[ale] OT: What the hell is XSS in Comcast land?

Lightner, Jeff JLightner at water.com
Mon Aug 12 11:34:26 EDT 2013


I'll admit I haven't read the other 300 emails in this thread so forgive me if this has already been covered.
I want to note that last week we'd had a cable outage in our area for several hours. When it came back up I was able to get my network service back by power cycling my old Motorola Surfboard (DOCSIS 2.0 compliant) cable modem.

My neighbor however lost phone and internet.   (Phone went away because it relies on internet.)
She had the Comcast all in one box.  Findings from my work and call to Comcast:
1)  There is a battery in this box.  It can be removed from the bottom to completely power cycle it as simply removing power doesn't help.
2)  There is a reset button on the back of the box (on hers it was covered by a little green sticker that said something like verified or checked that I had to remove).   After power cycling (including removal of the battery) I had to do this.
3)  Even after doing the above they had to send a signal to reset from their side.
4)  The default SSID and password for the router came back after the reset.  It is recorded on a label at the bottom of the box.

Using the default SSID and password I was able to get in to do admin to change both.

What was really disturbing to me was that this admin page is available via WiFi connection rather than requiring direct wired connection.   I'd rather prefer people with cantennas not be able to not only steal WiFi but actually be able to lock out the real user by changing security information.   (It of course drops the currently connected WiFi session when you do the change of SSID but then you log back in with the new SSID and password you set.)





-----Original Message-----
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of JD
Sent: Monday, August 12, 2013 11:13 AM
To: ale at ale.org
Subject: Re: [ale] OT: What the hell is XSS in Comcast land?

On 08/12/2013 09:49 AM, Ron Frazier (ALE) wrote:
> That leads to an interesting question.  I wonder how the telephony
> traffic gets mixed in and what IP it has when it exits.  I wonder if
> it even uses IP to get to the Comcast data center.

I don't know what Comcast does, but I know how I'd architect this.
Voice is on a guaranteed bandwidth IP channel and provided with the highest QoS possible on the network. It uses a different subnet than normal IP traffic and it is probably tagged to a specific VLAN to get higher QoS across the entire Comcast WAN.  DOCSIS 3 has some great features that DOCSIS 2 and lower didn't support. v3 makes bandwidth management much easier for cable network providers - dynamic QAM hops are the coolest - well, with more channel bonding support too and IPv6 support. DOCSISv2 doesn't do those things. As long as anyone uses a v2 device, it makes taking advantage of the v3 capabilities much harder.

I'm positive that U-Verse does something very similar. Bandwidth is reserved on different DSL frequencies just for VoIP, just for TV, and then ISP traffic gets whatever is left for that specific run. It all uses IP from the main u-verse box.

The goal for all the service providers is that any extra service you specifically think of as "Comcast" or "TPC" works as well as possible. With internet, they can blame upstream providers for the experience sucking. Hard to shift blame for TV or phone service that are 100% internal services, right?

I had Comcast phone service for a year or so. It had issues:
* Service outages almost every Thursday afternoon at the same time for an hour. TV and internet still worked, just VoIP didn't. An hour outage wouldn't normally be an issue, except this happened at the specific time when a weekly business meeting was scheduled.
* Couldn't call certain numbers on TW and other VoIP services.
* Call quality sucked about 20% of the time. I think that was related to the very long run from the curb to my demarcation point. Even with huge coax, they couldn't get a signal that met specs in the room where I wanted service. It was close enough that it worked most of the time, so I left it.

When the 12 months of cheap phone service was up and Comcast had re-run new, larger, coax to my home, I canceled the VoIP. Bought a $5/month wholesale plan and never looked back.  About a year later, I switched the internet from residential to business - got another new coax - needed 2 lines for some reason - residential TV can't share business lines, I guess.  About 6 months later, killed the residential TV completely. OTA I receive about 70 TV channels using a home-built $20 DB4 antenna.

It seems that the trick to getting new coax run for free is to add a new service and if there is **any** issue at all, have them fix it in the first 30-60 days. If they can't, cancel.

On the SMC business class modem - Comcast owns it - I plug my routers into it with the static IPs configured.  If I attach a non-static IP device, the SMC provides a 10.1.x.x IP automatically.  According to the tier 3 guy, Comcast changes the root password on these routers daily to ensure that fired router configuration techs can't do anything bad 1 day later.  Setting a local-admin password on the router has never worked correctly. I won't bore you, but after an hour with a tier 3 person, we couldn't solve it. They refused to replace it without a truck roll for $90.  I treat that router as a hostile network now.