Slashdot Mirror

← Back to Stories (view on slashdot.org)

Comcast Plans Cable Boxes with Integrated Wi-Fi and Snooping

Posted by michael on from the all-in-one dept.

Kaa writes "Short version: Comcast's cable modem/802.11g base station that is made by Linksys has capabilities to 'phone home' to Comcast and tell them how many devices are connected to your WiFi base station, how much bandwidth they are using, etc. It also has the capability to 'disable LAN segments' which, I assume, means they can kick your devices off your home network if they choose to do so. Something tells me this particular device won't make it into my house..."

33 of 427 comments (clear)

  1. Smoothwall by Anonymous Coward · · Score: 5, Informative

    Simple Solution:
    Put a smoothwall box or another router between your home network and the new cable modem (as I'm sure many of us already do). Although the wireless access would be nice to use, 802.11b/g access points are pretty cheap these days.

    1. Re:Smoothwall by MandoSKippy · · Score: 2, Informative

      Will Comcast allow ports coming in to be opened? I could see them not allowing us to SSH and TS into our home boxes. (I suppose that techincally is against their TOS) I LOVE having remote access to home. It's a wonderful way to browse sites that may or may not be work related without leaving gobs of cookie dough all over the work PC :)

    2. Re:Smoothwall by Anonymous Coward · · Score: 4, Informative

      I just got Speakeasy. It's awesome, although a little pricey. However, you can get static IP's and NO port blocking! Leaving Comcast behind and never looking back.

    3. Re:Smoothwall by JofCoRe · · Score: 2, Informative

      obscure ports like 39492 (not the one I actually use, wouldn't want to give away my top secret network secrets!),

      Using obscure ports doesn't really matter anymore... All I need is a recent version of nmap, and I can find out what services you're running and what ports they are on :)

      --

      Place sig here.
    4. Re:Smoothwall by jrockway · · Score: 4, Informative

      It doesn't help. A full nmap run will take maybe thirty seconds. Any script kiddie can scan you. Also, you probably shouldn't be worried about script kiddies. They won't know what ssh is. Someone may really want your data, and changing ports ain't gonna stop 'em from trying to get at it.

      It does break all internet standards, though. That's always a great thing (*rolls eyes and looks at M$*)

      --
      My other car is first.
    5. Re:Smoothwall by Allen+Zadr · · Score: 4, Informative
      Er, actually, if you read further down, [specifically, Table 5-6 (page 37)], you will find that most ports and protocols will be entierly uneffected by these technical extensions.

      If you use SMTP, yes, so too will this. Unless you let the CableHome system access the SMTP of your devices, you have nothing to worry about.

      It uses DHCP, well, so does my current Cable-Modem. In fact, all DOCSIS cable-modems can offer DHCP. No surprise there.

      Ping - yep, looks like it will block pings into your network (or answer for you). Nothing every DSL modem doesn't already do.

      TFTP, slightly more worrisome, but a good standard to allow remote updating of devices that they own (and need to manage).

      This is about selling more network devices into your home that the average user won't know how to set up with an old Linux box and a pack of bubble-gum. They will get to sell more stuff, and make more money. Many users will get the benefit of neat network appliances in there home .. that they merely have to pay a separate subscription fee for.

      The network segment shut-down is there to cut-off devices that they own but you are trying to use anyway, but don't want to pay the subscription service for.

      Yes, there is room for abuse, but it's not nearly as bad cutting off all other WiFi. It wouldn't be technically capable of telling a WiFi router apart from an in-home network switch or a NATting Linux box. I suppose the built-in WiFi would block your own WiFi's signal, but that doesn't point to a conspiracy.

      --
      Kinetic stupidity has a new brand leader: Allen Zadr.
    6. Re:Smoothwall by STrinity · · Score: 2, Informative

      Exactly. Comcast doesn't make you use their router -- landline or wifi -- so why pay extra when it's cheaper to buy your own.

