Greetings: Problem: The @Home network assigns IP addresses on a fairly permanent basis to its subscribers, but it does use DHCP for IP address assignment. It is trivial matter, however, to take over another @Home account's IP address by simply providing another customer's ID for the hostname parameter in DHCP. It is also trivial to acquire this hostname parameter, since all it requires is 'host @HomeIPaddress' to determine what the customer ID is. Notification: I have notified @Home of this problem twice in the last two months. Not being an expert in DHCP, I do not know what could be done to fix this. I figure at least using something different than my actual hostname for my hostname parameter would at least raise the bar to sniffing for DHCP packets, instead of the trivial hack it currently is. Reason for this message: I have had my @Home connection hijacked from me repeatedly in the last six months. Given @Home's aparent lack of concern for this problem, and the current mood of ISPs shutting down users without warning whenever the MPAA rattles it saber, I felt that the larger community needed to be aware of this potential problem. It should not be this trivially easy for someone to break the law in your name. Randy
This archive was generated by hypermail 2b30 : Sat Aug 25 2001 - 19:13:52 PDT