Re: [tor-relays] Do they use their own modem/router?

2023-06-15 Thread Livingood, Jason via tor-relays
BTW, feel free to refer back to my 2014 blog statement on this at 
https://corporate.comcast.com/comcast-voices/setting-the-record-straight-on-tor.

Jason

From: tor-relays  on behalf of 
"Livingood, Jason via tor-relays" 
Reply-To: "tor-relays@lists.torproject.org" 
Date: Wednesday, June 14, 2023 at 14:43
To: "tor-relays@lists.torproject.org" 
Cc: Jason Livingood 
Subject: Re: [tor-relays] Do they use their own modem/router?

This thread mentions “Advanced Security” and you can learn more about that at 
https://www.xfinity.com/support/articles/using-xfinity-xfi-advanced-security.
This feature can only be used with a leased Xfinity gateway like the XB7 or 
XB8. There are a great many cable modems that customers can and do buy in 
retail stores that do not have such features – like the Arris S33 cable modem. 
So, a customer that has Advanced Security has in essence (1) chosen to use an 
XB gateway rather than buy their own modem & router in retail and manage it 
themselves, and (2) turned on Advanced Security.

If the customer in question that is using Advanced Security wishes to turn it 
off, they can do so in the Xfinity app (or turn the modem into ‘bridge mode’ 
and use their own router, or use their own modem).

I’m happy to help answer other questions.

Jason Livingood
Technology Policy, Product & Standards
Comcast

___
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays


Re: [tor-relays] Do they use their own modem/router?

2023-06-15 Thread ronqtorrelays



> On Jun 14, 2023, at 10:49, Livingood, Jason via tor-relays 
>  wrote:
> 
> a customer that has Advanced Security has in essence (1) chosen to use an XB 
> gateway rather than buy their own modem & router in retail and manage it 
> themselves, and (2) turned on Advanced Security.

I appreciate your perspective, and taking the time to inform this list, but...

I have had three Comcast installations going back over a decade, the most 
recent less than 3 years ago. In every single case, I was told in no uncertain 
terms that I had to lease (for about $10/month) and use Comcast equipment in 
order to get static IP addresses. I tried to escalate the issue and was told it 
was non-negotiable, end of story. So, no, I haven't "chosen to use an XB 
gateway rather than buy [my] own modem."

When I placed my orders, I specifically requested NO firewall or other extra 
security measures. In each and every case, the default installation had various 
kinds of blocking and filtering enabled, which I had to disable (sometimes with 
a truly monumental and expensive amount of effort, often later having to turn 
it off again when it is arbitrarily turned back on). So, no, I haven't "turned 
on Advanced Security."

Setting the router to bridge mode on my current install causes it to disconnect 
from all my static IP addresses, fetch a single address using DHCP, and respond 
only to that one. So that, too, is not an option.

So perhaps what you describe is the way things are *supposed* to work, but at 
least in my area (northern California) the folks in the field haven't got the 
memo.

That said, I've run Tor relays on my Comcast connections and never had problems 
with anything blocking Tor per se.



Re: [tor-relays] Do they use their own modem/router?

2023-06-14 Thread Livingood, Jason via tor-relays
This thread mentions “Advanced Security” and you can learn more about that at 
https://www.xfinity.com/support/articles/using-xfinity-xfi-advanced-security. 
This feature can only be used with a leased Xfinity gateway like the XB7 or 
XB8. There are a great many cable modems that customers can and do buy in 
retail stores that do not have such features – like the Arris S33 cable modem. 
So, a customer that has Advanced Security has in essence (1) chosen to use an 
XB gateway rather than buy their own modem & router in retail and manage it 
themselves, and (2) turned on Advanced Security.

If the customer in question that is using Advanced Security wishes to turn it 
off, they can do so in the Xfinity app (or turn the modem into ‘bridge mode’ 
and use their own router, or use their own modem).

I’m happy to help answer other questions.

Jason Livingood
Technology Policy, Product & Standards
Comcast



[tor-relays] Do they use their own modem/router?

2023-06-13 Thread xmrk2 via tor-relays
Got a question from [seeess at riseup.net](mailto:see...@riseup.net)

> I had a question about the "advanced security" and the two users you tested 
> with. Do either of them use their own customer provided modem, or are they 
> both using a Comcast-provided modem/router? Is "Advanced Security" something 
> that is configured locally on their networking equipment (like a 
> Comcast-provided modem/router) or is it cloud based? You mention "in his 
> Comcast router" but I wanted to double-check if it was specifically a 
> Comcast-provided piece of hardware.

CCB says: "It is configured in the cloud. There's a limited amount of things I 
can do with my router, most of the settings are done through their app. So 
like... things like my port forwarding, I can't actually do in my router, I 
have to go through the app, which I can access remotely or on a different 
network."

I think we cannot be sure where the filtering is done (router at customer's 
premises or inside Comcast network) unless someone tries with a custom router.

CCA stopped replying to me, I can only speculate. He tested our connection with 
netcat, mentioned using wireguard, so he should be capable of configuring his 
custom router. But whether he does, my guess would be as good as yours.

--- Original Message ---
On Sunday, June 11th, 2023 at 1:46 PM, xmrk2  wrote:

> I'd like to raise awareness of the Comcast blocking.
>
> As stated in subject, I believe Comcast blocks all traffic between its 
> customers and public tor relay nodes. That is, the blocking is not limited to 
> tor-related traffic, all other services / ports on the tor relay are blocked.
>
> Background: I am running a lightning node, lightning is a layer 2 protocol to 
> scale Bitcoin. Lightning nodes need to be connected to each other ideally 
> 24/7. I was contacted by the operator of another Lightning node, complaining 
> that he cannot connect to my node. He is a Comcast customer, I am not. I was 
> also running a tor relay on the same public IPv4 address.
>
> I am pretty sure that the blocking is done by Comcast and is triggered by 
> being in the public list of tor relays. The blocking disappeared after I stopped 
> my tor relay and restarted my router (thus getting a new external IPv4 
> address). After 1 day, I relaunched the tor relay, and the blocking 
> reappeared a few hours later. It was also confirmed by the said operator of 
> the lightning node, who said there were various rounds of blocking tor, 
> customers complaining and Comcast lifting the block for some time, only to 
> reinstate the blocking later.
>
> Comcast thus discourages me and similar people from running tor relays, or at 
> least forces me to run tor in bridge mode. So this is an insidious attack on 
> tor. Note that Bitcoin is not particularly relevant, Comcast is blocking tor 
> nodes, not bitcoin nodes. So even if you hate Bitcoin, note that the same 
> problem could arise even if Bitcoin never existed: e.g. a self-hosted web 
> server, whose owner wants to donate his free capacity to tor by running a tor 
> relay. By doing this, he prevents any Comcast customers from accessing his 
> web server, and this consequence is not obvious at all.
>
> Any ideas on how to combat this? I was thinking about including some false 
> positives in tor relay list. Imagine including some Google servers' IP 
> addresses - Comcast customers suddenly cannot connect to Google, unless 
> Comcast stops this blocking... or simply whitelists Google. But those false 
> positives sound ugly and a bit malicious, not sure it is a good idea.
>
> I already wrote about this publicly, and also wrote a mail to EFF. Hope I am 
> not spamming, I feel this is quite an important issue and am a bit frustrated by 
> the lack of attention it gets.