Web security

[Dave Zellers]

Another one bites the dust.

So a thread about web page pop-up ads slowly evolves into a web security discussion, and a moderator shuts it down. Presumably because it became too personal between two members. Perhaps because it strayed too far off topic from the original post but I've never understood why threads are not allowed to evolve. The offended member stated his desire to end his participation so I really didn't see any problem.

Anyhoo, Web security is extremely important and I for one would like to see this topic continue to be discussed.

So please, those who know, and those who want to know, continue.

My question is this- We have chosen to not cut the cord and stay within the Comcast system. We use their provided router. Is it safe to assume that there is a level of protection within that sphere? IOW, if their routers were to be compromised, I would assume they would notify me, and if possible, issue a patch or at the very least, a heads up and then eventually a new router.

Is this naive?

[Nicholas Lawrence]

Comcast sells a lot of different products in a lot of different markets. The best you will get here is some informed speculation. If you really care about it you should call and ask them.

My guess would be no, you are putting too much faith in them. I have had wireless routers from service providers dating back to about 2003 or so. I have never had any of them call, email, or do anything to indicate the security was obsolete, hacked, etc.

[Roy Petersen]

The offended member stated his desire to end his participation so I really didn't see any problem.

My apologies (pretty sure that was me). It did stray from the topic, and probably should have been split to a new thread, but mods have the final say.

My question is this- We have chosen to not cut the cord and stay within the Comcast system. We use their provided router. Is it safe to assume that there is a level of protection within that sphere? IOW, if their routers were to be compromised, I would assume they would notify me, and if possible, issue a patch or at the very least, a heads up and then eventually a new router.

I'd like to think they would, but I'd say there's a better than average chance they won't unless someone finds a weakness and makes it very public. They might then be shamed/forced to provide a fix. Much more likely they'd give the least expensive advice of powering down frequently. Another site I saw they went further to state you should also hit the rest button on the device, which would wipe settings along with cache (if any). No chance I'll be recreating all my settings each day (even to restore saved ones from a file).

Personally, I don't trust the cable company has my best interest at heart, so I use my own modem and router with them. Simply looked to see what model was compatible, what level of DOCSIS they're on (they were on 2, I bought one with 3 for future expansion) and so on. That's the public facing device (Dlink, which has a simple firewall). Behind that (in between the modem and me) is an ASUS router. I use that to provide the splitting of service to all local gadgets. Has all sorts of built in goodies like another firewall that help. Lastly on all PCs and laptops behind it, another firewall.
Maybe that's enough.

[roger wiegand]

I've never had any cable company ever upgrade or update a router voluntarily. I assume they do the absolute minimum possible. I connect my FIOS router to my own firewall and then everything else to that.

My older Netgear firewall was damaged in a recent thunderstorm and I'm thinking of replacing it with one of these. I recently switched my wifi APs to the Ubiquiti Unifi products and am very happy with the performance and ability to now roam seamlessly throughout the house and shop. Thought it might make sense to keep it in the family and administer everything from the Unifi controller.

[Jim Becker]

You cannot depend upon your ISP to do very much relative to "protecting" the gateway/router from a notification standpoint. Once in your home, "you" are the administrator. It's your responsibility to install a strong password on it, re-boot it from time to time and in the case of Comcast, decide if you want to turn off the "public" Xfinity WiFi feature, etc. Most ISPs will still have management access to a device they provide and will likely from time to time force firmware upgrades, but otherwise, you have to be vigilant yourself.

Some folks do choose to purchase and install 3rd party gateway/routers for their home networks for more flexibility, but before doing so, be sure to check that this will not materially affect other features you may be subscribing to. Some ISPs, for example, require "their" gateway/router to be in the network to provide information to the TV STBs (set top boxes) or to support mobility features to devices, etc., In a few cases, the ISP-provided gateway/router must be first in line from the demark of the home to provide those services.

[Pat Barry]

I have no clue about how to change the password on my router. Its already a 14 digit random number and alpha sequence that came with it. Is that the password that the hackers already know and is easy to exploit? I can't imagine coming up with anything more complicatef.

[Bob Grier]

If living near or in an area that has TV stations, I just don't understand why people pay for cable TV. It seems to me that entertainment can be streamed across the internet and live TV for sports and news can be had for free using an antennae. There are other alternatives, often less expensive, for phone, security, entertainment, email and other bundled extras. Also, alternatives to these bundled features are often less expensive and have better function. Better routers can be had for home networking than the modem/routers supplied by Comcast or any other cable company.

[Stephen Tashiro]

In the 1980's it was well know among the security conscious that someone with the proper equipment and proximity to your location could spy on what your computer monitor was showing. That was before the days of LCD monitors and wireless networks. I wonder if old fashioned analog snooping is obsolete.

