New Visitor
Posts: 2
Registered: ‎08-18-2005

DOCSIS encryption for Comcast ??

I'm a bit of a novice in this area, but I was wondering if anyone knew if Comcast utilizes DOCSIS encryption between the CM (cable modem) and the CMTS (the terminating point somewhere at the cable company). Obviously this would be a good thing where cable internet is connected to other local machines much like an open LAN. Maybe DOCSIS encryption is standard procedure for all cable internet networks; I do not know.

So I guess my question is: Does Comcast encrypt traffic between each individual's cable modem and their office termination point, and if so, does anyone know any of the technical details (encryption techniques, etc.)? This is all just a curiosity, as I would like to know my communications are secure from others nearby on the cable 'LAN'. Thanks in advance.

Eric
Bronze Star Contributor
Lunkwill
Posts: 395
Registered: ‎11-20-2003

Re: DOCSIS encryption for Comcast ??

I should think that your communication is secure as far as being intercepted by other cable modems is concerned. The baseline privacy standard in DOCSIS 1.0 specifies CBC-DES. Also, the cable head termination for your connection is restricted to your cable modem's MAC address, so man-in-the-middle attacks are difficult.

Of course, I'd be curious as to your concern over privacy to the Internet, which is public, since Secure HTTP and other SSL/TLS protocols provide more than sufficient security.
New Visitor
Posts: 2
Registered: ‎08-18-2005

Re: DOCSIS encryption for Comcast ??

My concern I guess is really just:

1) a curiosity as I did not know that encryption was involved between the Cable Modem and Terminal Head (I always used to explain that cable internet had one draw-back to DSL as DSL was point-to-point between DSL modem and Central Office, but with encryption, the LAN style nature of Cable Internet seems to be effectively the same.)

2) although I am aware that SSL, etc. are effective encryption schemes, it is nice to know that for my unencrypted communications that others on my 'Cable LAN' segment are not snooping on me via some sort of promiscuous mode like you can do on a regular LAN.

I would assume if someone was technically able enough that they could spoof a MAC address on a 'promiscuous' Cable Modem, but I am not that worried or concerned about the very small chance of that happening to me as my communications are not that important. And of course I am aware that once the communication leaves the Terminal Head and is dropped on to the Internet backbone, all is open if not encrypted. It is just nice to know that any nosey neighbors will have a hard time snooping.

Eric
Bronze Star Contributor
ed3
Posts: 257
Registered: ‎11-26-2003

Re: DOCSIS encryption for Comcast ??

> It is just nice to know that any nosey neighbors will have a
> hard time snooping.

I'd be concerned more with "snooping" on people's network activities over set-to-default-more-often-than-not WiFi than cable... :smileyhappy:
Bronze Star Contributor
Lunkwill
Posts: 395
Registered: ‎11-20-2003

Re: DOCSIS encryption for Comcast ??

> draw-back to DSL as DSL was point-to-point between
> DSL modem and Central Office, but with encryption,
> the LAN style nature of Cable Internet seems to be
> effectively the same.)

Yep. DSL uses a star topology that centers around a switch (the DSLAM). Cable uses a shared medium (the cable), but the logical connections are kept separate.

> unencrypted communications that others on my 'Cable
> LAN' segment are not snooping on me via some sort of
> promiscuous mode like you can do on a regular LAN.

The asymmetrical nature of the technology would make that difficult. Unlike a normal Ethernet LAN, a cable modem cannot be made to act like the cable head in the same way that an Ethernet NIC can act in a server or a workstation role. You would need to commandeer a CMTS to do that; presumably the cable system operator would notice a rogue CMTS fairly quickly. A 'promiscuous' cable modem would only receive downstream traffic, since it would be incapable of receiving the upstream RF bands.
Email Expert
Posts: 18,235
Registered: ‎04-27-2004

Re: DOCSIS encryption for Comcast ??

What this means in practical terms is that someone can only "snoop" on one half of the conversations. They wouldn't be able to capture the mail you're sending, but they could spy on the mail you're receiving (but you can use SSL to access the Comcast POP server). And they wouldn't be able to capture the passwords you send to web sites, but they'd be able to see the content you're downloading from them (again, unless they're secure web sites).
Most Valued Poster
Posts: 616
Registered: ‎08-15-2003

Re: DOCSIS encryption for Comcast ??

Barmar,

How about expanding on the concept of downstream snooping on a cable system?

I am not interested in "how to", but rather, any precautions that a reasonable person should take. There are some awfully bright kids out there with not enough to do.
Email Expert
Posts: 18,235
Registered: ‎04-27-2004

Re: DOCSIS encryption for Comcast ??

I'm not sure how one would put a cable modem into "promiscuous" mode, where it passes everything through. I suppose it would require using a hacked modem.

But if you wanted to snoop on just one customer's traffic, you could do it if you knew their MAC address, which you could get by pinging their IP and then checking "arp -a". You then trick your cable modem into passing through traffic for that MAC instead of your own: power down the modem, reprogram your PC NIC or router with the other customer's MAC, then power up the modem. The modem passes traffic through for the first MAC it sees on the LAN, so it will start passing through the "stolen" MAC. Then configure the PC or router back to its normal MAC, and start sniffing.

Unless he's purchased multiple IPs, the snooper won't be able to access the Internet while in this state.
Connection Expert
EG
Posts: 34,254
Registered: ‎12-24-2003

Re: DOCSIS encryption for Comcast ??

Hey Barmar, were you a hacker/cracker in a former life?? :smileysilly:
Email Expert
Posts: 18,235
Registered: ‎04-27-2004

Re: DOCSIS encryption for Comcast ??

Nah, just a guy who knows enough about networks to know what's possible.
New Visitor
Posts: 3
Registered: ‎08-26-2005

Re: DOCSIS encryption for Comcast ??

Let me see if I understand this correctly. So if someone had nothing better to do, lonely and bored and extremely curious, they could lock themselves up in their apartment for the weekend and in the evenings, and snoop on the down traffic from their next door neighbors. (From this thread I'm assuming the upstream traffic is already encrypted?) Then if they made note of when the next door neighbors came home and left, they could assume which neighbor is downloading what data (i.e. websites, emails and such). Even if they aren't getting complete information (like a cell phone call that keeps breaking up in mid-conversation, but you can still sort of figure out what the topic is), that neighbor could get a general idea of what that person's interests are and such, by the down traffic of the URLs and maybe some data from emails to piece together? I guess they could visit those URLs and see what they are about. Perhaps get sort of a neighbor's profile. In this day and age it sort of makes sense to be overly cautious, because there are so many people out there being overly irresponsible and malicious.

What do you all think this means: A coincidence or sniffing? I was researching for a project for about a week on the net. I later talked with one of my apartment neighbors about my findings. They said: "OH!, your next-door neighbor (who happens to be in the computer field), just mentioned to me how they found that same information on the internet too! You should talk together!" A few days after that, I took a couple of vacation days off from work. My neighbor noticed I didn't go to work so he stayed home at the same time, locked up in his apartment. Other times when I've come home from work, my neighbor sees me and dodges into his apartment. That all makes me go "hmm". I never really thought much about all that until I read about data sniffing. Even with my non-broadcast wireless network name, wireless network passwords, and computer firewalls installed, it still made me wonder. Those don't protect you from sniffing, right? So what does all that mean? I wonder if packet sniffing is like the new cocaine -- Even though it's stupid and a waste of time to the general public, even a little sniff becomes addicting to some? If I want people to know what I'm doing, I'll tell them myself, thank you!

I've heard of anonymizing websites which create a secure, https or SSH-encrypted connection, for like $30 to $100 bucks a year. Do they keep people from reading data when they sniff? Heck, I'd pay it to give my nosy neighbors the brush-off! I'm sure neighbors could still sniff, but they would get unreadable data, right? Or can they sniff your data traffic at all with that service? Can anyone explain how this technology works, and if it would keep our broadband connections more private?

BTW...If I find out my neighbor is planning a trip to the Caribbean, I'm gonna scream! LOL!
Bronze Star Contributor
ed3
Posts: 257
Registered: ‎11-26-2003

WiFi security (was Re: DOCSIS encryption for Comcast ??)

> Even with my non-broadcast wireless network name, wireless network passwords

If there is ANY wireless involved, you are still broadcasting information in the open. It does not matter if SSID broadcasting is turned off. Whenever you use your wireless connection you are broadcasting radio signals which can be intercepted by any other radio receiver... Basically WiFi is the equivalent of running a network line to each of your neighbor's apartments and asking them to promise not to connect anything to it.

Now WiFi tries to use several methods to prevent other users from using your "wireless" network lines. However...

However, if you use WEP as your encryption, tools such as Airsnort or Kismet and a supported WiFi adapter make it fairly easy to obtain one's WEP key. Due to a flaw in WEP all one needs to do is intercept approximately 5 million packets (which can take several minutes or several days depending on activity of the network) and they can decrypt your encryption key.

WPA is also flawed. Some people are under the belief WPA is more secure. Yes, the encryption itself is more secure, and using an enterprise WPA+Server solution provides very reliable protection. However WPA-PSK has flaws that make it EASIER to crack than WEP.

I don't mean to be a harbinger of doom, but that is the way things are. Do some Google searches on "WEP flaw" and "WPA flaw".

> I've heard of anonymizing websites which create a secure,
> https or SSH-encrypted connection, for like $30 to $100
> bucks a year. Do they keep people from reading data when
> they sniff?

No clue. Never used such a service. If they introduce an additional layer of encryption, then yeah they probably work. However, they will not stop the neighbor from using your broken WiFi for other purposes. If he's in your network, he can do other things beyond simply eavesdropping on your web surfing habits. Got any file shares on your PC? Do you mind them using the Internet connection you pay for??

I've not had any troubles myself, living in a fairly geriatric neighborhood, but I have considered the situation. If the time comes the solution I'll probably implement will be to isolate the WiFi behind a firewall and force some sort of additional authentication in order to get into my private network and out onto the Internet. Clients would need to login through some sort of VPN before they would be allowed onto the rest of the network. The theory is even if someone unauthorized got onto my WiFi access point, they wouldn't be able to "go anywhere" without a login. And since all other clients are using an additional layer of encryption, it makes it more difficult to eavesdrop (but nothing is perfect. Given enough time and resources, anything can be cracked).

This is possible using freely available applications, but their setup usually isn't for the faint of heart. I believe there are commercial products that do just this, but they are meant for enterprise environment... eg. not cheap. Depends on how much trouble you're willing to go through to protect your web surfing habits.

So, there it is... You have some choices. Reconsider your use of WiFi. Line your walls with tinfoil. Start implementing some additional layer of protection. Maybe you should confront the neighbor. Not in an aggressive manner. Just say hi. Let them know you know they are there. If you get to know the person you might find that it is indeed completely coincidence.

Edit - This is where being social with one's neighbors is handy...
New Visitor
Posts: 3
Registered: ‎08-26-2005

Re: DOCSIS encryption for Comcast ??

Thanks Ed for the explanation. Even if you are friendly with neighbors, some people are just plain nosy. In my opinion, the only way to be totally private and safe is to do the following:

1) hard-wire your computer via ethernet to your modem and hardware. If you wanted it neat and tidy in the walls, like an electrical outlet is, an independent electrician / networking person could do that. Not sure how much that would cost, but if it's for a home, and you plan on living there a while, it might be worth the investment. For renters, you could just use wire moulding and run an ethernet cable along the baseboard or corner of the ceiling and such. I did that with my surround sound, home theater when I was renting, and it didn't look that bad. There are local networking companies or cable companies on the web who can custom make an extra long ethernet cable. I think most computer store cables are 12-25 feet at the max.

2) subscribe to an anonymizer type company which will connect you to the internet, using your ISP through their secured, 256 bit encrypted, VPN type tunnel, and mask your IP address from the world with dynamic, never recycled IP addresses. All data is purged from their servers every night. They are inexpensive (less than $10 bucks a month) and easy to set up. You can turn the encrypted tunnel on or off with a click of a button on the tunnel software.

I think most people use wireless for their desktop, that's all I use it for. If people do use it for their laptop, I wonder how many people actually need to walk around their house all the time or go outside? Even then, like I said, you could install an ethernet jack in each room and use a long ethernet extension cable to kick-back on the patio. Sounds a little cumbersome being tied to a line, or always having to unplug and plug back in when moving around with the laptop, but who really does that all the time anyway? Nothing is 100% foolproof, but in my opinion, this is as close to total privacy and security as you can get right now. I guess it's better to be safe than sorry.
Bronze Star Contributor
Lunkwill
Posts: 395
Registered: ‎11-20-2003

Re: DOCSIS encryption for Comcast ??

> Let me see if I understand this correctly. So if
> someone had nothing better to do, lonely and bored
> and extremely curious, they could lock themselves up
> in their apartment for the weekend and in the
> evenings, and snoop on the down traffic from their
> next door neighbors. (From this thread I'm assuming
> the upstream traffic is already encrypted?) Then if

Both upstream and downstream traffic paths are encrypted. This theoretical neighbor would have to be extremely bored and be a total recluse to be able to manipulate a typical cable modem. Much of the security relies on Comcast's configuration that is downloaded by the modem during its login to the cable network. Presumably, without this configuration, the cable head won't permit the modem to connect. Then this neighbor would have to force the modem to listen to one of the other downstream bands - not easy, since that means manipulating proprietary hardware. This also assumes that this curious neighbor can get your modem's hardware (MAC) address and then determine which frequency it is listening to.

It is much easier to set up a phone tap or use a pair of binoculars to find out what you are up to. If you have wireless and you are like most people, monitoring your Internet traffic is simply a matter of configuring a wireless card.
New Visitor
Posts: 3
Registered: ‎08-26-2005

Re: DOCSIS encryption for Comcast ??

Quote: "If you have wireless and you are like most people, monitoring your Internet traffic is simply a matter of configuring a wireless card."

Okay so it seems like the sniffing risk really lies in the wireless networking? And as the previous reply said, even if the network name is not broadcast, and WEP passwords are set up, someone can still break into it fairly easily?

But what I don't understand about wireless, is that my wireless card and base station use strong encryption when sending the information through the air from the computer to the base station. So if someone was to sniff and intercept my wireless air traffic, it would just be a scrambled mess of data to them, right? If they were able to break through my wireless network password and connect to my wireless network, what could they do? Send a file to my printer? Browse the net with my connection? I'm assuming they would only have access to my wireless base station, not my computer, right? I don't understand how they can snoop on your internet habits just by having access to your wireless connection? Also they couldn't get access to the computer itself if the computer's access passwords and firewalls are on, right?
Bronze Star Contributor
Lunkwill
Posts: 395
Registered: ‎11-20-2003

Re: DOCSIS encryption for Comcast ??

> Okay so it seems like the sniffing risk really lies
> in the wireless networking? And as the previous
> reply said, even if the network name is not broadcast,
> and WEP passwords are set up, someone can still break
> into it fairly easy?

The biggest weakness in most wireless configs is that they are left at the default settings. The default settings for most wireless gateways are known by anyone who cares to browse the documentation available online.

The second largest is poor encryption key selection or encryption keys that are not changed frequently enough (WEP and WPA-PSK/TKIP). Software such as AirSnort can be used to collect enough transmitted data to crack poorly selected keys. This is why it is so important to create the longest, most complicated key possible for the wireless security being used. This is also why it is important to be picky about the brand and model of wireless gateway and wireless cards (if any) you purchase; all manufacturers do not make equally secured products. The default configuration makes wireless interception a rudimentary task, since the encryption and authentication functions are disabled.

> But what I don't understand about wireless, is that my
> wireless card and base station use strong encryption
> when sending the information through the air from the

If you use WEP, then key management is TKIP with MD5, which was successfully cracked a couple of years ago (though the crackers involved needed a lot of computer power and an entire week to do it). If you use WPA, at least the keys change during the session (though not from session to session). If you have a newer model, then you might have WPA with AES, which is much more difficult to crack.

> computer to the base station. So if someone was to
> sniff and intercept my wireless air traffic, it would
> just be a scrambled mess of data to them right? If

See the keys paragraph above. The data is jumbled, but if you have the key or you can guess the key, then it can be decoded.

> they were able to break through my wireless network
> password and connect to my wireless network, what
> could they do? send a file to my printer? browse the
> net with my connection? I'm assuming they would only

Taking the information stored on your computer or joy-riding your printer is not nearly as valuable as using your Internet connection to, say, hack into the Pentagon or transfer warez from one place to another. Monitoring your wireless traffic for passwords and account numbers (bank, SS number, etc.) is another purpose.

> have access to my wireless base station, not my
> computer right? I don't understand how they can snoop

Anyone who successfully intercepts your wireless traffic may just as well be plugged into your Internet gateway. They have the same kind of access as anything else plugged into that gateway.

> on your internet habits just by having access to
> your wireless connection? Also they couldn't get

They are not as interested in your habits as in obtaining your credit-card numbers and bank account or using your Comcast account to hide their identity.

> access to the computer itself if the computer's
> access passwords and firewalls are on right?

Firewall software and quality passwords would make life hard for them, but remember that they don't care as much about what resides on your computer as they want to use your Comcast account for their own purposes and for free.
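
An added example, not part of any post in this thread: a small audit of a home wireless gateway configuration against the weaknesses raised above (settings left at default, WEP, TKIP, short pre-shared keys, reliance on a hidden SSID). The configuration keys, the sample list of factory SSIDs and the 60-bit threshold are assumptions made for illustration.

```python
import math
import string

# Constructed sample of factory SSIDs (assumption); extend it from your vendor's documentation.
DEFAULT_SSIDS = {"linksys", "netgear", "default", "wireless"}
MIN_PSK_BITS = 60  # assumed threshold for this example, not taken from any standard


def passphrase_bits(passphrase):
    """Crude upper bound on guessing entropy: length * log2(character pool).

    Dictionary words score much better here than they deserve, so treat
    a passing score as necessary, not sufficient.
    """
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    pool = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(pool) if pool else 0.0


def audit(cfg):
    """Return (code, advice) findings for a gateway config dict (hypothetical keys)."""
    findings = []
    security = cfg.get("security", "none")
    if security == "none":
        findings.append(("NO_ENCRYPTION", "traffic is readable by any nearby receiver"))
    elif security == "wep":
        findings.append(("WEP", "key is recoverable from captured traffic; use WPA"))
    elif security.startswith("wpa-psk"):
        if passphrase_bits(cfg.get("passphrase", "")) < MIN_PSK_BITS:
            findings.append(("WEAK_PSK", "use a longer, more complex pre-shared key"))
        if security.endswith("tkip"):
            findings.append(("TKIP", "use AES where the hardware supports it"))
    if cfg.get("ssid", "").lower() in DEFAULT_SSIDS:
        findings.append(("DEFAULT_SSID", "factory SSID suggests other defaults remain"))
    if not cfg.get("ssid_broadcast", True):
        findings.append(("HIDDEN_SSID", "hiding the SSID does not stop interception"))
    if not cfg.get("admin_password_changed", False):
        findings.append(("DEFAULT_ADMIN", "change the gateway's admin password"))
    return findings


def codes(cfg):
    """Finding codes only, in the order audit() reports them."""
    return [code for code, _ in audit(cfg)]


if __name__ == "__main__":
    # Constructed sample configuration resembling an out-of-the-box gateway.
    sample = {"security": "wep", "ssid": "linksys",
              "ssid_broadcast": False, "admin_password_changed": False}
    for code, advice in audit(sample):
        print(f"{code}: {advice}")
```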