[147899] in cryptography@c2.net mail archive


Re: [Cryptography] DSL modems - how would we detect wholesale

daemon@ATHENA.MIT.EDU (Bill Stewart)
Wed Oct 30 14:53:20 2013

X-Original-To: cryptography@metzdowd.com
Date: Tue, 29 Oct 2013 15:03:45 -0700
To: John Gilmore <gnu@toad.com>
From: Bill Stewart <bill.stewart@pobox.com>
In-Reply-To: <201310281956.r9SJurqQ032287@new.toad.com>
Cc: Cryptography <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

At 12:56 PM 10/28/2013, John Gilmore wrote:
>And most DSL modems are provided by your giant telco DSL provider --
...
>How hard would it be, really, for
>them to subvert all their DSL modems to wiretap your LAN?

DSL modems normally don't have a lot of spare CPU horsepower,
and if you have old-style DSL
(as opposed to fiber, or U-Verse DSL-to-the-box, or cable modem)
there's not a lot of spare upstream bandwidth for them to abuse.
And it would cost them a lot to do all the processing to handle the data,
which isn't going to happen in a price-sensitive consumer business.
If they're trying to specifically wiretap *you*, that's a different case,
so if a large van marked "TPC" comes up to your door and
asks to replace your cable modem with a faster one, be suspicious :-)

>And even better that consumers have
>no idea what packets are going up and down over that DSL signalling,
>because they have no equipment for monitoring raw 2-wire DSL lines

It's annoying to us in the business as well;
that stuff is a pain to debug except from a DSLAM.
...

>You can guard against this threat by only plugging one Ethernet jack
>into your DSL modem, and having that lead directly to a Linux or BSD
>gateway box that is under your own control.  That way, the DSL modem
>has no physical access to the rest of your LAN, and you can monitor
>the upstream Ethernet to make sure that the only packets going to the
>DSL modem are those that you intended to go upstream.

You should probably be doing that anyway (at least with a
consumer firewall appliance, if not a Linux/BSD/DD-WRT box.
And in many cases, the broadband provider isn't including a switch,
or only offers that for an extra fee with managed Wifi, and you can do better.)
That lets you upgrade the wifi yourself, if you use wifi,
and gives you some vague chance of security if you want to have a
LAN-attached printer or file server supporting your machines at home,
and it also gives you the ability to have separate guest wifi.

         Thanks; Bill Stewart
-------
Disclaimer: This is only my personal opinion, not the opinion of
my current or former employers, TPC, Big Cable, etc.

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
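The upstream-monitoring idea in the quoted paragraph (only the packets you intended to send upstream should appear on the wire to the DSL modem), as an added example that is not part of the original message: a Python check over `tcpdump -e -n` style lines captured on the gateway's WAN interface, flagging any frame from or to a MAC other than the gateway and modem, and any frame that names an address from the LAN prefix. The MAC addresses, IP addresses, LAN prefix and capture lines are all constructed for the example.

```python
import ipaddress
import re

# Constructed capture, in the shape of `tcpdump -e -n -i <upstream-if>` output.
# Addresses are hypothetical. Frame 3 is a LAN host whose frames reached the
# modem link directly; frame 4 is the modem probing a LAN address by ARP.
SAMPLE_CAPTURE = """\
12:00:01.000001 00:11:22:33:44:55 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 98: 203.0.113.10 > 198.51.100.1: ICMP echo request, id 1, seq 1, length 64
12:00:01.000500 aa:bb:cc:dd:ee:ff > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 98: 198.51.100.1 > 203.0.113.10: ICMP echo reply, id 1, seq 1, length 64
12:00:02.000001 00:11:22:33:44:66 > aa:bb:cc:dd:ee:ff, ethertype IPv4 (0x0800), length 74: 10.0.0.20 > 198.51.100.1: Flags [S], seq 0, win 64240, length 0
12:00:03.000001 aa:bb:cc:dd:ee:ff > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.20 tell 192.168.1.1, length 28
"""

# One link-layer frame per line: timestamp, src MAC > dst MAC, ethertype, length, payload summary.
FRAME_RE = re.compile(
    r"^\S+ (?P<src>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) > "
    r"(?P<dst>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), ethertype \S+ .*?length \d+: (?P<rest>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def audit_upstream(capture, gw_mac, modem_mac, lan_net):
    """Return (frame_no, reason) for every frame that does not belong on the
    gateway<->modem segment: a frame involving a third MAC (a device that
    bypassed the gateway), or a frame that mentions a LAN address (only the
    gateway's WAN-side address should ever appear on that wire)."""
    lan = ipaddress.ip_network(lan_net)
    allowed = {gw_mac.lower(), modem_mac.lower(), "ff:ff:ff:ff:ff:ff"}
    findings = []
    for no, line in enumerate(capture.splitlines(), 1):
        m = FRAME_RE.match(line)
        if not m:
            findings.append((no, "unparsed line"))
            continue
        src, dst = m["src"].lower(), m["dst"].lower()
        if src not in allowed or dst not in allowed:
            findings.append((no, f"unexpected MAC {src} > {dst}"))
            continue
        leaked = [ip for ip in IPV4_RE.findall(m["rest"])
                  if ipaddress.ip_address(ip) in lan]
        if leaked:
            findings.append((no, f"LAN address on upstream link: {', '.join(leaked)}"))
    return findings


if __name__ == "__main__":
    for no, reason in audit_upstream(SAMPLE_CAPTURE, "00:11:22:33:44:55",
                                     "aa:bb:cc:dd:ee:ff", "10.0.0.0/24"):
        print(f"frame {no}: {reason}")
```

Run the same function over a live `tcpdump -e -n -l` pipe from the WAN interface to get a continuous check; a hit on the MAC rule means something other than your gateway is talking to the modem, a hit on the address rule means LAN traffic is reaching it without going through your NAT.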