      --
      Les Miserables Volume 1 now up with my reading of
    7. Re:Smoothwall by mOdQuArK! · · Score: 2, Informative

      Your mistake is assuming that the ports are being scanned sequentially. nmap scans all 65000 (or so) ports concurrently (it doesn't have to wait for a port to respond before initiating the connection to the next one), and the 30 second delay mentioned in the message you responded to is probably long enough for nmap to register all the ports that are going to respond.

      Bitbucketing port replies won't do diddlysquat (and will actually probably make it easier for the attacker, since the attacker will get back replies for only those ports which are open & active.)

  2. Easy fix. by grub · · Score: 4, Informative

    Simple, just put another firewall between that snoop box and your LAN.

    --
    Trolling is a art,
    1. Re:Easy fix. by Anonymous Coward · · Score: 1, Informative

      Aconymous Noward/David Syes...

      Well, can't they fingerprint the packets? I mean, isn't there a way the number of unique machines can be determined?

      Suppose you have 15 computers chewing the limit of bandwidth, not crushingly, but maybe 80%. Then, one person is shopping mstewart, another pron, and another Home Depot, another on globaldefense.org, and so on. How likely is it that just one person can type in all the URLs (talkn' 'bout by hand), respond to the information/requests, and keep surfing?

      Can't the MAC addresses be queried at some level? thought that some bad NICs could be tricked. If it is not possible at all, the apologies. But, I am wary. Ever since the CIA and Telcos have been in bed, it's likely that even cell phones TURNED OFF can be tracked. Just embed a cell-polling chip or interrogator chip in the battery pack. Of course, I've not rigged and radio direction finding gear near my cell to test this, but I think eventually it will be in all phones "as an augmentation to 9/11 rescue assistance for the disabled motorist or stranded pedestrian...". Yep...

      Ever wonder if the day will come that paper money's metal strip will act as a collective antenna? I mean, why use exploding dye packs when some cell domes or cones in a financial district or atop high-value transactions-oriented buildings can home in on huge wads of cash moving at one time in a tracked direction. The trigger would be the failure on the part of a human to deactivate the frequency checked for the pallet, bundle, or stack.

      Ever wonder if a modem is embedded in Kinko's copiers? Imagine all the criminals (from copyright abusers to bonafide nefarios) who think an "offline" copier is safer than a networked printer... I imagine the day will arrive soon (if not already here) where your convenient money-card will tie in with the store surveillance camera, which are both tied to the card reader on the copier. Photograph anything and it's scanned. Copy and bulk-print things, and they are scanned. Now, the copyright industry as well as the various domestic surveillance units, from LAPD to CIA and those of which we'll never know the names, will have a bead on every person who uses technology.

      Maybe a way to combat it is to surf nonsense, deliver nonsense, and swap cards with others. Maybe Father John or Sister Imelda will, for a cash donation, swap cards so I can break the purchase trail....

      Just some ideas been runnin' thru my mind the past 2 years...

      David Syes
      Citizen of Earth, resident of whatever nation.

  3. More Devices = More MONEY by WordODD · · Score: 3, Informative

    All this idea does is allow Comcast to suck even more money out of its customers without having to change the amount of money they spend per account.

    --
    Please do not let scientific accuracy interfere with the intended humourous/interesting/insightful value of this comment
  4. Beyond the pale..... by erick99 · · Score: 4, Informative
    This is beyond the pale. It's like the RIAA in the sense that there is an arrogance about what they can do while selling you a service. Here is the pertinent part of the docment that is labeled "The goals for the CAbleHome Management Portal include:"

    * Enable viewing of LAN IP Device information obtained via the CableHome DHCP Portal (CDP)

    * Enable viewing of the results of LAN IP Device performance monitoring done by the CableHome Test Portal (CTP)

    * Provide the capability to disable LAN segments

    I hope that at some point, we, as users, can vote with our wallets and stop this nonsense. The more we give into this kind of seller-bullying, the more we can expect.

    Happy Trails!

    Erick

    --
    http://www.busyweather.com/
  5. This can't be mandatory. by LostCluster · · Score: 2, Informative

    There's no way that Comcast can require users of their cable Internet services to use cable modems provided by them. The FCC simply doesn't allow that...

    So long you buy your own DOCSIS-compatible modem, you can attach whatever hardware to your network you want.

