ISP Spying (harrisonsand.com)
251 points by early 5 months ago | 129 comments

I’ve pulled apart router firmware plenty of times, and am never surprised to see nbtscan, nmap, and all sorts of other tools on there.

A lot of ISPs will perform remote diagnosis by connecting into your router and scanning your internal hosts to see if there are any problems.

Between that capability and general appalling security of routers, you’re basically on Starbucks WiFi from a security perspective even at home.

Important note: buying an off-the-shelf Netgear/TP-Link/Linksys/whatever might stop your ISP remoting in, but it is still wildly full of vulnerabilities.

This is very informative! What router would you suggest purchasing?

Usually, anything you can install a third party firmware on like openwrt, dd-wrt or tomato (shibby's version of tomato is the one I used the most).

However, I gave up on consumer hardware and went with Ubiquiti for the wifi AP and Mikrotik as my router. It was a bit of a pain to set up all my NAT rules in the Mikrotik router because unfortunately consumer devices do a lot of extra work behind the scenes (like setting up NAT reflection) to make NAT work painlessly. I'm perfectly content with the end result now though.

Opposite for me: I have a Mikrotik hAP ac and am considering using it as an AP only, then buying a Ubiquiti ER-X to put in front of it.

I did consider going with a pure Ubiquiti solution, but after borrowing a friend's ER-Lite and comparing it to running RouterOS in a VM I decided that Mikrotik was a better overall fit for me from a technical standpoint. The RB3011 having a powerful CPU plus the integrated 10-port switch (actually two different switches) helped push me in that direction.

There was something almost zen-like about watching 300 Mbps of traffic transiting my RB3011 and seeing it utilize 6% CPU.

Ultimately, either is a fine solution, and an ER-X is going to be a lot less fiddly to set up.

I would stay away from Ubnt routing. Which features require disabling packet-processing off-loads, and the performance impact of doing so, is not well documented and varies between models and software versions.

There appear to be many bugs related to off-loading as well. The example below is what finally made me decide not to consider Ubnt routers. It may be fixed now, maybe, but even if it is, it was broken for way too long and shrouded in too much mystery, without even making it obvious which models are affected (the thread title was not always that specific either). I can't take Ubnt seriously, even for a home environment, after seeing how basic forwarding was that poor and it wasn't even their highest priority.

The only good thing that this proves is that at least they don't censor their forums, trying to hide issues.


I'll never move on from a mikrotik router and UBNT wireless.

Also, Mikrotik routers come with a standard config that has NAT with masquerade pre-configured. But I agree there is a TON that is done behind the scenes. That level of granularity is what I am looking for.

I'm in the exact same scenario. Mikrotik router and a Ubiquiti AP. I do have an older 2011; the 3011s are much faster.

The 3rd-party firmwares aren't as powerful as Mikrotik's RouterOS, and the Mikrotik hardware is really pretty cheap, though the UI is pretty bad. They're great once you get used to the UI.

I built my own, several years ago, on a (fanless!) board like this:


It has 3 NICs, for inside, outside, and DMZ. You can also put a wifi radio on it and make it an access point.

I run a full Ubuntu on it, with local DNS, DHCP, Shorewall, etc.

I picked up a couple of these and I have to say I'm pretty impressed. They're pretty inexpensive little machines and they ship quickly from pcengines.

I have OpenBSD on one and Ubuntu on the other. I'm using the OpenBSD one for DNS, TFTP, and a handful of projects. I was thinking about making the Ubuntu one into an AP, but I'm not sure what kind of performance to expect vs my current off-the-shelf router. Have you used it as an access point?

I have an older APU1C4 with two WLAN cards (WLE200NX) and it's hosting two physical APs and a few virtual ones (different BSSID/subnet, one running at 2.4 GHz, the other at 5). I just run vanilla Debian on it... The SD card has finally become corrupted over the years, however. When I reboot it, all my changes that were supposedly flushed to disk are lost. Thankfully I only reboot it occasionally when there are critical kernel updates. I just rsync the in-memory filesystem over to facilitate restoring the previous configuration.

Anyway, I run various services on it, aside from hostapd... It acts as my firewall, gateway, access point, and runs some other services like nginx to proxy some services from my LAN across subnets (like plex, etc) and motiond as a security camera monitor. I've used it as an SSH style VPN at times, in a pinch. When our WAN goes down I can simply plug my phone in to the APU via USB and tweak some iptables rules to use the LTE connection from the phone over USB network interface.

