Re: CRIME ISP Password Security Practices at Earthlink

From: Steve Beattie (steve@private)
Date: Wed Jun 12 2002 - 02:17:21 PDT


On Wed, Jun 12, 2002 at 01:42:39AM -0700, Crispin Cowan wrote:
> >How common it is among ISPs to allow tech support to have access to such
> >a plaintext database even one user id at a time, I have no idea (I've
> >never worked in an ISP).  But I agree that it's probably a bad practice.
> >
> "allow" is an interesting concept in settings where admins have root
> (because they need it) and one is not running secure operating systems
> that can separate root privileges ...

Uh, if you've given your front line tech support people root passwords
in a non-compartmentalized system, then the game is over and you already
implicitly trust them.  Since the alternative dial-up authentication
protocol to CHAP is PAP, which sends the password in plaintext over the
dial-up line/serial port, a trojaned ISP Point Of Presence will still
collect the ISP users' passwords.

I'd like to assume a sane world where front line people don't have
root/Administrator privileges, but the world has proven my assumptions
about its sanity wrong so many times...

--
Steve Beattie                               Don't trust programmers?
<steve@private>                         Complete StackGuard distro at
http://NxNW.org/~steve/                            immunix.org
http://www.personaltelco.net -- overthrowing QWest, one block at a time.

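The PAP-versus-CHAP trade-off the message turns on, as an added example that is not part of the original post or thread: PAP (RFC 1334) puts the password itself in the Authenticate-Request, while CHAP (RFC 1994) sends only MD5(Identifier || secret || Challenge), which is exactly why the authenticator must keep the secret in cleartext. The credentials, identifier and challenge below are constructed sample values.

```python
"""RFC 1334 PAP vs RFC 1994 CHAP: what crosses the dial-up line, and what
the ISP side must store to verify it. Added example with constructed data."""
import hashlib
import hmac
import os

# Constructed sample credentials; not real ISP data.
PEER_ID = b"alice"
SECRET = b"correct horse battery"


def pap_authenticate_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request data (RFC 1334 s2.2.1):
    Peer-ID-Length | Peer-ID | Passwd-Length | Password. Sent in the clear."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP Response value (RFC 1994 s2): MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(stored_secret: bytes, identifier: int, challenge: bytes,
                response: bytes) -> bool:
    """The authenticator recomputes the response, so it needs the cleartext secret."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def wire_exposes_password(pap_packet: bytes, chap_resp: bytes, password: bytes) -> dict:
    """Would a passive tap on the line (or a trojaned PoP) see the password bytes?"""
    return {"pap": password in pap_packet, "chap": password in chap_resp}


def demo() -> dict:
    identifier = 0x2A
    challenge = os.urandom(16)          # authenticator picks a fresh challenge
    pap_pkt = pap_authenticate_request(PEER_ID, SECRET)
    resp = chap_response(identifier, SECRET, challenge)
    # A server holding the cleartext secret can verify the CHAP response...
    ok_clear = chap_verify(SECRET, identifier, challenge, resp)
    # ...while a server holding only a one-way hash of the secret cannot.
    hashed_store = hashlib.sha256(SECRET).digest()
    ok_hashed = chap_verify(hashed_store, identifier, challenge, resp)
    return {"exposed": wire_exposes_password(pap_pkt, resp, SECRET),
            "verify_with_cleartext_store": ok_clear,
            "verify_with_hashed_store": ok_hashed}


if __name__ == "__main__":
    print(demo())
```

Note that CHAP only hides the password from the line; it does nothing against a PoP or tech-support host that can read the cleartext secret store, which is the threat the thread is discussing.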
    This archive was generated by hypermail 2b30 : Wed Jun 12 2002 - 02:12:54 PDT