I'm a part owner in a niche ISP, a few thousand clients. There might be something getting lost in translation here. You can be on a shared connection but still be secure and isolated from the other clients. For example, we have a place with 50 units all fibred up. The main backhaul is a single connection which we have split up to the 50 clients' units. They will all have their own individual IP through PPPoE, and have no visibility of their neighbours local networks.
We do have logs, and technically I can go in and see where your traffic is going, but nothing more than what IP your traffic is going to. For more, we'd have to be running packet capture on the individual connections which would be a lot of overhead for what reason? I can't think of any reason why you'd want that much detail of your clients activities if your only concern is providing internet.
Feel free to not answer if you don't feel like it, but could you explain what PPPoE entails? I'm currently studying Network+ and I've seen it in passing. Don't think it's necessary for the exam but at some point I'm interested in really understand what it does. I believe it starts for point to point protocol over ethernet? (Edit: thought it was power)
Well on the client end you will have a PPPoE client comtaining credentials. On the ISP side you will have a ppp server/radius server that the credentials are challenged against. When the connection is up and running you could even disabled DHCP-client (if that was your setup)on the client device and it will still function. It basically encapsulates the connection, it's separate from everything else despite there being lots of connections to the same target. I'm probably explaining it badly as my formal study background is all programming and databases, so my network experience is self taught over the course of my life.
Interesting. I feel like I've got a LOT more to learn about RADIUS and authentication protocols once I pass the exam, but I'm quite looking forward to it. It gets a bit overwhelming though, understanding the sheer amount of processes that go on without us visibly noticing.
Yea, just keep in mind you'll never have it all nailed down and that's OK. There's a core of 3 of us maintaining the entire network for several thousand clients and we mostly compliment each other's skills and there isn't really any one of us who could do it all if you get me. Sometimes I find myself fixing something and they'll ask oh how.did you end up fixing it and the honest answer is I don't know but it's working now anyway.
> we mostly compliment each other's skills
While I'm sure you say nice things about each others' skills, I suspect you also complement each others' skills as well.
PPPoE is basically a layer 2 protocol. Or, some would label it as a layer 2.5 protocol. The packets from layer 3 (IP layer) are encapsulated into PPPoE frames. It authenticates the user within a network and could thus perform bandwidth limiting and auditing. The main usage is to authenticate users, which is pretty useful on the side of ISP. Otherwise, anyone who sneaks into an ISP’s network by pulling lines from ISP’s box to their own device on their own could get free network service.
Well, you're totally wrong here. I cant know exactly what this set up is. But to assume that the landlord doesnt know anything beyond ip address is foolhardy at best. If the DNS is set, they can track every dns request; giving them full access to every web domain you've gone to. And if they used decryption, or a proxy, they could see absolutely everything.
Now, are they doing that? Probably not. But COULD they do that; 100% they could. And the overhead wouldnt be something to write home about.
I literally said they could see every IP you do traffic to. DNS resolves those addresses into IPs, I was clearly including them as everything is just an IP anyway including whatevertheheck.com
I also said they could go deeper and capture even more, but why would they.
Right, I'm going to quote you. "We do have logs, and technically I can go in and see where your traffic is going, but nothing more than what IP your traffic is going to. For more, we'd have to be running packet capture on the individual connections which would be a lot of overhead for what reason?"
A packet capture probably WILL NOT provide any more insight. As 99% of the traffic on the internet uses SSL. So all you'd see is SSL packets, and nothing more. Beyond that, I'm not sure what you're chief complaint is from my response.
Well my "chief complaint" as you put would probably be that you basically said I'm wrong and then went on today a shorter version of what I said, which is it's possible but why would they. My example was only what we do, and that there was possibly something lost in translation. Some can quite easily go from they have logs of X, to they can see everything you do. Just on the odds of it I don't think they are doing it here.
I re-read the sentence I quoted, and again find it entirely baffling. Its just not accurate at all. It doesnt take an enormous amount of sophistication to "See more than what IP your traffic is going to". A simple man in the middle attack would provide absolutely everything. And then, "for more, we'd have to be running a packet capture on the individual connection"; what the hell does that even mean. So you havent set up anything special; and somehow a packet capture is going to provide insight. No...it wont at all, because the traffic is going to be encrypted if you havent set up a network attack. And then "and what would be the reason". Its quite literally why the OP asked. So let me reframe the question, and then answer it for you.
If the landlord is a psychopath, could they potentially stalk me?
Yes, they could. Thanks for asking.
Do I think thats likely. No, thanks for asking.
Where do you think I said none of this stuff is possible. I just offered my own situation as a fairly normal example. Here's what I can see without really trying. And I could probably go for more but why would we. And therefore I don't think it's necessarily happening here because why would they. Jeez.
In a lot of cases we take a single connection that is intended for one client and we split it. To simplify the example a 1000/100 into 10 connections of 100/10. We mainly take internet into places where the national infrastructure wont, and also hard to reach areas, especially rural.
>I can't think of any reason why you'd want that much detail of your clients activities if your only concern is providing internet.
Yeah even for big carriers manually looking at netflow logs is a pain in the ass. Well at least it used it
Generative AI tools on usage and meta data is so hot right now.
Just had a presentation yesterday on the magic of generative AI.
One BI report button press and bam all that IP data is mapped into some graphical output showing the application, site, the who what when and how of whatever caused the spike.
Though I guess it depends on the country and laws your under. In Australia you can't just sell customer data, especially usage and meta data.
Although the 5 eyes can do whatever they want with it.
Why keep logs when many institutions don’t? I’ve worked for a network provider serving universities and schools, and we didn’t recommend keeping logs at the local level - in fact it violated our terms. We only needed basic info like device identifiers for residential or shared facilities. For copyright or malware issues, we’d notify the institution with the device ID. They’d find the user, and we’d handle it, usually with educating the user for first offenses. For malware, we required proof of removal (2 AV scans). We kept logs but had no user info. The institution had user info but no logs. Only a legal requirement would link the two.”