[Dave Zellers]

Our only choices for internet access are Comcast or a dish. A dish would be a major downgrade from cable. We've done the math- (and so has Comcast) once we pay Comcast for internet access, adding third party phone and TV options does not really save very much over just getting Comcast's triple play when you honestly include all the extra costs involved. And if a piece of hardware does fail, they replace it for free. There is a Comcast retail office 20 minutes away staffed with very friendly folks. We are too far away to get any over the air TV and streaming wouldn't work without a solid internet connection so once we pay for that, the triple play makes the most sense for us.

Plus- is it possible to have a DVR that is independent of the service provider?

[Derek Meyer]

The most widely-known DVR that is independent of the service provider is Tivo. The units use a cablecard that is supplied by your cable company and have their own guide and service for getting programming. They are great units - I have one in my bedroom and one in my living room. They are expensive, though. You also need to subscribe to the Tivo service to get software and programming updates. On the plus side, they work with all cable providers and you don't have to rent a set-top box from the cable company. Cablecard rental is typically much less expensive than the set-top box rental.

[Carlos Alvarez]

You asked three different questions, I'll try to hit them all with some basics. I've been a network and systems engineer for a bit over 30 years. All of this applies to basic home and small business routers, not commercial/enterprise gear.

Is it safe to assume that there is a level of protection within that sphere?

For the most part, yes. A router with NAT (all home routers) offers absolute protection against anything from outside. Unless it has a defect. But a properly-working NAT router simply has no inbound access.

IOW, if their routers were to be compromised, I would assume they would notify me,

Very unlikely. They probably wouldn't know, and if they did, they might do nothing anyway.

and if possible, issue a patch or at the very least, a heads up and then eventually a new router.

Patches would come from the manufacturer, and generic ISPs like Comcast pretty much never update them.

If you really care about it you should call and ask them.

Don't do that. The person you talk to may know less than you do, and will just give you a party line with zero knowledge. You will NOT get a correct answer.

I wonder if old fashioned analog snooping is obsolete.

Pretty much, yes. WPA2 is currently considered uncrackable.

I agree with the other comments about paying for cable/satellite. Just don't get it. We dropped it over ten years ago, maybe 15. We stream on OUR schedule with no ads. I'm not willing to watch an ad or watch something live on someone else's schedule. It's not the paleolithic era.

[Curt Harms]

The most widely-known DVR that is independent of the service provider is Tivo. The units use a cablecard that is supplied by your cable company and have their own guide and service for getting programming. They are great units - I have one in my bedroom and one in my living room. They are expensive, though. You also need to subscribe to the Tivo service to get software and programming updates. On the plus side, they work with all cable providers and you don't have to rent a set-top box from the cable company. Cablecard rental is typically much less expensive than the set-top box rental.

We recently went from Verizon Fios gear to Tivo. If I did the math correctly, the payback was less than 2 years with 3 TVs. Tivo also has streaming apps so don't need something like Roku or Chromecast. I find myself watching Amazon Prime video far more than 'network' TV. I can't swap out a failed unit for free but the most likely to fail component is the hard drive and it uses a commodity hard drive, no special firmware so it's easy to swap out. I'm happy with our bargain so far.

As to Dave's question about secure devices, it's possible to add a second Router/Wireless Access device 'downstream' from the cable provider's router/modem. Turn off services you don't trust on the cable company's device and use your preferred device.

[Dave Zellers]

As to Dave's question about secure devices, it's possible to add a second Router/Wireless Access device 'downstream' from the cable provider's router/modem. Turn off services you don't trust on the cable company's device and use your preferred device.

WHOA! I did not know that. That will also help with our weakish signal in our bedroom. I'll be doing that since I have the router already.

[Pat Barry]

We recently went from Verizon Fios gear to Tivo. If I did the math correctly, the payback was less than 2 years with 3 TVs. Tivo also has streaming apps so don't need something like Roku or Chromecast. I find myself watching Amazon Prime video far more than 'network' TV. I can't swap out a failed unit for free but the most likely to fail component is the hard drive and it uses a commodity hard drive, no special firmware so it's easy to swap out. I'm happy with our bargain so far.

As to Dave's question about secure devices, it's possible to add a second Router/Wireless Access device 'downstream' from the cable provider's router/modem. Turn off services you don't trust on the cable company's device and use your preferred device.

Curt, please give an example of what services could be turned off and how you can go about doing that. As I mentioned earlier, I don't even know how to change the default password. Thanks

[Jim Becker]

WHOA! I did not know that. That will also help with our weakish signal in our bedroom. I'll be doing that since I have the router already.

This is a somewhat normal thing for many of us. I have to use a "mesh system" to get wireless throughout our entire home and don't use the ISP provided gateway/router for wireless at all, both because it doesn't support the more recent speed protocols which our mobile devices do support and because it's in the basement of the 250 year old portion of our home where the fiber termination is. If you are on Xfinity, Comcast has little "pods" that can be used to distribute signal in areas of the home that have weaker signals, too.