I also have a newer APU2C4, along w/ an AC WLAN card and an msata drive... have had it for years just sitting there, grr. I really only got the newer one since it has AES-NI support on the processor and I can do much heavier VPN traffic, but the SD card issues have become annoying, so I think this post has encouraged me to finally set it up this weekend... Thanks :P

Anyway, I wouldn't hesitate to pull the trigger on any of the pcengines stuff... Go for it!

Just make sure the WLAN cards you use are well supported via hostapd. :)

I installed OpenBSD on my APU and picked up a Ubiquiti AP AC Pro for wifi. I also picked up a couple of wifi NICs that I'd intended to use with hostapd as you suggested. However, I had some spare Amazon points to throw at the Ubiquiti hardware, so I figured I'd give it a shot. It was all super simple to set up, and I'm more than happy with it so far.

Previously I was using an ASUS RT-N66U with tomato/shibby, but it had been acting a little flaky for a while: 5 GHz would stop a few times a week, eth connections would drop, overall wifi connectivity was mediocre at best. The performance was pretty similar before flashing with tomato.

My new solution is likely drawing a little more power, but I've had no problems with it. Also, I'm impressed with OpenBSD's simplicity. I've tinkered with FreeBSD in the past and found it a little complex. OpenBSD has proven to be significantly more straightforward and easy to configure.

Thanks for the encouragement!

I was planning to build a firewall/router using an ESPRESSObin http://espressobin.net/

They cost $50 and have 3 Gigabit Ethernet ports.

What's the power consumption of this setup?

Negligible... I run an APU1 w/ dual WLAN cards, and am using all of the internal NICs, and running a pile of services on it. It uses less power than a light bulb, even under full load.

A very secure solution is building your own box to run OpenBSD. There are some good guides on how to set up OpenBSD as a typical NAT router / firewall here: https://www.openbsd.org/faq/pf/example1.html

I like PF a lot more than IPTables. I've found it to be far simpler to configure.

Once you use PF, you can't really go back to iptables. The fact that you still can't create anchors or anything equivalent in iptables blows my mind. I can look at any of my older configurations from PF and understand what I was doing very quickly compared to iptables which is much harder to read and much less intuitive.

Can you briefly explain how a PF anchor is not equivalent to an iptables chain? From a very short perusal of the PF documentation it appears to be the same concept to me (i.e. a set of filtering rules you can branch to from another part of the ruleset...)

Usually the issue in setting up a PC to do this kind of stuff is power consumption. Typically it's a minimum of 60W to run an idle PC, while an ARM router would run at 1-5W and have multiple ethernet ports.

Correct me if I'm wrong - I haven't tried it - but it looks like you should be able to run OpenBSD on ARM https://www.openbsd.org/armv7.html

I'll check what the energy consumption on my router is. I'm using an AMD chip which I had lying around. You're probably right that it uses a bit more power than necessary.

I was thinking about getting something like this: https://www.amazon.com/Firewall-Micro-Appliance-Gigabit-Bare... which uses 10W. It should be easy to install *BSD on something similar.

Plenty of routers can be flashed with open source third-party firmware like OpenWRT.

I built my own.

These days, you can rely on Linux on fairly low-end CPUs to handle a gigabit of traffic, including IPv4 NAT, IPv6, firewalling, DHCP and DNS.

For serious firepower, Jetway sells a 10 x 1 Gbit tiny fanless machine with a J1900 Celeron and up to 8GB of RAM, under $400 (without RAM or disk). All most people need is 2 gigabit ports and maybe a good WiFi interface -- although I prefer to scatter consumer WiFi boxes around my house in bridge mode.

I've gone with a Ubiquiti UniFi Security Gateway.

It's not too fancy (but getting fancier as updates are delivered) and does the job well. I wasn't satisfied with the VPN options, so I port-forward to an internal host and set up static routes as required.

There are varying levels of difficulty when you want to BYO router. The situation for AT&T U-Verse isn't too fun. If you want to use your own hardware, you only have a few options:

1. They offer "IP Passthrough" which is fake Bridge Mode. They still do routing and you'll still hit NAT table limits of 4096. Connection falls apart for anything over 3000.