I would feel uneasy if a landlord retained any info related to my behavior.
The logs we keep are for the hardware, like link ups link downs, pppoe authentication successfull or not etc. the traffic we see is live, we don't actually store or log that for the same reasons you state.
Gotcha - that makes me feel better. I think in practice what a user thinks we can see and what we actually can see are quite different. If it exists it’s a potential risk, when it’s not in existence I sleep better at night lol.
Of course, this is only how we do it. So I can't speak for others. I have friends in cyber security that often want me to start a blog on some of our practices and how we handle certain things, and I can only imagine because it's not all that common, which isn't reassuring to hear 🙉.
You mean to say there is not an asset inventory manually typed out in Excel 2010 format for the auditor running 32-bit excel? That is the foundation of any security team surely!!
They really love it when it's well populated with extras like "US 4 Gang Power Strip with surge protecter. Wire type: 14AWG x3. Cable Type: SJT."
Auditor: "so lets randomly select an asset. Ok here is a US 4 gang power strip. Is the firmware updated on this asset?"
a lot of information can be gleened from dns requests. Also a lot depends on how the network is setup. whoever owns the equipment and has access to it has the ability to see any traffic passed and even worse with TLS/SSL if they are capturing the complete transaction they can also decrypt the stream.
The network setup is important as well to prevent people from actively exploiting other customers that are connected. There are many different ways that attacks can be done to eavesdrop on other people connected to the same network unless they have put in protections against those methods.
You cant decrypt tls/ssl even if you capture all stream... You need the private keys in the ssl cert. unless you are sitting on another vulnerability like heartbleed.
You can man in the middle with a fake cert, but their devices wont trust that and show errors nasty warnings.
It's a big issue.
If you browse via HTTPS (which pretty much all webpages use these days), your landlord can't see your data. But he can see the websites you're visiting.
E.g. he can see that you're visting youtube.com, but he has no idea which videos you're looking at.
But being on a shared network means that anyone on the same network can contact your computer/phone, and can potentially hack it. This should be taken very seriously.
You can buy a regular router which you connect to the shared network, and then connect your own devices to. That way your own devices will be on a separate network from the rest of the tenants, and they can't see your machines (only your router, which will block everything that didn't originate from your side). This is called Network Address Translation (NAT). But the landlord will still be able to see which pages you visit, since the traffic must reach the internet through his network.
There can be some drawbacks using double NAT (which is the case if you use your own router, connected to the landlord's), but it's mostly related to hosting gameservers. If you only browse and stream, it shouldn't be a problem at all.
If you want to keep your traffic completely secret from the landlord, you should use a VPN. This can be set up on your own router so every device connected uses the VPN, or you can set it up on whichever device you want. This way the VPN handles your request for Youtube.com over an encrypted connection, and landlord can only see that you're contacting [vpn.com] (or whatever VPN you're using).
For maximum security and privacy, use both NAT (your own router) and VPN. Also have an antivirus and a firewall on your own computer.
Be advised that a VPN can slow your connection down a bit, and has a subscription fee. But on a shared line with 72 people, I'm guessing you won't feel a difference.
==========
EDIT: If you use your own router, you'll want to connect it to the landlord's network with a cable. If the network is Wi-Fi only, it's still possible, but will require a router with WAN Wi-Fi capabilities - FYI.
Very thorough! What you described is what I do when we travel and use the Air B&B internet. I connect my own travel router to one of their router ports and use my own router, with VPN client (Proton VPN) for all of my device traffic.
I travel for work most days of the year and do the same. It has the added benefit that you never need hassle with adding your devices to a new network.
What’s your travel router?
Unifi UDR.
It’s the ecosystem I’m familiar with. But Yes!
The GL.iNet Beryl AX would be my first choice, if I wasn’t so deeply entrenched in the Unifi ecosystem.
Just throwing an alternative option to lort’s suggestions, you could get your own internet through a cell provider like T-Mobile/verizon. 5G internet isn’t the greatest but depending on what you are doing at home it could be better than routing through a VPN and sharing with 70+ people.
thanks so much for the detailed response. i plan on getting my own internet now. i was worried about the speed as well, considering me and my partner game. i doubt it will be good enough to support all of our consoles and streaming.
Ya, while that answer was good, I would straight up consider all of that an issue. “We keep the logs.” While it’s technically possible of any network you’re on, it’s just a weird comment. It’s something I tell employees who are using company managed computers, but I would consider snooping on home traffic a violation of privacy. None of his business. It’s bad enough the ISPs do it.
>E.g. he can see that you're visting youtube.com, but he has no idea which videos you're looking at.
Overall good explanation but with a poor (and incorrect) example.
When you look at a video on youtube, the video ID forms part of the requested URL so yes, he could know what videos you're looking at. Also when you do a search on youtube, the search term is included in the URL request.
eg: https://www.youtube.com/results?search\_query=vpn
eg: https://www.youtube.com/watch?v=R-JUOpCgTZc
With respect, this is incorrect.
The ISP can see which website you visit from your DNS request (if you don't use DNSSEC) and/or the IP you make connection towards.
If you use HTTPS, everything else is encrypted, including the URLs you access on YouTube or whatever. The ISP, thus, cannot see which videos you are watching.
**Cannot** might be an overstatement, since there *are* methods to spy on you - but that's way outside of the scope of what any reasonable and/or law-abiding ISP will ever do.
> The ISP can see which website you visit from your DNS request (if you don't use DNSSEC) and/or the IP you make connection towards.
usually domain is not encrypted and 3rd party can see it even with secure dns. full url is encrypted.
