baseline privacy ... not

John S. Denker jsd at monmouth.com
Fri May 23 08:37:47 EDT 2003


Hi --

1) In a cable-modem system, the layer-1 signal to/from
your cable is physically present in your neighbors' homes.

2) To defend against the obvious privacy problems this
implies, the standards provide for Baseline Privacy (BPI)
which encrypts the signals.

So you're safe, right?

3) Evidence suggests that most cable-modem customers in
the US are not protected.  Many service providers have
Baseline Privacy turned off.  Defeated.  Disabled.
Skipped.  No privacy.

The evidence for this comes from
  -- directly examining the configuration of a few modems
  -- talking to The Cable Guy
  -- noting that when certain small providers do implement
     BPI, they brag about it and claim this gives them an
     advantage over the "established" providers.
        http://gemnets.com/c5_technical.html#question5

4) From this it appears that in most cases, all that
protects your privacy is security-by-obscurity.

And if you want an upper bound on how much obscurity
there is, note that there is a vibrant community of
cable-modem firmware hackers:
   http://www.cablemodemhack.com/


5) It's interesting to think what customers ought to
do about this, short-term and/or long-term.
  -- Obviously end-to-end security is needed.  But it is
not always feasible at present.  I would connect to google
via SSL if I could, but google doesn't implement https.
And that would still leave me open to traffic analysis.
  -- Link-by-link security is never a substitute for
overall security, but you need some link-by-link security
just to cut down on traffic analysis and DoS attacks,
including ARP poisoning and the like.

One idea that comes to mind is to use IPsec to secure the
connections to an onion routing system.  Or mist / crowd /
whatever.

Comments?  Suggestions?


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
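
Point 3 of the message cites direct examination of modem configurations. As an added example that is not part of the original post, the Python below reads a DOCSIS binary configuration file and reports what it states about Baseline Privacy. The TLV numbers are taken from the DOCSIS configuration-file encoding rather than from the post, and the sample bytes are constructed.

```python
# Added example, not from the original post. Sample bytes are constructed.
# DOCSIS config-file TLVs used: 4.7 = Class-of-Service Privacy Enable
# (DOCSIS 1.0), 29 = Privacy Enable (DOCSIS 1.1); 0 = pad, 255 = end marker.
PAD, COS, PRIVACY_ENABLE, END = 0, 4, 29, 255
COS_CLASS_ID, COS_PRIVACY = 1, 7


def tlvs(buf, top=True):
    """Yield (type, value) from 1-byte-type / 1-byte-length TLVs."""
    i = 0
    while i < len(buf):
        t = buf[i]
        if top and t == PAD:        # pad is a lone byte with no length
            i += 1
            continue
        if top and t == END:        # end-of-data marker stops parsing
            return
        if i + 2 > len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError(f"truncated TLV at offset {i}")
        n = buf[i + 1]
        yield t, bytes(buf[i + 2:i + 2 + n])
        i += 2 + n


def bpi_settings(cfg):
    """Collect the privacy settings the file states; None means not set."""
    out = {"privacy_enable": None, "cos": {}}
    for t, v in tlvs(cfg):
        if t == PRIVACY_ENABLE and len(v) == 1:
            out["privacy_enable"] = v[0]
        elif t == COS:
            sub = dict(tlvs(v, top=False))
            cid = sub[COS_CLASS_ID][0] if sub.get(COS_CLASS_ID) else None
            priv = sub.get(COS_PRIVACY)
            out["cos"][cid] = priv[0] if priv else None
    return out


def explicitly_disabled(cfg):
    """True if TLV 29 is 0 or any class of service carries 4.7 = 0."""
    s = bpi_settings(cfg)
    return s["privacy_enable"] == 0 or 0 in s["cos"].values()


# Constructed samples: network access on, one class of service with privacy 0
SAMPLE_10 = bytes([3, 1, 1, 4, 12, 1, 1, 1, 2, 4, 0, 0x0F, 0x42, 0x40, 7, 1, 0, 255, 0, 0])
# ...and a DOCSIS 1.1-style file with Privacy Enable = 1
SAMPLE_11 = bytes([3, 1, 1, 29, 1, 1, 255])

if __name__ == "__main__":
    for name, cfg in (("1.0-style", SAMPLE_10), ("1.1-style", SAMPLE_11)):
        print(name, bpi_settings(cfg), "disabled:", explicitly_disabled(cfg))
```

A `None` in the result means the file does not state that setting, which is a different finding from an explicit 0.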