2. You can dump and reverse the router-gateway firmware and 802.1X/EAP authentication. Oh goodie.

3. There's a history of exploits for the NVG510, NVG589 and NVG599. Try your luck. [1] [2]

4. Create some "magic" to split the 802.1X and untag VLAN0. Works in Linux at least. [3]

5. But good luck if you want to do this in pfSense or FreeBSD. There's an open BTC bounty if you've got any netgraph / networking chops. [4]

[1]: http://earlz.net/view/2012/06/07/0026/rooting-the-nvg510-fro...

[2]: https://www.nomotion.net/blog/sharknatto/

[3]: http://blog.0xpebbles.org/Bypassing-At-t-U-verse-hardware-NA...

[4]: https://forum.pfsense.org/index.php?topic=111043.0

In the UK, they're legally required to spy on you (but not through your router).


That is why I've been running all my devices exclusively through a VPN while I'm in the UK. And yes, I'd much rather trust a commercial company with my data than the British government and the ISPs.

I do the same.

I plugged French Orange's GPON FTTH ONT into my Debian router's RJ-45 port, added a VLAN interface, added a couple of lines to my DHCP client configuration to pretend my router is some Sagem device and pass authentication to the server... And that's all: sweet 500/200 Mb/s throughput, no ISP CPE in sight (well, technically the ONT...) and Orange even waived the 3€/month CPE rental fee!

Former provider offered FTTB and I used the coaxial cable CPE as a bridge - and even when I do not have that option, I insist on having a router of my own as my network's demarcation: it is basic hygiene.

The other option for GPON would have been to plug a GPON SFP module into one of my switches; the friendly guy who laid the fiber to my apartment even left me one in case I changed my mind... But going through the switch to the router and back to the switch on a different VLAN is unnecessarily complicated in my case. Anyone want a free GPON SFP module?

I thought about bridging a Ubiquiti EdgeRouter and putting it in front of the AT&T gateway. You must pass authentication back to the gateway. Users were also reporting around 100 megs max speed, which wasn't acceptable for me since I pay for gigabit.

There is a new line of EdgeRouters out and maybe it has some acceleration for bridging. I would like this setup.

You might try this: https://github.com/jaysoffian/eap_proxy

You have to enable `set system offload ipv4 vlan enable` else your routing performance will suffer.

Hey that’s me! I’m glad it’s working for you. All credit to the folks who figured out this bypass. I just coded it up in Python when I couldn’t get some of the other solutions to work for me.

Ha! Small world on HN. I haven't personally tried the Edgerouter solution. I've been trying to replicate on pfSense/BSD, but it isn't as simple as you might think. :/


Yeah that seems like a bit of a headache. I appreciate your dedication to sticking with pfSense.

I get wirespeed routing from my ERL on my 1 Gbps connection. If it's maxing out at 100 Mbps, those folks have it configured so that it's having to route with the CPU.

I can't find the dslreports link but here is one on the Ubiquiti forums. You can see the comments below about 100 Mbps. The dslreports one was slightly different but had the same results.


That post configures the ERL in bridging mode. The ERL simply isn't suitable for that. Don't buy an ERL if you need to use it in a configuration that it can't offload and expect more than 100Mbps performance. It's got a minimal CPU, so yes, performance will suffer if it can't offload.

You don't need to use bridging mode to bypass the AT&T RG. That post probably predates the EAP proxy solution.


Is there a portal like-place to share our findings of ISPs generally in the world so that others can work together with better transparency?

I do data analytics and data engineering, and a couple of months ago I was indirectly contacted by an ISP in Spain. They were literally collecting every bit of data that their customers were seeing on the internet (websites, timestamps, how much data was transferred, etc., with the user's id, and basically in another table the name and address). I was shocked how easily they were talking about it. I didn't accept, but for sure someone has done it! I never heard the name of the ISP. I wish I hadn't barked at them so fast so I could have collected more information about them.

When I bought my first house a few years ago here in the Bay, Comcast tried to give me one of their new routers, wifi and everything built in. I let them, but I wasn't happy. I hooked up my own router and ended up double-NATing it. After a few hours of frustration I went out and bought my own cable modem, installed that and returned the one Comcast had provided. When asked why, I cited security and privacy concerns. Working for a Fortune 500 means they could easily do some sneaking and see a lot of stuff that I worked on. Either way, I use Ubiquiti hardware throughout my house. It's a bit expensive, but god is it good.

I had one of those icky things from a cable company. It is not possible to get rid of it. So the thing is sitting inside a home made Faraday cage with a Linux box acting as a router/firewall.

Does not using their own routers make ISP traffic sniffing that much harder?

