Re: CRIME ISP Password Security Practices at Earthlink

From: Crispin Cowan (crispin@private)
Date: Wed Jun 12 2002 - 01:42:39 PDT

    Steve Beattie wrote:
    
    >Um, there is a wider world than just UNIX and Windows and their host
    >authentication schemes. What's far more likely is that Earthlink is
    >using a radius protocol server for user authentication.
    >
    >According to the FAQ of at least one of the free implementations of
    >a radiusd, Cistron/Freeradius, the way the CHAP protocol is specified
    >*requires* that passwords be stored in the clear on the radius server --
    >see <http://www.freeradius.org/faq/cistron.html#4.4>. For the voice of
    >authority, see section 2.2 "Disadvantages" of RFC 1994 which specifies
    >the CHAP protocol: <http://www.ietf.org/rfc/rfc1994.txt>.  CHAP, as I
    >recall, is pretty widely used.
    >
    I knew things like CHAP and RADIUS were common, but I didn't realize 
    they sucked so hard.
    
    >How common it is among ISPs to allow tech support to have access to such
    >a plaintext database even one user id at a time, I have no idea (I've
    >never worked in an ISP).  But I agree that it's probably a bad practice.
    >
    "allow" is an interesting concept in settings where admins have root 
    (because they need it) and one is not running secure operating systems 
    that can separate root privileges ...
    
    Crispin
    
    -- 
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
    
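The point Steve makes about CHAP (RFC 1994) can be seen directly in the protocol: the peer answers a challenge with MD5(Identifier || secret || Challenge), and the only way an authenticator can check that answer is to recompute the same digest, which means it must hold the secret itself rather than a one-way hash of it. The following is an added example written for this page, not code from the original post, FreeRADIUS or Cistron; the user name, secret and salt are constructed, and the peer/authenticator classes are a minimal sketch of the two sides of one exchange. It runs the exchange three times: against a server that stores the cleartext secret (succeeds), against a server that stores only a salted hash in the style of a UNIX shadow file (a legitimate peer is rejected, because the server can no longer reproduce the digest), and with a peer holding the wrong secret (rejected).

```python
"""Minimal RFC 1994 CHAP exchange showing why the authenticator needs the
cleartext secret. Added example; all names and secrets are constructed."""
from __future__ import annotations

import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2: Response Value = MD5(Identifier || secret || Challenge Value)."""
    if not 0 <= identifier <= 0xFF:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapPeer:
    """The dial-up client side: it holds its own secret and answers challenges."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> tuple[int, str, bytes]:
        # Response packet carries the Identifier, the digest Value and the Name.
        return identifier, self.name, chap_response(identifier, self.secret, challenge)


class ChapAuthenticator:
    """The NAS/RADIUS side. `store` maps user name -> whatever the server keeps on disk."""

    def __init__(self, store: dict[str, bytes]):
        self.store = store
        self._last_id = 0

    def challenge(self) -> tuple[int, bytes]:
        # Identifier changes per challenge; the Challenge Value must be unpredictable.
        self._last_id = (self._last_id + 1) & 0xFF
        return self._last_id, os.urandom(16)

    def verify(self, identifier: int, name: str, challenge: bytes, response: bytes) -> bool:
        stored = self.store.get(name)
        if stored is None:
            return False
        # All the server can do is recompute the digest over what it has stored.
        # That only matches if what it stored is the secret itself.
        expected = chap_response(identifier, stored, challenge)
        return hmac.compare_digest(expected, response)


def run_exchange(server: ChapAuthenticator, peer: ChapPeer) -> bool:
    """One Challenge -> Response -> Success/Failure round; True means Success."""
    identifier, challenge_value = server.challenge()
    resp_id, resp_name, resp_value = peer.respond(identifier, challenge_value)
    return server.verify(resp_id, resp_name, challenge_value, resp_value)


# Constructed user and secret for the demonstration (assumptions, not real data).
USER = "alice"
SECRET = b"correct horse battery staple"


def cleartext_store_authenticates() -> bool:
    """Server keeps the secret in the clear: a legitimate peer succeeds."""
    server = ChapAuthenticator({USER: SECRET})
    return run_exchange(server, ChapPeer(USER, SECRET))


def hashed_store_authenticates() -> bool:
    """Server keeps only a salted one-way hash (as a UNIX shadow file would):
    it cannot reproduce the peer's MD5 digest, so the legitimate peer is rejected."""
    salt = b"constructed-salt"
    hashed = hashlib.sha256(salt + SECRET).digest()
    server = ChapAuthenticator({USER: hashed})
    return run_exchange(server, ChapPeer(USER, SECRET))


def wrong_secret_authenticates() -> bool:
    """Sanity check: a peer with the wrong secret is rejected by a cleartext server."""
    server = ChapAuthenticator({USER: SECRET})
    return run_exchange(server, ChapPeer(USER, b"guess"))


if __name__ == "__main__":
    print("cleartext store:", cleartext_store_authenticates())  # True
    print("hashed store:   ", hashed_store_authenticates())     # False
    print("wrong secret:   ", wrong_secret_authenticates())     # False
```

The hashed-store case is the whole argument in one line: the server has nothing to feed into MD5 except what it stored, so any store that is not the secret (or something trivially equivalent to it) breaks verification. That is the "disadvantage" RFC 1994 section 2.2 describes, and it is why a RADIUS server doing CHAP for a user population ends up with a per-user cleartext (or reversibly encrypted) secret that a support tool can, in principle, look up.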
    This archive was generated by hypermail 2b30 : Wed Jun 12 2002 - 02:06:20 PDT