  6. easy solution -- $19 wifi router, no rebates by Jaeger- · · Score: 4, Informative

    router @ compusa

    cheapest i've seen considering there's no rebates involved...

    2.4GHz 11Mbps Wireless Router with 4 Port Switch, 802.11b
    Manufacturer: FMI
    Mfg Part #: WE711APR
    Product Number: 295106
    Original Price: $89.99 (79% Off)
    Regular Price: $69.88
    Internet Special: $18.99

    --
    E V E R Y T H I N G I W R I T E I S F A L S E
    1. Re:easy solution -- $19 wifi router, no rebates by TellarHK · · Score: 2, Informative

      I have one of these. It's pretty shitty. No support for static IP addresses. Best I've had so far is a Netgear MR314, but I was foolish enough to loan that one to my brother and haven't gotten it back yet. The Netgear was pretty basic, but it at least seemed somewhat stable.

      Also, the FMI/CompUSA branded model has shit support. And any change to the firmware settings requires a restart. ANY change.

      --
      My own pointless vanity vintage computing page
  7. COMCAST: I don't know.... by dnahelix · · Score: 4, Informative

    When I signed up for COMCAST broadband I was told I could have up to 5 computers connected (using a server assigned DHCP address on each machine)
    Well, last week I got a letter from COMCAST telling me that they have determined I have more than on machine connected to my cable modem and that if I don't respond by June-something they will terminate any other IP addresses beyond one. Although, for and extra $9.99 a month, I can have up to 4 extra (5 total) IP address.
    I think those sons-of-bitches are pulling a scam and have bait-and-switched me. I was very up-front with the rep when I signed up and told him I needed to have 5 computers connected and would that be a problem... "No, of course not," I was told, "You can connect up to 5 computers, we just don't support and LAN/ethernet-hub problems you might have."
    FUCKING LIARS

    --
    Slashdot Eds Link Anonymous Posts With Logged Posts
    They Are Vermin Feeding On Each Other's Feces.
    I Hate \.
    1. Re:COMCAST: I don't know.... by LostCluster · · Score: 2, Informative

      Nah, it's just a case that something that was a free service is about to become a $9.99 a month service. Either pay the fee for real IP space, or set yourself up a NAT server. An off-the-shelf $50 consumer router will do the job as a DHCP and NAT server just fine...

    2. Re:COMCAST: I don't know.... by Anonymous Coward · · Score: 1, Informative

      they have never allowed for more than 1 IP connected to the cable modem at any one time.

      You can have a router with NAT and how many ever computers you want. That does not mean that you can have an individual IP for all of them.

      You always had the option of purchasing additional dynamic IPs from them.

    3. Re:COMCAST: I don't know.... by whodunnit · · Score: 2, Informative

      Umm, It's pretty clear on their website that if you want more than one external IP then you have to pay more money. Just buy a firewall/router with NAT and poof... you can have as many computers on your home network as you want. And if you get a deacent router it will have port forwrding in case you are running any servers on your boxes.

    4. Re:COMCAST: I don't know.... by donovangn · · Score: 2, Informative

      I think there may have been miscommunication there. They probably don't care (also, can't and won't know) if you have your own broadband router eating only one of their IP's and using NAT to serve numerous computers. But from what you say above it seems that you're eating 5 of their ips and they want you to pay for each one. It sounds like their sales people should have made the clear instead of using the simple answer of "sure, that's fine."

    5. Re:COMCAST: I don't know.... by Geoffreyerffoeg · · Score: 4, Informative

      You missed something. There's an important difference.

      You are using multiple IP addresses. This means you're using a hub, not a router. Multiple IPs are commonly extra priced.

      You want to use multiple devices with NAT. Buy a proper router and plug it in, then plug your devices into there. They'll all use the same IP, and Comcast will be happy.

      The only mistake on their part is not stating that multiple computers must share one IP.