I'd assume if you're using their pipes, they can see what goes through it, regardless.

Genuinely intrigued in this.

End-to-end encryption like SSL (https) is meant to limit the middle man's ability to 'see everything'. Instead of seeing the details of your Google search, all they see is that you accessed Google at [x] time, and exchanged [y] amount of data.

This is why there is such a push for end to end encryption on web traffic, chat apps, etc.

The ISP can very easily see what you searched for even with SSL. SSL encrypts the TRAFFIC so they can't see the content of the webpages, but your search terms are right there naked in the URL even though it is https secured. This is unfortunately the case for Google, Bing and even DuckDuckGo. Try it and you can see for yourself.

At least DDG offers in their options to scramble the URL but one has to know about that feature AND enable it. It is in their settings under Privacy and you have to turn OFF GET (2nd option). https://duckduckgo.com/settings#

> But your search terms are right there naked in the URL even though it is https secured

You are correct that the terms are in the URL, however only the browser and endpoint can see them. All your ISP sees is that you accessed example.com, and not example.com/search-terms-here. The TLS handshake is for the domain only, then encryption kicks in, then everything after is encrypted.

Your ISP cannot see what you are searching for, they can only see which sites you use for search.

URLs are not sent in plaintext under HTTPS. Only the hostname is, and only for SNI.

Using their CPE routers implies (but does not guarantee) that you are using them for NAT and firewalling, and thus the ISP has a device inside your security perimeter.

I've been forwarding all outgoing connections on port 80 (and a selection of other commonly-unencrypted ports) through a VPN (in the router) for a while now - but leaving all other ports (including most importantly 443) connecting directly.

It feels like a good compromise between privacy and speed.

(I realise this is not the subject of the article exactly but I figured it's a related issue.)

Interesting approach.

It has the happy property that the performance penalty will trend toward zero over time, as fewer and fewer holdout websites stick with unencrypted HTTP. Even Netflix streaming uses HTTPS these days.

By the end of the year I figure we'll have virtually no such holdouts. https://www.theregister.co.uk/2018/02/08/google_chrome_http_...

Why do you feel that way? VPNs are vastly more likely to actually read your traffic than any ISP.

Not an issue when you run your own VPN on a cheap VPS, meaning the data exits in a datacenter in a location of your choice. While they or their upstream providers will certainly have some 'lawful interception' capability, they are usually not as interested in analyzing / selling the data on their wires as the consumer-facing ISPs are.

Can you provide more background on your blanket statement?

There are good and bad VPNs but ISPs are much larger corporations with direct ties to governments. I fail to see how a good VPN is worse than ISP + Governments.

Depends on where the VPN connects to.

I control the other end of the VPN, I'm not using a public VPN service. All I care about is routing around my ISP. (Which is Comcast - whom I do not trust.)

Another cool thing about WiFi routers is that you can use them as radars to monitor people in a home. The 2.4 GHz frequency is perfect for reflecting off water bodies while having great penetration through walls.

I recently listened to a podcast with the founders of a startup by the name of Aerial (https://aerial.ai) that is doing real-time location mapping and activity detection using wifi and deep learning.

NOTE: I'm in no way related to this company or the podcast (aside from being an occasional listener).

Episode page: https://twimlai.com/talk/107

Direct episode link: https://feeds.soundcloud.com/stream/393602724-twiml-twiml-ta...

Episode description:

In this episode I’m joined by Michel Allegue and Negar Ghourchian of Aerial.ai. Aerial is doing some really interesting things in the home automation space, by using wifi signal statistics to identify and understand what’s happening in our homes and office environments.

Michel, the CTO, describes some of the capabilities of their platform, including its ability to detect not only people and pets within the home, but surprising characteristics like breathing rates and patterns. He also gives us a look into the data collection process, including the types of data needed, how they obtain it, and how it is parsed. Negar, a senior data scientist with Aerial, describes the types of models used, including semi-supervised, unsupervised and signal processing based models, and how they’ve scaled their platform, and provides us with some real-world use cases.

How can I try this? How can I use my router as a radar? Is there any specific software (better if open source)?

I wonder what kind of resolution you can achieve.

Would it be ghostly figures or more like black and white photos?

The URLs [1] [2] describe the content. I thought [1] was interesting but not answering your question. [2] answers your question, and shows black and white and thermal pictures.