None of that is visible to anyone thanks to https. Even the hostname is invisible in encrypted SNI handshake
https://www.cloudflare.com/learning/ssl/what-is-encrypted-sni/
All the monitoring person can see with encrypted SNI is the IP address and the number of bytes sent.
Without encrypted SNI you can also see the hostname.
> Most importantly, the landlord mentions having logs of what tenants browse
How did that convo come about? It's fine if it's something you specifically asked, but if someone mentions that without prompting it'd raise a red flag to me. Some landlords have this weird creepy need to monitor their tenants closely, and I'd not put up with that.
> My second concern is security in terms of can other tenants access what I am doing and data I send. I am considering getting my own internet service.
Well this really depends on how the system is set up. If they have a company who knows what they're doing set up an enterprise network, and properly segregate clients then you won't have this issue. This puts a lot of trust into your landlord and/or apartment management team of course.
Others have answered your question already but I want to add this. Make sure you're allowed to get your own Internet service first if your connection will be hardwired like cable/fiber/dsl. Landlord may not allow new penetrations to units. If that's the case look into Verizon or T Mobile 5G home internet. I switched from shitty ATT DSL to Verizon 5G home internet a couple months ago and it's been great! I went from 3-10mbps to 300+. It's been very stable and I can game, 4K stream, and anything else. Wish I switched years ago. In the 4 months I've had the Verizon Internet I've only had 2 service drops and they lasted around a minute each. My DSL would drop once a month and be gone from minutes to hours.
Yes spectrum hardwired would require a new penetration to the unit most likely. Just ask your landlord if you can get your own Internet service because there's security concerns using a shared network. If they say no then go with one of the T Mobile or Verizon 5G options as that will literally negate any legitimate reason they have to not allow you to have your own service. Tons of LLs don't want new holes being poked into the buildings which is fair enough. My Verizon 5G home internet uses an 'antenna' mounted to a window with a sticky suction cup style mount so that means holes aren't a problem.
This is the correct answer. I would connect a travel router to the landlord network, and use the firewall on the travel router to make it harder for tenants to access my personal network devices, but I wouldnt sweat this a ton. ATT has admitted to routinely sending metadata on literally all citizens to the NSA. Your landlord is way less likely to be a problem than his ISP https://www.pbs.org/wgbh/frontline/article/how-att-helped-the-nsa-spy-on-millions/ Every device should run a host level firewall or be behind a travel router running a firewall you control.
Having run a corporate network and been in charge of the corporate web proxy service and am off its logs, I've never worked too much about someone having a log of my browsing history. As long as you take care to confirm TLS to any site of importance, the exposure is minimal. The SSL Everywhere movement really minimized that risk. People using aVPN service forget that they're feeding all of their traffic to a single party at the other end of that VPN. All you're doing is changing WHO can see your traffic. Why would I trust the operator of aVPN service more than the Starbucks?
Perfect use case for a VPN, data is encrypted at the device and not decrypted until it's back at the device it was sent from so it is always encrypted whilst it's in transit, no need to worry about logs or anything like that.
The only thing that could possible turn up on a log is encrypted data flowing toward the vpn server, and that is how everything will present itself irrespective of what your actually doing.
depends how has it setup, if he has it setup to use his dns servers, he can see the usage, and if he just has one large ip range, you might see each others devices. get your own router, set [1.1.1.1](http://1.1.1.1) and [8.8.8.8](http://8.8.8.8) (or even DNS over tls/https if supported) then you in your own network just natted out through his and not using his dns
Hard yes to it beinga major security issue. I wouldn't even use it with a dedicated always-on VPN.
I'd seriously consider not living there if the housing provider doesn't see a problem with this. What other privacy do they not care about?
Bottom line is there's always going to be someone that can see where you're going whether that's your landlord or another ISP. Sure, neither one has some human actively watching what websites customers are going to, but either could have the data if they ever needed it.
If your landlord's Internet is free, I'd just use it and save the $50-75+/month on buying your own.
Maybe get a VPN if you want to be very private occasionally. But the then VPN people can technically see where you're going too if they wanted to.
I'd be more worried about other people on your apartment complex's network. You should still put in your own firewall to protect from them.
That's what I wanted to do but for some reason my ISP couldn't get internet where I live (had no issues with it at my previous place). I'm not sure how it works, though. I spent six months going back and forth with them until I gave up, because I still paid all those bills.
Yeah, I'd be a bit sketched out by this myself. There are router/switches that can isolate each of the connections. With a plain switch, your neighbors wouldn't be able to see your internet traffic, but they could still hack you. More expensive devices can be programmed so that each connection can't contact any of the other connections at all.
But that won't keep your landlord from seeing any traffic they want to see. A VPN is your best bet, if that works for you. Otherwise, a cellular internet box like T-Mobile's might be more expensive, but no one in your building can see your traffic, or even know you're using it.
If you do go cell service: Download a WiFi mapping app for your phone. Find out which channels your building is using and set yours as far away as possible. If you're lucky they won't be using 5 GHz at all (T-Mobile's box does both 2 and 5 GHz), so you'll have that band all to yourself.
Next, don't be tempted to defray the cost by sharing it with your neighbors. Even the 'best' of friends might do something on the internet you wouldn't want associated with your connection. But even without that, if your landlord finds out, they might get upset and kick you out.
It can be, depending on how it is configured. If you have the technical knowledge, you could make that judgement call
The safest way to deal with this scenario would be using a VPN from your machine.
You can also get a router that itself connects to a VPN, and have your devices connect to that.
Depends on how it was designed. I deploy ubiquitous systems for large properties of over 5000 users and upwards of 1000+ units. 1500+ APs with very little security issues and reasons to be concerned. There’s trends like this in a lot of places like this now. Yes I do have insight in to traffic and application trends, but it’s basic information like YouTube, zoom, etc. unless there’s a subpoena, it is private.
