ISP Spying (opens in new tab)

Usually, anything you can install a third party firmware on like openwrt, dd-wrt or tomato (shibby's version of tomato is the one I used the most).

However, I gave up on consumer hardware and went with Ubiquiti for wifi AP and Mikrotik as my router. It was a bit of a pain to set up all my NAT rules in the Mikrotik router because unfortunately consumer devices do a lot of extra work behind that scenes (like setting up NAT reflection) to facilitate having NAT work painlessly. I'm perfectly content with the end result now though.

I built my own, several years ago, on a (fanless!) board like this:

http://www.pcengines.ch/apu3a4.htm

It has 3 NIC's, for inside, outside, and DMZ. You can also put a wifi radio on it, and make it an access point.

I run a full Ubuntu on it, with local DNS, DHCP, Shorewall, etc.

A very secure solution is building your own box to run OpenBSD. There are some good guides on how to set up OpenBSD as a typical NAT router / firewall here: https://www.openbsd.org/faq/pf/example1.html

I like PF a lot more than IPTables. I've found it to be far simpler to configure.

Plenty of routers can be flashed with open source third-party firmware like OpenWRT.

I built my own.

These days, you can rely on Linux on fairly low-end CPUs to handle a gigabit of traffic, including IPv4 NAT, IPv6, firewalling, DHCP and DNS.

For serious firepower, Jetway sells a 10 x 1 Gbit tiny fanless machine with a J1900 Celeron and up to 8GB of RAM, under $400 (without RAM or disk). All most people need is 2 gigabit ports and maybe a good WiFi interface -- although I prefer to scatter consumer WiFi boxes around my house in bridge mode.

I've gone with a Ubiquiti UniFi Security Gateway.

It's not too fancy (but getting fancier as updates are delivered) and does the job well. I wasn't satisfied with the VPN options, so I port-forward to an internal host and set up static routes as required.

I do the same.

You might try this: https://github.com/jaysoffian/eap_proxy

You have to enable `set system offload ipv4 vlan enable` else your routing performance will suffer.

I get wirespeed routing from my ERL on my 1Gps connection. If it’s maxing out at 100 Mbps, those folks have it configured so that it’s having to route with the CPU.

End-to-end encryption like SSL (https) is meant to limit the middle man's ability to 'see everything'. Instead of seeing the details of your Google search, all they see is that you accessed Google at [x] time, and exchanged [y] amount of data.

This is why there is such a push for end to end encryption on web traffic, chat apps, etc.

Using their CPE routers implies (but does not guarantee) that you are using them for NAT and firewalling, and thus the ISP has a device inside your security perimeter.

Not an issue when you run your own VPN with a cheap VPS - meaning the data is exiting in a datacenter in a location of your choice. While they or their upstream providers will certainly have some 'lawful interception' capability they are usually not interested in analyzing / selling the data on their wires as the consumer-facing ISPs.

Can you provide more background on your blanket statement?

There are good and bad VPNs but ISPs are much larger corporations with direct ties to governments. I fail to see how a good VPN is worse than ISP + Governments.

Depends on where the VPN connects to.

I control the other end of the VPN, I'm not using a public VPN service. All I care about is routing around my ISP. (Which is Comcast - whom I do not trust.)

The URLs [1] [2] describe the content. I thought [1] was interesting but not answering your question. [2] Answers your question, and shows black and white and thermal pictures.

[1] https://www.medgadget.com/2014/06/mits-wifi-system-detects-p... (June 2014)

[2] https://hackaday.io/project/5452-wifi-thermal-camera (2015)

[EDIT] I stand corrected, [2] is unrelated. My bad! Here's some good sources as alternative.

"MIT turns Wi-Fi Into Indoor GPS New tech from CSAIL lab lets one Wi-Fi device locate another to within centimeters" [3]

"RF-Capture: Capturing the Human Figure Through a Wall

It can know who the person behind a wall is. It can trace a person's handwriting in air from behind a wall. It can determine how a person behind a wall is moving." [4]

They also contain further resources.

[3] https://spectrum.ieee.org/tech-talk/telecom/wireless/mit-tur...

[4] http://rfcapture.csail.mit.edu/

I saw this guy the other day - very interesting tech, but doesn’t address your specific question.

https://m.youtube.com/watch?v=rDC34awd0f8

There are a lot of people doing research in this space:

https://scholar.google.com/scholar?hl=en&as_sdt=0%2C47&q=hum...

> otherwise a custom configured ONT could snoop on other peoples traffic on the same segment.

Why would an ISP care about that?

If there's already encryption, how did the author snoop on the content?

> it's not making it out onto the public internet, it's entirely within the ISP network.

What if technical support is outsourced to a call-center in India?

Well, in general, you'd want to draw a casual link between real physical measurement and network traffic; so yeah, if you own the client (and can accurately determine whether or not it's running in a VM, and/or manipulated by a robot, which is tricky) you can filter out the data flak. If I worked for a data-collection org I'd probably ignore (or blacklist, if I could get away with it) a known source of noise.