[1] https://www.medgadget.com/2014/06/mits-wifi-system-detects-p... (June 2014)

[2] https://hackaday.io/project/5452-wifi-thermal-camera (2015)

[EDIT] I stand corrected, [2] is unrelated. My bad! Here's some good sources as alternative.

"MIT turns Wi-Fi Into Indoor GPS New tech from CSAIL lab lets one Wi-Fi device locate another to within centimeters" [3]

"RF-Capture: Capturing the Human Figure Through a Wall

It can know who the person behind a wall is. It can trace a person's handwriting in air from behind a wall. It can determine how a person behind a wall is moving." [4]

They also contain further resources.

[3] https://spectrum.ieee.org/tech-talk/telecom/wireless/mit-tur...

[4] http://rfcapture.csail.mit.edu/

[2] is a thermal camera with WiFi connectivity, it's completely unrelated.

Thank you for the correction, I updated the post with new information whilst keeping the discussion intact w/your post.

I would like more details on this. Especially links to any software that lets you "see" in the 2.4 GHz spectrum.

I saw this guy the other day - very interesting tech, but doesn’t address your specific question.


There are a lot of people doing research in this space:


That router looks like its control panel is hosted on an external server. Router control panels usually show what devices are connected. So for router control panel functionality, they need to have the router report all connected devices to the server. Obviously they should be doing this encrypted, not unencrypted.

But ignoring encryption, this is the price you pay for cloud management: the cloud knows your data.

Remember, the TR-069 traffic starts at your device, and terminates at their end, it's not making it out onto the public internet, it's entirely within the ISP network.

That's not to say it still shouldn't be encrypted, but with a FTTH connection using a PON network there's already physical layer encryption going on typically, otherwise a custom configured ONT could snoop on other people's traffic on the same segment.

> otherwise a custom configured ONT could snoop on other people's traffic on the same segment.

Why would an ISP care about that?

If there's already encryption, how did the author snoop on the content?

> it's not making it out onto the public internet, it's entirely within the ISP network.

What if technical support is outsourced to a call-center in India?

Is it just me or does this look like a huge opportunity? Last I checked we still have control over our devices, and if they are stupid enough to trust the data they collect, then we should feel free to poison the well. I'm talking about opening random connections to endpoints (either random or those we want to protect), to inject noise into the system. I call the idea "data flak". It could be something as simple as a daemon running in the background, or a browser plugin. You want to spy on my traffic? Fine, good luck picking out my real behavior from the gigabytes of utter crap I'm shoving into your sensors. This works not just at the ISP level, but at every intermediate host, too.

The only counter is for an adversary to own your box, which is far more expensive.

>The only counter is for an adversary to own your box, which is far more expensive.

or require your clients to run your software, like in AOL days

Well, in general, you'd want to draw a causal link between real physical measurement and network traffic; so yeah, if you own the client (and can accurately determine whether or not it's running in a VM, and/or manipulated by a robot, which is tricky) you can filter out the data flak. If I worked for a data-collection org I'd probably ignore (or blacklist, if I could get away with it) a known source of noise.

In Germany you are able to use any router you want, regardless of which ISP you use.


Do ISPs actually prevent you from doing that? At the very least you can hook your router up to the ISP's router and set up a DMZ?

No. DSL-providers are legally obliged to let the customers use their own equipment (which includes the account details / passwords to establish the connection). Most of them even provide the details for the SIP connection that is included most of the times. If I remember correctly cable providers were fighting this - not sure about the final outcome...

I always assume that they might be. So I always use my own perimeter router/firewall running pfSense. Plus I use VPN services. And so my ISPs don't end up seeing anything except encrypted streams. And have no visibility into my VLANs.

You're just paying some extra third-party that handles all your traffic now. What's to prevent them from doing the same? You're moving trust to another actor.

You should not trust anyone handling your traffic, that's why things like HTTPS and SSH exist.

The problem here is not that the ISP cannot be trusted; you should never trust them anyway. The problem is that the ISP is using their router to force their way into what is supposed to be the trusted part of your network, your LAN.

This is exactly why I don't use the ISP provided router, and every piece of equipment of theirs I have to use (mainly the IPTV box) is in a separate, untrusted, VLAN.

Personally I very much agree that using a vpn service for all your traffic is probably not a good idea. As well as other objections, some have been confirmed to sell fine grain traffic information, and may have an easier time justifying that as it is arguably anonymised.