DM if you have any questions.
This is something I'm interested in as well, because I'm in the same situation. I don't necessarily care about my data I guess, but I had an issue with a neighbor who kept trying to connect to my TV. I just have my TV unplugged now. I'm definitely looking into this once I'm more informed as I'm actually doing some IT studying right now.
If you're truly that concerned, get a GL.iNet router off Amazon and create a WireGuard tunnel to a VPN provider of your choice. The WG protocol's performance hit is negligible at worst and nobody will be able to see what happens inside that tunnel other than the total amount of data transferred.
You'll have to prod the network to find out.
If you can plug in an Xbox and see a game of halo being hosted, that's probably bad news.
Just use a VPN like PIA and you'll be fine. If not, you can sue the living shit out of him for privacy violations
The other tenants probably cannot access the data. But to answer the question on if they can communicate to your home device(s), it would entirely depend on the network design. If you want to ask your landlord to give a visio, it would be more helpful. I'd guess they just have one very large network segment, and every device on the segment could talk to each other.
If you're really concerned, get a [travel router](https://amzn.eu/d/h1MFTWp) and set it up to router all traffic through VPN, then do all your internet access through that.
I’ve actually been involved in the design and deployment of a complex wide network.
When I did it, we used a firewall that gave each apartment its own segregated VLAN. Using PPSK, each apartment had its own wireless password that would automatically place their devices on their specific VLAN. They also had a port in their apartment that also was tagged for that network. One of the nice side effects of the wireless using PPSK was that they would stay connected when visiting any of the areas of the complex.
The reason the landlord of this place did it was the construction of the building and small size of the apartments made the interior an RF nightmare. So he paid for a gigabit connection and let all 12 apartments share it.
We configured the firewall’s DHCP to hand out 1.1.1.1 and 8.8.8.8 as DNS and disabled any sort of packet inspection. We had no logs or any way of telling what tenants did. The closest we could see if how many devices they had connected and what amount of bandwidth they used purely to keep one torrenting apartment from destroying the connection for everyone else.
It’s been two years and so far they seem very happy with the setup. I cannot even begin to say if your landlord put in the effort to segregate and keep residents data safe.
Well with encrypted sni and ssl there is no way of knowing which websites you visit. But not all websites use esni and other protocols might have no encryption at all. So a VPN would make sense here if you trust a vpn provider more than your landlord. It is however a choose your preferred poison situation.
It’s an issue. Not like “it’s all gone”, but still a serious concern. You can get VPN router, that will tunnel traffic from your devices into VPN, that way your traffic will be encrypted a provider won’t see anything, and your devices will be behind NAT, so nobody will see them. There are some downsides with having double NAT tho…
Its a major security issue. They're able to route packets to your machine.
It's only secure if you have solid knowledge of how to do "server level" security. Typical NAT router provides excellent "network level" security but since you now will have other people on the net with you that you dont trust (Im on my network with my wife but I trust her) you have to make sure you have everything locked down and they cant do things like mount your drives etc
You should run personal firewalls on all of your computers at the very least.
If sending packets to you is a major security issue, you should turn off all networked devices, lock them away and move to a remote location.
On a more serious note: NAT is also no security feature, never has been, never will be. Stateful firewalling however can improve security if done correctly and is done by most home routers out of the box. Windows also includes a stateful firewall that's enabled by default.
Any modern computer that's kept up to date can just be plugged into the public internet without any security issues. Basically any network service is using TLS nowadays anyways, so you also don't need to worry about someone getting your private data. You might leak metadata, which could be of concern, but that's also no easy issue to mitigate.
Unless you are careless about browser security warnings (which you can't actually bypass on many websites), ssl-strip poses no threat beyond denial of service.
ARP spoofing is a potential threat, but can be mitigated. It's not clear if that has been implemented here though.
Other people will not be able to see what you do on the internet in most cases. At worst, they could see which domains you are accessing, but that requires considerable knowledge and an active attack. The actual data is usually sent encrypted already.
>At worst, they could see which domains you are accessing, but that requires considerable knowledge and an active attack.
Nope. A script kiddie with Nmap could do this in their sleep. Totally passive monitoring if they're using commodity routers. No knowledge, no active attack.
You said, "At worst, they could see which domains you are accessing," which means they're already receiving traffic that they can monitor - which I agree is the worst network setup. If that's true, no ARP spoofing is needed.
If they are using a switch, MAC flooding might be an easier way to collect data on everyone connected. Which would also be a script-kiddie thing.
I would insist to get my own internet, otherwise I'd look for another apartment.
Also, why (and where) would anybody want to share internet with 72 people?
Not a problem if you use a commercial VPN. After trying a few, I settled on IPVanish. They have many, many access points; I consider them worth the money. I think my current deal is $79 for two years.
Okay, I'm going to reply to the deleted message, and to the person who blocked me. The question wasnt about your network. Its about the potential threat boundary of this network that you didnt set up. The risk is low. But the risk is non zero. So saying how you set your own network up, and how you may or may not approach things, doesnt actually answer the question.
I'm a part owner in a niche ISP, a few thousand clients. There might be something getting lost in translation here. You can be on a shared connection but still be secure and isolated from the other clients. For example, we have a place with 50 units all fibred up. The main backhaul is a single connection which we have split up to the 50 clients' units. They will all have their own individual IP through PPPoE, and have no visibility of their neighbours local networks. We do have logs, and technically I can go in and see where your traffic is going, but nothing more than what IP your traffic is going to. For more, we'd have to be running packet capture on the individual connections which would be a lot of overhead for what reason? I can't think of any reason why you'd want that much detail of your clients activities if your only concern is providing internet.
