nanog mailing list archives
Re: Comcast storing WiFi passwords in cleartext?
From: Doug Barton <dougb () dougbarton us>
Date: Thu, 25 Apr 2019 10:14:47 -0700
On 4/25/19 8:04 AM, K. Scott Helms wrote:
Just so you know, if you have an embedded router from a service provider all of that data is _already_ being transmitted and has been for a long long time.
Responding to a pseudo-random message ...If you are an average consumer and purchase a managed solution (in this case a WAP that comes as part of your package) I think it's perfectly reasonable for the vendor to manage it accordingly, even if said consumer doesn't fully understand the implications of that decision.
In my mind, the problem here is not that the vendor has access to this data, it's that they are STORING it in the first place, and storing it in the clear to boot. In the hypothetical service call that we've speculated is the driver for this, the extra 15 or 20 seconds that it would take to pull the data via SNMP is in the noise.
There are two mindsets that desperately need changing in the tech world: 1. Do not store data that you don't have a legitimate requirement to store 2. Do not store anything even remotely sensitive in the clearWe live in a world of all breaches, all of the time. So we need to start thinking not in terms of just protecting said data from the outside, but rather in terms of limiting the attack surface to start with, and protecting the data at rest. So that WHEN there is a breach, whether from within or without, the damage will be minimal.
As many have pointed out, this information is freely available via SNMP, so it's a classic example of something that didn't need to be stored in the first place.
Doug
Current thread:
- Re: Comcast storing WiFi passwords in cleartext?, (continued)
- Re: Comcast storing WiFi passwords in cleartext? Stephen Satchell (Apr 24)
- Re: Comcast storing WiFi passwords in cleartext? Sean Figgins (Apr 24)
- Re: Comcast storing WiFi passwords in cleartext? Yang Yu (Apr 23)
- Re: Comcast storing WiFi passwords in cleartext? Brandon Jackson via NANOG (Apr 24)
- Re: Comcast storing WiFi passwords in cleartext? Aaron C. de Bruyn via NANOG (Apr 24)
- Message not available
- Re: Comcast storing WiFi passwords in cleartext? Brandon Jackson via NANOG (Apr 25)
- Re: Comcast storing WiFi passwords in cleartext? Benjamin Sisco (Apr 24)
- Re: Comcast storing WiFi passwords in cleartext? Seth Mattinen (Apr 24)
- RE: Comcast storing WiFi passwords in cleartext? Benjamin Sisco (Apr 25)
- Re: Comcast storing WiFi passwords in cleartext? K. Scott Helms (Apr 25)
- Re: Comcast storing WiFi passwords in cleartext? Doug Barton (Apr 25)
- Re: Comcast storing WiFi passwords in cleartext? K. Scott Helms (Apr 25)
- Re: Comcast storing WiFi passwords in cleartext? Tom Beecher (Apr 25)
- Re: Comcast storing WiFi passwords in cleartext? K. Scott Helms (Apr 25)
- Re: Comcast storing WiFi passwords in cleartext? Saku Ytti (Apr 26)
- Re: Comcast storing WiFi passwords in cleartext? Seth Mattinen (Apr 24)
- Re: Comcast storing WiFi passwords in cleartext? K. Scott Helms (Apr 25)
- Re: Comcast storing WiFi passwords in cleartext? James R Cutler (Apr 25)
- Re: Comcast storing WiFi passwords in cleartext? Mike Bolitho (Apr 25)
- Re: Comcast storing WiFi passwords in cleartext? Töma Gavrichenkov (Apr 25)
- Re: Comcast storing WiFi passwords in cleartext? Valdis Klētnieks (Apr 25)