That said, if you set up your own vpn on a digital ocean node, moving your network boundary to the datacentre, then the cloud hosting companies network that you end up trusting is less likely to be set up to spy on you then a consumer isp.

I get bad speed though when I do this. The processing speed required to encrypt a connection at 300 Mbps just isn't there in my router.

> in my router

That's probably the issue. A general purpose machine (with AES-NI), slap OpenBSD on it, disable DHCP server on your ISP router, let OpenBSD handle that... and done! (not for the faint of heart though)

You might even add a NIC to it, and act as another physical hop for firewalling, etc.

I've had good luck with pfSense as a VPN client. Either as VMs, or on dedicated hardware with a decent CPU. If you're wanting more than 100 Mbps, however, you probably also want a cryptoprocessor chip.

Thanks for the tip - I'll try out a connection with AES-NI CPUs at both ends and see if that helps...

Sure I am, but they're a VPN service with a long history of protecting users from snooping. And they don't do business from the jurisdiction that I'm subject to. So targeted surveillance would be harder. Not impossible, of course, by major national intelligence organizations. But hey.

Also, I don't rely on just the one VPN service. I use nested chains of VPNs, and so distribute trust among multiple providers doing business from different jurisdictions. Just as Tor does with three-relay circuits. Sometimes I use private VPNs running on anonymously leased VPS.

Finally, each of my personas uses a different nested VPN chain, or Tor (Whonix) through other nested VPN chains. So linking my various personas would be nontrivial.

It's easy to move your VPN to an arbitrary VPS anywhere in the world, but there's only a handful of residential ISPs available in any given area, and they are almost universally scummy.

> and they are almost universally scummy

Source? I do not think most of the ISPs in my area are particularly scummy. They provide reliable plain internet service with no data caps (and also TV/phone service if you so desire) for a reasonable monthly fee, and in my experience, most of them hire enough customer service workers on their support phone. All of them also resisted internet filtering until the legal system forced them to do so. What more is there to ask of an ISP?

Good for you.

In my area none of them provide reliable internet service, most of them enforce some censorship and have poor customer service, and all of them perform the legally-mandated surveillance.

> What more is there to ask?

Taking care of insecure IoT devices would be a start: https://news.ycombinator.com/item?id=15946095

> there's only a handful of residential ISPs available in any given area

Depends on where you live, I haven't exactly counted them but I have at least 20 options. Worst-case you can start your own ISP.

Scummy often by law; if it were up to many ISPs, like in the early days of the internet, they would only care whether you paid your monthly bill.

> there's only a handful of residential ISPs available

Where I live the nationwide fiber network has around 100 ISPs available of varying reputation.

Wikipedia says that PPPoE "offers encryption" but now I'm curious if this is effective, and actually used by anyone...

Having the wire, especially if it's fibre, between your home and ISP encrypted is probably of extremely limited value. Your ISP has access to the (unencrypted) endpoint anyway, and any adversary with the resources to actually tap your fibre probably has higher-value and more easily accessible means of spying on you anyway.

Mikrotik devices are also very nice for this (router). Not too expensive, stable and well supported.

Commercial VPN services are not a good idea in the first place https://gist.github.com/joepie91/5a9909939e6ce7d09e29

As discussed in the thread[0] on this from the other day it's largely FUD.

Fundamentally a VPN service allows you greater control over who you trust with your traffic. You always have to trust someone[1]. For example I trust F-Secure and the Finnish court system much more than I trust Virgin Media, GCHQ and the British court system, which is why I run Freedome and route my traffic through Finland. As pointed out in another subthread here, UK ISPs are required to collect a bunch of data by the Snooper's Charter; the same is not true in Finland.

0: https://news.ycombinator.com/item?id=16371030

1: The default for many people is their local ISP, which might or might not be a good entity to trust based on where you are. In many places you also have very few choices when it comes to your ISP.

I don't know if it's true, but I've heard that some ISPs route your entire traffic through their machines. They even have access to your IP packets. Very shady!

ISPs intercepting HTTP traffic to modify it is far from unheard of. In the best case, this is to notify customers of required changes. This is actually used by Comcast [1]. In the worst case, this is a service sold to advertisers, or a service that includes arbitrary JavaScript injection. For something close to the worst case, see [2] (previously discussed on HN [3]).

[1] https://tools.ietf.org/html/rfc6108

[2] https://defplex.wordpress.com/2017/08/15/how-a-south-african...

[3] https://news.ycombinator.com/item?id=15423393

Why on Earth would you visit plain HTTP sites with JavaScript enabled?

