nanog mailing list archives

Re: Comcast storing WiFi passwords in cleartext?


From: Mark Foster <blakjak () blakjak net>
Date: Thu, 25 Apr 2019 10:45:06 +1200


On 25/04/2019 3:13 AM, Benjamin Sisco wrote:
I think we all understand the value of using one’s own equipment and keeping the firmware up to date if one is in any way 
concerned about security.  We all should also understand that in a managed environment such as an ISP there should be no 
reasonable expectation of privacy regarding the configuration of the equipment attached to the ISP's network (rented or 
customer owned).

Accepting I'm not a North American...
The reasonable expectation of privacy should be that the customer knows precisely what is private, and what is not.  If the ISP makes it very clear that every configuration item on the edge device is known to, or accessible by, the ISP for support purposes, then there's no problem. At which point everyone's "reasonable expectations" are the same, and there's no issue.

(Those for whom the support provided by the ISP is key, will enjoy this service. Those who don't, have the option of doing their own thing.  Even better... provide the user the means to disable the sharing of this information by choice?? Would save buying and running additional hardware for those who don't feel the need to have their creds shared, for example). First thing I've done with all ISP-provided CPE is disable all the remote-login stuff that's enabled by default for tech support purposes. Full knowledge and disclosure is all that's needed!



The bigger concern should be the cleartext portion of the subject.  There’s ZERO reason to store or transmit any 
credentials (login, service, keys, etc.), in any location, in an unencrypted fashion regardless of their perceived 
value or purpose.  Unless you like risk.


As someone else said, the problem is the level of trust you're placing in your ISP and in their own security... a large aggregate of private information is just waiting to be pwned.

Mark.

