Slashdot Mirror
Telstra BigPond Passwords Leaked
Lord Cyric writes: "Telstra, DownUnder's biggest and baddest telco, has had a major security breach yesterday when a sample of its BigPond Internet password list was posted on various newsboards. The Australian Broadband Users Group (ABUG) has confirmed that this is not a hoax. This hack exposes the passwords for most of Telstra's Internet services (dialup, cable & ADSL). With all the bad press Telstra has been receiving lately over it's shoddy ADSL rollout and download caps, they certainly didn't need this ..." This site is not exactly the Telstra P.R. department.
I have a list, of IP's which have scaned my machine for an open sub7 server. There are only 3 or 4 in the last week or so. I dont think this is it.... Ive had countless other scans.. if someone wants this list, of all unwanted ports opened on my system in the last few weeks, just email me alanlee@r3nt0n.net
When someone has a problem they get person who looks good from 2 cubicles down to fix it and he/she just screwes up half the settings and services on the machine which compromise the security.
Leave your housedoor open and intruders come in.
How the fuck can it not be Telstra's fault?
--
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
--
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
--
"Hot lesbian witches! It's fucking genius!"
There seems to be a higher rate of crack-smoking moderators lately, but that's probably not related.
I see even classic Slashdot is now pretty much unusable on dial up anymore.
Before I start I'll just say I am a Bigpond Cable subscriber.
With out more info there is no way of knowing if this is a crack or PEBCAK. It's entirely possible that this was done with social engineering or trojan(s), not a 1337 4ax0r. So far all that's known that 70 accounts were comprimised by some method.
To put it in perspective, recently somebody sent an email to a large number Bigpond users pretending to be from Telstra asking them for their password and credit card number just so they could check their records. A depressing number of people replyed. We're not talking about the most security literate people in the world here.
Telstra uses pretty much standard PPPoE for ADSL although they do use the ADSL modems that had the security problem a while back.
We've also heard that Telstra has already caught the person responsible.
BTW the "Australian Broadband Users Group" are widely regarded among Australian broadband users to be a bunch of self-important tools who are pretty much out to make themselves look big. The only guy who's worth listening to is they guy that runs www.whirlpool.net.au The rest are just dead weight.
Nerd: Derogatory term typically directed at anybody with a lower Slashdot ID than you.
I wonder how you order one of those in a bar?
"A schooner of 4X please"
You should see the amount of network scans my poor linux box gets because it is on the ADSL network. My bet is that the network is a prime killing ground for idiot users, and the blame rests soley on Telstra. It would be almost trivial for them to stop 99% of there problems (can we say firewall..., block netbios ports,etc...).
More often the problem lies with management that won't allow the engineers to carry out best practices. This is because the best practices involve things that take extra time. Since the sales people usually commit product delivery often even before the development department ever heard of it, management gets really cranky about delivery times. Quality just goes out the window because that isn't what sales committed the company to.
Let's rake some managers and marketers over the coals first.
now we need to go OSS in diesel cars
If it was a decent system the hashes of the passwords would be stored, not the passwords themselves (encrypted or not)
Belief is the currency of delusion.
Hopefully, events such as this will serve as a wake-up call to folks.
Computer security is not a luxury to quickly become an afterthought.
Security is the foundation that everything else should rest upon...
...which, most will agree, is not that difficult to do, if planned correctly, by the proper individuals...
> If it was a decent system the passwords would all be encrypted, and it would not allow insecure passwords.
I keep seeing this sort of stuff - presumably refering to hashed passwords rather than encrypted. However there is a problem... if you use APOP or CHAP or similar the server end needs to have plaintext equivalent passwords on its end. Typically this means that the RADIUS servers have the plaintext passwords available. This is problematic - you would prefer to keep passwords hashed, but frankly its normally easier to nail down your RADIUS server than it is to nail down all the networking and other stuff to prevent sniffing of authentication sessions (and CHAP etc prevents those sniffs being useful).
So don't assume plaintext passwords on authentication servers is necessarily a bad thing.
I spoke to a Telstra support guy a little earlier.
He said that the account details were obtained by a trojan that claimed to remove the new 3GB/month cap on downloads. This would explain why it is only a few broadband accounts with the problem.