    6. Re:COMCAST: I don't know.... by Merlinium · · Score: 2, Informative

      Its a Form letter, I also received one of these, my response? Ignore it, I recently purchased a NAT/FIREWALL Switch for security purposes, because I used to have DSL as my main connection, and comcast cable as a DL/backup connection, I finally got tired of Qwest's "Customer Service" and told them where they can stick their phone and DSL service. At the time I only had a 8 port Hub which was used for the DSL service, but when I went to Cable I was not wanting to put a Software firewall on every machine. So I was on with a hub for a few days until I got the NAT/FIREWALL.

      --
      If firefighters fight fire and crime fighters fight crime, what do Freedom fighters fight?
  8. Re:Continue BOYCOTT by YanceyAI · · Score: 4, Informative

    They just doubled my connection speed. For free.

    --
    Can I bum a sig?
  9. I've got one now. by bl1st3r · · Score: 4, Informative

    Comcast on the whole is not that bad. They actually had a knowledgable tech out here to help get shit set up. The problem exists at the corporate level where policy is made. They have stuff set up upstream to make it so that only Windows and Mac machines can use their service. The tech here got them to disable that for me.

    I currently have the Wireless Gateway that they are discussing and while I don't know about the stuff they claim it can do, I do know a little about it's use.

    192.168.0.0/24 == NAT range used.
    192.168.0.1 == Router admin interface
    192.168.100.1 == Router tech summary interface

    Both those interfaces == HTTP. Both interfaces use the same password by default.
    User: comcast
    Pass: 1234

    That's the default. They also recommend at install time that you don't change that.

    I think that's fishy as hell so that was the first thing I changed. Luckily the tech here on site was competant enough to ask me what WEP key I wanted to use and let me pick whatever phrase I wanted. That showed intelligence.

    On the whole, I have no complaints with them. If they fuck with my service, maybe I'll have problems. But Charter (local competition) isn't much better.

    --
    hrrm.
  10. Re:This is a product for the lusers... by Anonymous Coward · · Score: 2, Informative

    I work for comcast and I can assure you their not gonna spend a penny having some tech snoop through modems when they can be put to better uses. The only time these features are gonna be used is if someone calls in and is having issues.

  11. Re:I'm out. by rusty_rusty_rusty · · Score: 3, Informative

    Have a look at Speakeasy. Their resedential service is excellent. No blocked ports, a TOS which allows and frankly, even encourages the running of servers, a TOS which definitely encourages sharing of your circuit via WiFi with anyone you please (in fact they will even help you bill your "customers" for this if you want), and friendly, informed, and accesible service reps.

  12. Re:This is a product for the lusers... by falcon5768 · · Score: 3, Informative

    maybe so, but they have already twice under two different administrations (clinton and regan) forced the cable companies to adhear to this policy.

    --

    "Slashdot, where telling the truth is overrated but lying is insightful."

  13. Re:FCC by MichaelKaiserProScri · · Score: 2, Informative

    No, it just means you have to deal with it if the shielding is insufficient. Most consumer grade electronics specify this.

  14. From someone inside by Anonymous Coward · · Score: 5, Informative

    Disclaimer: I am a Comcast employee. I am not trying to defend this product/standard/company, but will clarify a few things.

    The cablehome pro standard shown in the article show what it can do, but not what Comcast is actually doing. What is currently implemented does not intrude in the ways suggested. Comcast employees can view basic information like current DHCP leases, # of WLAN clients and router config (parental settings, etc) The cablehome standard implementation is currently very limited, only in certain areas at this time.

    I also want to say that I disagree with many Comcast policies, but we don't care what is connected to the gateway unit. The gateway is set in the firmware to only give 5 DHCP leases. If one wants more devices they need to set it staticly, but non-Comcast installed devices are not supported anyway.

    Also keep in mind who this product is marketed to - the average family lacking the technical ability to configure their own wireless network.

  15. Communites need to own the infrastructure... by sadler121 · · Score: 3, Informative

    Damn, was a ll set to moderate, but just had to comment.

    This is even more of a reason to support community owned infrastructures such as UTOPIA in Utah, and the iProvo network in Provo. Utah can and is wrong on so many social issues, but this one they actually got right. So much so that Comcast and Qwest are lobbying HEAVLY to prevent such a network from going into place. They (Comcast and Qwest) have succeeded in scaring away Salt Lake City from the initative, an I suspect many more. >br>
    I may dispise with a fiery passion the local Univiersity that makes Provo its home, but iProvo has already been given approval and should be city wide in 2 years. A very BIG incentive for me to stay here in Utah and live in Provo.

