His experience is similar to one I had a long while back when trying to report to Comcast that I found one of their sysadmin's home directory on GitHub. It had ssh keys, passwords, configs, scripts, etc etc. When I reported it on their support forum, some random dude responded basically saying I found nothing, insulting me, etc. It's wild to me how quickly people will go to insult in these situations.<p>I ended up making a big stink elsewhere and they got the repo down. Funny enough, their heads of security told me they'd use my disclosure to push the execs into building a big bounty program. Long story short, their CISO told me on the phone that what I found wasn't a "bug", and that if they did a bug bounty program, they'd go bankrupt.
I don't know the new context, but I will always be thankful to badmodems.com for highlighting the original Puma 6 issue.<p>I was given a modem by my ISP that had a Puma 6 chipset and it was a nightmare - it would completely cut out multiple times per day, latency was all over the place, and it was a truly terrible experience.<p>Doing a bit of digging I was able to short-circuit a lot of troubleshooting and replace the modem, which immediately solved the problem. It truly was negligent how bad those chipsets work - even for basic tasks it was nearly unusable.
"What is the issue?" <a href="https://web.archive.org/web/20210506114456/https://badmodems.com/Issue3.htm" rel="nofollow">https://web.archive.org/web/20210506114456/https://badmodems...</a><p>> Some chip makers have hidden latency and jitter issues from common tests that are in use by consumers and even ISPs. Ping CANNOT be used reliably to test for latency or jitter.
Looking through the site and the history around it, the level of obsession, the conspiratorial thinking, the grandiose claims of "defeating" Intel -- this guy probably needs help with some mental health issues.
I don't know the background but the dude seems both passionate but also honest about just being done.<p>Sometimes you're just done. Makes sense to be clear to everyone involved and put it behind you.
<i>"Flounce, v. To leave an internet group or thread with exaggerated drama; deleting posts, notifying mods and or group users, and cross-posting on other groups to draw attention to the drama. Comes from the original use of gathering up skirts and petticoats and leaving in dramatic, impatient and exaggerated movements."</i> - <a href="https://www.urbandictionary.com/define.php?term=Flounce" rel="nofollow">https://www.urbandictionary.com/define.php?term=Flounce</a>
The guy comes off as kind of childish and the people on the site he links appear to know what they're talking about which makes me a bit skeptical.
Sad but true, we need wackos/mentats/obsessed people to help us all, because we don't have the stomach for it.<p>Society progresses, one battle at the time...
Maybe it would help the OP if he imagined that his antagonist was <i>hired</i> to disrupt his efforts, and so by reacting in this way is giving his opponents exactly what they want. This story is evidence of how vulnerable passion projects are to influence.
Unfortunately Ive seen a few other FOSS projects go the same way. Troll/bad-actor management is difficult and time consuming and takes a toll.<p>Thanks for all the fish!
I agree with many other takes here: this person really is getting too worked up, and therefore should take a break.<p>On the other hand, it seems the issue that was the straw that broke the camel's back is saying that ICMP equals access, and access could mean just ICMP to some (I can access this thing via ICMP), or access could mean full takeover to others (now I know it's there, and therefore it's exploitable to anyone with time & energy).<p>It's really stupid to get upset about self-proclaimed security experts arguing about stuff where they haven't even clarified what they're arguing about.<p>Honestly, though, it's a non-issue. Some ISPs use RFC 1918 addresses, and some of those addresses are reachable (via ICMP) from consumer endpoints. So what? That's no less and no more secure that any other set of intermediate hops in ISPs' networks.