Of course the problem is that they still haven't sent out a message to all the ADSL users warning them about this.
thank god i just changed to australia's other cable provider, optus :)
Lucky you, living in Sydney/Melbourne/Brisbane. For those of us in other cities, it's Telstra or it's nothing -- and I'd rather burn my money than hand it over to those leprous scabs.
deus does not exist but if he does
The stolen passwords are worth quite a bit in the right hands. ADSL business users pay about AU$.20 per 1000kbyte. That turns out to be about US$100 per gigabyte or about 33x more than standard rates.
you haven't checked a modern cracking dictonary yet have you?
From what I can tell, if Telstra resets your password its to something like "adsl####". Someone told me that they pick a new password every day.
Its also a real mess to change since theres broken software there too!
Its just how things are done on the Information Super Outback!
This is 100% correct. Not only that, after they changed it, we were told we couldn't change it to something less obvious for a few days while they "worked out a few kinks".
Telstra Bigpond has been unequivocally the WORST internet service I've ever used, of 4 ISP's tried.
FWIW I've been using linux too, rp-pppoe.
But I'm guessing you don't live in Perth?
As a BigPond ADSL user I have much to be thankful for. Thanks for the two-weeks downtime last month, changing the user agreement on download restrictions after the contract was signed, and forcing me to call every 4 days to reset my account when an authentication error on your end hangs the connection.
But most of all, thanks for leaking the account passwords through poor security and having the foresight to keep the server down right now so I can't change mine.
I prefer to not know user's passwords. If they forget them I replace the password with one thay have to change immediately, with automatic checking for crackable ones.
Unfortunately, they don't plan to roll out to newer suburbs like mine at this stage, due to the underground powerlines..
Might also point out that TransACT themselves do not provide internet service, and those that do provide it to TransACT customers (a whole 1 suburb at this stage, I think), provide it at a premium. There are links to ISP pricing on the TransACT site.
>Unfortunately, they don't plan to roll out to newer suburbs like mine at this stage, due to the underground powerlines..
or even some older subburbs....which sucks...their planned coverage map shows Dunlop, Fraser, Latham and Flynn....but leaves a bloody great hole where Charnwood is....
so it's Telstra ADSL for me....
fortunately I'm not with them YET...not till friday...so i Know my username is safe....for now....heh..
Advanced users are users too!
Personally I don't care if telstra's state owned or not..I just want an alternative!....
Advanced users are users too!
People who don't know what ".exe" and ".vbs" mean are idiots? I've seen several slashdotters say that before, but I can't imagine why anyone would think that. Not everyone knows everything about their computers, and you shouldn't expect them to.
The shareholder is always right.
From NineMSN;
Telstra is evil, but this looks more like the work of idiot users.
Keep the pitchfork and flaming torches handy though, they'll fuck up sooner or later.
Another bad thing about the Telstra passwords is that they don't use any SSL to cover any of the access to subscribers' info. Therefore it just might be that the passwords were obtained from the net in transit - not necessarily from an in-situ source. At least, they don't use any SSL when I'm using my accounts, for which I've just changed my passwords, of course.
city: Adelaide, South Australia
with only 3 gigs a month (upstream and down) the adsl and cable *unlimited* accounts are just about useless. Maybe this will force someone in the Government (who still own 51% of telstra) to do something.
Someday, we'll look back on this, laugh nervously and change the subject.
The recent rise in cracking in the last couple of months is probably a result of US summer holidays... But Telstra doesn't make it hard for wannabes - when I recently changed my password, it required: 8 letters max, only from charsets [az][AZ], numbers and _ Not brilliant for security...
-- "For every complex problem, there is a solution that is simple, neat and wrong." -- HL Mencken
Telstra's claiming that the 96 passwords published represented the entire list, not a sample. They've cancelled all the accounts concerned and re-provisioned (translation: re-generated random passwords) and contacted everyone concerned. They're saying it was the result of a trojan, which they've found installed on every one of the users' devices.
On some of the Australian mailing lists, we've had individuals claiming that whatever it is, it must be Telstra's fault. Come on, they're not particularly nice guys as far as responsible corporations go, but poor security must be the fault of the software vendors and lack of vigilance on the users' parts.
Just trying to install some sanity before all of this stuff gets repeated here once again....
toeslikefingers.com - because
Yeah, they decided to send the plaintext password over the wire instead. Yeah, that'll work. Not.
Bob, the reason is that the CHAP authentication protocol requires that the server know the plaintext password.
Just keeping a hash isn't good enough.
The requirement for plaintext passwords is a drawback for many challenge-response protocols. You trade-off the value of never sending the password over the net (instead using challenge-response) with having to store the actual password on the server (instead of the result of a one-way hash).
