post by Heiki "Repentinus" Ojasild
If you simply wish to stop making it easy for the NSA to snoop on your
local traffic and your ISP is being a douche, just put your own router
after the ISP's.
True, we also had this idea when thinking about the implications of Compulsory
Routers in Germany. The problem with this solution is that some things
possibly won't work even if using another router behind the ISP's one. For
example, some default routers do not allow port forwarding. One volunteer had
problems with IPv6 even after using another router, because the default one
did not support it completely. Some routers aren't even compatible with VPN,
Tor and/or VoIP...

From the security perspective, this may be suitable somehow, from the
compatibility, environmental, economical, and user-friendly perspective,
Compulsory Routers are the devil in your house.

Best,
Max

--
Max Mehl - Free Software Foundation Europe (FSFE) - fsfe.org
Schönhauser Allee 6/7, 10119, Berlin | Phone: +49-30-27595290
About me: http://fsfe.org/about/mehl | Blog: blog.max-mehl.com
Support us: http://fsfe.org/support | Homepage: max-mehl.com
Heiki "Repentinus" Ojasild
2014-01-16 16:11:43 UTC
Permalink
Post by Max Mehl
From the security perspective, this may be suitable somehow, from the
compatibility, environmental, economical, and user-friendly perspective,
Compulsory Routers are the devil in your house.
All of those are valid reasons to support non-compulsory routers, and
personally I prefer those reasons to the supposed security gains as the
latter are minimal at best. :-)
--
Heiki "Repentinus" Ojasild
FSFE Fellowship Representative
mailto:repentinus at fsfe.org
xmpp:repentinus at jabber.fsfe.org
http://blogs.fsfe.org/repentinus/
Florian Weimer
2014-01-18 11:46:34 UTC
Permalink
Post by Carsten Agger
If you can change your router (ideally to one running only free
software, using protocols specified by the ISP), you can protect
yourself in the case where you trust your ISP, but not the router it
supplies you.
The flip side is that if you can change your router, you may also be
able to see which web sites your neighbor accesses. Shared media
networks (mobile, broadband cable, and cheaply implemented DSL and
metro Ethernet) tend to require regulated and deliberately crippled
end devices to prevent that.
Hugo Roy
2014-01-18 13:05:22 UTC
Permalink
Post by Carsten Agger
How to trust your ISP would be the "next problem" after getting rid of
compulsory routers, I suppose.
Or, instead of choosing to trust your master, be your own master.
;)

http://www.diyisp.org/
--
Hugo Roy, Free Software Foundation Europe, <www.fsfe.org>
Deputy Coordinator, FSFE Legal Team, <www.fsfe.org/legal>
Coordinator, FSFE French Team, <www.fsfe.org/fr>

Support Free Software, sign up! <https://fsfe.org/support>