Slashdot Mirror


Comcast Plans Cable Boxes with Integrated Wi-Fi and Snooping

Kaa writes "Short version: Comcast's cable modem/802.11g base station that is made by Linksys has capabilities to 'phone home' to Comcast and tell them how many devices are connected to your WiFi base station, how much bandwidth they are using, etc. It also has the capability to 'disable LAN segments' which, I assume, means they can kick your devices off your home network if they choose to do so. Something tells me this particular device won't make it into my house..."

13 of 427 comments

  1. Smoothwall by Anonymous Coward · · Score: 5, Informative

    Simple Solution:
    Put a smoothwall box or another router between your home network and the new cable modem (as I'm sure many of us already do). Although the wireless access would be nice to use, 802.11b/g access points are pretty cheap these days.

    1. Re:Smoothwall by Anonymous Coward · · Score: 4, Informative

      I just got Speakeasy. It's awesome, although a little pricey. However, you can get static IPs and NO port blocking! Leaving Comcast behind and never looking back.

    2. Re:Smoothwall by jrockway · · Score: 4, Informative

      It doesn't help. A full nmap run will take maybe thirty seconds. Any script kiddie can scan you. Also, you probably shouldn't be worried about script kiddies. They won't know what ssh is. Someone may really want your data, and changing ports ain't gonna stop 'em from trying to get at it.

      It does break all internet standards, though. That's always a great thing (*rolls eyes and looks at M$*)

      --
      My other car is first.
    3. Re:Smoothwall by Allen+Zadr · · Score: 4, Informative
      Er, actually, if you read further down, [specifically, Table 5-6 (page 37)], you will find that most ports and protocols will be entirely unaffected by these technical extensions.

      If you use SMTP, yes, so too will this. Unless you let the CableHome system access the SMTP of your devices, you have nothing to worry about.

      It uses DHCP, well, so does my current Cable-Modem. In fact, all DOCSIS cable-modems can offer DHCP. No surprise there.

      Ping - yep, looks like it will block pings into your network (or answer for you). Nothing every DSL modem doesn't already do.

      TFTP, slightly more worrisome, but a good standard to allow remote updating of devices that they own (and need to manage).

      This is about selling more network devices into your home that the average user won't know how to set up with an old Linux box and a pack of bubble-gum. They will get to sell more stuff, and make more money. Many users will get the benefit of neat network appliances in their home... that they merely have to pay a separate subscription fee for.

      The network segment shut-down is there to cut-off devices that they own but you are trying to use anyway, but don't want to pay the subscription service for.

      Yes, there is room for abuse, but it's not nearly as bad as cutting off all other WiFi. It wouldn't be technically capable of telling a WiFi router apart from an in-home network switch or a NATting Linux box. I suppose the built-in WiFi would block your own WiFi's signal, but that doesn't point to a conspiracy.

      --
      Kinetic stupidity has a new brand leader: Allen Zadr.
  2. Easy fix. by grub · · Score: 4, Informative

    Simple, just put another firewall between that snoop box and your LAN.

    --
    Trolling is a art,
  3. Beyond the pale..... by erick99 · · Score: 4, Informative
    This is beyond the pale. It's like the RIAA in the sense that there is an arrogance about what they can do while selling you a service. Here is the pertinent part of the document that is labeled "The goals for the CableHome Management Portal include:"

    * Enable viewing of LAN IP Device information obtained via the CableHome DHCP Portal (CDP)

    * Enable viewing of the results of LAN IP Device performance monitoring done by the CableHome Test Portal (CTP)

    * Provide the capability to disable LAN segments

    I hope that at some point, we, as users, can vote with our wallets and stop this nonsense. The more we give in to this kind of seller-bullying, the more we can expect.

    Happy Trails!

    Erick

    --
    http://www.busyweather.com/
  4. easy solution -- $19 wifi router, no rebates by Jaeger- · · Score: 4, Informative

    router @ compusa

    cheapest i've seen considering there's no rebates involved...

    2.4GHz 11Mbps Wireless Router with 4 Port Switch, 802.11b
    Manufacturer: FMI
    Mfg Part #: WE711APR
    Product Number: 295106
    Original Price: $89.99 (79% Off)
    Regular Price: $69.88
    Internet Special: $18.99

    --
    E V E R Y T H I N G I W R I T E I S F A L S E
  5. COMCAST: I don't know.... by dnahelix · · Score: 4, Informative

    When I signed up for COMCAST broadband I was told I could have up to 5 computers connected (using a server assigned DHCP address on each machine).
    Well, last week I got a letter from COMCAST telling me that they have determined I have more than one machine connected to my cable modem and that if I don't respond by June-something they will terminate any other IP addresses beyond one. Although, for an extra $9.99 a month, I can have up to 4 extra (5 total) IP addresses.
    I think those sons-of-bitches are pulling a scam and have bait-and-switched me. I was very up-front with the rep when I signed up and told him I needed to have 5 computers connected and would that be a problem... "No, of course not," I was told, "You can connect up to 5 computers, we just don't support any LAN/ethernet-hub problems you might have."
    FUCKING LIARS

    --
    Slashdot Eds Link Anonymous Posts With Logged Posts
    They Are Vermin Feeding On Each Other's Feces.
    I Hate \.
    1. Re:COMCAST: I don't know.... by Geoffreyerffoeg · · Score: 4, Informative

      You missed something. There's an important difference.