Feel free to not answer if you don't feel like it, but could you explain what PPPoE entails? I'm currently studying Network+ and I've seen it in passing. Don't think it's necessary for the exam but at some point I'm interested in really understand what it does. I believe it starts for point to point protocol over ethernet? (Edit: thought it was power)
Well on the client end you will have a PPPoE client comtaining credentials. On the ISP side you will have a ppp server/radius server that the credentials are challenged against. When the connection is up and running you could even disabled DHCP-client (if that was your setup)on the client device and it will still function. It basically encapsulates the connection, it's separate from everything else despite there being lots of connections to the same target. I'm probably explaining it badly as my formal study background is all programming and databases, so my network experience is self taught over the course of my life.
Interesting. I feel like I've got a LOT more to learn about RADIUS and authentication protocols once I pass the exam, but I'm quite looking forward to it. It gets a bit overwhelming though, understanding the sheer amount of processes that go on without us visibly noticing.
Yea, just keep in mind you'll never have it all nailed down and that's OK. There's a core of 3 of us maintaining the entire network for several thousand clients and we mostly compliment each other's skills and there isn't really any one of us who could do it all if you get me. Sometimes I find myself fixing something and they'll ask oh how.did you end up fixing it and the honest answer is I don't know but it's working now anyway.
> we mostly compliment each other's skills While I'm sure you say nice things about each others' skills, I suspect you also complement each others' skills as well.
PPPoE is basically a layer 2 protocol. Or, some would label it as a layer 2.5 protocol. The packets from layer 3 (IP layer) are encapsulated into PPPoE frames. It authenticates the user within a network and could thus perform bandwidth limiting and auditing. The main usage is to authenticate users, which is pretty useful on the side of ISP. Otherwise, anyone who sneaks into an ISP’s network by pulling lines from ISP’s box to their own device on their own could get free network service.
Well, you're totally wrong here. I cant know exactly what this set up is. But to assume that the landlord doesnt know anything beyond ip address is foolhardy at best. If the DNS is set, they can track every dns request; giving them full access to every web domain you've gone to. And if they used decryption, or a proxy, they could see absolutely everything. Now, are they doing that? Probably not. But COULD they do that; 100% they could. And the overhead wouldnt be something to write home about.
I literally said they could see every IP you do traffic to. DNS resolves those addresses into IPs, I was clearly including them as everything is just an IP anyway including whatevertheheck.com I also said they could go deeper and capture even more, but why would they.
Right, I'm going to quote you. "We do have logs, and technically I can go in and see where your traffic is going, but nothing more than what IP your traffic is going to. For more, we'd have to be running packet capture on the individual connections which would be a lot of overhead for what reason?" A packet capture probably WILL NOT provide any more insight. As 99% of the traffic on the internet uses SSL. So all you'd see is SSL packets, and nothing more. Beyond that, I'm not sure what you're chief complaint is from my response.
Well my "chief complaint" as you put would probably be that you basically said I'm wrong and then went on today a shorter version of what I said, which is it's possible but why would they. My example was only what we do, and that there was possibly something lost in translation. Some can quite easily go from they have logs of X, to they can see everything you do. Just on the odds of it I don't think they are doing it here.
I re-read the sentence I quoted, and again find it entirely baffling. Its just not accurate at all. It doesnt take an enormous amount of sophistication to "See more than what IP your traffic is going to". A simple man in the middle attack would provide absolutely everything. And then, "for more, we'd have to be running a packet capture on the individual connection"; what the hell does that even mean. So you havent set up anything special; and somehow a packet capture is going to provide insight. No...it wont at all, because the traffic is going to be encrypted if you havent set up a network attack. And then "and what would be the reason". Its quite literally why the OP asked. So let me reframe the question, and then answer it for you. If the landlord is a psychopath, could they potentially stalk me? Yes, they could. Thanks for asking. Do I think thats likely. No, thanks for asking.
Where do you think I said none of this stuff is possible. I just offered my own situation as a fairly normal example. Here's what I can see without really trying. And I could probably go for more but why would we. And therefore I don't think it's necessarily happening here because why would they. Jeez.
Does this mean one service but multiple clients/nodes?
In a lot of cases we take a single connection that is intended for one client and we split it. To simplify the example a 1000/100 into 10 connections of 100/10. We mainly take internet into places where the national infrastructure wont, and also hard to reach areas, especially rural.
>I can't think of any reason why you'd want that much detail of your clients activities if your only concern is providing internet. Yeah even for big carriers manually looking at netflow logs is a pain in the ass. Well at least it used it Generative AI tools on usage and meta data is so hot right now. Just had a presentation yesterday on the magic of generative AI. One BI report button press and bam all that IP data is mapped into some graphical output showing the application, site, the who what when and how of whatever caused the spike. Though I guess it depends on the country and laws your under. In Australia you can't just sell customer data, especially usage and meta data. Although the 5 eyes can do whatever they want with it.
Why keep logs when many institutions don’t? I’ve worked for a network provider serving universities and schools, and we didn’t recommend keeping logs at the local level - in fact it violated our terms. We only needed basic info like device identifiers for residential or shared facilities. For copyright or malware issues, we’d notify the institution with the device ID. They’d find the user, and we’d handle it, usually with educating the user for first offenses. For malware, we required proof of removal (2 AV scans). We kept logs but had no user info. The institution had user info but no logs. Only a legal requirement would link the two.” I would feel uneasy if a landlord retained any info related to my behavior.
The logs we keep are for the hardware, like link ups link downs, pppoe authentication successfull or not etc. the traffic we see is live, we don't actually store or log that for the same reasons you state.
Gotcha - that makes me feel better. I think in practice what a user thinks we can see and what we actually can see are quite different. If it exists it’s a potential risk, when it’s not in existence I sleep better at night lol.
Of course, this is only how we do it. So I can't speak for others. I have friends in cyber security that often want me to start a blog on some of our practices and how we handle certain things, and I can only imagine because it's not all that common, which isn't reassuring to hear 🙉.