Encrypting the passwords doesn't help. If the authentication program needs the plaintext value it must be able to decrypt the password, so the attacker simply steals the encrypted passwords and a memory-dump of the executing decryptor program.
-- veni vidi nuclei deceri --- I came, I saw, I dumped core.
Does anyone else notice a higher-than-normal cracking rate this past month/2 months?
Irrespective of where fault lies, anyone not familiar with Australia should realise that "Telstra Bashing" is virtually a national sport, and typically involves a lack of objectivity. This usually clouds any issue involving the company.
-- Matthew - matthew.gream@pobox.com, http://matthewgream.net
Name of Plan: Freedom Plan - What???? how come there are different types of freedom (ie Standard and Deluxe - freedom in Capping up/down stream transfer rates and enforcing 3 gigs limit, come'on Telstra! Advantage of Telstra's ADSL (quoted from web page): "Convenient - ....As soon as you turn on your PC, you can be online...." - Urm *BRRRR*... network outages I have experienced within the past month is shocking! Did someone forget to power-cycle the systems today?!?
Telstra's Corporate Slogan: "Making Life Easier" - NOT
Hope things change in the future.
My BigPond Cable-connected system regularly gets portscanned by other cable/DSL users. This seems to be just a lot of FUD caused by the deceptions of script kiddie. Telstra don't do anything to protect their users systems from attack, but then how many other ISPs do?
What? The site which originally broke the story (CORE) have now posted another article saying Telstra's servers were probably not cracked. Specifically:
Sub7 or some other "netbus" program has been used to leech the accounts of the users machines. This is at the moment the scenario I favour...
Sure, Telstra fucked up their ADSL network and extremely pissed off many users with their download caps, but there isn't proof yet that they screwed up on this too.
Telstra is in an interesting situation in Australia. It used to be a wholly government owned corporation, which was the only telco in aus. Through deregulation + the rise of ISPs + cable tv services and other factors, there are now many telcos and ISPs. As far as Broadband is concerned, Cable and xDSL are both available. xDSL is being offered by Telstra and a few other lesser known ISPs. Cable is available from Telstra and Optus. Coverage rates aren't that great, and through interesting circumstances, only suburbs with above-ground wiring are able to access Optus. Telstra therefore has an effective monopoly in certain areas, and can pretty well do as they please. Even in areas where both carriers are available, the duopoly forces mean that if Telstra can get away with it, Optus will do it too.
We don't have to *buy* it back. We can *take* it back without paying. Check all the details associated with the way it was privatised. There's a clause to the effect of "any time in the future telstra can be reclaimed"
As a resident of Australia, this doesn't come as a big suprise to me. Ever since the Liberal government decided that selling off Telstra would actually be a *good* idea, the service has just gone completely downhill. Of course, in some ways it was never great to begin with but privatising it just makes it worse.
The point that successive governments (state and federal) don't understand is when you privatise a service, you change whatever the service is responsible to. Public-sector services are responsible to the government, who are in turn responsible (at least, they used to be) to the people. Politicians can be very sensitive to voter dissatisfaction (so the theory goes), especially around election times. But when you privatise the service, it becomes a private-sector entity whose responsibility is to the shareholders, not the people. Profits become the primary focus, and the quality of service declines. Witness such effects with the electricity and natural gas industries in Australia, and the electrical industry in California (the one currently being bailed out with taxpayers' money). What's worse is that as Telstra, being the government body in charge of telecommunications, was the one that set up and maintained all the infrastructure (phone lines etc). This puts them in a wonderful monopoly position as they own practically most of the telecommunications infrastructure in Australia (Optus has some infrastructure of their own as well as leasing from Telstra), and therefore can effectively charge what they like. Not only do the customers pay high prices for inferior service from Telstra, they have to pay high prices to Telstra's competitors because Telstra also charges high prices for them to use their network.
Telstra should have never been privatised to begin with. It was a simple election ploy for little Johnny Howard so that he would have some money to throw around, a way to buy votes. The Liberal government will spend the money on grand election promises and when they are voted out (it's only a matter of time, really) they will leave the successive Labor government with a dilemma. Raise income taxes/GST or sell off Telstra completely (the latter being the most likely). The sad reality of this is that while Telstra is responisble to the shareholders, the "mum-and-dad" shareholders that were meant to be the main beneficiaries of the sale hold precious little stock and can do absolutely nothing to influence the way the company is run.