No. DSL-providers are legally obliged to let the customers use their own equipment (which includes the account details / passwords to establish the connection). Most of them even provide the details for the SIP connection that is included most of the times. If I remember correctly cable providers were fighting this - not sure about the final outcome...

You should not trust anyone handling your traffic, that's why things like HTTPS and SSH exist.

The problem here is not that the ISP can not be trusted, you should never trust them anyway. The problem is that the ISP is using their router to force their way into what is supposed to be the trusted part of your network, your LAN.

This is exactly why I don't use the ISP provided router, and every piece of equipment of theirs I have to use (mainly the IPTV box) is in a separate, untrusted, VLAN.

Personally I very much agree that using a vpn service for all your traffic is probably not a good idea. As well as other objections, some have been confirmed to sell fine grain traffic information, and may have an easier time justifying that as it is arguably anonymised.

That said, if you set up your own vpn on a digital ocean node, moving your network boundary to the datacentre, then the cloud hosting companies network that you end up trusting is less likely to be set up to spy on you then a consumer isp.

I get bad speed though when I do this. The processibg speed required to encrypt a connection at 300mbps just isn't there in my router.

Sure I am, but they're a VPN service with a long history of protecting users from snooping. And they don't do business from the jurisdiction that I'm subject to. So targeted surveillance would be harder. Not impossible, of course, by major national intelligence organizations. But hey.

Also, I dont rely on just the one VPN service. I use nested chains of VPNs, and so distribute trust among multiple providers. Doing business from different jurisdictions. Just as Tor does with three-relay circuits. Sometimes I use private VPNs running on anonymously leased VPS.

Finally, each of my personas uses a different nested VPN chain, or Tor (Whonix) through other nested VPN chains. So linking my various personas would be nontrivial.

It's easy to move your VPN to an arbitrary VPS anywhere in the world, but there's only a handful of residential ISPs available in any given area, and they are almost univerally scummy.

As discussed in the thread[0] on this from the other day it's largely FUD.

Fundamentally a VPN service allows you greater control over who you trust with your traffic. You always have to trust someone[1]. For example I trust F-Secure and the Finnish court system much more than I trust Virgin Media, GHCQ and the British court system which is why I run Freedome and route my traffic through Finland. As pointed out in another subthread here UK ISP are required to collect a bunch of data by the Snooper's Charter, the same is not true in Finland.

0: https://news.ycombinator.com/item?id=16371030

1: The default for many people is their local ISP which might or might not be a good entity to trust based on where you are. In many place you also have very few choice when it comes to your ISP.

absolutely not.

gdpr is a nightmare for websites, because of the consent rule.

but guess what is the first thing you with a ISP. You sign a contract. done. it's all legal with gdpr or not.

As far as I can tell we should just be safety first. This does indeed mean getting as much information about how to browse privately.

If we all use tor, it will help the tor project because then it's harder to spot individuals using it.

Tor is slightly slower, but it's pretty much a perfect browser replacement. The only reason I don't use it all the time is that I like my browser history. Plus I've got a self built VPN which is about as good as I can hope for.

My apologies, I did read the article and then commented. The author is obviously privacy focused and is writing for a similar audience. Unfortunately, here in India, things are quite different as there are very few legal measures to protect privacy and there is a general lack of awareness regarding why digital privacy actually matters. Things are so bad at some places that even local ISPs (even with no BGP AS) are able to collect data, and sell it to markets in gaffar for as low as 2 USD (for instance a list of 25K users with their browsing habits). A small, cottage industry of data mining and selling operates with zero implications and even the cops can't do anything about it as they are brutally unaware about the privacy laws and shrug it off. I have my own VPN setup (openVPN to tinc mesh over scaleway/hetzner) for my general surfing and have configured it for my whole family through a raspberry pi as well. But again, the when the smallest of enterprises can operate with zero ramifications for mining, there is little you can do en masse without the backings of an informed government.

Unfortunately people are simply unaware about their rights in general regarding privacy and the locals laws are not stringent. They are not even aware that their data is being collected, and even if they knew, they can do little about it. Privacy focused users create their own infrastructure or get VPN, rest all contribute to a small cottage industry of data collection, analysis and selling unknowingly.

Good point, my bad, I'd skimmed it and not read the bit after the XML text. The title was somewhat misleading, and the HN admins have changed it now.

I'd still be more concerned about my unencrypted HTTP traffic though.

This site [0] explicitly says that VPN over Tor is a bad idea. It's quite possible it's wrong. But I don't understand why?

[0]: https://www.expressvpn.com/how-to-use-vpn/tor-vpn

Why on Earth would you visit plain HTTP sites with JavaScript enabled?

I could figure out that "you" doesn't refer to me personally, and so can the rest of HN. There's nothing "linkbait" about it.

You can express your opinion about the original title in a comment. There's no need it impose this (twisted, IMO) view on everyone.