A lot of ISPs will perform remote diagnosis by connecting into your router and scanning your internal hosts to see if there are any problems.
Between that capability and the generally appalling security of routers, you’re basically on Starbucks WiFi from a security perspective even at home.
Important note: buying an off-the-shelf Netgear/TP-Link/Linksys/whatever might stop your ISP remoting in, but it is still wildly full of vulnerabilities.
However, I gave up on consumer hardware and went with Ubiquiti for the wifi AP and Mikrotik as my router. It was a bit of a pain to set up all my NAT rules in the Mikrotik router because unfortunately consumer devices do a lot of extra work behind the scenes (like setting up NAT reflection) to make NAT work painlessly. I'm perfectly content with the end result now though.
There was something almost zen-like about watching 300Mbps of traffic transiting my RB3011 and seeing it utilize 6% CPU.
Ultimately, either is a fine solution and an ER-X is going to be a lot less fiddly to setup.
There appear to be many bugs related to offloading as well. The example below is what finally made me decide not to consider Ubnt routers. It may be fixed now, maybe, but even if it is, it was broken for way too long and shrouded in too much mystery, not even making it obvious which models are affected (the thread title was not always that specific either). I can't take Ubnt seriously, even for a home environment, after seeing that basic forwarding is that poor and it's not even their highest priority.
The only good thing that this proves is that at least they don't censor their forums, trying to hide issues.
Also, Mikrotik routers come with a standard config that has NAT w/ masquerade preconfigured. But I agree there is a TON that is done behind the scenes. That level of granularity is what I am looking for.
The 3rd-party firmwares aren't as powerful as Mikrotik's RouterOS, and the Mikrotik hardware is really pretty cheap, though the UI for it is pretty bad. They're great once you get used to the UI.
It has 3 NICs, for inside, outside, and DMZ. You can also put a wifi radio in it and make it an access point.
I run a full Ubuntu on it, with local DNS, DHCP, Shorewall, etc.
I have openbsd on one and ubuntu on the other. I'm using the openbsd one for dns, tftp, and a handful of projects. I was thinking about making the ubuntu one into an ap but I'm not sure about what kind of performance to expect vs my current off the shelf router. Have you used it as an access point?
Anyway, I run various services on it, aside from hostapd... It acts as my firewall, gateway, and access point, and runs some other services like nginx to proxy some services from my LAN across subnets (like Plex, etc.) and motiond as a security camera monitor. I've used it as an SSH-style VPN at times, in a pinch. When our WAN goes down I can simply plug my phone into the APU via USB and tweak some iptables rules to use the LTE connection from the phone over the USB network interface.
I also have a newer APU2C4, along w/ an AC WLAN card and an msata drive... have had it for years just sitting there, grr. I really only got the newer one since it has AES-NI support on the processor and I can do much heavier VPN traffic, but the SD card issues have become annoying, so I think this post has encouraged me to finally set it up this weekend... Thanks :P
Anyway, I wouldn't hesitate to pull the trigger on any of the pcengines stuff... Go for it!
Just make sure the WLAN cards you use are well supported via hostapd. :)
Previously I was using an ASUS RT-N66U with Tomato/Shibby, but it had been acting a little flaky for a while: 5GHz would stop a few times a week, Ethernet connections would drop, and overall wifi connectivity was mediocre at best. The performance was pretty similar before flashing with Tomato.
My new solution is likely drawing a little more power, but I've had no problems with it. Also, I'm impressed with OpenBSD's simplicity. I've tinkered with FreeBSD in the past and found it a little complex. OpenBSD has proven to be significantly more straightforward and easy to configure.
Thanks for the encouragement!
They cost $50 and have 3 Gigabit Ethernet ports.
I like PF a lot more than iptables. I've found it to be far simpler to configure.
I'll check what the energy consumption on my router is. I'm using an AMD chip which I had lying around. You're probably right that it uses a bit more power than necessary.
I was thinking about getting something like this: https://www.amazon.com/Firewall-Micro-Appliance-Gigabit-Bare... which uses 10W. It should be easy to install *BSD on something similar.
These days, you can rely on Linux on fairly low-end CPUs to handle a gigabit of traffic, including IPv4 NAT, IPv6, firewalling, DHCP and DNS.
For serious firepower, Jetway sells a 10 x 1 Gbit tiny fanless machine with a J1900 Celeron and up to 8GB of RAM, under $400 (without RAM or disk). All most people need is 2 gigabit ports and maybe a good WiFi interface -- although I prefer to scatter consumer WiFi boxes around my house in bridge mode.
It's not too fancy (but getting fancier as updates are delivered) and does the job well. I wasn't satisfied with the VPN options, so I port-forward to an internal host and set up static routes as required.
1. They offer "IP Passthrough" which is fake Bridge Mode. They still do routing and you'll still hit NAT table limits of 4096. Connection falls apart for anything over 3000.
2. You can dump and reverse the router-gateway firmware and 802.1X/EAP authentication. Oh goodie.
3. There's a history of exploits for the NVG510, NVG589 and NVG599. Try your luck.
4. Create some "magic" to split the 802.1X and untag VLAN0. Works in Linux at least.
5. But good luck if you want to do this in pfSense or FreeBSD. There's an open BTC bounty if you've got any netgraph / networking chops.
Former provider offered FTTB and I used the coaxial cable CPE as a bridge - and even when I do not have that option, I insist on having a router of my own as my network's demarcation: it is basic hygiene.
The other option for GPON would have been to plug a GPON SFP module into one of my switches; the friendly guy who laid the fiber to my apartment even left me one in case I changed my mind... But going through the switch to the router and back to the switch on a different VLAN is unnecessarily complicated in my case. Anyone want a free GPON SFP module?
There is a new line of EdgeRouters out and maybe it has some acceleration for bridging. I would like this setup.
You have to enable `set system offload ipv4 vlan enable` else your routing performance will suffer.
You don't need to use bridging mode to bypass the AT&T RG. That post probably predates the EAP proxy solution.
I do data analytics and data engineering, and a couple of months ago I was indirectly contacted by an ISP in Spain. They were literally collecting every bit of data that their customers were seeing on the internet (websites, timestamps, how much data was transferred, etc.) with the user's ID, and basically, in another table, name and address. I was shocked at how easily they were talking about it. I didn't accept, but for sure someone has done it! I never heard the name of the ISP; I wish I hadn't barked at them so fast and had collected more information about them.
I'd assume if you're using their pipes, they can see what goes through it, regardless.
Genuinely intrigued in this.
This is why there is such a push for end to end encryption on web traffic, chat apps, etc.
At least DDG offers in their options to scramble the URL but one has to know about that feature AND enable it. It is in their settings under Privacy and you have to turn OFF GET (2nd option). https://duckduckgo.com/settings#
You are correct that the terms are in the URL, however only the browser and endpoint can see them. All your ISP sees is that you accessed example.com, and not example.com/search-terms-here. The TLS handshake is for the domain only, then encryption kicks in, then everything after is encrypted.
Your ISP cannot see what you are searching for, they can only see which sites you use for search.
It feels like a good compromise between privacy and speed.
(I realise this is not the subject of the article exactly but I figured it's a related issue.)
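To make the "ISP sees the domain, not the path" point concrete, here is an added example (not code from the thread or from any of the vendors mentioned) that hand-builds a minimal TLS ClientHello carrying an SNI extension, then parses it the way a passive on-path observer would. The ClientHello layout follows RFC 5246/6066; the random, cipher suite and `mock_encrypted_record` are assumptions constructed for the demo (a fixed XOR stands in for the real AEAD ciphertext so the script runs with the standard library only). Nothing touches the network.

```python
"""
Added example: what a passive observer (ISP, DPI box) can read from an HTTPS
connection without any keys.  The server name is cleartext in the ClientHello's
server_name (SNI) extension; the HTTP request line with path and query string
only exists inside encrypted application-data records.
"""
import struct


def build_client_hello(server_name):
    """Construct a minimal TLS ClientHello record.  If server_name is None the
    hello carries no extensions at all (legal, and what some old clients do).
    Random bytes and the single cipher suite are dummy values."""
    if server_name is None:
        extensions = b""
    else:
        host = server_name.encode("ascii")
        # ServerName: name_type(1)=host_name(0) | name_len(2) | name
        sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        # ExtensionType server_name(0) | ext_len(2) | ServerNameList
        sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                   # client_version TLS 1.2
        + b"\x11" * 32                # random (dummy)
        + b"\x00"                     # session_id length 0
        + b"\x00\x02" + b"\xc0\x2f"   # one cipher suite (dummy choice)
        + b"\x01\x00"                 # one compression method: null
        + extensions
    )
    # Handshake header: HandshakeType client_hello(1) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: ContentType handshake(22), version, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI hostname if `record` is a ClientHello with a server_name
    extension, else None.  Pure byte walking; no keys involved."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                  # not a handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                  # not a ClientHello
    body = hs[4:]
    pos = 2 + 32                                     # skip version + random
    pos += 1 + body[pos]                             # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                             # compression_methods
    if pos + 2 > len(body):
        return None                                  # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0x0000:                          # server_name
            # skip ServerNameList length(2) and name_type(1)
            name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return None


def mock_encrypted_record(plaintext):
    """Stand-in for a TLS application_data record.  A real session carries
    AEAD ciphertext here; a fixed XOR is used so the demo needs no crypto
    library.  The point is only that the plaintext is not on the wire."""
    ct = bytes(b ^ 0x5A for b in plaintext)
    return b"\x17\x03\x03" + struct.pack("!H", len(ct)) + ct


def observer_view(records):
    """Classify each record as an ISP-side tap would: handshake records yield
    the SNI (if any); application_data is opaque."""
    out = []
    for rec in records:
        if rec[0] == 0x16:
            out.append(("handshake", extract_sni(rec)))
        elif rec[0] == 0x17:
            out.append(("application_data", None))
        else:
            out.append(("other", None))
    return out


if __name__ == "__main__":
    hello = build_client_hello("duckduckgo.com")
    req = mock_encrypted_record(b"GET /?q=my+secret+search HTTP/1.1\r\n"
                                b"Host: duckduckgo.com\r\n\r\n")
    for kind, sni in observer_view([hello, req]):
        print(kind, sni)
```

Two caveats a practitioner would add: the hostname also leaks through plain DNS lookups unless those are encrypted too, and Encrypted Client Hello, where a client and server both support it, is what removes the hostname from the ClientHello itself. Turning a search form from GET to POST changes nothing for the ISP, since the query string and the body are both inside the encrypted records.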
It has the happy property that the performance penalty will trend toward zero over time, as fewer and fewer holdout websites stick with unencrypted HTTP. Even Netflix streaming uses HTTPS these days.
By the end of the year I figure we'll have virtually no such holdouts. https://www.theregister.co.uk/2018/02/08/google_chrome_http_...
There are good and bad VPNs but ISPs are much larger corporations with direct ties to governments. I fail to see how a good VPN is worse than ISP + Governments.
NOTE: I'm in no way related to this company or the podcast (aside from being an occasional listener).
Episode page: https://twimlai.com/talk/107
Direct episode link: https://feeds.soundcloud.com/stream/393602724-twiml-twiml-ta...
In this episode I’m joined by Michel Allegue and Negar Ghourchian of Aerial.ai. Aerial is doing some really interesting things in the home automation space, by using wifi signal statistics to identify and understand what’s happening in our homes and office environments.
Michel, the CTO, describes some of the capabilities of their platform, including its ability to detect not only people and pets within the home, but surprising characteristics like breathing rates and patterns. He also gives us a look into the data collection process, including the types of data needed, how they obtain it, and how it is parsed. Negar, a senior data scientist with Aerial, describes the types of models used, including semi-supervised, unsupervised and signal processing based models, and how they’ve scaled their platform, and provides us with some real-world use cases.
Would it be ghostly figures or more like black and white photos?
 https://www.medgadget.com/2014/06/mits-wifi-system-detects-p... (June 2014)
 https://hackaday.io/project/5452-wifi-thermal-camera (2015)
[EDIT] I stand corrected, is unrelated. My bad! Here are some good sources as an alternative.
"MIT turns Wi-Fi Into Indoor GPS
New tech from CSAIL lab lets one Wi-Fi device locate another to within centimeters" 
"RF-Capture: Capturing the Human Figure
Through a Wall
It can know who the person behind a wall is.
It can trace a person's handwriting in air from behind a wall.
It can determine how a person behind a wall is moving." 
They also contain further resources.
There are a lot of people doing research in this space:
But ignoring encryption, this is the price you pay for cloud management: the cloud knows your data.
That's not to say it still shouldn't be encrypted, but with a FTTH connection using a PON network there's typically already physical-layer encryption going on, otherwise a custom-configured ONT could snoop on other people's traffic on the same segment.
Why would an ISP care about that?
What if technical support is outsourced to a call-center in India?
The only counter is for an adversary to own your box, which is far more expensive.
or require your clients to run your software, like in AOL days
The problem here is not that the ISP cannot be trusted; you should never trust them anyway. The problem is that the ISP is using their router to force their way into what is supposed to be the trusted part of your network, your LAN.
This is exactly why I don't use the ISP provided router, and every piece of equipment of theirs I have to use (mainly the IPTV box) is in a separate, untrusted, VLAN.
That said, if you set up your own VPN on a Digital Ocean node, moving your network boundary to the datacentre, then the cloud hosting company's network that you end up trusting is less likely to be set up to spy on you than a consumer ISP.
I get bad speed though when I do this. The processing power required to encrypt a connection at 300Mbps just isn't there in my router.
That's probably the issue. A general purpose machine (with AES-NI), slap OpenBSD on it, disable DHCP server on your ISP router, let OpenBSD handle that... and done! (not for the faint of heart though)
You might even add a NIC to it, and act as another physical hop for firewalling, etc.
Also, I don't rely on just the one VPN service. I use nested chains of VPNs, and so distribute trust among multiple providers doing business from different jurisdictions, just as Tor does with three-relay circuits. Sometimes I use private VPNs running on anonymously leased VPSs.
Finally, each of my personas uses a different nested VPN chain, or Tor (Whonix) through other nested VPN chains. So linking my various personas would be nontrivial.
Source? I do not think most of the ISPs in my area are particularly scummy. They provide reliable plain internet service with no data caps (and also TV/phone service if you so desire) for a reasonable monthly fee, and in my experience, most of them hire enough customer service workers on their support phone. All of them also resisted internet filtering until the legal system forced them to do so. What more is there to ask of an ISP?
In my area none of them provide reliable internet service, most of them enforce some censorship and have poor customer service, and all of them perform the legally-mandated surveillance.
Taking care of insecure IoT devices would be a start: https://news.ycombinator.com/item?id=15946095
Depends on where you live, I haven't exactly counted them but I have at least 20 options. Worst-case you can start your own ISP.
Where I live the nationwide fiber network has around 100 ISPs available of varying reputation.
Wikipedia says that PPPoE "offers encryption" but now I'm curious if this is effective, and actually used by anyone...
Fundamentally a VPN service allows you greater control over who you trust with your traffic. You always have to trust someone. For example, I trust F-Secure and the Finnish court system much more than I trust Virgin Media, GCHQ and the British court system, which is why I run Freedome and route my traffic through Finland. As pointed out in another subthread here, UK ISPs are required to collect a bunch of data by the Snooper's Charter; the same is not true in Finland.
1: The default for many people is their local ISP, which might or might not be a good entity to trust depending on where you are. In many places you also have very few choices when it comes to your ISP.
This is probably what your ISP is doing. Take your MAC addresses, try to find the phones in your house which are connected to the wifi, take those MAC addresses to all the telecoms, get the SIM card number and the phone number associated with those MAC addresses, send those phone numbers to the banks to find matching bank accounts and the associated credit card number along with your registered email address, get the purchase history from the bank on the credit card number, compare it with your browsing history, and sell all of this to another company and make money.
Depending upon country that would be illegal. I can be reasonably sure my ISP or telco isn't.
GDPR is a nightmare for websites, because of the consent rule.
But guess what the first thing you do with an ISP is. You sign a contract. Done. It's all legal, GDPR or not.
For instance, BT in the UK do the same reporting over TR-069 if you use their home hub - however - if you connect a different VDSL modem/router you can disable TR-069, and if you use a dedicated VDSL modem in bridged mode and a wireless router behind that there's no TR-069 to worry about in the first place.
They said they'd look into it, but they couldn't process my claim unless they could prove something was connected via Ethernet to their router. (They apparently never trust customer WiFi speed test results, probably because WiFi on their crappy routers can be notoriously unreliable.)
I ultimately had to connect something to the router's Ethernet port, so I grabbed another WiFi router, configured it as an access point, plugged it in, and voilà, they could verify that a device was connected and processed my complaint.
Obviously customer service reps can easily get access to a list of what is connected to the router.
ISPs can now collect and sell your data: What to know about Internet ...
Your router is critical, and choosing it wisely is one of the most important things if you care about security at all.
I've long ago lost the PPPoE password and this same router gets it automatically somehow. When I install another router, it won't do that.
> well, who isn't?
I can understand that we all get weary from the constant news of yet another privacy intrusion, surveillance method being discovered, or new government law eroding privacy. But why be dismissive? When Snowden revealed what he knew, it confirmed what I had already suspected. But I didn't go and say, "well of course, we all knew that we were being illegally spied on". I thought that getting the specific information was very important.
If we all use tor, it will help the tor project because then it's harder to spot individuals using it.
Tor is slightly slower, but it's pretty much a perfect browser replacement. The only reason I don't use it all the time is that I like my browser history. Plus I've got a self built VPN which is about as good as I can hope for.
This is why you use HTTPS to hide the full URL, a VPN to push the problem to a 3rd party who might care a bit more about privacy, and then Tor on top of it all.
Here's the good old EFF explanation 
Did you read the article? The ISP-provided modem/router automatically sends an overview of devices actively connected to the router (with their MAC address, name, and whether they are currently connected) to the ISP.
This is a different issue than private browsing and using a VPN/HTTPS/Tor is not going to solve this particular problem. The solution to this problem is replacing the router or putting another router between the ISP router and your internal network to hide your internal network from the ISP-provided router.
I'd still be more concerned about my unencrypted HTTP traffic though.
Tor provides anonymity, VPN provides privacy.
You want anonymity between you and the VPN, and privacy between you and internet hosts.
From the OpSec for xyz series:
• TOR connection to a VPN => OK
• VPN connection to TOR => GOTO JAIL
I feel like the original title "Your ISP is Probably Spying On You" better describes what this post is about. Not using the original router can be due to all kinds of reasons, not just privacy
You can express your opinion about the original title in a comment. There's no need it impose this (twisted, IMO) view on everyone.