Previous discussion :<p><a href="https://news.ycombinator.com/item?id=15781474" rel="nofollow">https://news.ycombinator.com/item?id=15781474</a><p>> Some chip makers have hidden latency and jitter issues from common tests (badmodems.com)
220 points by based2 on Nov 26, 2017 | hide | past | favorite | 42 comments
Wowee...<p>So I am the Badmodems.com guy. I started getting emails to the badmodems email and I came looking for this thread.<p>I did fight the good fight. I took out a whole division of Intel. They sold off the connected home div and the Puma. Then the Puma has now pretty much died out.<p>That last battle tho, with the cable co admin network. OMG. That was some crazy shit. My health is better now and putting all that crap behind me was the right thing to do for my sanity..<p>My fav part of the whole Intel battle was when i did a 6 hour deposistion in the class action lawsuit. Arris lawyers and Intel battering me for 6 hours. All under oath and videoed. That was SO AWESOME. It was a intense battle. I won all of it. They never pinned me down once. I can also now discuss it and Intel did internal testing and even hired a outside testing lab. They did this really early. The discovery process got emails that confirmed horrendous performance and in email they decided to keep selling it with defects they knew they could not fix.<p>The cable co admin network thing,, oh gawd what a mess. There was a HUGE comcast network faceplant right when I was working with a guy in europe and with Comcast. Comcast as a whole pretty much fell over in most cities. I never found out what happened. I think Comcast was trying to patch holes and borked their own network.<p>I am glad to hear people got something from all my efforts. I did save everyone on cableCo systems worldwide from the Puma/Intel. They literally had plans to dominate the world and take over the home while destroying the only competition, Broadcom.I did, pretty much single handed, prevent really nasty devices from polluting the world and now have sent that whole chip into a grave.
Do people have issues with these modems in real use cases?<p>The code that makes these devices fail uses up lots of UDP ports which suggests that the issue may be with the NAT implementation. I have done some searching online but haven't got a definitive answer on what exactly the issue is (other than it causes latency and hitter under certain conditions).<p>I'm slightly sceptical these modems (really modem routers) are as bad as this site previously suggested. It seems like the only use case that breaks them is some specific games where there is a huge amount of latency critical UDP traffic.
Notes for those pushing forward - the last working wayback machine snapshot before he FFR'ed the website and let the blue smoke out of his fight:<p><a href="http://web.archive.org/web/20211002154145/https://www.badmodems.com/" rel="nofollow">http://web.archive.org/web/20211002154145/https://www.badmod...</a><p>---<p>I feel bad for him. Fighting for good security or even a better product shouldn't cost people years of their lives but as long as it doesn't come at the expense of the product's bottom line, there is little reason to compel change as it doesn't impact the bottom line which is what decides whether something is made for most big corporate outputs.<p>The same argument could be said about "Tech Debt" or non-UL labeled products and a myriad of other causes.<p>Zero fucks will be paid to anything not socially cool even if it is the responsible thing to do.<p>That's why we live in the world we live in now.<p>It doesn't take a rocket scientist to figure out why the world is crap. But for the most part, it takes that "title" just to have a microphone loud enough to move the needle.<p>This little part of life is what I'm currently struggling with in my post-Covid decision making.
Last snapshot on Oct 02 2021 before page was changed: <a href="https://web.archive.org/web/20211002154145/https://www.badmodems.com/" rel="nofollow">https://web.archive.org/web/20211002154145/https://www.badmo...</a><p>The site seems to be focusing on latency/jitter issues: <a href="https://web.archive.org/web/20210506114456fw_/https://badmodems.com/Issue3.htm" rel="nofollow">https://web.archive.org/web/20210506114456fw_/https://badmod...</a><p>I'm not entirely sure what to make of the information presented. The page above includes an embedded video demonstrating a difference between ICMP and TCP load-testing: <a href="https://www.youtube.com/watch?v=15cJ400yR_E" rel="nofollow">https://www.youtube.com/watch?v=15cJ400yR_E</a><p>I'm not knocking that there is interesting data, I'm rather trying to consider potential confounding factors that could call the conclusions being drawn into question.<p>In particular, I have two questions:<p>- This doesn't talk about "bufferbloat" (<a href="https://en.wikipedia.org/wiki/Bufferbloat" rel="nofollow">https://en.wikipedia.org/wiki/Bufferbloat</a>) or internal buffering happening inside the modem, only latency/jitter. I'm honestly completely naive about the relationship between the two concepts, but I thought they had reasonable overlap, and could even potentially go some way to explaining the dynamics of what's going on. Why not?<p>- The video seems to just be TCP- and ICMP-pinging 8.8.8.8. Surely that address is sufficiently hammered that it probably implements fairly aggressive rate control algorithms...?
