RE: CRIME ISP Password Security Practices at Earthlink

From: Rocky Gregory (rocky@private)
Date: Wed Jun 12 2002 - 09:10:23 PDT


    The ISP I worked at used Radius as well, and we had NO access to user
    passwords.
    
    -----Original Message-----
    From: owner-crime@private [mailto:owner-crime@private] On Behalf
    Of Ryan Nutick
    Sent: Wednesday, June 12, 2002 7:59 AM
    To: CRIME
    Subject: Re: CRIME ISP Password Security Practices at Earthlink
    
    
    Having worked for Teleport (when they were still their own entity) none 
    of the front line technicians had access to root, nor did they have 
    access to view the passwords.  We were running a radius server at the 
    time, so those things can be done correctly (with the right engineers 
    and security policies in place).  I find it abominable that Earthlink 
    uses these practices.
    
    Ryan Nutick
    
    -----Original Message-----
    From: Steve Beattie <steve@private>
    To: Crispin Cowan <crispin@private>
    Date: Wed, 12 Jun 2002 02:17:21 -0700
    Subject: Re: CRIME ISP Password Security Practices at Earthlink
    
    > On Wed, Jun 12, 2002 at 01:42:39AM -0700, Crispin Cowan wrote:
    > > >How common it is among ISPs to allow tech support to have access to such
    > > >a plaintext database even one user id at a time, I have no idea (I've
    > > >never worked in an ISP).  But I agree that it's probably a bad practice.
    > > >
    > > "allow" is an interesting concept in settings where admins have root
    > > (because they need it) and one is not running secure operating systems
    > > that can separate root privileges ...
    > 
    > Uh, if you've given your front line tech support people root passwords
    > in a non-compartmentalized system, then the game is over and you 
    > already implicitly trust them.  Since the alternative dial-up 
    > authentication protocol to CHAP is PAP which sends the password in 
    > plaintext over the dial-up line/serial port, a trojaned ISP Point Of 
    > Presence will still collect the ISP users' passwords.
    > 
    > I'd like to assume a sane world where front line people don't have 
    > root/Administrator privileges, but the world has proven my assumptions
    > about its sanity wrong so many times...
    > 
    > -- 
    > Steve Beattie                               Don't trust programmers? 
    > <steve@private>                         Complete StackGuard distro at
    > http://NxNW.org/~steve/                            immunix.org
    > http://www.personaltelco.net -- overthrowing QWest, one block at a 
    > time.
    > 
    
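The PAP-versus-CHAP point Steve makes above, as an added example that is not part of the thread: it builds a PAP Authenticate-Request payload (password on the wire as-is) and runs a CHAP-MD5 challenge/response round (RFC 1994), which also shows why the RADIUS server verifying CHAP must hold the cleartext secret even though the password never crosses the link. The credential values are constructed for the demo.

```python
import hashlib
import hmac
import os

# Added example, not from the thread. Contrasts PAP (password sent as-is on
# the dial-up link) with CHAP-MD5 (only challenge and hash cross the link),
# and the caveat that the CHAP verifier needs the cleartext secret.

def pap_request(peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request payload: Peer-ID-Length, Peer-ID,
    Passwd-Length, Password. The password crosses the link unchanged."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side of CHAP-MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()

def chap_verify(identifier: int, stored_secret: bytes, challenge: bytes,
                response: bytes) -> bool:
    """Authenticator side (e.g. a RADIUS server handling CHAP). It recomputes
    the hash, so it must hold the cleartext secret; a one-way password hash in
    the user database would not let it verify a CHAP response."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)

def chap_exchange(secret: bytes, identifier: int = 1) -> dict:
    """Run one challenge/response round and report what crossed the link."""
    challenge = os.urandom(16)                  # authenticator picks a fresh challenge
    response = chap_response(identifier, secret, challenge)   # peer answers it
    return {
        "on_wire": challenge + response,        # what a tapped link would see
        "accepted": chap_verify(identifier, secret, challenge, response),
    }

if __name__ == "__main__":
    pw = b"constructed-password"                # constructed sample credential
    print("PAP exposes password on link:", pw in pap_request(b"alice", pw))
    ex = chap_exchange(pw)
    print("CHAP exposes password on link:", pw in ex["on_wire"],
          "| server accepted:", ex["accepted"])
```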



    This archive was generated by hypermail 2b30 : Wed Jun 12 2002 - 10:18:27 PDT