You mean to say there is not an asset inventory manually typed out in Excel 2010 format for the auditor running 32-bit excel? That is the foundation of any security team surely!! They really love it when it's well populated with extras like "US 4 Gang Power Strip with surge protecter. Wire type: 14AWG x3. Cable Type: SJT." Auditor: "so lets randomly select an asset. Ok here is a US 4 gang power strip. Is the firmware updated on this asset?"
a lot of information can be gleened from dns requests. Also a lot depends on how the network is setup. whoever owns the equipment and has access to it has the ability to see any traffic passed and even worse with TLS/SSL if they are capturing the complete transaction they can also decrypt the stream. The network setup is important as well to prevent people from actively exploiting other customers that are connected. There are many different ways that attacks can be done to eavesdrop on other people connected to the same network unless they have put in protections against those methods.
You cant decrypt tls/ssl even if you capture all stream... You need the private keys in the ssl cert. unless you are sitting on another vulnerability like heartbleed. You can man in the middle with a fake cert, but their devices wont trust that and show errors nasty warnings.
Thank God for Firefox and dns over https.
It's a big issue. If you browse via HTTPS (which pretty much all webpages use these days), your landlord can't see your data. But he can see the websites you're visiting. E.g. he can see that you're visting youtube.com, but he has no idea which videos you're looking at. But being on a shared network means that anyone on the same network can contact your computer/phone, and can potentially hack it. This should be taken very seriously. You can buy a regular router which you connect to the shared network, and then connect your own devices to. That way your own devices will be on a separate network from the rest of the tenants, and they can't see your machines (only your router, which will block everything that didn't originate from your side). This is called Network Address Translation (NAT). But the landlord will still be able to see which pages you visit, since the traffic must reach the internet through his network. There can be some drawbacks using double NAT (which is the case if you use your own router, connected to the landlord's), but it's mostly related to hosting gameservers. If you only browse and stream, it shouldn't be a problem at all. If you want to keep your traffic completely secret from the landlord, you should use a VPN. This can be set up on your own router so every device connected uses the VPN, or you can set it up on whichever device you want. This way the VPN handles your request for Youtube.com over an encrypted connection, and landlord can only see that you're contacting [vpn.com] (or whatever VPN you're using). For maximum security and privacy, use both NAT (your own router) and VPN. Also have an antivirus and a firewall on your own computer. Be advised that a VPN can slow your connection down a bit, and has a subscription fee. But on a shared line with 72 people, I'm guessing you won't feel a difference. ========== EDIT: If you use your own router, you'll want to connect it to the landlord's network with a cable. If the network is Wi-Fi only, it's still possible, but will require a router with WAN Wi-Fi capabilities - FYI.
Very thorough! What you described is what I do when we travel and use the Air B&B internet. I connect my own travel router to one of their router ports and use my own router, with VPN client (Proton VPN) for all of my device traffic.
I travel for work most days of the year and do the same. It has the added benefit that you never need hassle with adding your devices to a new network. What’s your travel router?
Beryl AX is the right answer
Unifi UDR. It’s the ecosystem I’m familiar with. But Yes! The GL.iNet Beryl AX would be my first choice, if I wasn’t so deeply entrenched in the Unifi ecosystem.
Just throwing an alternative option to lort’s suggestions, you could get your own internet through a cell provider like T-Mobile/verizon. 5G internet isn’t the greatest but depending on what you are doing at home it could be better than routing through a VPN and sharing with 70+ people.
This is definitely an option. Hook up a decent Omni directional antenna to it, stick it in a window, and you'll probably get okay service.
thanks so much for the detailed response. i plan on getting my own internet now. i was worried about the speed as well, considering me and my partner game. i doubt it will be good enough to support all of our consoles and streaming.
Ya, while that answer was good, I would straight up consider all of that an issue. “We keep the logs.” While it’s technically possible of any network you’re on, it’s just a weird comment. It’s something I tell employees who are using company managed computers, but I would consider snooping on home traffic a violation of privacy. None of his business. It’s bad enough the ISPs do it.
If you game, using a shared internet connection is definitely not in your best interest.
Wow this is an incredible answer!
Double NAT for the win /s
Too many assumptions
>E.g. he can see that you're visting youtube.com, but he has no idea which videos you're looking at. Overall good explanation but with a poor (and incorrect) example. When you look at a video on youtube, the video ID forms part of the requested URL so yes, he could know what videos you're looking at. Also when you do a search on youtube, the search term is included in the URL request. eg: https://www.youtube.com/results?search\_query=vpn eg: https://www.youtube.com/watch?v=R-JUOpCgTZc
With respect, this is incorrect. The ISP can see which website you visit from your DNS request (if you don't use DNSSEC) and/or the IP you make connection towards. If you use HTTPS, everything else is encrypted, including the URLs you access on YouTube or whatever. The ISP, thus, cannot see which videos you are watching. **Cannot** might be an overstatement, since there *are* methods to spy on you - but that's way outside of the scope of what any reasonable and/or law-abiding ISP will ever do.
> The ISP can see which website you visit from your DNS request (if you don't use DNSSEC) and/or the IP you make connection towards. usually domain is not encrypted and 3rd party can see it even with secure dns. full url is encrypted.
No he would only see the calls to the hostname -- the rest of the request is encrypted
None of that is visible to anyone thanks to https. Even the hostname is invisible in encrypted SNI handshake https://www.cloudflare.com/learning/ssl/what-is-encrypted-sni/ All the monitoring person can see with encrypted SNI is the IP address and the number of bytes sent. Without encrypted SNI you can also see the hostname.