The same Liberal government that sold Telstra is also unable (more likely they are unwilling) to send in the ACCC (Australian Competition and Consumer Commission, the same people who said "no thank you" to DVD regional zoning) and put the hard word on Telstra to improve their service. So, to be honest, this whole sorry saga has been an ill-conceived, money-motivated botch from the word go. Unless we either send in the ACCC and try to get some real results, or buy back the 51% of Telstra already sold (and pay for it later through higher national debt), this situation is unlikely to change.
Self Bias Resistor
----------
When the pin is pulled, Mr. Grenade is no longer our friend.
I just can't wait for hailstorm and .net, atleast now it's a two step prosses to hack my life, al la The Net.
Does anyone actually have a Java program designed to control air traffic, or for the operation of a nuclear facility?
If you believe the hype... and look at the small (I have found 37!!!) collection of trojans that are readily encountered when investigating "3l33t h4X0r t00Lz"... The carefully constructed password lists are actually the result of trojan infection of (There is no silent L in)users systems. Course, Telstra themselves are inferring this, which leads me to assume it is not true... unfortunately it SOUNDS true... either way, my box is happily changing my ADSL password randomly at wildly variable intervals just in case :) Ok, I felt the need to write a silly script and why do *I* need to know my login password if my box does??? :)
:)
I realise that this information may have been posted earlier and, indeed, in a more ledgible and less commaed fashion, but I couldnt be bothered checking...
Have an otherwise normal day,
err!
jak.
---
"A man who has to be chained to a bed has issues."
David Eddings.
A dictionary attack would probably use a dictionary 5 or 10 times that size, and wouldn't take all that much time to run. A 500 Mhz system can process a lot of ~12 character strings in an hour.
I strongly suggest you try a different scheme.
--
In spite of the suggestions and all the tests that I have made, I have not cavato a spider from the hole.
- had crappy security
- got hacked, hurting their users and customers in a tangable way
- were sued by thier customers
- lost/settled with their customers
As far as I can tell, the hackers are the ones considered culpable, not the incompitant admins who let them in. Is there a legal basis for this, or is it just the way things work? Or am I being paranoid?--
In spite of the suggestions and all the tests that I have made, I have not cavato a spider from the hole.
Apparently, Telstra is not to blame for this, it was caused by Trojen/sub7 viruses installed on client computers, since there was only 69 users effected (accounts have been disabled/fixed etc so dont bother trying to use the u/p if you find them, its not hard to find the list online.) this effected mainly ADSL users, but also a few dialup & cable users were effected aswell, also pushing the fact that it was a virus and infact nothing to blame of telstra, its very un-likely that ALL services of bigpong would have passwords cracked.. some git has mearly picked out the bigpond users & passwords in order to make telstra look to blame my 2 cents.. Adam
The people at AT&T figured this one out 32 years ago!
I hope that the company is held responsible for this. It's not completely the fault of the "hacker" who posted the passwords!
Comment removed based on user account deletion
Comment removed based on user account deletion
Allright, I'll bite.
What specific circumstances does "changing passwords regularly" protect against?
Assume that my passwords are all "very strong", they are not written down anywhere, and they're never transmitted in the clear over an un-secure network.
The only circumstance I can forsee this "helping" with (besides idiotic ones like people loosing the pices of paper they have their passwords written on), is where it's already in the hands of a "criminal". But AFAIK if someone already has a single user account, further user accounts (existing and specially-created) and the root account isn't far behind.
Can anyone point me to a scholarly analysis of the exact merits of regular password changing?
Why? Because I don't do it. If I were, with 20 different passwords and all of them of the "Strong" type, I'd be forced to write them down, or spend hours and hours figuring out 'mind games' to try and remember them, and even worse it would (and did in past years) result in an ever increasing number of "confused and forgotten" passwords. (Frequently occurs within 1-2 weeks of a change, when you just happened to not use that account, and so now you're mind is groping in among not only all your current passwords but the previous 1-3 rounds of passwords, and suddenly you're screwed. No fun.)
Note that /. 's passwords are/were stored in plaintext. This was why the breakin was so annoying. Everybody had to increment the number after their password by 1.
- Ando
You are the weakest link, goodbye.
haven't looked anything up about it, as I don't live there, but they're doing some strange kind of deal with cable and free phone calls, ACT Electricity and Water are doing it... ACTEW...
anyone heard anything else about it?
