Having worked for Teleport (when they were still thier own entity) none of the front line technicians had access to root, nor did they have access to view the passwords. We were running a radius server at the time, so those things can be done correctly (with the right engineers and security policies in place). I find it abominable that Earthlink uses these practices. Ryan Nutick -----Original Message----- From: Steve Beattie <steve@private> To: Crispin Cowan <crispin@private> Date: Wed, 12 Jun 2002 02:17:21 -0700 Subject: Re: CRIME ISP Password Security Practices at Earthlink > On Wed, Jun 12, 2002 at 01:42:39AM -0700, Crispin Cowan wrote: > > >How common it is among ISPs to allow tech support to have access to > such > > >a plaintext database even one user id at a time, I have no idea > (I've > > >never worked in an ISP). But I agree that it's probably a bad > practice. > > > > > "allow" is an interesting concept in settings where admins have root > > (because they need it) and one is not running secure operating > systems > > that can separate root privileges ... > > Uh, if you've given your front line tech support people root passwords > in a non-compartmentalized system, then the game is over and you > already > implicitly trust them. Since the alternative dial-up authentication > protocol to CHAP is PAP which sends the password in plaintext over the > dial-up line/serial port, a trojaned ISP Point Of Presence will still > collect the ISP users' passwords. > > I'd like to assume a sane world where front line people don't have > root/Administrator privileges, but the world has proven my assumptions > about its sanity wrong so many times... > > -- > Steve Beattie Don't trust programmers? > <steve@private> Complete StackGuard distro at > http://NxNW.org/~steve/ immunix.org > http://www.personaltelco.net -- overthrowing QWest, one block at a > time. >
This archive was generated by hypermail 2b30 : Wed Jun 12 2002 - 08:41:28 PDT