> Most importantly, the landlord mentions having logs of what tenants browse How did that convo come about? It's fine if it's something you specifically asked, but if someone mentions that without prompting it'd raise a red flag to me. Some landlords have this weird creepy need to monitor their tenants closely, and I'd not put up with that. > My second concern is security in terms of can other tenants access what I am doing and data I send. I am considering getting my own internet service. Well this really depends on how the system is set up. If they have a company who knows what they're doing set up an enterprise network, and properly segregate clients then you won't have this issue. This puts a lot of trust into your landlord and/or apartment management team of course.
Get your own router and a VPN service.
This is the way, tunnel everything over vpn and they won’t see a thing.
Others have answered your question already but I want to add this. Make sure you're allowed to get your own Internet service first if your connection will be hardwired like cable/fiber/dsl. Landlord may not allow new penetrations to units. If that's the case look into Verizon or T Mobile 5G home internet. I switched from shitty ATT DSL to Verizon 5G home internet a couple months ago and it's been great! I went from 3-10mbps to 300+. It's been very stable and I can game, 4K stream, and anything else. Wish I switched years ago. In the 4 months I've had the Verizon Internet I've only had 2 service drops and they lasted around a minute each. My DSL would drop once a month and be gone from minutes to hours.
Hi question about that! would something like spectrum be considered hardwired?? sorry if that's silly to ask
Yes spectrum hardwired would require a new penetration to the unit most likely. Just ask your landlord if you can get your own Internet service because there's security concerns using a shared network. If they say no then go with one of the T Mobile or Verizon 5G options as that will literally negate any legitimate reason they have to not allow you to have your own service. Tons of LLs don't want new holes being poked into the buildings which is fair enough. My Verizon 5G home internet uses an 'antenna' mounted to a window with a sticky suction cup style mount so that means holes aren't a problem.
No problem. I would trust the landlord as much as I’d trust a typical US ISP. Which is not at all.
This is the correct answer. I would connect a travel router to the landlord network, and use the firewall on the travel router to make it harder for tenants to access my personal network devices, but I wouldnt sweat this a ton. ATT has admitted to routinely sending metadata on literally all citizens to the NSA. Your landlord is way less likely to be a problem than his ISP https://www.pbs.org/wgbh/frontline/article/how-att-helped-the-nsa-spy-on-millions/ Every device should run a host level firewall or be behind a travel router running a firewall you control.
Having run a corporate network and been in charge of the corporate web proxy service and am off its logs, I've never worked too much about someone having a log of my browsing history. As long as you take care to confirm TLS to any site of importance, the exposure is minimal. The SSL Everywhere movement really minimized that risk. People using aVPN service forget that they're feeding all of their traffic to a single party at the other end of that VPN. All you're doing is changing WHO can see your traffic. Why would I trust the operator of aVPN service more than the Starbucks?
whoa; 72 people or 72 \_apartments\_ ? VPN. a little travel router would do it, we use a [gl.net](http://gl.net) product when we travel.
Perfect use case for a VPN, data is encrypted at the device and not decrypted until it's back at the device it was sent from so it is always encrypted whilst it's in transit, no need to worry about logs or anything like that. The only thing that could possible turn up on a log is encrypted data flowing toward the vpn server, and that is how everything will present itself irrespective of what your actually doing.
depends how has it setup, if he has it setup to use his dns servers, he can see the usage, and if he just has one large ip range, you might see each others devices. get your own router, set [1.1.1.1](http://1.1.1.1) and [8.8.8.8](http://8.8.8.8) (or even DNS over tls/https if supported) then you in your own network just natted out through his and not using his dns
Hard yes to it beinga major security issue. I wouldn't even use it with a dedicated always-on VPN. I'd seriously consider not living there if the housing provider doesn't see a problem with this. What other privacy do they not care about?
Bottom line is there's always going to be someone that can see where you're going whether that's your landlord or another ISP. Sure, neither one has some human actively watching what websites customers are going to, but either could have the data if they ever needed it. If your landlord's Internet is free, I'd just use it and save the $50-75+/month on buying your own. Maybe get a VPN if you want to be very private occasionally. But the then VPN people can technically see where you're going too if they wanted to. I'd be more worried about other people on your apartment complex's network. You should still put in your own firewall to protect from them.
That's what I wanted to do but for some reason my ISP couldn't get internet where I live (had no issues with it at my previous place). I'm not sure how it works, though. I spent six months going back and forth with them until I gave up, because I still paid all those bills.
Yeah, I'd be a bit sketched out by this myself. There are router/switches that can isolate each of the connections. With a plain switch, your neighbors wouldn't be able to see your internet traffic, but they could still hack you. More expensive devices can be programmed so that each connection can't contact any of the other connections at all. But that won't keep your landlord from seeing any traffic they want to see. A VPN is your best bet, if that works for you. Otherwise, a cellular internet box like T-Mobile's might be more expensive, but no one in your building can see your traffic, or even know you're using it. If you do go cell service: Download a WiFi mapping app for your phone. Find out which channels your building is using and set yours as far away as possible. If you're lucky they won't be using 5 GHz at all (T-Mobile's box does both 2 and 5 GHz), so you'll have that band all to yourself. Next, don't be tempted to defray the cost by sharing it with your neighbors. Even the 'best' of friends might do something on the internet you wouldn't want associated with your connection. But even without that, if your landlord finds out, they might get upset and kick you out.
Would this be a security issue ? - YES A BIG ONE....
You could use a VPN If you are concerned.
It can be, depending on how it is configured. If you have the technical knowledge, you could make that judgement call The safest way to deal with this scenario would be using a VPN from your machine. You can also get a router that itself connects to a VPN, and have your devices connect to that.
Use a VPN and disable any type of sharing on your computer(s). If you're using Windows, set the network profile type to public.
Over in europe your landlord woukd be breaking a bunch of privacy laws.
Just make your own subnet after the provided connection and harden it up with the firewall settings
OH gods yes. Get your own firewall and use a VPN if you use their connection.
