RE: CRIME ISP Password Security Practices at Earthlink

From: Rocky Gregory (rocky@private)
Date: Wed Jun 12 2002 - 09:10:23 PDT

Next message: Todd Ellner: "CRIME Amusing sting reported in the Register"

Previous message: Ryan Nutick: "Re: CRIME ISP Password Security Practices at Earthlink"
In reply to: Ryan Nutick: "Re: CRIME ISP Password Security Practices at Earthlink"
Next in thread: Steve Beattie: "Re: CRIME ISP Password Security Practices at Earthlink"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The ISP I worked at used Radius as well, and we had NO access to user
passwords.

-----Original Message-----
From: owner-crime@private [mailto:owner-crime@private] On Behalf
Of Ryan Nutick
Sent: Wednesday, June 12, 2002 7:59 AM
To: CRIME
Subject: Re: CRIME ISP Password Security Practices at Earthlink


Having worked for Teleport (when they were still thier own entity) none 
of the front line technicians had access to root, nor did they have 
access to view the passwords.  We were running a radius server at the 
time, so those things can be done correctly (with the right engineers 
and security policies in place).  I find it abominable that Earthlink 
uses these practices.

Ryan Nutick

-----Original Message-----
From: Steve Beattie <steve@private>
To: Crispin Cowan <crispin@private>
Date: Wed, 12 Jun 2002 02:17:21 -0700
Subject: Re: CRIME ISP Password Security Practices at Earthlink

> On Wed, Jun 12, 2002 at 01:42:39AM -0700, Crispin Cowan wrote:
> > >How common it is among ISPs to allow tech support to have access to
> such
> > >a plaintext database even one user id at a time, I have no idea
> (I've
> > >never worked in an ISP).  But I agree that it's probably a bad
> practice.
> > >
> > "allow" is an interesting concept in settings where admins have root
> > (because they need it) and one is not running secure operating
> systems
> > that can separate root privileges ...
> 
> Uh, if you've given your front line tech support people root passwords

> in a non-compartmentalized system, then the game is over and you 
> already implicitly trust them.  Since the alternative dial-up 
> authentication protocol to CHAP is PAP which sends the password in 
> plaintext over the dial-up line/serial port, a trojaned ISP Point Of 
> Presence will still collect the ISP users' passwords.
> 
> I'd like to assume a sane world where front line people don't have 
> root/Administrator privileges, but the world has proven my assumptions

> about its sanity wrong so many times...
> 
> -- 
> Steve Beattie                               Don't trust programmers? 
> <steve@private>                         Complete StackGuard distro
at
> http://NxNW.org/~steve/                            immunix.org
> http://www.personaltelco.net -- overthrowing QWest, one block at a 
> time.
>

Next message: Todd Ellner: "CRIME Amusing sting reported in the Register"
Previous message: Ryan Nutick: "Re: CRIME ISP Password Security Practices at Earthlink"
In reply to: Ryan Nutick: "Re: CRIME ISP Password Security Practices at Earthlink"
Next in thread: Steve Beattie: "Re: CRIME ISP Password Security Practices at Earthlink"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Jun 12 2002 - 10:18:27 PDT