On Sat, Nov 11, 2000 at 01:30:18AM -0500, Jesse Goerz wrote:
> I don't have a real problem with the plain text password issue. I know this
> is crappy security. But here's the real problem. This is a *huge* isp. One
> that has a nationally branded name. (Which means I have to worry just as
> much about who's inside their network as well, right? I probably shouldn't
> even mention this as I'm sure this info can be used by someone motivated
> enough to check my mail headers...) They are forcing me to use the same
> username/password for ftp web page uploads as my user account!!!! I could
> care less if someone compromises my "ftp web page upload" and turns my
> pitiful little site into some manifesto for the cUltOFfreeQqinessOhyEah!
> But I do care if I have the FBI knocking on my door telling me I hacked
> such and such site, see, here are the logs, it's your account.

And just who is going to be inside their network? If they're like most reasonably sized ISPs, they don't give out shell accounts, they don't put their colocated customers anywhere near their dialups, etc. The only one who can snoop your password would be someone who owned one of the servers at your ISP.

Hint: if someone can snoop the wire at your ISP and you use PAP to login, they can snoop your password. The password is obfuscated but can still be decrypted if you know the secret.... and if they know some legit passwords, they can derive the secret.

> Thanks for all the advice though. I'm going to start shopping around and
> see what else is available. In the meantime I've sent emails to every
> possible combination of [EMAIL PROTECTED] that I think will get through to
> an administrator. Who knows, maybe my email will give some administrator
> some ammo to take to the next board meeting ;-)

To the best of my knowledge there isn't a common secure replacement for FTP (yes, I know about scp and 'sftp', both of which rely on ssh, and both of which make it a rule that you need a shell on the remote machine -- which adds a huge security risk in most ISP setups).

Blame the US Gov't for their crappy crypto policy stifling crypto development for years. Blame them for the RSA patent for holding it up some more. Blame RSA for many years of claiming to own any and all PK crypto, whether it had any relation to RSA and DH or not.

Blaming the ISP because they haven't written a secure replacement for FTP (and the attendant server and clients) that doesn't add new security problems seems really stupid.

--
CueCat decoder .signature by Larry Wall:
#!/usr/bin/perl -n
printf "Serial: %s Type: %s Code: %s\n", map { tr/a-zA-Z0-9+-/ -_/;
$_ = unpack 'u', chr(32 + length()*3/4) . $_; s/\0+$//; $_ ^= "C" x
length; } /\.([^.]+)/g;
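
The PAP remark in the reply above, as an added example that is not part of the original message: it assumes the obfuscation meant is the RADIUS User-Password hiding of RFC 2865 section 5.2, used when a dial-up server forwards a PAP login to a RADIUS server. The secret, authenticator and password below are constructed sample values.

```python
import hashlib

# Constructed sample values (assumptions, not from the thread).
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))        # 16-byte Request Authenticator
PASSWORD = b"correct horse battery"     # 21 bytes -> two 16-byte blocks


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: c(i) = p(i) XOR MD5(secret + c(i-1)), with c(0) = RA."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = xor_bytes(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden


def unhide_password(hidden, secret, authenticator):
    """What the RADIUS server, or anyone else holding the secret, computes."""
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        plain += xor_bytes(block, hashlib.md5(secret + prev).digest())
        prev = block
    return plain.rstrip(b"\x00")


def first_keystream_block(hidden, known_password):
    """A known password cancels out of block 1, exposing MD5(secret + RA)."""
    padded = known_password + b"\x00" * (-len(known_password) % 16)
    return xor_bytes(hidden[:16], padded[:16])


if __name__ == "__main__":
    wire = hide_password(PASSWORD, SECRET, AUTHENTICATOR)
    print("on the wire :", wire.hex())
    print("with secret :", unhide_password(wire, SECRET, AUTHENTICATOR))
    print("MD5(S + RA) :", first_keystream_block(wire, PASSWORD).hex())
```

The only unknown input to the exposed MD5 value is the shared secret, which is why that secret needs to be long and random rather than a guessable word.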