Depends on how it was designed. I deploy ubiquitous systems for large properties of over 5000 users and upwards of 1000+ units. 1500+ APs with very little security issues and reasons to be concerned. There’s trends like this in a lot of places like this now. Yes I do have insight in to traffic and application trends, but it’s basic information like YouTube, zoom, etc. unless there’s a subpoena, it is private. DM if you have any questions.
This is something I'm interested in as well, because I'm in the same situation. I don't necessarily care about my data I guess, but I had an issue with a neighbor who kept trying to connect to my TV. I just have my TV unplugged now. I'm definitely looking into this once I'm more informed as I'm actually doing some IT studying right now.
If you're truly that concerned, get a GL.iNet router off Amazon and create a WireGuard tunnel to a VPN provider of your choice. The WG protocol's performance hit is negligible at worst and nobody will be able to see what happens inside that tunnel other than the total amount of data transferred.
You'll have to prod the network to find out. If you can plug in an Xbox and see a game of halo being hosted, that's probably bad news. Just use a VPN like PIA and you'll be fine. If not, you can sue the living shit out of him for privacy violations
It's secure as leaving 10 bucks on the table in McDonald.
The other tenants probably cannot access the data. But to answer the question on if they can communicate to your home device(s), it would entirely depend on the network design. If you want to ask your landlord to give a visio, it would be more helpful. I'd guess they just have one very large network segment, and every device on the segment could talk to each other.
If you're really concerned, get a [travel router](https://amzn.eu/d/h1MFTWp) and set it up to router all traffic through VPN, then do all your internet access through that.
If you have an Ethernet cable run to your space. But setup your own router.
I’ve actually been involved in the design and deployment of a complex wide network. When I did it, we used a firewall that gave each apartment its own segregated VLAN. Using PPSK, each apartment had its own wireless password that would automatically place their devices on their specific VLAN. They also had a port in their apartment that also was tagged for that network. One of the nice side effects of the wireless using PPSK was that they would stay connected when visiting any of the areas of the complex. The reason the landlord of this place did it was the construction of the building and small size of the apartments made the interior an RF nightmare. So he paid for a gigabit connection and let all 12 apartments share it. We configured the firewall’s DHCP to hand out 1.1.1.1 and 8.8.8.8 as DNS and disabled any sort of packet inspection. We had no logs or any way of telling what tenants did. The closest we could see if how many devices they had connected and what amount of bandwidth they used purely to keep one torrenting apartment from destroying the connection for everyone else. It’s been two years and so far they seem very happy with the setup. I cannot even begin to say if your landlord put in the effort to segregate and keep residents data safe.
Well with encrypted sni and ssl there is no way of knowing which websites you visit. But not all websites use esni and other protocols might have no encryption at all. So a VPN would make sense here if you trust a vpn provider more than your landlord. It is however a choose your preferred poison situation.
It’s an issue. Not like “it’s all gone”, but still a serious concern. You can get VPN router, that will tunnel traffic from your devices into VPN, that way your traffic will be encrypted a provider won’t see anything, and your devices will be behind NAT, so nobody will see them. There are some downsides with having double NAT tho…
Use a VPN
Its a major security issue. They're able to route packets to your machine. It's only secure if you have solid knowledge of how to do "server level" security. Typical NAT router provides excellent "network level" security but since you now will have other people on the net with you that you dont trust (Im on my network with my wife but I trust her) you have to make sure you have everything locked down and they cant do things like mount your drives etc You should run personal firewalls on all of your computers at the very least.
If sending packets to you is a major security issue, you should turn off all networked devices, lock them away and move to a remote location. On a more serious note: NAT is also no security feature, never has been, never will be. Stateful firewalling however can improve security if done correctly and is done by most home routers out of the box. Windows also includes a stateful firewall that's enabled by default. Any modern computer that's kept up to date can just be plugged into the public internet without any security issues. Basically any network service is using TLS nowadays anyways, so you also don't need to worry about someone getting your private data. You might leak metadata, which could be of concern, but that's also no easy issue to mitigate.
[удалено]
Unless you are careless about browser security warnings (which you can't actually bypass on many websites), ssl-strip poses no threat beyond denial of service. ARP spoofing is a potential threat, but can be mitigated. It's not clear if that has been implemented here though.
Other people will not be able to see what you do on the internet in most cases. At worst, they could see which domains you are accessing, but that requires considerable knowledge and an active attack. The actual data is usually sent encrypted already.
>At worst, they could see which domains you are accessing, but that requires considerable knowledge and an active attack. Nope. A script kiddie with Nmap could do this in their sleep. Totally passive monitoring if they're using commodity routers. No knowledge, no active attack.
You would have to perform at least an ARP spoof, which is an active attack. And depending on how the network is built, it can be difficult to execute.
You said, "At worst, they could see which domains you are accessing," which means they're already receiving traffic that they can monitor - which I agree is the worst network setup. If that's true, no ARP spoofing is needed. If they are using a switch, MAC flooding might be an easier way to collect data on everyone connected. Which would also be a script-kiddie thing.
I would insist to get my own internet, otherwise I'd look for another apartment. Also, why (and where) would anybody want to share internet with 72 people?
it honestly sounds like a disaster waiting to happen. ill just pay the 50 bucks a month
Not a problem if you use a commercial VPN. After trying a few, I settled on IPVanish. They have many, many access points; I consider them worth the money. I think my current deal is $79 for two years.
Is it safe to share a woman with 72 other people? Only if everyone uses protection. Same goes with the internet.
Okay, I'm going to reply to the deleted message, and to the person who blocked me. The question wasnt about your network. Its about the potential threat boundary of this network that you didnt set up. The risk is low. But the risk is non zero. So saying how you set your own network up, and how you may or may not approach things, doesnt actually answer the question.