Because you have to be in the know-how and do work to achieve that?

You're so late to the party. Verizon even adds tracking cookies to your outgoing HTTP requests.

Somewhere someone could be selling your data for money. I can imagine the below happening. After all, all corporates are hand-in-glove with each other when it comes to the public's privacy.

This is probably what your ISP is doing. Take your MAC addresses, try to find the phones in your house which are connected to the wifi, take those MAC addresses to all the telecoms, get the SIM card number and the phone number associated with those MAC numbers, send those phone numbers to the banks to find matching bank accounts and the associated credit card number, along with your registered email address, get the purchase history from the bank on the credit card number, compare it with your browsing history and sell all of this to another company and make money.

"Somewhere someone could be selling your data for money"

Depending upon country that would be illegal. I can be reasonably sure my ISP or telco isn't.

That is very soon illegal in the EU thanks to the GDPR, and it is already in some countries like Germany.

Absolutely not.

GDPR is a nightmare for websites, because of the consent rule.

But guess what is the first thing you do with an ISP. You sign a contract. Done. It's all legal, with GDPR or not.

In Recital 43, the GDPR adds a presumption that consent is not freely given if there is “a clear imbalance between the data subject and the controller, in particular where the controller is a public authority.” Importantly, a controller may not make a service conditional upon consent, unless the processing is necessary for the service. Also, data subjects have the right to withdraw given consent.

They had similar wording to the cookie things. You had to say for what feature the cookie would be used, at the time the user was actually starting use of the feature. Advertising? Logging in? ... In the end everyone just says "to use this website" and uses it for whatever (but mostly ads).

This isn't an issue if you're not using the ISP equipment, or put the ISP equipment into a bridge modem mode.

For instance, BT in the UK do the same reporting over TR-069 if you use their home hub - however - if you connect a different VDSL modem/router you can disable TR-069, and if you use a dedicated VDSL modem in bridged mode and a wireless router behind that there's no TR-069 to worry about in the first place.

Or if you just use the provided router, either in bridge mode or in regular mode, the only device it will ever see and report on is your own router, which is hardly a critical leak.

I recently learned about this when I reported Internet speed issues to my home ISP (upload was basically impossible, while download was at 100 MBit/s).

They said they'd look into it, but they couldn't process my claim unless they could prove something was connected via Ethernet to their router. (They apparently never trust customer WiFi speed test results, probably because WiFi on their crappy routers can be notoriously unreliable.)

I ultimately had to connect something to the router's Ethernet port, so I grabbed another WiFi router, configured it as an access point, plugged it in, and voilà, they could verify that a device was connected and processed my complaint.

Obviously customer service reps can easily get access to a list of what is connected to the router.

One time the next-tier tech shut off my WiFi while I was troubleshooting with the entry-level phone support; I hadn't been warned this was an option or would happen so it really rubbed me the wrong way.

Problem is in the US ISP they can sell your data without telling you. So I prefer to keep my data away from them. I trust Google more to not sell my data and fine with them renting it out. Others might not. So use them for DNS for example so it does not go to my ISP.

https://www.usatoday.com/story/tech/news/2017/04/04/isps-can... ISPs can now collect and sell your data: What to know about Internet ...

Two huge cases from previous years:



Your router is critical, and choosing them wisely is one of the most important things if you care about some security.

Every now and then, we are reminded that our router remains the prominent data collector for our online presence. And ISP, the prominent data aggregator. And neither are really too keen to protect our data online.

My ISP provides an online user interface where I can remotely change my Wi-Fi password even if I haven't explicitly enabled port forwarding. If they have access to that, I don't see why they can't easily see my network shares and its contents (I don't password protect the directories for convenience reasons).

I've long ago lost the PPPoE password and this same router gets it automatically somehow. When I install another router, it won't do that.

Well, who isn't? Even at the most basic level, my local ISP is injecting ads into browsers.

The original title before the admins changed it was "Your ISP is Probably Spying On You", and you wrote:

> well, who isn't?

I can understand that we all get weary from the constant news of yet another privacy intrusion, surveillance method being discovered, or new government law eroding privacy. But why be dismissive? When Snowden revealed what he knew, it confirmed what I had already suspected. But I didn't go and say, "well of course, we all knew that we were being illegally spied on". I thought that getting the specific information was very important.

As far as I can tell we should just be safety first. This does indeed mean getting as much information about how to browse privately.