Hey, if that's all you get for your hard earned cash, what better way to even the score with the fascist telco than by stealing an account and sucking it dry? Lather, rinse, repeat.
From hell's heart I fstab at /dev/hdc
I think this moderator system is broken or something. I got some points and drop down boxes but appparently don't have any way to submit potential moderations. I would have dropped a point. I though it was pretty funny, too.
I know something similar to this gets posted in nearly every discussion of passwords, but here's a simple way to generate fairly strong passwords that you can remember, so you can stop worrying about how hard it is to remember your strong passwords and change them regularly:
- Flip open the Bible, or the complete works of Shakespeare, or similar, to random page, random line. Read the phrase on said page and line.
- Commit that phrase to memory.
- Now 1337ify the phrase. "To be or not to be" becomes fairly-strong password "70b30rN0770b3" (granted it repeats a lot of characters, but you get the idea). Flipped open John 3:16? "ph0r60d$010v3d7h3W0r1d" seems strong to me.
If you stay suitably random in your replacement of letters with symbols and your switching of lower-case for capitals, you'll avoid normal English distribution of characters (which might otherwise be a problem), and you'll have a fairly strong, easy-to-remember password.In addition, this system can be safely posted here and used by anyone who likes it, because the important part of the system is the book used, not the process (think cryptosystems - publish your algorithm, keep the key secret). Just don't use the same book consistently, and it should be secure and easy.
And of course, it uses script-kiddie-speak to hold off script kiddies, so it's poetic justice of a sort, too...
This is the forum where the usernames were posted. Apparently it only affects teltra bigbond ADSL users.
--
0x00
l33t cl0wnZ
As you can read here Telstra are in fact denying any crack taking place. They're blaming it on the users!
Then the story made it to broadband.org.au and then to whirlpool (link in /. article).
Now I have put the latest article up on my site to put some facts back into this thread. No-one can prove that a Bigpond Account server was hacked - what we know is that 69 user account passwords from what predominantly appear to be to be the much troubled Telstra ADSL service have been posted on a number of sites. Just how these passwords were gathered is subject to wild speculation.
The case for a Account server failure
Most (if not all) of the accounts seem to be ADSL accounts - a Trojan should not be so selective (but it could be). There have been a LOT of troubles on the ADSL network - it is not inconceivable that something slipped hough the cracks (if just temporarily).
The case against
69 passwords are wayyyy to few to consitute a large hack - all the posted lists where the same. Once posted these accounts would become useless to the cracker(s) - but not if he/she/they had access to the accounts via remote control clients.
The fact remains that unless one of the affected accounts tells us that they were infected with one of those trojans or Telstra comes clean on the whole thing (hahahaha!) we remain guessing. I'll keep my site up-to-date with the info as I get it.
--
Jon - TheSpork
First post is even more impressive now that we know that you typed it with only one hand!
0h t3h h0rr0r!
Mac OS X and Windows XP working side by side to fight back the night.
Okay!
:)
Knock knock.
Who's there?
Orange.
Orange who?
Orange I lame joke-maker?
Is that better?
Do you like German cars?
... The passwords getting out could have been prevented by using strong encryption.
Or, if nothing else, encryption could have delayed the attackers getting the list...
Do you like German cars?
Wow... Someone just picked up the new copy of 2600 w/ the article on Password Authentication
--- My Karma is bigger than your...
------ This sentence no verb
Someday the virtues of engineering best practices, and, dare I say it, even formal methods and correctness proofs, will be apparent to all. Ask yourself: why do we require the designers of our septic systems to have engineering licenses, but don't require the same from those who write the software that controls significant parts of our information infrastructure?
Laws affecting technology will always be bad until enough techies become lawyers.
Has anyone else noticed that the links in the 'bigpond' area on the telstra.com homepage do not work? It has been 3 months since I signed up and they have have never worked for me.
:)
More amusing is when the guy came out to hook us up, the entire 'bigpond' section was missing. He had to make calls to their helpdesk to find out how to change our initial password. Apparently this is normal practice to remove entire sections rather than publish problems...
Important Note for Telstra Shareholders: The all billing links still function
Are you drunk, stoned or just insane? What right do you have to unlimited DSL? I mean you don't even have the 'right' to a roof over your head, daily meals etc, and you are spouting off about 'unlimited DSL'.
Tool.
Not Meta-modding due to apathy.
luckily telstra has embraced the obvious future of authentication on the internet and decided on a unilateral capitulation to microsoft's passport service. resistance is futile! duh!
