Re: Plain text password for Microsoft (icwip.dun)

["Roland Postle" <mail () blazde co uk>]

> When a user wishes to access the internet but doesn't have a specific
> ISP in mind a user a can use microsofts connection wizzard to download
> a list of ISPs. This wizzard dials to a free phone number stored in
> phone.icw and then uses one of the icw*.dun files to authenicate itself
> to the network (depending on where in the world you are depends on
> which icw*.dun dile is used) Under normal circumstances the connection
> wizzard connects to ispreferals.microsoft.com (207.46.152.15) and
> downloads a list of local ISP's via series of cab files stored in
> various 4 letter directories on the server. The username stored in the
> icw*.dun file is "icw5 () gn microsoft com" and the password is "icw5".
> One of the dial up servers connected to was tnt59.lnd1.uk.uudial.net.
> As you can see this is not a microsoft machine but it does allow you to
> access various microsoft machines. (If you are in the UK you connect to
> the science park in Cambridge, one of Microsofts research centers).
>
> Recommendations
> ---------------
> Store passwords in an encrypted form

I investigated this a couple of years back. If I remember correctly the
freephone connection you get is extremely limited. I  could access about 3
hosts, do a DNS lookup and download the cab files you mention. I couldn't
find any way to break out of it, (though I was a bit clueless back then). If
anyone's poked around with some more success I'd love to hear about it.

As for storing the plain text passwords of regular .ins files, I agree it's
not ideal. But, given that ISPs love to give you a personalised .ins file
with your username/password in it, and it's not a mamoth task to extract
them from the registry, or from the connect dialog box, it doesn't seem
worth worrying about.

- Blazde