  16. From the inside. by Anonymous Coward · · Score: 5, Informative
    I'm currently doing a project for a contractor that works for Comcast. I also do trouble calls for them on occasion when they get really stumped by a customer's computer, but I'm expensive so they usually send 5 or 6 of their techs before they call me. (Mac DHCP issues, LSP problems, INF overloads...)

    I can say with authority that these devices suck. They have custom firmware with the vast majority of the normal Linksys functionality stripped out. The end user isn't even supposed to be able to access the web interface. (The login is comcast/1234 if anybody needs it...) About the only good thing is that they come with WEP enabled with no key by default, so if the install technician (who usually knows only slightly more than the end user) forgets to go in and set a WEP key, no wireless clients can connect. I'm not even sure it's possible to disable WEP on them... I know it's not through the normal technician 'install' interface, but there is an avanced WEP screen I haven't played with too much.

    Comcast wants to charge something to the effect of $20 for the network + $10 per additional computer monthly, depending on your region. They want the install technicians to call in the MAC of each connected device, which are stored in the space in Comcast's system where additional outlet information usually goes. I am not sure whether this actually does anything. One of Comcast's lead technicians explained to me that the first time they went out (3 of them) to try to get one of these devices installed, they spent 6 hours working on it, only to discover that the problem was they hadn't called in the MAC addresses. Contrast that with my own experience, having installed 4 of these (showing the contractor's techs how to do it), all of which have worked just fine wireless without calling in the MACs. I don't know if that's a permanent solution though, in each case the customer took my recommendation that they get a normal cable modem and buy their own router to save money, so we removed all 4 of the ones I installed within a day or two. (Obviously I won't be telling you exactly who I am, someone at Comcast might be reading this...)

    Anyways, if they've got some grand scheme to restrict access to approved and payed-for devices, it looks to me like it's not working yet...

  17. Not the TechTV stuff again by AvantLegion · · Score: 2, Informative
    Comcast is rehiring 80 TechTV members. Of course they're not keeping everyone - they don't need double janitors, double cameramen, double everything...

    All the blind "OMFG THEY'RE KILLING TECHTV!!!111" nonsense has been the inspiration of my new sig.

  18. Re:Lord - please stop the FUD by Allen+Zadr · · Score: 3, Informative
    That's a great viewpoint, but technically wrong.

    By DOCSIS standard, the cable company has to be able to interact directly with your cable modem, and know (to a certain extent) what it's doing. So if the cable modem is your router, your argument can't work. However, assuming your router is on your side of the cable modem, well it's still technically wrong.

    First, if you are running your own Network Address Translation service - then this modem won't be able to see past it anyway. Anything the cable company would sell on said HomeConnect services would have to be on their side of your intenal router. By definition these devices would not be able to directly interact with your PCs (only to your router). Second, if you are not running your own Network Address Translation service then you are asking the cable company for IP addresses. That means that every time you turn a system on, they have to give you an IP.

    My cable service allows me 5 IP addresses, they have the right to cut me off after I've hooked up 5 computers with their IP addresses.

    Finally, assuming you are running a switch and not a hub (external to the device they control) anything you move from one device inside your home to another would not be seen by the cable modem anyway.

    The HomeConnect standards document does not have anything in it about how to profile network traffic. It does describe how to request SNMP connections to devices, identify those devices that answer (this is a configuration chioce you can set for your own devices), and manage those devices that allow management.

    I really don't see this as being a conspiracy product. Like I said, there is potential for abuse. This is the same potential for abuse by the phone company to monitor all phone calls you make, identify where they are to, and bill you if they are outside of your area.

    I'm sorry, I don't see the issue here. If you can show me one, I'll be happy to listen, but please don't thump on the conspiracy theories without even explaining the technical side, HOW. My job is IT, I can take the technical details if you can conjure them.

    --
    Kinetic stupidity has a new brand leader: Allen Zadr.