If we all use tor, it will help the tor project because then it's harder to spot individuals using it.

Tor is slightly slower, but it's pretty much a perfect browser replacement. The only reason I don't use it all the time is that I like my browser history. Plus I've got a self built VPN which is about as good as I can hope for.

My apologies, I did read the article and then commented. The author is obviously privacy focused and is writing for a similar audience. Unfortunately, here in India, things are quite different as there are very few legal measures to protect privacy and there is a general lack of awareness regarding why digital privacy actually matters. Things are so bad at some places that even local ISPs (even with no BGP AS) are able to collect data, and sell it to markets in Gaffar for as low as 2 USD (for instance a list of 25K users with their browsing habits). A small, cottage industry of data mining and selling operates with zero implications and even the cops can't do anything about it as they are brutally unaware about the privacy laws and shrug it off. I have my own VPN setup (OpenVPN to tinc mesh over scaleway/hetzner) for my general surfing and have configured it for my whole family through a raspberry pi as well. But again, when the smallest of enterprises can operate with zero ramifications for mining, there is little you can do en masse without the backing of an informed government.

That is so fucked up. That isn't the case at all over here. Why do people accept it, a monopoly in their area?

Unfortunately people are simply unaware about their rights in general regarding privacy and the locals laws are not stringent. They are not even aware that their data is being collected, and even if they knew, they can do little about it. Privacy focused users create their own infrastructure or get VPN, rest all contribute to a small cottage industry of data collection, analysis and selling unknowingly.

My ISP never gave me a router. Just an Ethernet cable coming into my apartment :)

I got a fiber cable coming in through a hole in the doorframe to the balcony, and an ONU box to convert the fiber media to Ethernet. Everything else is my own responsibility.

Who didn't think they were being spied on?

This is why you used https to hide the full URL, VPN to push the problem to a 3rd party who might care a bit more about privacy and then Tor on top of it all.

Here's the good old EFF explanation [0]

[0]: https://www.eff.org/pages/tor-and-https

> This is why you used https to hide the full URL, VPN to push the problem to a 3rd party who might care a bit more about privacy and then Tor on top of it all.

Did you read the article? The ISP-provided modem/router automatically sends an overview of devices actively connected to the router (with their MAC address, name, and whether they are currently connected) to the ISP.

This is a different issue than private browsing and using a VPN/HTTPS/Tor is not going to solve this particular problem. The solution to this problem is replacing the router or putting another router between the ISP router and your internal network to hide your internal network from the ISP-provided router.

Good point, my bad, I'd skimmed it and not read the bit after the XML text. The title was somewhat misleading, and the HN admins have changed it now.

I'd still be more concerned about my unencrypted HTTP traffic though.

No, don't run Tor over VPN. It's VPN over Tor.

Tor provides anonymity, VPN provides privacy. You want anonymity between you and the VPN, and privacy between you and internet hosts.

From the OpSec for xyz series: https://grugq.github.io/presentations/Keynote_The_Grugq_-_OP... • TOR connection to a VPN => OK • VPN connection to TOR => GOTO JAIL

This site [0] explicitly says that VPN over Tor is a bad idea. It's quite possible it's wrong. But I don't understand why?

[0]: https://www.expressvpn.com/how-to-use-vpn/tor-vpn

Please use the original title.

The Original posters did use the title of the blogpost. @Admins, why did you change it?

I feel like the original title "Your ISP is Probably Spying On You" better describes what this post is about. Not using the original router can be due to all kinds of reasons, not just privacy

The HN guidelines ask: "Please use the original title, unless it is misleading or linkbait." This one was linkbait—it used the linkbait "you" twice. We took that out.


I could figure out that "you" doesn't refer to me personally, and so can the rest of HN. There's nothing "linkbait" about it.

You can express your opinion about the original title in a comment. There's no need to impose this (twisted, IMO) view on everyone.

As the people who read the most headlines here, probably by an order of magnitude, I'm afraid we have to pull rank on that. Gratuitous "you" in titles is one of the biggest linkbait tropes there is. Presumably we're all wired to direct our attention to someone saying "hey you!"; headline writers learned to take advantage of this and have been milking it ever since.

ISP Spy: Hey boss, looks like this guy in Oslo has a friend called Dave who owns an Android device. ISP CEO: This is it! We're gonna be rich, boys! Arrange a meeting with GlobalAdvertCorp immediately.
