Nobody should use ISP provided equipment for anything security sensitive, ever. ISPs don't care about security at all, aside from "security" as a sales term, and aside from when they're getting a bad name because of egregious failures.
ARRIS shouldn't be given a year embargo, either. They're the same company who've known since 2016 about hardware issues which cannot be corrected in software in the Intel PUMA chipsets, yet they still to this day sell devices with them. They don't care about fixing things - they care about selling things.
I think generally you don't get a choice when it comes to DOCSIS equipment. You can't just connect up your own (or at least not on Virgin Media's network).
This is one of the few positives I'll give to Comcast/Xfinity. I'm able to purchase my own DOCSIS modem (as long as it's on their compatibility list) instead of renting one from them.
AT&T U-verse I couldn't bring my own modem, and I understand that they're not a DOCSIS network either.
I brought my own modem to WideOpenWest, and it wasn't even on the compatibility list. Just gave them the MAC, and a few moments later I had DHCP. Been solid for 9 years now.
Although as of a few weeks ago, WOW has announced bandwidth caps, so I have to rescind my former glowing recommendation. Le sigh.
It's worth pointing out that not all Arris modems are affected. As the link provided describes, the issue is with the chipset inside, and there are other brands that use it [1].
Holy shit. I've been dealing with this for the past 2 years and it's infuriating. I've tried everything and eventually diagnosed it as a bug in my modem. Random latency spikes, unbelievably jittery internet calls, hard to diagnose.
Heck, AT&T won't even let you change the wifi password if you use their router. Well, you can change it, but it will revert to whatever's on the sticker when the router updates itself. And they will tell you this with a straight face. Incredible.
Correct, but in this case, it sounds like you didn't need to use the ISP router as your VPN gateway.
If I understand the DNS rebinding attack reference correctly, you could be running the VPN software on your desktop/laptop and still have your IP revealed by your ISP router.
Arguably, a setup using a VPN for anonymity purposes is badly flawed if it allows traffic to anything but the VPN gateway. This includes the local network.
Mediocre home appliances or (as in this case) ISP CPEs can easily deanonymize you.
I was happy when I switched to gigabit internet from Verizon because MoCA can't handle that speed, so they made an ethernet run from the ONT to my apartment (well, sort of: they couldn't actually make a new run, but they were able to use the wiring that had been used for the telephone lines). Ever since then I've had my own OPNSense box handling routing. The Verizon router is stuffed away in a closet. I don't know if the Verizon router has backdoor remote control capabilities, and now I don't have to care at all if it does.
For context: this is Virgin Media, which demands that your passwords (including e-mail passwords) be no longer than 10 characters, begin with a letter rather than a number, and not include any special characters.
That happened to me. I wanted to reset my account password so they agreed to send a "password reminder" via post. I thought that was weird. I expected a temporary password which I will be forced to change upon login. To my surprise they printed my existing account password and sent it to me via postal mail! WTF! I went on Trustpilot immediately and saw they had 1/5 stars from 40k reviews.
Having no rules means you have a maximum search space. However, a general audience means that the top X% (let's say 70, to be arbitrary) are going to be in a very small search space... An English word with maybe some numbers substituted in for a letter or two.
OTOH, having password rules means that you eliminate the smallest areas of the search space, so every password resides in a restricted version of the larger space. Fewer possible passwords, but all at a larger complexity to guess.
Then, there are password rules like "no special characters" or "maximum length of 10 characters" which are fantastically stupid and lazy, and only serve to make brute forcing them that much easier.
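The search-space argument above can be made concrete. The following is an added example, not code from the thread; it models a rule set as an alphabet size and a length range and compares Virgin Media's rules (as described upthread) with an unrestricted policy. The minimum length of 8 is an assumption, since the thread only mentions the 10-character maximum.

```python
import math

def keyspace(alphabet, min_len, max_len, first_char_alphabet=None):
    """Number of distinct passwords a rule set allows.

    alphabet:             characters allowed in every position
    min_len, max_len:     inclusive length range
    first_char_alphabet:  characters allowed in position 1 (None = same as alphabet),
                          which models a "must begin with a letter" rule
    """
    first = alphabet if first_char_alphabet is None else first_char_alphabet
    return sum(first * alphabet ** (n - 1) for n in range(min_len, max_len + 1))

def bits(space):
    """Size of the space in bits: what an exhaustive search has to cover."""
    return math.log2(space)

def fraction_removed(base, restricted):
    """Share of the base search space that a rule eliminates."""
    return 1 - restricted / base

# Rule sets compared (constructed for this example; minimum length 8 is assumed).
RULE_SETS = {
    "no rules, 8-16 chars, 95 printable ASCII":
        dict(alphabet=95, min_len=8, max_len=16),
    "alphanumeric only, 8-10 chars":
        dict(alphabet=62, min_len=8, max_len=10),
    "alphanumeric, 8-10 chars, must start with a letter":
        dict(alphabet=62, min_len=8, max_len=10, first_char_alphabet=52),
}

def compare(rule_sets=RULE_SETS):
    """Map each rule set name to the size of its search space in bits."""
    return {name: bits(keyspace(**kw)) for name, kw in rule_sets.items()}

if __name__ == "__main__":
    for name, b in compare().items():
        print(f"{b:6.1f} bits  {name}")
    # How much of the alphanumeric 8-10 space does "start with a letter" remove?
    print(fraction_removed(keyspace(62, 8, 10), keyspace(62, 8, 10, 52)))
```

The two numbers worth noticing: the "must start with a letter" rule removes only 10/62 of the space (the "small area" the comment above describes), while the 10-character cap and the ban on special characters together cost roughly 45 bits compared with the unrestricted policy, which is the "fantastically stupid" category.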
"A Network Slug, or "Slug", is a transparent layer 2 firewall running on a device with only two interfaces."
...
"A Slug has no IP address, cannot be reached on the network, and does not increment IP TTL."
...
So, for instance, I have a port 22 slug that I can insert anywhere in the physical chain of a network that passively, and silently, blocks all traffic except for TCP 22.[2]
You could clamp down further and restrict it to port 22 and your specific VPN endpoint IP.
Foolproof? Perhaps not - but a huge piece of defense-in-depth that makes the use of a (port 22) VPN much safer.
Why is the web browser allowing the Javascript program to access a different server than the one it was loaded from? They call this a "DNS rebinding attack", and it seems it could compromise any router that doesn't have a password set, not just this router? So isn't the real problem here the browser running untrusted code and giving it access to your local network because it didn't check if the DNS had changed?
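The two places where rebinding is normally stopped, as an added example that is not code from the thread, the advisory or any router vendor: the device checks the HTTP Host header (in a rebinding attack the browser still sends the attacker's hostname, so a router UI that only answers to its own name rejects the request even though the connection landed on its LAN address), and the resolver refuses answers that point a public name into private address space. The allowed hostnames, the address ranges and the sample answers are this example's own assumptions.

```python
import ipaddress

# --- Defence 1, on the device: validate the Host header --------------------
ALLOWED_HOSTS = {"192.168.0.1", "router.local"}   # assumed names for this example

def host_header_ok(host_header, allowed=ALLOWED_HOSTS):
    """True if the HTTP Host header (optionally host:port) names this device."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):                 # IPv6 literal, e.g. [fe80::1]:80
        host = host.split("]", 1)[0] + "]"
    elif host.count(":") == 1:               # strip a :port suffix
        host = host.split(":", 1)[0]
    return host in {h.lower() for h in allowed}

# --- Defence 2, on the resolver: drop answers that point into private space ---
# A public name should never resolve to a LAN, loopback or link-local address.
# The list below is this example's own; it is not copied from any resolver.
REBIND_RANGES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def is_rebind_target(ip):
    """True if `ip` is an address a rebinding attack would steer a browser to."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped             # ::ffff:192.168.0.1 counts as 192.168.0.1
    return any(addr.version == net.version and addr in net for net in REBIND_RANGES)

def filter_answers(name, answers, trusted_suffixes=()):
    """Split A/AAAA answers for `name` into (kept, dropped).

    Names under a trusted suffix (your own internal zone) may legitimately
    resolve to private space; any other name doing so is treated as a rebind."""
    name = name.lower().rstrip(".")
    if any(name == s or name.endswith("." + s) for s in trusted_suffixes):
        return list(answers), []
    kept, dropped = [], []
    for ip in answers:
        (dropped if is_rebind_target(ip) else kept).append(ip)
    return kept, dropped

if __name__ == "__main__":
    # Constructed answers: a public name suddenly "resolving" to the router.
    print(filter_answers("attacker.example", ["203.0.113.10", "192.168.0.1"]))
    print(host_header_ok("attacker.example"), host_header_ok("192.168.0.1:80"))
```

The Host check is the one the device vendor controls and is the fix that closes the hole regardless of what the browser or resolver does; the resolver filter is what a user can deploy on their own network today (several resolvers offer it as a built-in option) and also covers devices that will never be patched, which is the point of the comments above about not trusting the ISP router.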
I wish browsers would solve the problem by using TLS (ok that’s a website operator issue) and discarding any javascript loaded from a different certificate for the same domain.
I would consider the router untrusted when using a VPN, so blaming it for the attack seems misplaced. I'd go even one step further, and say that unprivileged applications using the VPN should have no way of discovering your real IP. Applications not using the VPN shouldn't be able to discover the VPN IP, at minimum not use/leak it by accident (e.g. via webrtc).
IMO the safest way to access a VPN is from a VM which is restricted to that VPN. Like whonix, but using a VPN instead of Tor.
In theory, deep integration into the OS (like Tails does for Tor) could work, but is much easier to get wrong, especially if you want direct network access for other applications.
(Only talking about VPNs used for hiding your IP. Tunneling into a company network via VPN is a very different use-case)
I have a seedbox set up on FreeBSD with two jails. One jail runs WireGuard and pf. The other jail runs Transmission. They are connected by a virtual Ethernet cable (epair). The Transmission jail can only talk to the internet via the VPN jail, which it is not aware of.
Just need to make sure host applications don't see the network interface provided by the VPN gateway, so they don't accidentally leak it (linking it to your real IP). A typical example are browsers when using WebRTC.
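One way to check the property the comments above want (every packet from the protected host leaves through the tunnel, with the VPN endpoint itself the only exception) is to audit the routing table rather than trust the VPN client. The following is an added example, not code from the thread or any VPN project: it parses Linux `ip route show`-style lines (constructed here; interface names, the 203.0.113.5 endpoint and the addresses are all assumptions), resolves destinations by longest-prefix match the way the kernel does, and flags anything that would bypass the tunnel. Following the argument upthread that a VPN-for-anonymity setup should reach nothing but the VPN gateway, a route to the local LAN is reported as a leak too.

```python
import ipaddress

def parse_routes(text):
    """Parse `ip route show`-style lines into (network, interface) pairs."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok:
            continue
        dst = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        try:
            net = ipaddress.ip_network(dst, strict=False)   # bare host -> /32
        except ValueError:
            continue            # blackhole/unreachable lines etc. are skipped here
        iface = tok[tok.index("dev") + 1] if "dev" in tok else None
        routes.append((net, iface))
    return routes

def lookup(routes, dest):
    """Egress interface for `dest` by longest-prefix match (first match wins ties)."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, iface in routes:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface)
    return best[1] if best else None

def audit(routes, destinations, tunnel_ifaces, vpn_endpoint):
    """Map each destination to (egress interface, ok).

    ok is True only when traffic leaves via a tunnel interface, except for the
    VPN endpoint itself, which must leave via a physical interface."""
    report = {}
    for dest in destinations:
        iface = lookup(routes, dest)
        if dest == vpn_endpoint:
            ok = iface is not None and iface not in tunnel_ifaces
        else:
            ok = iface in tunnel_ifaces
        report[dest] = (iface, ok)
    return report

# Constructed routing tables. TUNNEL_UP uses the common 0.0.0.0/1 + 128.0.0.0/1
# trick to override the default route without deleting it; TUNNEL_DOWN is the
# same host after the tunnel interface has gone away.
TUNNEL_UP = """
default via 192.168.1.1 dev eth0 proto dhcp
0.0.0.0/1 dev wg0 scope link
128.0.0.0/1 dev wg0 scope link
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.5 via 192.168.1.1 dev eth0
"""
TUNNEL_DOWN = """
default via 192.168.1.1 dev eth0 proto dhcp
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

CHECKS = ["8.8.8.8", "203.0.113.5", "192.168.1.10"]   # internet, endpoint, LAN

if __name__ == "__main__":
    for label, table in (("tunnel up", TUNNEL_UP), ("tunnel down", TUNNEL_DOWN)):
        print(label, audit(parse_routes(table), CHECKS, {"wg0"}, "203.0.113.5"))
```

With the tunnel up the audit passes for the internet and endpoint destinations but flags the LAN route; with the tunnel down every destination falls back to eth0 and is reported, which is exactly the silent failure a VM- or jail-based setup avoids by giving the protected guest no route at all except through the gateway.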
So all the while, for almost two years, Virgin didn't do squat about this. Gives me flashbacks to some of our disclosure interactions with PayPal and others.
Wonder why issues like this are so common - do they just de-prioritize vulnerabilities reported by researchers to death?
Virtually no legal consequences for them. Virgin is also one of the worst consumer businesses I have ever interacted with (and this includes many big US ISPs with bad reputations). The company is beyond dysfunctional.
Here's the list with modems affected by the hardware bug you mentioned: https://www.badmodems.com/
[1]https://approvedmodemlist.com/intel-puma-6-modem-list-chipse...
Security is not their priority.
[0] https://twitter.com/virginmedia/status/1162756227132198914?l...
Quick! Let's outlaw poverty, violence, theft and coercion, and we're good!
I think they now only ask for the X, Y, and Zth characters, but they used to ask for the whole thing
[1] https://john.kozubik.com/pub/NetworkSlug/tip.html
[2] https://john.kozubik.com/pub/NetworkSlug/images/sg-1000-back...
This way all I need to do is tag packets on whichever device they come from and they only go out via that interface.
I also have separate Wi-Fi SSIDs for each of those so changing my exit node is as simple as choosing a different one.