On Wed, Jun 12, 2002 at 01:42:39AM -0700, Crispin Cowan wrote:
> >How common it is among ISPs to allow tech support to have access to such
> >a plaintext database even one user id at a time, I have no idea (I've
> >never worked in an ISP). But I agree that it's probably a bad practice.
> >
> "allow" is an interesting concept in settings where admins have root
> (because they need it) and one is not running secure operating systems
> that can separate root privileges ...

Uh, if you've given your front line tech support people root passwords in
a non-compartmentalized system, then the game is over and you already
implicitly trust them.

Since the alternative dial-up authentication protocol to CHAP is PAP, which
sends the password in plaintext over the dial-up line/serial port, a
trojaned ISP Point Of Presence will still collect the ISP users' passwords.

I'd like to assume a sane world where front line people don't have
root/Administrator privileges, but the world has proven my assumptions
about its sanity wrong so many times...

-- 
Steve Beattie                                  Don't trust programmers?
<steve@private>                        Complete StackGuard distro at
http://NxNW.org/~steve/                                    immunix.org
http://www.personaltelco.net -- overthrowing QWest, one block at a time.
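[Editor's note: the following worked example is added to this archive page and is not part of Steve's message or of any ISP's code. It models the PAP/CHAP contrast the message relies on: a PAP Authenticate-Request (RFC 1334) carries the password in the clear, while a CHAP exchange (RFC 1994, MD5) carries only a challenge and a hash, at the cost that the authenticator must hold the cleartext secret to verify it. The user database, the peer name "alice", the authenticator name "isp-pop" and the packet layouts reduced to their payload fields are constructed for the example.]

```python
import hashlib
import hmac
import os

# Constructed sample credential store, not from the original post. CHAP
# requires the authenticator to hold the secret in cleartext (RFC 1994 s.2.2),
# which is the root of the plaintext-database problem the thread discusses.
USER_DB = {"alice": b"correct horse battery staple"}


def pap_authenticate_request(peer_id: str, password: bytes) -> bytes:
    """PAP Authenticate-Request payload (RFC 1334): the password goes out as-is."""
    pid = peer_id.encode()
    return bytes([len(pid)]) + pid + bytes([len(password)]) + password


def pap_server_check(payload: bytes, db: dict) -> bool:
    """Authenticator side of PAP: parse the request and compare the cleartext."""
    n = payload[0]
    pid = payload[1:1 + n].decode()
    m = payload[1 + n]
    password = payload[2 + n:2 + n + m]
    stored = db.get(pid)
    return stored is not None and hmac.compare_digest(stored, password)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 (RFC 1994): Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_server_verify(identifier: int, challenge: bytes, name: str,
                       response: bytes, db: dict) -> bool:
    """Authenticator side of CHAP: recompute the hash from the stored cleartext secret."""
    secret = db.get(name)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def run_pap(peer_id: str, password: bytes, db: dict = USER_DB):
    """One PAP exchange. Returns (authenticated, secret_visible_on_wire)."""
    wire = pap_authenticate_request(peer_id, password)
    # A trojaned POP sits on 'wire' and simply reads the password out of it.
    return pap_server_check(wire, db), password in wire


def run_chap(name: str, secret: bytes, db: dict = USER_DB, challenge: bytes = None):
    """One CHAP exchange. Returns (authenticated, secret_visible_on_wire, replay_accepted)."""
    identifier = 1
    if challenge is None:
        challenge = os.urandom(16)
    # Challenge packet, authenticator -> peer: Value-Size, Value, Name of authenticator.
    challenge_pkt = bytes([len(challenge)]) + challenge + b"isp-pop"
    # Response packet, peer -> authenticator: Value-Size, Value, Name of peer.
    response = chap_response(identifier, secret, challenge)
    response_pkt = bytes([len(response)]) + response + name.encode()
    wire = challenge_pkt + response_pkt
    ok = chap_server_verify(identifier, challenge, name, response, db)
    # A passive tap that replays the captured response against a fresh challenge fails.
    replay_ok = chap_server_verify(identifier, os.urandom(16), name, response, db)
    return ok, secret in wire, replay_ok


if __name__ == "__main__":
    print("PAP :", run_pap("alice", b"correct horse battery staple"))
    print("CHAP:", run_chap("alice", b"correct horse battery staple"))
```

Running it shows PAP authenticating with the secret readable on the wire, and CHAP authenticating with neither the secret on the wire nor a replayable response. The trade-off is visible in chap_server_verify: hand it a database that stores only a hash of the password and every CHAP login fails, which is exactly why an ISP running CHAP ends up with the cleartext database the thread is arguing about. (PAP, by contrast, can be verified against a hashed store, since the server receives the cleartext anyway.)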
This archive was generated by hypermail 2b30 : Wed Jun 12 2002 - 02:12:54 PDT