I don't know about the work he's been doing or what fight he's been part of. But the text itself seems bitter and psychotic, it's good that he leaves the battle behind and takes a break. I know that too much truth can be tough to handle, but don't singlehandedly try and fix the bad corners of the world. I'm just typing my honest opinion at risk of sounding insensitive, but it truly is great to just let go and move on.
As a default, you should not consider your gateway network device in your trusted zone. This is one of many reasons why you should VPN (including personal, commercial, Tor, whatever your cup of tea) all traffic elsewhere.<p>You might think "that only moves the attack surface" , you are both right and wrong. Technically it is moved but you eliminate LAN based, wireless (think wpa) and untrusted network devices from the equation and reduce them to one attack surface. Not only that, the threat actors most relevant to most people's threat models are not able to operate or operate with reduced capability to the most part when the attack surface is not a home network/device managed by individuals (and crappy vendors,isps,etc...).<p>It can pay for itself, don't worry about network device security, just get the cheapest yet fastest stack amd VPN through it.
I remember reading about his discoveries on the Puma chipset and that was actually really useful information when I was debugging cable issues myself.<p>No idea what his most recent issue is but hey, thanks for your work bud, it was useful to many. Time to take a break!
I can understand some of the concern. And while I will admit havent dove too deeply into the minutia how many of these DOCSIS manage modems at scale, after watching his presentation i felt most of that could or should be inferred.<p>For example:<p>I was well aware that you needed to get a MAC address whitelisted and then from there a config, including your speed tier would be pushed. I somewhat assumed DHCP reservations were used for that, on a management network, with TFTP for the config file. It makes sense.<p>This was also solidified by that fact that in most cases during an internet outage, my routers IP would revert back to an RFC1918 address.<p>Ive never used "landline" services from these providers so SIP wouldn't really be in scope but its not surprising that would be on a separate network and there may be some ability there to "sim-ring" calls. Thats standard in a lot of SIP implementations and probably a feature even a home user would want (ie: ring my cell phone and allow it to connect if phones on the modem dont work).<p>Things like redirecting traffic etc would get noticed with a ton of stuff being SSL/TLS encrypted. But i would agree some/a lot of this should be using TLS as well.<p>That said I have never mucked with any of it because.<p>1. I consider the modem, which i own, to be untrusted and while its inside my DMARC, its outside my security perimeter. Its not directly managed or controlled by me. Anything on it or passing through it should be considered hostile and subject to inspection or filtering.<p>1a. This is 100% of the reason why i run my own firewall, separately, from a device managed by the ISP and why i avoid AIO style modem/router/firewall devices.<p>2. I am unsure what mechanisms an ISP may employ to ensure certain things (like upstream/downstream configs) are not tampered with. This could be as simple as a hash check monthly or when billing rolls over to ensure my version is the same as theirs on their servers. Changing that could get be out of bounds with the TOS and canceled, which i have few other options.<p>So its incumbent of me to basically mind my business. I can also see me "unleashing" my speed tier could impact others on my node, which may cause calls from other customers and an investigation shows that theres a sudden over subscription outside of their norms/standards. Again could be considered malicious and cancel my service/blacklist me or the address.<p>WITH that said, i do understand the concern with respect to AIO style devices. But again i would consider anything on the ISP network to be "red" and no different from the relative hostility of the greater internet. But i dont see the concern with DHCP traffic and arp traffic, that seems normal, even on a ISP net, its how devices get online and authenticate and find the next hops on the network.<p>ISP's should do better about segmenting that though, and should probably not provide an AIO solution in general or if they do have one with actual phsyical segementation (ie a box with 2 boards independent of each other connected the same way a modem and router would separately) but I understand why they may want to have simpler setups as well from a customer support standpoint considering the average technical prowess of their userbase.
The optimistic side of me was briefly elated that, perhaps, since all modems had since become good, there <i>were no longer any bad modems</i>!
Alas, reality.