;-)
/default.ida? NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801% u9090%u6858%ucbd3%u7801%u9090%u6858%uc bd3%u7801% u9090%u9090%u8190%u00c3%u0003%u8b00%u531 b%u53ff% u0078%u0000%u00=a HTTP/1.0
all of their subscribers have been sent an email saying to get a new user name and password by just sending the following simple http request to www.passport.com
GET
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Did timothy all of a sudden become the only one to post stories? Did he go on a killing spree?
grin
Reb
And I just joined them, due to OneNet falling by the wayside. I only wish I had the choice for Optus, but living in Adelaide provides a rather limited subset of options. Hell, we don't even have the Cable option over here! And word has it from a very reliable source in Optus that they simply arn't willing to roll out in Adelaide due to financial reasons.
I did a google check against my username, and it didn't show up there ... which is a good thing.
--
McCarrum!
Robert Anton Wilson
How 'bout a right to keep and bear arms? Bare arms are, in fact, short sleeved shirts.
I haven't had many problems with Telstra Bigpond at all. I run it on Linux, with Roaring Penguin PPPoE and it works most of the time. The only time I have seen problems is when trawlers pull up their cables. The 3 gig limit is annoying, but I can survive until they increase it.
David
You know why there are only 69 accounts hacked? Its because there are approximately 69 people left using Tel$tra's ADSL plan :)
They all left after the implementatioon of the 3gb CAP.
For all those non-aussies out there think of Tel$tra as a cross breed between Microsoft (but 1000 times more agressive) & The Communist Party.
I can't count how many times these companies have told me to change my passwords regularly for security. But hell, I'm not worried about my roommate staring over my shoulder everyday as I sign on to AIM. If my ISP can't beef up it's security to keep my password from hackers then I can't put up much of a fight now can I?
My other comp. is a Cadillac.
If it was a decent system the passwords would all be encrypted, and it would not allow insecure passwords.
Throw in caps, a number and a bit of punctuation and you won't be getting anywhere fast. 95^8 = 6634204312890625 possible passwords.
However, having users use all possible chars might not be practical.
Let's say we limit ourselves to [A-Z][a-z][0-9], and a length of at least 6 chars: 62^6 = 56800235584
On your average 1GHz x86 based system you can expect about 60K attempts a second. About 10957 days, 30 years.
It all boils down to humans though. They forget passwords, simple as that. You need something secure, but which won't swap your tech support centre with calls. Though imagine all the work they'll need to do now, contacting all the users and getting them to choose (or assigning) new passwords.
Perhaps you could add something to the agreement to this effect. Pick a simple password, don't blame us if your account is hijacked.
But this is all old news, isn't it?
These servers are not unix servers you can download the password file from. Many of the users hit were not using ADSL. The passwords given were NOT in this format. They were STRONG passwords.
There is a good article, and a good discussion thread available at http://www.whirlpool.net.au. It outlines the fact that the passwords would never be stored in plaintext (the passwords are stored on industry-standard enterprise servers), and that many of the released passwords were extremely strong (suggesting the passwords were not cracked).
It seems only natural to assume someone has spent some time collecting logins and passwords via another method, and is posting their results with the view of creating FUD over Telstra's service. Just because 69 passwords have been obtained, doesn't mean there exists a vunerability for the tens or hundreds of thousands of subscribers of the service.
I don't particularly like Telstra, nor do I use their internet, but I dont believe they are this stupid.
As an Australian, I admit that I'm not pleased about some of the laws, or suggested laws, I've read about on /., but I don't think for me the US would even be a nice place for me to visit - knowing that anywhere I am, 95% of the people I see are capable of killing me instantly from a distance, I don't need that.
This is a joke, honestly. In fact, I wasn't really impressed with ADSL from day one when the "technical" guy came to my place to install it...I knew more about installing the damn thing than he did! He had no idea, he was reading instructions out of a manual! What annoyed me more was the fact that I e-mailed Telstra beforehand saying "why do I need to pay so much for installation when I can do it myself?" To which they replied "It is more complicated than you think". My arse it is complicated. I've had to reinstall it all several times since the initial installation, 10 times quicker than the "techincal" guy did. Topped with this was the fact that they only knew how to set it up on internet explorer and outlook express. Honestly, it wasn't that hard to get it working on netscape. Losers. My point exactly. White_Pointer
Who is General Failure, and why is he reading my drive A:?