      You are using multiple IP addresses. This means you're using a hub, not a router. Multiple IPs are commonly extra priced.

      You want to use multiple devices with NAT. Buy a proper router and plug it in, then plug your devices into there. They'll all use the same IP, and Comcast will be happy.

      The only mistake on their part is not stating that multiple computers must share one IP.

  6. Re:Continue BOYCOTT by YanceyAI · · Score: 4, Informative

    They just doubled my connection speed. For free.

    --
    Can I bum a sig?
  7. I've got one now. by bl1st3r · · Score: 4, Informative

    Comcast on the whole is not that bad. They actually had a knowledgeable tech out here to help get shit set up. The problem exists at the corporate level where policy is made. They have stuff set up upstream to make it so that only Windows and Mac machines can use their service. The tech here got them to disable that for me.

    I currently have the Wireless Gateway that they are discussing and while I don't know about the stuff they claim it can do, I do know a little about its use.

    192.168.0.0/24 == NAT range used.
    192.168.0.1 == Router admin interface
    192.168.100.1 == Router tech summary interface

    Both those interfaces == HTTP. Both interfaces use the same password by default.
    User: comcast
    Pass: 1234

    That's the default. They also recommend at install time that you don't change that.

    I think that's fishy as hell so that was the first thing I changed. Luckily the tech here on site was competent enough to ask me what WEP key I wanted to use and let me pick whatever phrase I wanted. That showed intelligence.

    On the whole, I have no complaints with them. If they fuck with my service, maybe I'll have problems. But Charter (local competition) isn't much better.

    --
    hrrm.
  8. From someone inside by Anonymous Coward · · Score: 5, Informative

    Disclaimer: I am a Comcast employee. I am not trying to defend this product/standard/company, but will clarify a few things.

    The cablehome pro standard shown in the article shows what it can do, but not what Comcast is actually doing. What is currently implemented does not intrude in the ways suggested. Comcast employees can view basic information like current DHCP leases, # of WLAN clients and router config (parental settings, etc). The cablehome standard implementation is currently very limited, only in certain areas at this time.

    I also want to say that I disagree with many Comcast policies, but we don't care what is connected to the gateway unit. The gateway is set in the firmware to only give 5 DHCP leases. If one wants more devices they need to set it statically, but non-Comcast installed devices are not supported anyway.

    Also keep in mind who this product is marketed to - the average family lacking the technical ability to configure their own wireless network.

  9. From the inside. by Anonymous Coward · · Score: 5, Informative
    I'm currently doing a project for a contractor that works for Comcast. I also do trouble calls for them on occasion when they get really stumped by a customer's computer, but I'm expensive so they usually send 5 or 6 of their techs before they call me. (Mac DHCP issues, LSP problems, INF overloads...)

    I can say with authority that these devices suck. They have custom firmware with the vast majority of the normal Linksys functionality stripped out. The end user isn't even supposed to be able to access the web interface. (The login is comcast/1234 if anybody needs it...) About the only good thing is that they come with WEP enabled with no key by default, so if the install technician (who usually knows only slightly more than the end user) forgets to go in and set a WEP key, no wireless clients can connect. I'm not even sure it's possible to disable WEP on them... I know it's not through the normal technician 'install' interface, but there is an advanced WEP screen I haven't played with too much.

    Comcast wants to charge something to the effect of $20 for the network + $10 per additional computer monthly, depending on your region. They want the install technicians to call in the MAC of each connected device, which are stored in the space in Comcast's system where additional outlet information usually goes. I am not sure whether this actually does anything. One of Comcast's lead technicians explained to me that the first time they went out (3 of them) to try to get one of these devices installed, they spent 6 hours working on it, only to discover that the problem was they hadn't called in the MAC addresses. Contrast that with my own experience, having installed 4 of these (showing the contractor's techs how to do it), all of which have worked just fine wireless without calling in the MACs. I don't know if that's a permanent solution though, in each case the customer took my recommendation that they get a normal cable modem and buy their own router to save money, so we removed all 4 of the ones I installed within a day or two. (Obviously I won't be telling you exactly who I am, someone at Comcast might be reading this...)

    Anyways, if they've got some grand scheme to restrict access to approved and paid-for devices, it looks to me like it's not working yet...