Slashdot Mirror


ISP Emails Customer Database To Thousands

Barence writes "British ISP Demon Internet has mistakenly sent out a spreadsheet containing the personal details of more than 3,600 customers with one of its new ebills. The spreadsheet contains email addresses, telephone numbers and what appears to be usernames and passwords for the ebilling system. It was attached to an email explaining how to use the new system. Police forces and NHS trusts are among the email addresses listed in the database. A spokesman for Demon Internet confirmed that the company "was aware this happened this morning"."

259 comments

  1. Meanwhile ... at Demon Internet Corporate Offices by eldavojohn · · Score: 5, Funny

    Demon Internet Yesman: Christ! We're getting murdered out there!
    Demon Internet CEO: Okay, okay, calm down. We've got a little issue on our hands here and we kinda need to sweep this little thing under the carpet. Now, you're not getting paid six figures to agree with me, what have you got?
    Demon Internet Yesman: I've drafted an e-mail that explains to our customers that for Halloween we decided to be evil -- after all, we are Demon Internet? Huh? Huh?
    Demon Internet CEO: Not bad, not bad ... if it was fucking October! And we're dealing with internet users here, not AOL USERS! Jesus, has anyone else got something better?
    Demon Internet Yesman: I've got it! We tell them that we're trying to be transparent and an "open information" company because information wants to be free and so we sent everyone everyone's log on and contact information so they can ...
    Demon Internet CEO: Did you just personify the noun 'information'? That's the stupidest fucking thing I've ever heard. Who are you? Pack your shit, you're fired. Next.
    Demon Internet Yeswoman: *tentatively raises her hand* Well, we could tell them that we suspected one of them was an evil dirty file sharer ...
    Demon Internet CEO: ... I'm listening ...
    Demon Internet Yeswoman: ... and now that the evil person tried to do something evil with that data, we have caught them and they are safely behind bars but if you're receiving this message you are not evil so you have nothing to worry about and only good people have your information.
    Demon Internet CEO: *nods slowly and approvingly* Yes, yes, that's good. We are law enforcers, we are providers, in their eyes we have done only good and now they fear and respect us and think they have escaped the sickle of justice. I like it. Sally, you're off of blow job duty. Frank, you're on blow job duty -- it's simple: my office every weekday at noon. Sally, I knew that equal opportunity employment shit that made me hire you was on to something. Okay folks, listen up, I want everyone in Great Britain to open their mouths 'cause I'm about to put my big fat cock in it.

    --
    My work here is dung.
  2. Re:Meanwhile ... at Demon Internet Corporate Offic by Reason58 · · Score: 4, Funny

    Demon's going to have hell to pay.

  3. Free market will fix this by cryfreedomlove · · Score: 3, Insightful

    Is there a good alternative ISP available to the same customers. If so, then I would expect a stampede away from Demon ISP to their competitor. There is no need for government intervention.

    1. Re:Free market will fix this by Anonymous Coward · · Score: 5, Insightful

      Storing user passwords unencrypted in an excel spreadsheet should be a crime.

      Maybe it isn't. But I consider it to be a criminal level of negligence with significant public harm.

    2. Re:Free market will fix this by Hatta · · Score: 1

      That's all well and good until the ISP everyone flocks to has a data breech.

      --
      Give me Classic Slashdot or give me death!
    3. Re:Free market will fix this by Penguinisto · · Score: 5, Interesting

      Their biggest competitor is BT ... Not quite seeing a stampede happening in that direction.

      There's always Orange, I guess...

      (...and to think that I bitch about Comcast...)

      /P

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    4. Re:Free market will fix this by icebike · · Score: 5, Insightful

      Having a company be able to SEE any user's password should be a crime. Standard practice is that NOBODY, not even sysadmins can see it. They can change it but not see it.

      --
      Sig Battery depleted. Reverting to safe mode.
    5. Re:Free market will fix this by cryfreedomlove · · Score: 1

      If there is no stampede then maybe the customers don't care about the breach enough to jump. They are making a voluntary decision to stay.

    6. Re:Free market will fix this by Goldberg's Pants · · Score: 1

      A voluntary decision to stick with a reliable ISP. Seriously, most ISPs in England are terrible. I know people using various ones, and the only one I NEVER hear complaints about is Demon.

      So, do you want privacy or reliability? You only get to pick one apparently.

    7. Re:Free market will fix this by sgbett · · Score: 1

      I thought it was bad when places emailed you your own password, but this is pretty 'special'...

      --
      Invaders must die
    8. Re:Free market will fix this by clive_p · · Score: 4, Interesting

      I'm amazed that you never heard complaints. I was with them for 14 years, but left a few months ago, as their service deteriorated to a level that was completely intolerable. The original company was good, but was successively taken over several times, and all the competent people left. Have a look at the Usenet newsgroup demon.service and you will find plenty of complaints...

    9. Re:Free market will fix this by MrBandersnatch · · Score: 3, Informative

      Demon, once upon a time at least, was a VERY good ISP (ex-customer and I don't recall leaving them due to dissatisfaction, I think it was the move to ADSL which prompted the switch).

      Anyways, http://forums.thinkbroadband.com/ is a good place to get real user feedback on ISPs. Somewhat strangely there are 666 new posts for Demon (I kid you not). I personally am unable to recommend any ISP though. Clara.net shafted me for £100 years ago when their channel bonded ISDN service just wouldn't work for me so I'd recommend you avoid them like the plague; Nildram used to be GREAT but apparently have been taken over by talktalk and users don't look happy; and personally I'm currently stuck with Virgin who routinely cause my blood pressure to rise but because they offer the best speeds blah blah blah.

      On the business side I'll say that NewNet and Spitfire have done what they say on the packet overall.......

      Anyways, yes, if someone finds a decent ISP let us know please.

    10. Re:Free market will fix this by easyTree · · Score: 1

      Somewhat strangely there are 666 new posts for Demon

      Amazingly it's still at 666 - I guess no one wants to break the magic number by posting.

    11. Re:Free market will fix this by sabernet · · Score: 1

      That's one of the first things I thought of when reading the summary.

      What kind of jackass stores passwords in plain text on a DB? At the least: store the hash+salt, compare the input's hash+salt. You should NEVER store the password in a retrievable manner.

      Then again, I suppose it's the same kind of jackass that doesn't do a QA run to make sure something pesky, like say, the ENTIRE client list, gets attached to your invoices.....

      Someone please ID these idiots + management and post it out for the world to see so it comes up in their next job hunt.

    12. Re:Free market will fix this by Anonymous Coward · · Score: 0

      Demon is one of those formerly world-famous ISPs, like xs4all.nl. Now they're just a relic.

    13. Re:Free market will fix this by Anonymous Brave Guy · · Score: 3, Interesting

      Anyways, yes, if someone finds a decent ISP let us know please.

      I've been with Zen's ADSL service for a couple of years now, since moving house. Give or take rare small glitches (and even then, they've had fewer of those than anyone else I've used) their service has always been fast and reliable. They don't have 24/7 tech support available, which did worry me to start with, but since I've never needed to call tech support once the service was set up that no longer bothers me. It does cost significantly more than the cheap providers as well, but I guess you get what you pay for. YMMV, caveat emptor, etc., but I'd sign up with them again.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    14. Re:Free market will fix this by Anonymous Coward · · Score: 1, Informative

      I remember when Demon was THE ISP for knowledgeable users. Hell their Welcome Pack used to include instructions for Amiga users!

      Then they got bought by THUS and, well...you can read the story for how that worked out.

    15. Re:Free market will fix this by digitig · · Score: 2, Informative

      There are a lot of ISPs available in the UK, so there's plenty of choice for fleeing customers.

      --
      Quidnam Latine loqui modo coepi?
    16. Re:Free market will fix this by Anonymous Coward · · Score: 1, Informative

      "Standard practice is that NOBODY, not even sysadmins can see it."

      Damn, I guess I won't mention which big webhosting company I just stopped working for then...but suffice to say they just merged with another big webhosting company... fellow slashdotters, if you have webhosting at a large hosting company that has recently undergone a merger, and you value the secrecy of your passwords, tread carefully.

    17. Re:Free market will fix this by Anonymous Coward · · Score: 1, Informative

      There are quite a lot of ISPs for DSL in the UK, if you can get BT DSL then you can get the competition. There is a range of small-large ISPs which gives the UK a pretty good selection.

      http://www.dslzoneuk.net/isp_ratings.php

    18. Re:Free market will fix this by Anonymous Coward · · Score: 0

      Indeed, the ADSL2+ "upgrade" was such a clusterfuck it reached BBC Radio 4 apparently.

    19. Re:Free market will fix this by NoYob · · Score: 1

      Spitfire have done what they say on the packet overall....

      That's right. I used to be with Messerschmidt and Spitfire beat them!

      --
      It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
    20. Re:Free market will fix this by Nefarious Wheel · · Score: 1

      Being generous, I often allow my service providers one mistake. They never get a third.

      --
      Do not mock my vision of impractical footwear
    21. Re:Free market will fix this by gabba_gabba_hey · · Score: 1

      Ugh, one of my main clients insists that their client user logins on one of their sites be stored in plain text so it can be emailed out/their admins can see the passwords.

      I've tried to explain to them time and time again why this is not so great, but they won't listen...

    22. Re:Free market will fix this by selven · · Score: 1

      Standard practice is that nobody knows the password - you just store the hash.

    23. Re:Free market will fix this by dbIII · · Score: 4, Insightful

      If even the computer knows the password somebody has made a hash of the job :)
      It's not 1980 anymore and we have the hardware and software to make secure password handling with hashes instead of recorded passwords a very simple process, so that's the first link in this long chain of failure. That those doing the billing have access to the passwords shows that there are a lot of links in this chain that should not be there.

    24. Re:Free market will fix this by Anonymous Coward · · Score: 2, Insightful

      If even the computer knows the password somebody has made a hash of the job

      Of course you mean that if even the computer knows the password, somebody failed to make a hash of it. Good call though!

    25. Re:Free market will fix this by Anonymous Coward · · Score: 0

      If even the computer knows the password somebody has made a hash of the job :)

      Challenge-response protocols require that the computer knows the cleartext passwords.

      For example CHAP, which is commonly used for network protocols and is more secure than sending either plaintext passwords or salted hashes.
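
To make the point above concrete, an added example (not code from any poster here) of the RFC 1994 CHAP computation: the authenticator can only check a response by recomputing MD5 over the identifier, the peer's secret and the challenge, so it must hold each peer's cleartext secret (or an equivalent), unlike a salted-hash login. The class and function names are assumptions for illustration; the peer names and secrets are constructed sample data.

```python
import hashlib
import hmac
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2.1: Response Value = MD5(Identifier || secret || Challenge Value).

    The Identifier is a single octet; the secret is the shared cleartext
    secret for this peer; the Challenge Value is the random bytes the
    authenticator sent. No salted hash of the secret can stand in here,
    because MD5 is run over the secret itself.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator (server) side. Stores cleartext secrets keyed by peer name,
    which is exactly the cost the comment above points out."""

    def __init__(self, secrets_by_name: dict):
        self._secrets = dict(secrets_by_name)
        # identifier -> outstanding challenge value; consumed on verify so a
        # captured response cannot be replayed against the same challenge.
        self._outstanding = {}

    def challenge(self, identifier: int, size: int = 16) -> bytes:
        """Issue a fresh random Challenge Value for this identifier."""
        value = secrets.token_bytes(size)
        self._outstanding[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Recompute the expected response and compare in constant time."""
        value = self._outstanding.pop(identifier, None)
        secret = self._secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


class ChapPeer:
    """Peer (client) side: knows only its own name and secret."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self._secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self._secret, challenge)


def run_exchange(auth: ChapAuthenticator, peer: ChapPeer, identifier: int = 1) -> bool:
    """One Challenge -> Response -> Success/Failure round trip."""
    challenge = auth.challenge(identifier)
    response = peer.respond(identifier, challenge)
    return auth.verify(identifier, peer.name, response)


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    auth = ChapAuthenticator({"alice": b"alice-shared-secret"})
    print(run_exchange(auth, ChapPeer("alice", b"alice-shared-secret")))   # True
    print(run_exchange(auth, ChapPeer("alice", b"wrong-secret")))          # False
```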

    26. Re:Free market will fix this by Anci3nt of Days · · Score: 1

      ...which means we should ban sysadmins from getting their own coffee, lest they see the passwords taped to the monitors. Not that being able to change the password could give a sysadmin access to your account.

    27. Re:Free market will fix this by AnonymouseClown · · Score: 1

      Be* have the same no-contention / no limits service as Demon but for less money and without fuckups like this; their tech support even has an IRC channel with REAL LIFE techies with actual power to fix stuff. I haven't needed it yet but I idle in there and it gives me massive peace of mind. I'd highly recommend them.

    28. Re:Free market will fix this by Anonymous Coward · · Score: 0

      While that does make it better for the users that use the same password on multiple systems, the admin of a system that does hash passwords can just save the hash, change the password, do the dirty work in the account, then set the hash in the db directly back to what it was before.

    29. Re:Free market will fix this by Anonymous Coward · · Score: 0

      Having a company be able to SEE any user's password should be a crime.

      Yes, but No, not in this case. This is the user password to the ebilling system -- there isn't any information that is private to the user AND not to the company.

      Now add that difference to the /regular/ calls from customers that have forgotten their password, and you see why the company would just have an internal list of all the passwords in plain text along with other confidential client information.

      It's not the same as a password to a file system or a bank account. It's actually the least useful information on the spreadsheet to a malcontent. I mean, what can you do with it? View the account balance, maybe add or remove some options. It's the other stuff on the spreadsheet that's dangerous.

    30. Re:Free market will fix this by Hal_Porter · · Score: 1

      They got taken over by Thus Plc and then they became much more prone to outages unfortunately. Plus back when they were really Demon £10 a month internet access/website was quite cheap. Now they're just a brand owned by an incompetent multinational and £10 a month is kind of pricey.

      Especially as you don't get much in the way of scripting, just a few ancient CGI scripts. Basically ten years ago or so they were quite good and quite cheap. Now they are selling the same product without the 100% reliability and the rest of the world has moved on a long way.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    31. Re:Free market will fix this by Hal_Porter · · Score: 1

      Actually further back than that BABT used to insist on approving modems - i.e. testing them before you were allowed to import them. BT modems got approved and so did other expensive ones. Most modems did not and were illegal to use.

      The law changed and it became legal to sell unapproved modems only if you had a big red triangle saying "NOT APPROVED" both on the modem and in the advert. Well, Demon got in trouble for an advert where the big red triangle was used as the end of a cartoon Demon's tail. Basically they were offering a deal where you got a free modem if you signed up for their already cheap Internet access for a year.

      Eventually BABT backed down and unapproved modems became legal to connect and to sell without the red triangle. Still I'm sure that was at least partially because Demon Internet pulled stunts like this. Otherwise we'd all have been stuck with a Prestel or a BT walled garden which only worked with their very expensive hardware and the law would prevent people from using other hardware.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    32. Re:Free market will fix this by Anne Thwacks · · Score: 1

      unapproved modems became legal

      I shall be happy when they repeal the legislation requiring a man with a red flag to walk in front of every data packet!

      --
      Sent from my ASR33 using ASCII
    33. Re:Free market will fix this by badfish99 · · Score: 1

      I stayed with them for a few months after their takeover by Thus, until a new ISP installed ADSL+ in our exchange. In that time, the bandwidth I was getting deteriorated enormously, and their customer service changed from an engineer who understood "I can see your pings hitting my firewall" to a call centre worker in India who could only say "reinstall windows". And after I left, they forgot to remove me from their billing system, so they kept sending me letters threatening court action and bailiffs.

      That must have been a couple of years ago now, and they were trying to get this e-billing system to work back then. They kept on sending me emails about it, but I could never log in to it. If it's taken them until now to get it working, their competence must be worse than I remember.

    34. Re:Free market will fix this by Zoolander · · Score: 1

      s/breech/breach/

      Courtesy, your friendly neighborhood Spelling Nazi

      --
      Meep.
    35. Re:Free market will fix this by Anonymous Coward · · Score: 0

      1) A system that mails you your password when you've forgotten it
      2) An admin/programmer has to make this work "just make it work, now!"

      1 + 2 = plain passwords stored somewhere.

      I can assure you that there are many ISPs and telecom providers doing exactly this, and the admins can read the entire database.

      When you have >1E+6 accounts, generating a new password generates more support calls than giving the customers their old password by email.

    36. Re:Free market will fix this by jez9999 · · Score: 1

      Actually, they're no longer known as that. Their new name is:

      BE *eyes explode at fluorescent cyan*

    37. Re:Free market will fix this by CarpetShark · · Score: 1

      Having a company be able to SEE any user's password should be a crime. Standard practice is that NOBODY, not even sysadmins can see it. They can change it but not see it.

      That depends on who you ask. A LOT of IT organisations keep passwords around, since users just can't take their passwords seriously enough. With company data (or any other data really) encrypted using passwords/keys, it's not simply a matter of resetting the password and continuing as if nothing had happened.

    38. Re:Free market will fix this by CaptainOfSpray · · Score: 1

      In UK, it IS an offence to do this. Here are the relevant sections of our Data Protection Act 1998:
      Schedule 1 Part 1 Principle 7
      Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
      Section 61 Liability of Directors para 1
      Where an offence under this Act has been committed by a body corporate and is proved to have been committed with the consent or connivance of or to be attributable to any neglect on the part of any director, manager, secretary or similar officer of the body corporate or any person who was purporting to act in any such capacity, he as well as the body corporate shall be guilty of that offence and be liable to be proceeded against and punished accordingly.

      --
      "Cock Up Your Beaver" does not mean what you think. This sig is intended to clog filters and annoy do-gooders
    39. Re:Free market will fix this by Anonymous Coward · · Score: 0

      A reliable ISP? You are having a laugh!

      This is the ISP that has switched thousands of customers off of BT wholesale on to their own C&W unbundled lines and left their customers up the creek without a paddle, forcing them to buy new hardware because they couldn't set up their central office equipment properly. Demon have been hemorrhaging customers for months now and they deserve to lose more for this idiotic stunt.

    40. Re:Free market will fix this by Xest · · Score: 1

      Yes, if you can get Demon, you can get many other ISPs. Demon used to be awesome, but has been wank for years.

      Anyone still with them deserves what they get. If you didn't ditch this ISP a few years back it shouldn't come as a surprise. This isn't the first major screwup they've made, and they've made millions of minor screwups.

      They used to have a tech support centre with proper IT staff manning it that really knew their stuff, then they outsourced to India and their call centre became horrific, it became useless. They were also taken over and suddenly put arbitrary un-advertised caps on your bandwidth usage after which they'd drop you to 128kbps for an entire month. Effectively if they felt like upping profit they'd just randomly select people claiming they'd gone over this magical un-advertised cap, refusing to say exactly what the cap was then drop you to pre-broadband speeds for a month or so to save them a fortune across all customers they did it to. Prices also went up around the same time service lowered in this manner.

      I struggle to have any sympathy for remaining Demon customers, the company was gutted, all competent staff removed, customer service decreased, prices increased, product quality/features decreased. Why would anyone in their right mind stay with that kind of company?

    41. Re:Free market will fix this by asc99c · · Score: 1

      They were also the best ISP I ever used. Eventually I switched because I was paying £25/month for broadband, and other companies had taken prices down to £10 for the same speed. I never got the same level of service since, but then maybe you get what you pay for.

      I'm now with Sky, since they offer £5/month broadband for TV subscribers and their customer service is acceptable. There is a usage cap, but it was 60GB/month last I checked, which is certainly more than I have ever needed. Also, having everything from one company has been pretty good for getting service, because you can leverage threats of cancelling the total package due to broadband problems (I think also Sky are a bit worried about the Freesat HD service).

    42. Re:Free market will fix this by ErroneousBee · · Score: 1

      Is there a good alternative ISP available to the same customers.

      The stampede started a couple of years ago. Demon used to be a pretty good techie ISP, their webpage was straight out of the '90s, but they were not too expensive and very reliable.

      But then it seems the techies were replaced by accountants and marketing executives on high salaries. They started introducing weird billing systems, prices stayed high, net speeds remained low, free webspace stayed at 10Mb.

      I eventually left for PlusNet, twice the speed at 1/2 the price. There's a dozen other alternatives, all cheaper.

      --
      **TODO** Steal someone else's sig.
    43. Re:Free market will fix this by Anonymous Coward · · Score: 0

      Or ICUK. Found their service / support to be as good as Zen. Not as cheap as a lot of others but you get what you pay for.

    44. Re:Free market will fix this by Antique Geekmeister · · Score: 1

      "Well, if you don't trust the machine you're working on, you shouldn't be using it."

      [ quote from Subversion developers about their practice of storing passwords locally in clear-text ]

    45. Re:Free market will fix this by TheRaven64 · · Score: 1

      If you think Demon is a reliable ISP, then either you've never used another ISP or you've not used Demon for a little under a decade. Demon in the late '90s was best of the breed. Demon now? Not so much. Oh, and even back then they stored passwords in plaintext and didn't bother with much access control on them. I knew someone who worked in their customer support division and he was able to access my password without any problems.

      --
      I am TheRaven on Soylent News
    46. Re:Free market will fix this by doobie22 · · Score: 0

      BeThere.co.uk are really quite good and their user support forums are a really nice addition to their standard support.

    47. Re:Free market will fix this by leenks · · Score: 1

      Why would anyone in their right mind stay with that kind of company?

      Because they don't know any better. Most people think that their broadband is slow because IE or Firefox takes 30+ seconds to start up - they wouldn't think that the ISP was to blame because the advert said that they'll get 8 megabits!

    48. Re:Free market will fix this by Karellen · · Score: 1

      I moved away from Demon after the Internet Watch Foundation debacle last December to UK Free Software Network, and have no complaints about any aspect of their service.

      --
      Why doesn't the gene pool have a life guard?
    49. Re:Free market will fix this by Anonymous Coward · · Score: 0

      Eat my shorts :)

    50. Re:Free market will fix this by Anonymous Coward · · Score: 0

      Absolutely there is. They're called UKFSN and they're great.

      Long ago I was a Demon customer (back in the early days when they were a really good ISP) but moved to UKFSN shortly after Demon were sold to Thus. As soon as Thus took over their, previously excellent, tech support started to go down the toilet with the final straw being when I was told I couldn't change my ADSL package without being disconnected and paying a new connection fee.

      At this point I switched and have never looked back. Demon went from being one of the UK's best ISPs and have turned into yet another crappy clue-free organisation with outsourced script reading, mindless call centre drones and no farking clue whatsoever.

      Did I mention UKFSN were superior in every way ?

      I truly hope Demon goes bust. Soon.

    51. Re:Free market will fix this by Xest · · Score: 1

      That's true if Demon's issues were limited to speed but they're not, they include billing errors, bad customer service, larger restrictions on what can be done on the connection - all this despite them charging more than most other ISPs to boot.

    52. Re:Free market will fix this by Dragonslicer · · Score: 2, Funny

      Standard practice is that nobody knows the password - you just store the hash.

      Not even the user knows their own password... now that's security!

    53. Re:Free market will fix this by benbean · · Score: 1

      I, too, dropped Demon earlier this year and was continually harassed for money for service after the cancellation date, and then, once I'd cleared that up, a mysterious £50 for a router they said they sent out to me two weeks after the date I went live with my new ISP. The Indians refused to give me any number at London HQ to talk to them. I had to write a letter, which they never responded to, until the case was finally dropped, a fact I had to find out about by calling the collections agency myself. Brilliant.

      --
      It's a Unix system - I know this.
    54. Re:Free market will fix this by mftb · · Score: 1

      Because nobody's stupid enough to use the same password in more than one place.

    55. Re:Free market will fix this by Anonymous Cowpat · · Score: 1

      I don't understand what has happened to Virgin. Well, that's not entirely true, I understand what's happened to Virgin - they became Virgin.
      When they were ntl our connection was always fine and fast enough, then Virgin took over, knocked bitrates up to stupid levels and never upgraded the infrastructure behind it. Performance tanked, and it wasn't just a slow connection, it was constant dropping of packets. (which is a far worse problem if you need low latency)
      At one point, I ran a speed test and our supposedly 10Mbit internet connection was running at 86kbps. (largely caused by only a fraction of packets getting all of the way through)
      This continued for FOUR MONTHS.
      About halfway through that time, an engineer came out, and prodded a few things and explained about the packet dropping because of lack of infrastructure (I'm assuming that he was honest), and blamed it on the nearby students, and made a few phone calls and told us that there was an upgrade planned for the hardware upstream which should be in by the end of the year (this is mid-November).
      The new year came and went, the connection got no better, then some time a few months later, one Monday, it just suddenly started working properly. I assumed it was just one of those blips when it did work (presumably because less people were trying to use their connections) and enjoyed it for a few hours.
      That afternoon Virgin called to ask if we still wanted to pursue our connection problems, and when I said that we did, they put me through to some chap in India who did a short bank of tests with me and, surprise, surprise, everything was working properly. He then had a very patronising spiel about that being the correct speed, and then everything just sort of petered out while I was still busy being flabbergasted that they had called to test it at the one flaming time when it was working fine.
      As it was, the connection didn't get any worse after that, so I presume that the long-awaited upgrade had finally gone in. I refuse to believe that it was a coincidence that they called to test and make a record of how our connection was on the day that their hardware upgrades fixed it. (This problem had been rumbling along with letters and phone calls for weeks, and this was the first time they called to do testing on their terms).

      --
      FGD 135
    56. Re:Free market will fix this by Anonymous Coward · · Score: 0

      Star.net.uk is a business-only ISP.
      So it's not just BT and Orange... there's more out there.
      Not recommended for home users, but for businesses, this is a viable alternative.

    57. Re:Free market will fix this by RivieraKid · · Score: 1

      That's different - the company owns the account and password, and there's a master decryption key available anyway.

      --
      "Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves
    58. Re:Free market will fix this by dbIII · · Score: 1

      Number 1 is done by just about everyone by generating a new password. Number 2 has not been difficult since the early 1990s since you just use the right library.
      The "they all do it" argument is just a description of the extent of the problem which leads to leaks like this and not a positive statement in any way. Of course there are a string of other stupid accidents that have to happen before you email the password list to all, but I'm pointing out here that you don't need the password list in the first place so that's one way to break this chain of failure.
      There are other ways but I wanted to get the hash pun out there which will hopefully soak through a few skulls stuck in the MSDOS mindset.
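
As an added example (not code from any poster here), the scheme sabernet describes above (store only salt plus hash, verify by re-deriving from the input) together with dbIII's point that the forgotten-password case is handled by minting a new password rather than retrieving the old one. It uses the standard library's hashlib.pbkdf2_hmac; the EbillingUsers class, its method names and the sample user are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256 (tunable; higher is slower for an attacker too).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    Only a per-user random salt and the derived key are kept; the password
    itself is never written anywhere, so no export of this table can leak it.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    derived = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(derived.hex(), hash_hex)


class EbillingUsers:
    """Constructed in-memory stand-in for the ebilling user table (assumed name)."""

    def __init__(self) -> None:
        self._records: Dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def record_for(self, username: str) -> str:
        """What a billing export would contain for this user: no usable credential."""
        return self._records[username]

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Derive anyway so an unknown user costs the same time as a wrong password.
            hash_password(password)
            return False
        return verify_password(record, password)

    def reset_password(self, username: str) -> str:
        """Forgotten-password flow: generate a fresh random password, store only its
        hash, and return it to be delivered once to the user. The old password
        cannot be handed back because it was never stored."""
        if username not in self._records:
            raise KeyError(username)
        new_password = secrets.token_urlsafe(12)
        self._records[username] = hash_password(new_password)
        return new_password


if __name__ == "__main__":
    users = EbillingUsers()
    users.register("alice", "correct horse battery")      # constructed sample user
    print(users.login("alice", "correct horse battery"))  # True
    print(users.record_for("alice"))                      # salt and hash only
    print(users.login("alice", users.reset_password("alice")))  # True
```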

    59. Re:Free market will fix this by Anonymous Coward · · Score: 0

      Slashdot has a sig field. Use it so we can filter out retarded, redundant sigs -- just like yours.

    60. Re:Free market will fix this by Naturalis Philosopho · · Score: 1

      You would expect it, which is why free-market capitalism fails. Most people aren't smart enough to act in their own best interest.

    61. Re:Free market will fix this by odeland · · Score: 1

      Well, send this article to your client.

    62. Re:Free market will fix this by philmck · · Score: 1

      I too was with them in the beginning but they lost the plot (the founder even got a suspended jail sentence).

      Agreed about the other ISPs as well - I've found bethere to be pretty good though.

      --
      Phil McKerracher
  4. So what? by should_be_linear · · Score: 5, Funny

    Security through obscurity never helped anyone.

    --
    839*929
    1. Re:So what? by Anonymous Coward · · Score: 0

      Lol I don't think they were referring to a list of usernames and passwords when they were thinking of obscurity.

    2. Re:So what? by pete-classic · · Score: 1

      A secret, such as a password, is not the same thing as an obscure fact, like running a service on a non-standard port*.

      -Peter

      *I'm aware that this is actually pretty useful in practice, but it isn't a security measure per se.

    3. Re:So what? by selven · · Score: 1

      It's all about the threat model. If you're defending against script kiddies who want to bring down someone, anyone, then hiding your house in someone else's backyard is a good idea. Against determined attackers, however, it's pretty useless.

    4. Re:So what? by TheSpoom · · Score: 1

      More importantly, hasn't this company ever heard of password hashing?

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    5. Re:So what? by Virak · · Score: 1

      I know this is a joke, but it should really be modded insightful instead. This just reveals the already-existing incredible insecurity of their setup. If they were doing it right, the file would only have hashes, or preferably, hashes and salts. It would certainly still not be good to have it leaked, but the results of that happening would be significantly less serious. Instead, we have this.

    6. Re:So what? by mysidia · · Score: 1

      Yeah... you can't do it if your clients connect using PAP authentication.

      This doesn't explain why the heck the info was in a spreadsheet however.

      Maybe it was intended for support staff... still, it raises the question: how the heck are you gonna keep a spreadsheet up-to-date?

      If it was on a shared folder, I can't imagine any reason in hell it could have wound up attached to an e-mail, except an employee did something extremely evil...

    7. Re:So what? by TheSpoom · · Score: 1

      Yeah... you can't do it if your clients connect using PAP authentication.

      I read that comment too. It seems... wrong to me. There absolutely must be a way of sending a hash instead of a plaintext password; even if the user is forced to send a plaintext password, it doesn't mean it has to be stored plaintext in the database.

      Isn't the server completely under the control of the people running it, anyway? Don't they simply have to comply with the protocol, while all internal affairs of their connection manager are their own concern? Because that's the way that client-server programs have always worked when I've worked with them...

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    8. Re:So what? by mysidia · · Score: 1

      Sorry, CHAP authentication. You can store a plaintext password with PAP, but not CHAP. The security tradeoff is this: for CHAP authentication to be performed, the server has to know what the plaintext password is exactly. For PAP authentication to be performed, the password is sent in the clear, and the server can store the password using a one-way hash.

      The server ISPs use is a RADIUS server, and it does not have full control over the authentication process. The hardware the users log in to sends the RADIUS server the challenge response (which is an MD5 hash) and the challenge ID. The RADIUS server has no control of which authentication protocol was used: if CHAP was used, and a plaintext password is not available, the RADIUS server can only really reject the authentication (the user can't connect).

      For a CHAP authentication request: the RADIUS server has to compute the MD5 hash of the plaintext password concatenated with the challenge response, and respond to the NAS (the network access server hardware) either YES (login ok) or NO (bad login).

      There is no 'use a different authentication protocol, please' option.

      Typical NAS hardware will support CHAP, or the ISP will not have control over it (resold services are common). If the NAS hardware supports CHAP, you're lost, because Windows will elect CHAP; it became the default at some point.

      The Windows client operating system uses CHAP if the network access server supports it; the ISP operating the RADIUS server has no control of that. Only the contractor/vendor providing the access service has control, and they generally use CHAP for security reasons.
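      As an added illustration of the CHAP versus PAP trade-off discussed above (example code, not from the thread or from any ISP), the Python below implements the CHAP response as defined in RFC 1994 (MD5 over identifier, secret and challenge) and shows that the verifier needs the plaintext secret, while a PAP-style verifier can work from a salted hash alone. The secret, challenges and helper names are constructed for the example.

```python
"""CHAP needs the plaintext secret on the server; PAP-style checks do not.

Added example, not code from the thread or from any ISP. CHAP response per
RFC 1994: MD5(identifier || secret || challenge). All credentials and
challenges below are constructed sample values.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample secret shared between subscriber and ISP (not real).
SECRET = b"correct horse battery staple"
PBKDF2_ROUNDS = 100_000


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side of CHAP: MD5 over the one-byte identifier, the secret
    and the NAS-chosen challenge, exactly as RFC 1994 specifies."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, response: bytes,
                stored_secret: bytes) -> bool:
    """RADIUS/NAS side of CHAP. The verifier must recompute the MD5 over the
    *plaintext* secret; there is no way to check a response against a
    one-way hash of the secret."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


def pap_enroll(password: bytes, salt: Optional[bytes] = None) -> dict:
    """Credential store for a verifier that receives the plaintext password
    (PAP, or a web login over TLS): keep only a salted, iterated hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest}


def pap_verify(password: bytes, record: dict) -> bool:
    """Recompute the salted hash from the presented password and compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", password, record["salt"],
                                    PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["hash"])


def chap_with_hashed_store(identifier: int, challenge: bytes,
                           response: bytes, record: dict) -> bool:
    """The failure mode the post describes: if the RADIUS server only holds
    a PAP-style hashed record, the best it can do is feed the hash into the
    CHAP computation, which never matches, so a valid client is rejected."""
    return chap_verify(identifier, challenge, response, record["hash"])


def demo() -> dict:
    """Run one CHAP exchange against both kinds of credential store."""
    identifier = 0x2A
    challenge = os.urandom(16)                 # chosen by the NAS per login
    response = chap_response(identifier, SECRET, challenge)  # sent by client
    record = pap_enroll(SECRET)                # what a hash-only store holds
    return {
        "chap_with_plaintext_store": chap_verify(identifier, challenge,
                                                 response, SECRET),
        "chap_with_hashed_store": chap_with_hashed_store(identifier, challenge,
                                                         response, record),
        "pap_with_hashed_store": pap_verify(SECRET, record),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accept' if ok else 'reject'}")
```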

    9. Re:So what? by TheSpoom · · Score: 1

      I'm still not seeing a reason why this is done. I'm not particularly a network person, so maybe there's something I'm not seeing here, but why don't they do something similar to what's done on the open internet: use automatic, end-to-end encryption (e.g. SSL) in which the password is passed in the clear (but encrypted) and then hashed on the server to validate its authenticity?

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    10. Re:So what? by mysidia · · Score: 1

      The obvious reason is dialup modem pools/DSL MUX gear doesn't have the capability to do it. More importantly, SSL is pretty expensive due to the CPU horsepower required; it would slow things down, or customers (and you) would have to buy equipment with expensive crypto offload chips -- customers don't tend to like paying more, having slow connections, or having to replace equipment.

      Even more importantly, your dial-up PPP or PPPoE is not a TCP connection. SSL can only be used with TCP connections (it can't be used with datagram protocols), so the protocol doesn't fit. There is no standard "encrypted ethernet" protocol, really; the only real option would be PPP ECP.

      In practice, there really is no option.

  5. One more reason... by popo · · Score: 2, Insightful

    ... that privacy 'policies' don't mean squat...

    --
    ------ The best brain training is now totally free : )
  6. Who is to blame? by Monkeedude1212 · · Score: 4, Funny

    10 Bucks says it comes down to a cat on the keyboard.

    1. Re:Who is to blame? by bertoelcon · · Score: 1

      10 Bucks says it comes down to a cat on the keyboard.

      50 bucks says that cat was pictured in the act in a lolcat image.

      --
      Anything can be found funny, from a certain point of view.
    2. Re:Who is to blame? by SlashDev · · Score: 2, Insightful

      Or an overworked employee who decided to take a nap at their desk.

      --

      TOP DSLR Cameras Reviews of the top DSLRs
    3. Re:Who is to blame? by easyTree · · Score: 1

      Seems more likely to be an unhappy (ex-?) employee to me. Surely this can't have been a mistake.

    4. Re:Who is to blame? by Plug · · Score: 1
    5. Re:Who is to blame? by sandmtyh · · Score: 1

      play their passwords away keyboard cat! (insert video of keyboard cat)

    6. Re:Who is to blame? by Mr.+Underbridge · · Score: 1

      50 bucks says that cat was pictured in the act in a lolcat image.

      I can has passwurdz?

  7. To err is human... by Smidge207 · · Score: 1, Insightful

    Human error is understandable, but the fact that Demon seems to have very little internal security seems very disappointing.

      A spreadsheet with customers' usernames and passwords should have been able to be distributed outside of the company system. I find it to be gross incompetence on the part of companies and organisations who have little or no internal document security system to prevent small breaches such as this.

    --
    Is it just my observation, or is eldavojohn an idiot?
    1. Re:To err is human... by Hatta · · Score: 2, Interesting

      There's absolutely no reason to store passwords in the first place. In fact, in a well designed system it would be impossible for the ISP to know the passwords. They'd be hashed and salted first. This is so obvious and simple to do that failing to do so should be considered criminally negligent.

      --
      Give me Classic Slashdot or give me death!
    2. Re:To err is human... by peragrin · · Score: 0, Troll

      They are on an Excel spreadsheet. That means Windows. That means security and encryption are beyond the users' abilities.

      In a true system that file should never have been able to be copied let alone emailed.

      --
      i thought once I was found, but it was only a dream.
    3. Re:To err is human... by MichaelSmith · · Score: 3, Informative

      A lot of their customers will be Dear Old Ladies who call their ISP when they have lost the little bit of paper their daughter wrote the password on. You don't want to give them a new password at that point because their daughter isn't around to write it down again. And in practice, the password isn't protecting anything of value anyway.

    4. Re:To err is human... by sgbett · · Score: 3, Funny

      You're hired!

      --
      Invaders must die
    5. Re:To err is human... by certain+death · · Score: 1

      Mmmmm....Hash and Salt, that reminds me of a good breakfast!

      --
      "My immediate reaction is "WTF? What kind of moron doesn't make things 64-bit safe to begin with?" Linus
    6. Re:To err is human... by Anonymous Coward · · Score: 0

      mmmm, salty marijuana

    7. Re:To err is human... by mortonda · · Score: 4, Informative

      Unfortunately, that's not the case. CHAP authentication requires cleartext passwords to be stored. See my other post.

    8. Re:To err is human... by geekoid · · Score: 1

      Email their new password to them AND their daughter.
      Also give it to her over the phone.
      Here's a thought: mail it to them.

      "the password isn't protecting anything of value anyway."
      You seem to suffer from a lack of imagination.

      --
      The Kruger Dunning effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    9. Re:To err is human... by ThePengwin · · Score: 1

      Dear old ladies who think internet is the devil?

      But seriously. If they forget the password then tough luck, you get a new one. Use it and then remember it or change it; the world goes on. These days a user's password can be the same for everything. A lot of people on the internet do recycle passwords, and the password to their email may very well be the password to their bank account.

    10. Re:To err is human... by Anonymous Coward · · Score: 0

      SHIT!

      *changes password on email, leaving original password on bank account*

    11. Re:To err is human... by AHuxley · · Score: 1

      Its England, they push MS hard. The young dumb admins are spoon fed MS from 7 yo to PhD.
      Plain text is no problem for them. MS is secure and they patch and update.
      If your from the UK and smart your working in the USA, the City or military/science.
      Whats left for an ISP is MS slop.
      Hashed and salted is bad if MS has a new feature that will take time to use. Plain text can save the day ;)

      --
      Domestic spying is now "Benign Information Gathering"
    12. Re:To err is human... by Chris+Burke · · Score: 1

      A lot of their customers will be Dear Old Ladies who call their ISP when they have lost the little bit of paper their daughter wrote the password on.... the password isn't protecting anything of value anyway.

      Fine. So relax the password rules and let her use her daughter's middle name as her password. That's better than storing passwords in plaintext. There's no reason to do that.

      --

      The enemies of Democracy are
    13. Re:To err is human... by Anonymous Coward · · Score: 0

      If the ISP doesn't know the password, how does the customer ever find out?

    14. Re:To err is human... by mysidia · · Score: 1

      It's surely a selling point for DLP software... but before something like this happened, I doubt IT could justify paying the extremely high price for data leak prevention.

    15. Re:To err is human... by mysidia · · Score: 1

      Sure there is... CHAP authentication cannot be done with a hash (as opposed to the older PAP authentication which could).

      The ISP has to store the plaintext password.

      The advantage of CHAP is the password isn't exposed in cleartext on the wire. The disadvantage is the password has to be kept in cleartext in the password database.

      You can blame Microsoft for changing the default from PAP to CHAP, because "it's more secure".

      Never mind that "the wire" is a telco circuit, and the chance of an adversary leeching your password off of it is minuscule, compared to an adversary somehow leeching it off your ISP.

    16. Re:To err is human... by mysidia · · Score: 1

      Except their e-mail address (SMTP LOGIN) which spammers can use to send mail.

      That's actually worth something >$0. Not a lot of value, but some value, definitely enough to cause you (the ISP) trouble.

    17. Re:To err is human... by PiSkyHi · · Score: 3, Informative

      Which is why a CHAP password is not a unified billing password.

    18. Re:To err is human... by Anonymous Coward · · Score: 0

      lol

    19. Re:To err is human... by Mhtsos · · Score: 1

      Dark Helmet: That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!

      later

      President Skroob: That's amazing. I've got the same combination on my luggage.

    20. Re:To err is human... by caluml · · Score: 1

      If your from the UK and smart your working in the USA, the City or military/science. Whats left for an ISP is MS slop.

      If you're from the UK and smart, you might know the difference between your and you're, and you might also use apostrophes correctly.
      I'm not working in the USA, the City, or military/science though, so what would I know - I must be dumb as bricks.

    21. Re:To err is human... by mortonda · · Score: 1

      Most ISPs have just one password for the account.

    22. Re:To err is human... by AHuxley · · Score: 1

      From "Failed In London Try Hong Kong"
      to Failed In London Try Hosting..

      --
      Domestic spying is now "Benign Information Gathering"
    23. Re:To err is human... by PiSkyHi · · Score: 2, Interesting

      I used Three in Australia, the PAP login was a dummy - set by them, the user doesn't need to know this one.

      It may be true that most ISPs do use this as the only password - that's their risk.

  8. They shouldn't even have the passwords by danlip · · Score: 5, Informative

      I can't believe this still happens. They shouldn't even be storing the passwords anywhere, even in their primary database, much less an Excel spreadsheet. Use a one-way hash with salt, folks!

    Also "the company introduced a different ebilling system some months ago, but returned to paper billing following technical difficulties". Who hasn't managed to implement an ebilling system by 2009? Especially an ISP. They must be truly incompetent.

    1. Re:They shouldn't even have the passwords by MichaelSmith · · Score: 1

      Ummm. Where I work spreadsheets are called "databases". I get stupider things in my email every morning at work than the email described here.

      And incidentally, since POP and SMTP were switched off to force us to use Outlook, the number of misdirected emails has gone through the roof. Humans search by first name but Outhouse searches by last name. I have a common last name... And so does a certain senior manager.

    2. Re:They shouldn't even have the passwords by danlip · · Score: 2, Informative

      Ummm. Where I work spreadsheets are called "databases".

      But surely you don't have an ebilling login system trying to look up passwords in an Excel spreadsheet? Or even an MS Access database? Although maybe Demon Internet does, given their extreme lack of clue.

      (and spreadsheets aren't databases, you can't write SQL queries against them)

    3. Re:They shouldn't even have the passwords by Anonymous Coward · · Score: 0

      Quite clearly it was someone in marketing sending someone who sends out email marketing messages the spreadsheet of mail-merge data to put into the email telling the customer of their ebilling function, and their username and password. Unfortunately the email system/application mail-merged in the spreadsheet itself!

      Appalling behaviour to have access to the unencrypted password - I definitely won't be using Demon ever because of that.

      Also appalling that marketing can dredge the customer database for such information as their passwords. Marketing should come up with the blurb and the design, and someone competent should merge in the per-customer details. A simple email-template database for marketing to twiddle with, and a mass mailing system that uses the results of an SQL query to populate the email template. Easy, most people here could design the guts of such a system in a day or two, maybe even with a primitive email template editor.

    4. Re:They shouldn't even have the passwords by RoFLKOPTr · · Score: 1, Interesting

      (and spreadsheets aren't databases, you can't write SQL queries against them)

      A. Just because Excel isn't an SQL database doesn't mean it's not a database.

      B. Who says you can't write SQL queries against a spreadsheet? Give me 20 minutes and I can write up a simple program that will accept basic SQL input to modify an XLS file. Spreadsheets are simply tables, columns, and rows, after all... just like SQL databases.

    5. Re:They shouldn't even have the passwords by MichaelSmith · · Score: 3, Interesting

      (and spreadsheets aren't databases, you can't write SQL queries against them)

      I know. Where I work they would probably employ an intern to copy and paste passwords between the database and the spreadsheet because the database is complicated while everybody understands Excel. SQL has been pretty much replaced by the scripting and macro languages supported by Excel anyway.

    6. Re:They shouldn't even have the passwords by danlip · · Score: 1

      A. It doesn't have to be SQL, but there does have to be some sort of query language. I suppose I could have said "relational database". Just rows and columns does not make it a database. MS Word has tables too :-)

      B. Give me 20 minutes and I could too. I would probably find a lib that would load an Excel spreadsheet into a real database and run the query against that. Although a CSV file would be easier.

    7. Re:They shouldn't even have the passwords by RoFLKOPTr · · Score: 1

      So you're saying that an XLS file isn't a database. Then I say it is a database. Then you say it is a database but it's still not a database because just rows and columns does not make it a database. Well what DOES make something a database?

      According to Merriam-Webster, a database is "a usually large collection of data organized especially for rapid search and retrieval (as by a computer)." Based on that definition, how is an SQL database (which, you agree, could use a spreadsheet format for storing data) AT ALL different from a "spreadsheet"?

    8. Re:They shouldn't even have the passwords by danlip · · Score: 1

      According to Merriam-Webster, a database is "a usually large collection of data organized especially for rapid search and retrieval (as by a computer)." Based on that definition, how is an SQL database (which, you agree, could use a spreadsheet format for storing data) AT ALL different from a "spreadsheet"?

      The "rapid search and retrieval" part. Yes, you could store a database in any fricking format you want: XLS, CSV, even English text. But Excel (the software) does not support database functionality, e.g. queries, joins, etc. Databases are software and data, and a "real" database has auxiliary data as well (e.g. indices) to help with the "rapid search and retrieval" part.

    9. Re:They shouldn't even have the passwords by RoFLKOPTr · · Score: 1

      But Excel (the software) does not support database functionality, e.g. queries, joins, etc. Databases are software and data, and a "real" database has auxiliary data as well (e.g. indices) to help with the "rapid search and retrieval" part.

      No, Excel does not support SQL database functionality. Those are features of SQL, and are not requirements to meet the definition of "database". And no, databases are just bases of data; it would be a database "program" or "suite" or "system" that is the software and data mechanism.

      Spreadsheets have no indices? Columns and rows are indices. A column dedicated to an id (much like SQL databases) can be an index. Then you just CTRL+F to find what's in the id column, or CTRL+G (or something) to go to a certain row, and find exactly what you want... just like an SQL database. You lose.

      (I know this is an idiotic debate based solely upon semantics, but I am very very bored right now, so I will continue as long as you do.)

    10. Re:They shouldn't even have the passwords by Tanktalus · · Score: 1

      Excel is an SQL-queryable database.

      And when I hit "Reply to This", I was merely surmising it was possible to do, not that someone was dumb/bored enough to do it. Nearly 7 years ago, even.

    11. Re:They shouldn't even have the passwords by danlip · · Score: 1

      By your definition then, a dead-tree edition of the King James bible would qualify as a database. It's even indexed by book/chapter/verse. Anything that has information would be a database. It's not great for rapid search and retrieval, but neither is the manual Excel search you describe above.

      (and I am not bored enough to continue this discussion further)

    12. Re:They shouldn't even have the passwords by he-sk · · Score: 1

      The word you're looking for is (relational) database management system or RDBMS. You know, software that lets you manage and run queries against databases. Which could be Excel tables, if you're into that kind of stuff.

      --
      Free Manning, jail Obama.
    13. Re:They shouldn't even have the passwords by Anonymous Coward · · Score: 0

      (posting anonymously for obvious reasons)

      Using hashed passwords is standard practice, so that's what we did in one of our current web applications. But I was concerned about people trying to brute-force other users' passwords, so every failed login attempt was logged - complete with all the connection details, including the failed username and password parameters. I thought I was protecting our users, but what do you know... there were *many* more failed logins than I expected. And I inadvertently got to see all those passwords. A *lot* of people just automatically enter their work user names and passwords. Since the user name was an email address, I guess I've now got access to ~300 accounts on local universities and schools. I wouldn't dream of using this information; I hadn't even intended to collect it, but it was amazing to see how simple it is to get plain text passwords (not for our site, mind you). Imagine what treasure trove companies like Amazon or Google are sitting on right now...

    14. Re:They shouldn't even have the passwords by RoFLKOPTr · · Score: 1

      By your definition then, a dead-tree edition of the King James bible would qualify as a database. It's even indexed by book/chapter/verse. Anything that has information would be a database. It's not great for rapid search and retrieval, but neither is the manual Excel search you describe above.

      (and I am not bored enough to continue this discussion further)

      NOW you get it. Good job! Although, how come that excel search isn't great for rapid retrieval? It sure beats typing 'SELECT email FROM customer_db WHERE id = 25'... you just CTRL+G to row 25 and copy what's in the field you want. Sounds pretty rapid to me.

    15. Re:They shouldn't even have the passwords by AHuxley · · Score: 1

      When MI6, MI5, the Met or some task force calls, do they really want to call the white hat in from his/her home/holiday?
      They want a junior staff member with clearance to look up an IP and get that name. Why burn out your only real admin when it's just reading a warrant, looking up time and IP and filling in the needed info?
      Young admins in the UK only know MS.
      If they had skills, they would be working in the real world.

      --
      Domestic spying is now "Benign Information Gathering"
    16. Re:They shouldn't even have the passwords by nacturation · · Score: 1

      (and spreadsheets aren't databases, you can't write SQL queries against them)

      You realize there have been ODBC and JDBC drivers for Excel spreadsheets for many years now, right?

      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    17. Re:They shouldn't even have the passwords by casings · · Score: 1

      Understanding SQL isn't a requirement to be considered a database.

      In fact, spreadsheets are databases. Wikipedia refers to these as end-user databases.

      You are confusing the term database with an RDBMS or Relational Database Management System (and even that doesn't necessarily depend on the use of SQL).

    18. Re:They shouldn't even have the passwords by b4dc0d3r · · Score: 1

      omg. Crappy database server running on old hardware does not qualify as a database? I think you've dabbled in SQL and resent Excel junkies encroaching on your skillset.

      Excel has ODBC drivers, meaning you can do anything with Excel you can with Access, except primary/foreign keys. Yes, you can write SQL. Yes, you can join different tabs. You can even do triggers if you want to screw around with VBA, which Excel junkies are more than happy to do.

      http://support.microsoft.com/kb/195951
      http://support.microsoft.com/kb/178717
      http://support.microsoft.com/kb/141284

      And before you try it, know that the Excel driver is TERRIBLE. It makes assumptions about your data by scanning a set number of rows, instead of having column definitions. I have had to fake it by putting datetimes at the top of a column, so Excel doesn't think empty rows are text. Or the other way around, yielding import errors.

      But it does work as a database.

    19. Re:They shouldn't even have the passwords by mcgrew · · Score: 1

      spreadsheets aren't databases, you can't write SQL queries against them

      You can't write SQL queries against NOMAD tables either, but NOMAD is not a spreadsheet, it's a relational database for mainframes. NOMAD is actually my favorite. I absolutely HATE MS Access and used to like dBase for small datasets before it died. You couldn't run SQL queries against dBase, either -- there was no such thing as SQL at the time.

      You can't run SQL queries against a spreadsheet, but you CAN run queries on them (albeit very simple ones). That said, anyone who uses a spreadsheet for a database, even though you can, clearly doesn't know what he's doing. Where the GP works clearly has amateurs running things, but technically he's not incorrect.

  9. computer billing story by innocent_white_lamb · · Score: 5, Interesting

    I run a movie theatre and send and receive a lot of freight (film cans and advertising materials) by bus. I have an account with the provincial bus company so they send me a bill once per month containing all of the waybills for that month.
     
    This story goes back several years, as you will see.
     
    Originally, I got a monthly bill that consisted of a strip of adding machine paper stapled to an invoice that totalled up my waybills for the month. Then the bus company decided to modernize and send out bills printed by computer, which were apparently aggregated by having a computer in each bus depot send in each day's transactions by modem to a central computer that printed the monthly bills.
     
    For the next year and a half, I got bills for anywhere from $10 to $30/month, nowhere near the $600-plus that I usually spent on bus freight.
     
    18 months later I got a (manually generated) bill for $13,000.
     
    The bus company has since stayed with manually generated bills and has never tried to computerize that part of their operation again.

    --
    If you're a zombie and you know it, bite your friend!
    1. Re:computer billing story by DigiShaman · · Score: 1

      You did end up paying the bill, right?

      --
      Life is not for the lazy.
    2. Re:computer billing story by Anonymous Coward · · Score: 0

      This story goes back several years, as you will see.

      I wore an onion on my belt... which was the style at the time... you couldn't get those white ones, you could only get those big yellow ones.

    3. Re:computer billing story by geekoid · · Score: 1

      The moral of the story is:

      When someone implements a crappy system, it can affect that company and its customers for years afterwards.

      Really, there is no reason not to modernize this shit.

      --
      The Kruger Dunning effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    4. Re:computer billing story by innocent_white_lamb · · Score: 1

      I did indeed pay the bill, but since that glitch affected all of the bus line's charge-account customers, they needed a (larger than usual) subsidy from the provincial government to keep operating.
       
      And I have always wondered how many of their charge-account customers went out of business or otherwise disappeared before they realized what was going on and sent out the big bills for 18 months of service.
       
      With all of the associated issues that come from deferred revenue: Extra interest on operating loans, lost revenue from deposit interest, and so on.
       
      I'm sure it cost them a ton of money, even if all of the outstanding bills were ultimately collected, which I doubt.

      --
      If you're a zombie and you know it, bite your friend!
    5. Re:computer billing story by innocent_white_lamb · · Score: 1

      I suspect that the experience has simply scared them away from trying anything like that again. They probably lost a ton of money due to unpaid bills, lost deposit interest and disappearing customers so they retreated to a system that's worked fine for years and continue to use it.
       
      Frankly, I can't find too much fault with that reasoning. Waybills get written out by ghawd-knows-who at a bus depot way out on the back 40, and it may be too much to expect a relatively uneducated minimum-wage part-time employee on a remote northern outpost to operate a computer so that the proper reports get sent in to the head office.
       
      They have a manual system that works and has worked since about 1932, and their attempt to "modernize" was nothing short of a disaster.
       
      It's possible that the system worked perfectly, if it wasn't for those pesky users...

      --
      If you're a zombie and you know it, bite your friend!
    6. Re:computer billing story by fishbowl · · Score: 1

      They lost the time value of the revenue over 18 months. If you were smart, and anticipated it, you paid the debt *and* collected interest.

      --
      -fb Everything not expressly forbidden is now mandatory.
    7. Re:computer billing story by innocent_white_lamb · · Score: 1

      Yer damn tootin', toots!
       
      I'm sure that businesses took full advantage of not having to pay for services for 18 months (and many probably didn't even notice).
       
      Again, though, I'm also sure that several of them vanished before the bill ultimately showed up.
       
      So the final cost to the bus company likely exceeds the "time value" by some large amount.

      --
      If you're a zombie and you know it, bite your friend!
    8. Re:computer billing story by Anonymous Coward · · Score: 0

      Just grab Torrents instead of shipping film cans...much cheaper!

    9. Re:computer billing story by mpe · · Score: 1

      I run a movie theatre and send and receive a lot of freight (film cans and advertising materials) by bus. I have an account with the provincial bus company so they send me a bill once per month containing all of the waybills for that month. This story goes back several years, as you will see.
      Originally, I got a monthly bill that consisted of a strip of adding machine paper stapled to an invoice that totalled up my waybills for the month. Then the bus company decided to modernize and send out bills printed by computer, which were apparently aggregated by having a computer in each bus depot send in each day's transactions by modem to a central computer that printed the monthly bills.
      For the next year and a half, I got bills for anywhere from $10 to $30/month, nowhere near the $600-plus that I usually spent on bus freight.
      18 months later I got a (manually generated) bill for $13,000.
      The bus company has since stayed with manually generated bills and has never tried to computerize that part of their operation again.


      This may have been a while ago, but it still appears to follow the "modern" idea of buying lots of hardware and software then trying to do something useful with it.
      As opposed to the old fashioned approach of "systems analysis".

  10. Re:Meanwhile ... at Demon Internet Corporate Offic by moon3 · · Score: 3, Funny

    If they follow evil corporation best practices manual -- they obviously do so, then I doubt that.

  11. I'm glad by Grimnir512 · · Score: 1

    I'm glad we switched away from Demon near the start of this year. >_

  12. And this is partly why I refused eBilling by PipingSnail · · Score: 4, Interesting

    Demon wanted all customers to take up eBilling several years ago. You had to opt out of eBilling. I opted out because I wanted a printed invoice to give to the accountants and because I thought sooner or later some cockup like this would happen. My choice has been vindicated. And no, I won't be looking for another vendor. Demon are more expensive than other vendors, but other than the eBilling foul-up, they are generally good and have no bandwidth restrictions or upper limits at all. And that is what I want.

    1. Re:And this is partly why I refused eBilling by VisualD · · Score: 2, Interesting

      I'm assuming you're on one of the business rates? I ask because I'm on HomeOffice 2+ (have been with Demon for a good 8 years now) and have a cap of 60GB per rolling 30 day period. I've been capped to 128kbps twice now, so I rang for my MAC code thinking I might try Be, and they offered me Demon Business 2+ Pro for £30 a month, which apparently is a no limits service. Would be nice to get your impressions of the service before committing to a 12 month contract, if you have the time :) BTW, I also opted out of e-billing at the time, for very similar apprehensions; it is nice to be vindicated.

    2. Re:And this is partly why I refused eBilling by RoFLKOPTr · · Score: 1

      Are you guys sure that only the eBilling customers are the ones on that spreadsheet? Maybe I missed something in the article, but I'm willing to bet that all customers are on it.

    3. Re:And this is partly why I refused eBilling by rossi · · Score: 1

      I'm sure Demon hit the 100,000 user mark some time ago, so 3,600 is a very small amount of people. Would be nice to get an email from Demon to confirm if you are on the list or not and force password changes for everyone who got compromised. But keeping on track... I also opted out of eBilling as I wanted a paper bill sent to me each month.

      --
      I want to meet the guy who invented beer and see whats he's up to now.
  13. Someone had better lose their job. by olsmeister · · Score: 5, Insightful

    Hard to believe that anyone in that type of position working for an ISP could be so careless. If anyone should know better, they should.
    I'd be curious to know if the passwords that were lost are ISP-assigned gibberish passwords, or user selected ones.
    If they are passwords selected by the users, look out. Too many people use the same passwords for many or all of their accounts.

    1. Re:Someone had better lose their job. by ZekoMal · · Score: 2, Interesting

      Apparently you've never worked at an office. A bulk of computer complaints at such corporations tends to be from a combination of boredom and stupidity. Frankly, it's amazing that the entire world hasn't collapsed given the sheer number of "why can't I watch porn on our secure network??!!!11!!" type of inquiries; now imagine the same average cubicle corp running your internet.

    2. Re:Someone had better lose their job. by fishbowl · · Score: 1

      > Apparently you've never worked at an office.

      I've worked in an office where you get fired for doing stupid things. In particular, I've worked at an ISP where I'd be the one firing you for doing this particular stupid thing.

      --
      -fb Everything not expressly forbidden is now mandatory.
    3. Re:Someone had better lose their job. by jimicus · · Score: 1

      I've worked in an office where you get fired for doing stupid things. In particular, I've worked at an ISP where I'd be the one firing you for doing this particular stupid thing.

      Then you haven't worked anywhere in Europe. Save for a few things (e.g. gross misconduct), you can't sack somebody with zero notice and zero warnings.

      You could argue that this comes under the heading of gross negligence, which may be something you can be summarily sacked for, but then the question arises - who was grossly negligent? The person who sent out such a spreadsheet or the person who specified a system which allowed such a spreadsheet to exist?

      Things get even more complicated if after such a system comes into play, one or more people raise concerns about it with management.

    4. Re:Someone had better lose their job. by L4t3r4lu5 · · Score: 1

      I use one password for all of my accounts. It opens my Keepass store.

      It's not a simple password.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    5. Re:Someone had better lose their job. by Anonymous Coward · · Score: 0

      Demon use the same passwords for your email account as logon so plenty of email snooping is probably going on right now.

    6. Re:Someone had better lose their job. by Anonymous Coward · · Score: 0

      Actually, it's easy to believe someone could be that careless. It happens all the time.

      What I can't believe is that there is a single unencrypted spreadsheet file somewhere -- ANYWHERE -- that apparently contains all of the passwords for their user billing accounts in plain text. Something like that shouldn't exist. The mailout was only the finale of a big series of serious mistakes that we would never have known about otherwise.

      I can understand mistakenly sending out the wrong attachment. It happens. But why in heck was such a file compiled together in the first place and left lying around unencrypted? They're going to scold whoever sent it out, but whoever made it and started passing the file around should be fired too.

  14. This is Epic by surfdaddy · · Score: 1

    ...the country that has cameras on every corner is now sending accounts/passwords to everybody!!?? WTF? Sounds like the ISP has some major process issues; just like putting software into production, you need to have a couple of approval points to prevent this sort of thing.

  15. Re:Meanwhile ... at Demon Internet Corporate Offic by keytoe · · Score: 3, Funny

    Demon Internet Yesman 2: Uh, um .... SPLUNGE!
    Demon Internet CEO: What does splunge mean?
    Demon Internet Yesman 2: It means it's a great idea, but possibly not, and I'm not being indecisive!
    Demon Internet CEO: GOOD!

  16. Re:Meanwhile ... at Demon Internet Corporate Offic by girlintraining · · Score: 2, Funny

    Six months later, the Demon Internet CEO is replaced with the Fluffy Bunny CEO, after a sexual harassment lawsuit is filed by half of the board of directors. Fluffy Bunny commits to network neutrality, and cheap, high speed internet access for all. Demon Internet CEO seen a short while after the trial on the corner wearing black boy shorts and a bow tie as the newest strawberry in the unemployment line. Fluffy Bunny calls Sally into the office, makes her the new head network administrator, and she installs linux on everything, saving the company a fortune. And since this wouldn't be slashdot without some kind of sexual commentary -- Sally also sets up her own dungeon between several racks of blade servers, a webcam, and begins posting her payback sessions to fund some much-needed hardware upgrades. :P

    --
    #fuckbeta #iamslashdot #dicemustdie
  17. Looking forward by vrmlguy · · Score: 4, Interesting

    I think that we should start putting fictitious information (something blob-like, like a customer name) into sensitive databases that matches one or more virus signatures. This would cause email filters to block the content before it leaves the premises. (Yes, I realize that we'd need to be filtering out-going mail, but unless you're a spam generator, that's a small fraction of your incoming email. Some of us are already doing this, although not for this reason.)

    --
    Nothing for 6-digit uids?
    1. Re:Looking forward by dissy · · Score: 1

      That is going to be _awesome_ once the local antivirus program deletes it off a system with stale exception lists :D

    2. Re:Looking forward by sandmtyh · · Score: 1

      something easy like X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* should do the trick

    3. Re:Looking forward by flyingfsck · · Score: 1

      X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
  18. Re:Meanwhile ... at Demon Internet Corporate Offic by Reason58 · · Score: 5, Funny

    Six months later, the Demon Internet CEO is replaced with the Fluffy Bunny CEO, after a sexual harassment lawsuit is filed by half of the board of directors. Fluffy Bunny commits to network neutrality, and cheap, high speed internet access for all. Demon Internet CEO seen a short while after the trial on the corner wearing black boy shorts and a bow tie as the newest strawberry in the unemployment line. Fluffy Bunny calls Sally into the office, makes her the new head network administrator, and she installs linux on everything, saving the company a fortune. And since this wouldn't be slashdot without some kind of sexual commentary -- Sally also sets up her own dungeon between several racks of blade servers, a webcam, and begins posting her payback sessions to fund some much-needed hardware upgrades. :P

    The stories are funnier when they are fictitious, Sally.

  19. no biggie by bugs2squash · · Score: 1

    just choose recall this message from the actions menu and the damage will be undone.

    --
    Nullius in verba
  20. Re:Meanwhile ... at Demon Internet Corporate Offic by eldavojohn · · Score: 5, Funny

    Great, I just got diabetes and an erection from reading your post.

    "Too good to be true" says the empty bottle of Three Philosophers Quadruple sitting next to me.

    --
    My work here is dung.
  21. Oops? by Anonymous Coward · · Score: 0

    my bad.

  22. That's too bad by dave562 · · Score: 1

    My very first email address was on a ...demon.co.uk host, back in the early 1990s.

  23. Another reason... by SlashDev · · Score: 2, Informative

    ... why emails originating from ISPs should be audited first, then approved / denied.

    --
    TOP DSLR Cameras Reviews of the top DSLRs
  24. Re:Meanwhile ... at Demon Internet Corporate Offic by Anonymous Coward · · Score: 0

    Where was Demon Internet Noman?

  25. My experience of the same thing... by w0mprat · · Score: 4, Interesting
    I ROFLd very hard at this. Now who hasn't heard of something like this happening or been in a work place where this has happened? Of all the security measures companies fret over these days they fail to recognise the threat of abject stupidity.

    Yes, some asshat will accidentally forward whatever. How this occurs is demonstrated by my example below (I witnessed this, details altered). I've seen co-workers make this mistake, and I've been a customer when the same fault happened and I got sent a 700kb spreadsheet of confidential information. But anyway, here is the two-step method to epic fail:

    Step 1: Email staff with a template for them to send, and attach a spreadsheet of the customers

    -----Original Message-----
    From: Bob Smart [mailto: Bob.Smart@[-------].co.--]
    Sent: Thursday, 23 September 2008 10:53
    To: [-------] Outbound Contact Team
    Subject: FW: eBill template


    Hi Team,

    Please send this template below to all customers in the attached spreadsheet. You three can divide the work amongst yourselves.

    >

    Dear customer-name-here,

    [etc..]

    .....

    Step 2: Your keyboard jockeys forward the email, delete the header and the boss's message, and insert the customer details into the template. Send. Boom. Done.

    By default, forwarding in pretty much all mail applications keeps the attachment.

    I'm sure this is the principal way documents are leaked from just about any organisation.

    --
    After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
    1. Re:My experience of the same thing... by Ronald+Dumsfeld · · Score: 5, Funny

      I ROFLd very hard at this. Now who hasn't heard of something like this happening or been in a work place where this has happened? Of all the security measures companies fret over these days they fail to recognise the threat of abject stupidity.

      Many moons ago, I was told a tale about sending out mass mailings, not this "slip of the mouse" email stuff.

      The bank's marketing and finance guys have come up with this glossy brochure of stuff for their top customers, based on something like highest 5% balance holders. There's a letter drafted to accompany the brochure, it just remains to do the little personalising touches for the final run.

      Someone forgets to replace the output placeholder with the salutation generation program that'll even spew out "Dear Sir Whimsey-Porpoise".

      The final letters are printed, enveloped, and mailed. The salutation from the placeholder piece of code? "Dear Rich Bastard,".

      --
      Where's the Kaboom?
      There's supposed to be an Earth-shattering Kaboom.
    2. Re:My experience of the same thing... by Anonymous Coward · · Score: 0

      This is why when any moron half-witted manager asks me for a report or a dump of user data I ALWAYS encrypt the file or zip and password-protect it.
      If nothing else I know the weak link between two dumbasses asking for stuff they half understand doesn't accidentally forward it.

      Hell, I had one manager using a "fake" password to test an email reset to a sensitive system that generates a one time password for you. He didn't see any problem sending it to some domain he figured wasn't real, so nobody gets it. I had to "kindly" explain that @test.com actually goes somewhere!

    3. Re:My experience of the same thing... by Anonymous Coward · · Score: 0

      Who the fuck would do something like that by hand??
      Export the Excel data to text, write a perl script that uses mutt/mail/pine/whatever to send the stuff out and go to the pub.
      I mean, we are talking about an ISP here...

    4. Re:My experience of the same thing... by Kalriath · · Score: 1

      That's old. And it's probably an urban legend, as it's usually a charity emailing or sending letters to their biggest donors.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    5. Re:My experience of the same thing... by 7+digits · · Score: 3, Insightful

      Snopes says it is true.

      I also like the idea of Wells Fargo sending this to customers:

      You owe your soul to the company store. Why not owe your home to Wells Fargo? An equity advantage loan can help you spend what would have been your children's inheritance.

    6. Re:My experience of the same thing... by symbolic · · Score: 1

      Many moons ago I used to work in the credit industry. On the evening shift things would get kind of slow, so we'd find ways to keep ourselves occupied. One such activity was doing lookups on names you know couldn't exist - and it was damn funny when they actually did. I could just see typing in the name "Bastard" and seeing a response, "Bastard, Richard M. .... "

    7. Re:My experience of the same thing... by Kalriath · · Score: 2, Funny

      I actually prefer this bit:

      An interesting element not generally related as part of this story just goes to prove you can never please everyone: The little UK firm responsible for the gaffe received a complaint from a potential customer who felt himself qualified to be a rich bastard yet had not received the letter he deemed appropriate to his station in life.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    8. Re:My experience of the same thing... by mysidia · · Score: 1

      Suggestion: filter outgoing .DOCX, .DOC, .XLSX, .XLS, .PPT, etc. attachments to outside addresses.

      1. Make it policy not to e-mail any Word documents, always place it in a .ZIP file.
      2. ???
      3. Profit
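
An added illustration of two suggestions in this thread, vrmlguy's canary row (a field value matching a public scanner test signature so the gateway stops the file) and mysidia's rule of blocking Office attachments addressed outside the company; this is not code from Demon or from any poster, and the internal domain, suffix list and sample message are all constructed here. The check also unpacks zip containers, since .xlsx is zipped XML and a canary in a cell would otherwise be hidden by compression.

```python
"""
Outbound attachment policy check: added illustration of vrmlguy's canary row
and mysidia's block-Office-attachments-to-outsiders rule. Not code from Demon
or from any poster; INTERNAL_DOMAIN, BLOCKED_SUFFIXES and the sample message
are constructed assumptions.
"""
import io
import zipfile
from email.message import EmailMessage

# Assumed internal domain; any other recipient domain counts as outside.
INTERNAL_DOMAIN = "example-isp.invalid"

# Attachment types mysidia proposes to stop at the gateway.
BLOCKED_SUFFIXES = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")

# The two public scanner test strings quoted in the thread.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
GTUBE = b"XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
CANARIES = (EICAR, GTUBE)


def _texts_in(payload: bytes):
    """Yield the raw payload and, when it is a zip container, each member's
    decompressed bytes. .xlsx/.docx are zipped XML, so a canary sitting in a
    spreadsheet cell is deflate-compressed inside xl/sharedStrings.xml and a
    substring test on the raw attachment alone would miss it."""
    yield payload
    if payload.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for name in zf.namelist():
                    yield zf.read(name)
        except zipfile.BadZipFile:
            pass


def _recipients(msg: EmailMessage) -> list:
    addrs = []
    for header in ("To", "Cc"):
        if msg[header] is not None:
            addrs.extend(a.addr_spec for a in msg[header].addresses)
    return addrs


def check_outbound(msg: EmailMessage) -> list:
    """Return (filename, reason) findings; an empty list means the mail may go."""
    external = [a for a in _recipients(msg)
                if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if external and name.lower().endswith(BLOCKED_SUFFIXES):
            findings.append((name, "office document to outside address " + external[0]))
        for chunk in _texts_in(payload):
            hit = next((c for c in CANARIES if c in chunk), None)
            if hit is not None:
                findings.append((name, "canary record present: " + hit[:20].decode()))
                break  # one canary finding per attachment is enough
    return findings


def make_xlsx_like(cell_text: str) -> bytes:
    """Constructed stand-in for an .xlsx: a zip whose sharedStrings part holds
    the cell text, which is where a canary customer name would end up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/sharedStrings.xml",
                    "<sst><si><t>%s</t></si></sst>" % cell_text)
    return buf.getvalue()


def build_sample(to_addr: str, attach_name: str, payload: bytes) -> EmailMessage:
    """Constructed sample of the 'eBill template' mail with a file attached."""
    msg = EmailMessage()
    msg["From"] = "billing@" + INTERNAL_DOMAIN
    msg["To"] = to_addr
    msg["Subject"] = "FW: eBill template"
    msg.set_content("Dear customer-name-here, ...")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=attach_name)
    return msg


if __name__ == "__main__":
    customers = make_xlsx_like("Canary Row " + EICAR.decode())
    print(check_outbound(build_sample("someone@outside.invalid", "customers.xlsx", customers)))
    print(check_outbound(build_sample("colleague@" + INTERNAL_DOMAIN, "notes.txt", b"hello")))
```

A real gateway would additionally hand the unpacked members to the antivirus engine; here the canary test is the stand-in for that step.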
    9. Re:My experience of the same thing... by trajik2600 · · Score: 1

      I'm sure this is the principal way documents are leaked from just about any organisation.

      I had a coworker that forwarded our pricing worksheet to a customer once. It basically explained how we come up with our prices, and exactly where they could squeeze us. We're a pretty big company, and that would be a pretty damaging document to leak, especially if the customer wasn't honest and decided to leak it themselves. I worked third shift, and walked in to see all of her personal items in a box. She wasn't allowed in the next day.

    10. Re:My experience of the same thing... by mcgrew · · Score: 1

      The Attorney General of Michigan (iirc) was (or is) named Mike Hunt. I can't find him in Wikipedia, but there is a football player by that name listed.

    11. Re:My experience of the same thing... by St.Creed · · Score: 1

      A co-worker of mine put this type of information on his blog. We mainly deal with corporations as customers so it was quite damaging. He was fired on the spot and his picture posted with the guards.

      This was in The Netherlands, where you are very well-protected from randomly being fired. But he didn't have a chance.

      --
      Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)
  26. Cleartext Passwords? Really? by algae · · Score: 2, Insightful

    The real WTF is that all those passwords were in the clear. What the hell business does anyone have these days, doing anything more than storing a one-way hash?

    --
    Causation can cause correlation
  27. Why is this even available? by Anonymous Coward · · Score: 2, Interesting

    I realize most people don't use negabases or other things that would prevent marketing twats from getting their filthy grubby hands on information--but why was there a password field even available to anybody to start with?

    Four years ago I inherited an application with plaintext passwords. Yes, it took me *two years* to fix it because of other even worse problems--but it was fixed in the end (SHA1, salted per user in the front and tail).

    Our support team bitched and moaned that they could no longer troubleshoot problems by looking up the user's password to login as them--then moaned even louder when I took away their database access entirely (I would have done that *first* if I could have gotten away with it). Now they log in as an admin and switch to a "user view" where they can't break anything without clicking an "edit account" button, and have read-only access to some predefined views on the database they can't edit. No more worrying about IT writing to my database or starting transactions they don't finish. No more tools playing with SQL on their lunch hour taking down production by dropping the wrong table... Best practices exist for a reason. Because sooner or later you grow, and the new guys don't get properly indoctrinated and do something stupid.

    Our old support team staff wouldn't even be able to find the password column in the account table anymore--because it *doesn't exist*. It's basically a "passwordImage" table joined on accountids, with permissions set on the entire table such that only the authenticator service can read it.

    For a company with an actual budget--it just seems inexcusable that plaintext passwords could be made available, much less were given to somebody who was foolish enough to let it leave a terminal.

    When will people be held accountable for their complete absence of best practices and willful ignorance?
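
An added illustration of the design the post above describes (no password column in the account table, a separate password-image table joined on account id, readable only by the authenticator); this is not the poster's code. It assumes SQLite as the database, which has no GRANT, so the authenticator-only rule is shown as a read-only support view rather than a table permission, and it swaps the post's per-user salted SHA1 for PBKDF2-HMAC-SHA256.

```python
"""
Password image held apart from the account row. Added example, not the
poster's application; SQLite and the PBKDF2 cost setting are assumptions,
and PBKDF2-HMAC-SHA256 deliberately replaces the post's salted SHA1.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumed work factor

SCHEMA = """
CREATE TABLE account (
    account_id INTEGER PRIMARY KEY,
    username   TEXT UNIQUE NOT NULL,
    email      TEXT NOT NULL
);
-- The only place a password image lives; one row per account.
CREATE TABLE password_image (
    account_id INTEGER PRIMARY KEY REFERENCES account(account_id),
    salt       BLOB NOT NULL,
    image      BLOB NOT NULL,
    rounds     INTEGER NOT NULL
);
-- What support staff are given: the join deliberately omits password_image.
-- In a server database this view would be the only object they are granted.
CREATE VIEW support_account AS
    SELECT account_id, username, email FROM account;
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _image(password: str, salt: bytes, rounds: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def create_account(conn, username: str, email: str, password: str) -> int:
    cur = conn.execute("INSERT INTO account(username, email) VALUES (?, ?)",
                       (username, email))
    account_id = cur.lastrowid
    salt = os.urandom(16)  # per-user random salt, as the post requires
    conn.execute("INSERT INTO password_image VALUES (?, ?, ?, ?)",
                 (account_id, salt, _image(password, salt, PBKDF2_ROUNDS), PBKDF2_ROUNDS))
    conn.commit()
    return account_id


def authenticate(conn, username: str, password: str) -> bool:
    """The authenticator service is the one reader of password_image."""
    row = conn.execute(
        "SELECT p.salt, p.image, p.rounds FROM account a "
        "JOIN password_image p USING (account_id) WHERE a.username = ?",
        (username,)).fetchone()
    if row is None:
        # Burn the same cost for unknown users so timing does not reveal
        # which usernames exist.
        _image(password, b"\0" * 16, PBKDF2_ROUNDS)
        return False
    salt, image, rounds = row
    return hmac.compare_digest(_image(password, salt, rounds), image)


def support_lookup(conn, username: str):
    """The support 'user view': account details, no password, no way to get one."""
    return conn.execute(
        "SELECT account_id, username, email FROM support_account WHERE username = ?",
        (username,)).fetchone()


def columns_of(conn, relation: str) -> list:
    """Column names of a table or view, to show no password column exists."""
    return [row[1] for row in conn.execute("PRAGMA table_info(%s)" % relation)]


if __name__ == "__main__":
    db = open_db()
    create_account(db, "jumpin_jon", "jon@example.invalid", "correct horse")
    print(authenticate(db, "jumpin_jon", "correct horse"), authenticate(db, "jumpin_jon", "guess"))
    print(support_lookup(db, "jumpin_jon"), columns_of(db, "account"))
```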

  28. Sadly The market is the Problem by omb · · Score: 1

    Demon used to be the best British ISP, but they got too big and were bought out and are now owned by Thus PLC (nee Scottish Telecom) which is a clueless PHB, marketeer run POS.

    The problem in the UK, unlike Switzerland, I operate in both, is that the UK only has copper local (last mile) loop. Here we have fiber and copper 'im haus' which means that ISPs can form Internet+TV+Phone at reasonable price. Off peak I see 100mB down + 10 gB up with DTV and phone. Reliability is excellent.

    I use Cablecom (CH) and Tiscali Business (UK), and once I got Tiscali up and configured for Linux (hard work, support sucks) it has been quick, >8mB and reliable.

    The funniest problem, but part of the hell of using multiple ISPs for mail, is that their SMTP mail acceptor doesn't understand the RFC for domain names and rejects those ending in '.' so First.Last@foo.bar. is rejected, but Cablecom requires the trailing '.'.

  29. Really! by joggle · · Score: 3, Interesting

    This reminds me of when I was hired to do some maintenance on a small fantasy racing team website. The website seemed pretty well implemented and the database seemed reasonable. I then took a look at the account info table and was horrified to find that everything was stored in plain text, passwords, real names, user names, CC numbers, addresses, etc. I'm not exactly a database/web guru, but come on! How hard is it to use md5() to store passwords?? And I don't like the idea of some random guy (me in this case) being entrusted with everyone's credit info. There has to be a better way.

    I learned my lesson though. I will never pass my credit info to a small-time website. To think that a fairly large ISP would be this stupid in the year 2009 is mind boggling.

    1. Re:Really! by Kalriath · · Score: 2, Insightful

      Credit Card info? That's a violation of PCI DSS right there along the lines of the great Web Hosting Talk fuck-up of last year. You can be fined millions for that.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    2. Re:Really! by Alpha830RulZ · · Score: 1

      PCI DSS isn't a law, it's a set of standards that the card industry wants you to follow if you're going to handle credit cards. There are no fines, you just lose your right to do CC business if you can't pass the audit. And the audits aren't perfect.

      --
      I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
    3. Re:Really! by Anonymous Coward · · Score: 0

      This is why a number of credit card providers have one-time-use numbers. Depending on your provider, you can log in to their webpage, generate a number that's only good for a single transaction, and use it. Then it doesn't matter if the database in plaintext or not.

    4. Re:Really! by Kalriath · · Score: 1

      Actually, in many places it is law to follow PCI DSS if handling credit card information - off the top of my head, California, Nevada and Minnesota require it. Other states and countries may also.

      And there are fines. Massive fines. And since you signed a merchant agreement, you agreed to a dead tree contract saying that you'll pay them if you ever get caught violating the standards.

      PCI DSS is in no way optional.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    5. Re:Really! by Alpha830RulZ · · Score: 1

      Um, you, sir, are ignorant of what really happens. And of the content of the contracts.

      --
      I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
    6. Re:Really! by Kalriath · · Score: 1

      Actually, I've read a Merchant Agreement as part of a cost-benefit analysis of outsourcing my e-commerce functions. This month even. You are the ignorant one.

      Noting of course that the fines only occur if there's an actual breach (which if you store card numbers in the clear is virtually guaranteed to happen) - a failed audit on its own is not sufficient to get you big numbers in fines.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
    7. Re:Really! by Alpha830RulZ · · Score: 1

      Dude, a fine is something that happens as a result of a government action. You are discussing contractual penalties. Which are only assessed in the context of a lawsuit. Which requires an issuer to sue you, and you to lose.

      PCI DSS is a contractual obligation between the people who take credit cards and the companies who manage the CC business. You aren't bound by it, until you sign an agreement. Which is negotiable, if you're big enough.

      --
      I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
    8. Re:Really! by Kalriath · · Score: 1

      Actually, a "fine" is not something that happens as a result of government action at all. According to Oxford it's a sum of money exacted as a penalty by a court of law or other authority. Note the "or other authority" (which doesn't necessarily have to be government).

      They also wouldn't have to sue you, since you signed a contract saying exactly what happens if you screw up. It's not necessary to sue someone to enforce a contract (although suing can certainly resolve it if one party decides to get argumentative).

      Oh, and PCI DSS is not negotiable, no matter how big you are. In fact, it gets harder to comply with the larger you get.

      --
      For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
  30. Anyone else with horror stories with Demon? by Fredde87 · · Score: 4, Informative

    I would love to see Demon crash and burn. The most horrible company to deal with. We run a lot of our customers' email and domains. We used to buy the domains through Demon, then one month they forgot to send us a renewal bill for one of our many domains. Instead of calling us or emailing us like a normal company to check why we hadn't paid they decided to suspend all of our domains for this one outstanding bill. We finally got the missing bill in the post a few days later, dated the same day that they suspended all of our accounts. Then the same thing happened a second time a few weeks later. Obviously after the first time we asked them to double check that there were no more outstanding bills we hadn't received and they assured us that we were all up to date. Turned out they missed one of our accounts when they checked.

    Awful company to deal with in general; any DNS changes to a domain have to be done via fax on a letter with the company's header. Seriously? A large ISP like Demon can't make DNS changes over the phone/email or even have a management site online where the customer can change this? Of course they refused to give us our AuthInfo codes when we requested them. They said we could not get them for 6 months as we had just bought the domains. Turned out that when they "suspended" our domains they actually just cancelled all of them and then put them through as new orders to reactivate them. Finally got the AuthInfo code but had to put through the cancellation first, which was scary to do as I had a feeling they were just going to cancel it and give us the AuthInfo code at the same time as they removed all our DNS records from their NS server. Luckily the move went through smoothly.

    Now with Zen and 1&1, which in comparison are top notch. All of this for a stupid outstanding amount of £12 renewal fee for 1 domain. Our customers ended up having 3 days of no emails or web services. Thank you and goodbye Demon!

    1. Re:Anyone else with horror stories with Demon? by Alpha830RulZ · · Score: 1

      any DNS changes to a domain has to be done via fax on a letter with the company's header.

      While I can understand that this is a royal pain in the Ass, it's also a fairly good procedure. Faxes have the sending phone number on them usually, which is a decent validation component. The letterhead is another decent step, assuming they compare it to something on file. I don't think you want people changing your routing just based on a phone call without more identification somehow. These are exactly the steps that a malevolent user might find too challenging to bother with.

      --
      I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
    2. Re:Anyone else with horror stories with Demon? by nOw2 · · Score: 1

      Anyone else with horror stories with Demon?

      No. One of the better ISPs.

      Anyway, I suspect the problem here is NOT Demon but their eBilling provider.

    3. Re:Anyone else with horror stories with Demon? by W3bbo · · Score: 1

      I quit them over the 'Virgin Killers' debacle of 2008 (this wasn't the first time I had issues with their IWF implementation either), and like so many other customers I have issues with their customer support department. I wrote it up here: http://www.w3bbo.com/demonsucks.htm.

      It's a shame, because their network is actually alright, I didn't get that much downtime and had no limits or caps for what I felt was a reasonable monthly fee (I was on their HomeOffice 8000 plan, the one with the static IP address).

    4. Re:Anyone else with horror stories with Demon? by Fredde87 · · Score: 1

      Yes, I agree that fax is a secure way but there are multiple other secure ways to do this. A web portal would be extremely useful and reduce their support costs massively by allowing the users to do the changes themselves. Or at least give the power to their phone support technician to make changes if the caller answers a few security questions correctly. These options are just as secure if not more secure than a fax. Your number can easily be hidden on a fax and it is not hard to get a company header! We send out loads of letters every day with our company header. Someone could easily scan it and change the contents. I could do it in 5 minutes to fake a letter from any big company like Microsoft.

    5. Re:Anyone else with horror stories with Demon? by Jumpin'+Jon · · Score: 1

      I left Demon some years ago. I contacted them to inform them of a security problem I'd stumbled across - my FTP client had decided to head out and look ahead and cache some folders, however what I soon realised was, it'd stepped up a level from my own slice of hosting space and had walked down into a large number of other folders which were for other customers. When you FTPd to Demon at that time, you found yourself in a sub folder named something like ftp.demon.net/hosting/ftp/j/ju/jumpin_jon. I realised that the tree of folders was expanded from the /ftp/.. folder down into numerous others - and not just the top-level, where it should have been denied.. oh no, into people's webroots and beyond.

I called Demon and asked to be put through to the head tech guy at the time (Malcolm Muer or somesuch??) who basically told me to mind my own business. I explained further that I had accidentally strayed into other people's webspace, which he understood, but insisted this was not their problem. His explanation was, if people had removed the security from their folders, that was not Demon's lookout.

I headed to another ISP and discovered that Demon's services had been piss-poor all those years - that leased lines actually didn't drop many times per day; that DNS changes didn't have to take days to get actioned - often they never got done until a second or third attempt.

      Rubbish!

      Goodbye Demon - you were once mighty, but no longer.

  31. Notice the words carefully... by freedom_india · · Score: 3, Insightful

    ...when a corporate is involved it always is a MISTAKE.
    When an individual hacker exposes weak security, he is a terrorist.
    Wow!
    Talk about double standards.
    Why can't the corporate be sued on SAME grounds like hackers?

    --
    "Doing what i can, with what i have." ~ Burt Gummer
    1. Re:Notice the words carefully... by geekoid · · Score: 3, Informative

      intent.

      A hacker didn't accidentally get into a system,

      --
The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    2. Re:Notice the words carefully... by Anonymous Coward · · Score: 0

      FYI, the word "corporate" is an adjective, not a noun. There is no such thing as "a corporate". I think you mean "a corporation" or "a corporate entity".

    3. Re:Notice the words carefully... by shirotakaaki · · Score: 1

      How do you know? Those hackers are crafty terrorists!

    4. Re:Notice the words carefully... by fishbowl · · Score: 2, Funny

      "...when a corporate is involved it always is a MISTAKE.
      When an individual hacker exposes weak security, he is a terrorist."

      Solution: Instead of being an individual hacker, form a security corporation.

      --
      -fb Everything not expressly forbidden is now mandatory.
    5. Re:Notice the words carefully... by Sockatume · · Score: 1

      Exposing your own weak security is a mistake. Exposing someone else's is what gets hackles up. If Demon had accidentally emailed out BT's customer details you can bet there'd be hell to pay.

      --
      No kidding!!! What do you say at this point?
    6. Re:Notice the words carefully... by freedom_india · · Score: 1

I don't know why you were modded as Funny.
It's actually most insightful.

      --
      "Doing what i can, with what i have." ~ Burt Gummer
    7. Re:Notice the words carefully... by mcgrew · · Score: 1

      I wondered the same thing when my daughter infected my computer with XCP (the Sony rootkit). If I used a trojan to introduce a rootkit to one of their computers, I'd go to prison. Why isn't anybody from Sony in prison for that awful piece of malware?

    8. Re:Notice the words carefully... by mcgrew · · Score: 1

      Sony's XCP trojan rootkit didn't accidentally get into mine. They intended to plant this trojan on every computer legally purchased music CDs were inserted into. Why is nobody in prison over that?

      Because Sony is a corporation.

    9. Re:Notice the words carefully... by freedom_india · · Score: 1

      Corporations are the new Royalty.
      They are above law.
      They can commit crimes, but cannot be sent to prison BECAUSE their diffuse nature and virtual human being bullshit prevents the cops from cuffing and dragging their CEO through streets.
      Best way to counter them is to file a child assault case against them for exposing in front of your daughter wilfully.

      --
      "Doing what i can, with what i have." ~ Burt Gummer
  32. Passwords are needed - CHAP by mortonda · · Score: 4, Informative

I can't believe this still happens. They shouldn't even be storing the passwords anywhere, even in their primary database, much less an Excel spreadsheet. Use a one-way hash with salt, folks!

While having it in an Excel document is inexcusable, there is a real reason why passwords are stored as plain text, and I hated it as a sysadmin. Look up CHAP vs PAP authentication... Basically, PAP sends the password in plain text across the wire from the modem server to the RADIUS server, which can then look up the salt, hash it, and then verify the password.

However, since this means sending passwords in the clear, most modem concentrators (most ISPs resell for a handful of large telcos that operate the modems nowadays) prefer to use CHAP, which hashes the password with something at the terminal server and sends both to the RADIUS server. In order for the RADIUS server to authenticate the session, it must have access to the original plain text to hash with the provided salt. Thus, the ISP must store all passwords in plaintext somewhere.

That said, it should be stored in a hardened and dedicated server that only handles the storage (SQL or LDAP) and the RADIUS server. Any billing interaction should only be to update the password, never to read. And it should never be put into an Excel or Word doc!

    1. Re:Passwords are needed - CHAP by danlip · · Score: 1

You're talking about modem protocols, authentication to get onto a network - but TFA was talking about passwords onto an ebilling system. Which you should be accessing with https, so the password should be encrypted (albeit reversibly) at that point, and there should be no reason it isn't a one-way hash in the database.

    2. Re:Passwords are needed - CHAP by Anonymous Coward · · Score: 0

Can't you store the passwords encoded? From what you're saying, you need to have plaintext when authenticating, but couldn't the database obfuscate the plaintext at least a little? Insecure from a crypto p.o.v., but at least that prevents someone being able to decode the password with their eyeballs.

    3. Re:Passwords are needed - CHAP by PiSkyHi · · Score: 1

      In my mind, CHAP or PAP are only there to say you actually have an account with us, once past this stage, the billing account login should be handled with something else, something secure with an SQL backend.

    4. Re:Passwords are needed - CHAP by omglolbah · · Score: 1

      Quite a lot of ISPs give you the same password for modem/hardware authentication and billing sites.

      This is of course a security risk but it is better (for them..) than having to manage two systems of passwords and the confusion that obviously happens from such things with regard to the customer.

      Good design and proper handling of authentication information is not a given in most companies unfortunately :(

    5. Re:Passwords are needed - CHAP by fractalus · · Score: 1

      The only reason for CHAP to exist is so that you can avoid sending the password in plaintext over an unencrypted channel. Proper encryption fixes that problem without introducing the greater problem of requiring plaintext password storage.

      To be fair, many systems involving end users do store passwords in plain text because a frequent tech support issue is forgotten passwords. I have never built such a system because I've always disclosed up front that this is a bad idea, and we create alternative solutions that don't involve giving out passwords (just resetting them).

      --
      People are never as simple as their stereotypes. This applies equally to Christians, Muslims, and Emacs-lovers.
    6. Re:Passwords are needed - CHAP by mortonda · · Score: 1

That would require a user to know two passwords, which is 2 more than they are capable of remembering.

    7. Re:Passwords are needed - CHAP by mortonda · · Score: 1

      The only reason for CHAP to exist is so that you can avoid sending the password in plaintext over an unencrypted channel. Proper encryption fixes that problem without introducing the greater problem of requiring plaintext password storage.

      True, the better solution would be to use PAP over a VPN or SSL tunnel, but have fun convincing the large telcos or modem concentrators to do that. We were given no other option than CHAP.

      I think that was about the time I began to lose interest in sysadmin and network admin stuff.

  33. Re:Cleartext Passwords? Really? by w0mprat · · Score: 2, Funny

    Huh? My is password cleartext it's always ******** no matter what I type, so insecure!

    --
    After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
  34. I can fix it if you let me at the code by w0mprat · · Score: 1
    [window pop up] "Are you sure you want to send this?"
    [countdown timer on OK button] 5...4...3...2...1...
    [user clicks OK prematurely]
    [window pop up] "NO! Penalty timeout!"
    [countdown timer on OK button] 39...38...37...36...

    --
    After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
  35. Re:Cleartext Passwords? Really? by mortonda · · Score: 1

    Yes, really. It's called CHAP authentication, and it requires plain text passwords. see my other post

  36. Re:Meanwhile ... at Demon Internet Corporate Offic by Reason58 · · Score: 2, Funny

Great, I just got diabetes and an erection from reading your post.

    Sounds like you need an insulin erection.

  37. You gave me a business idea by NoYob · · Score: 3, Funny
    I'll call The Goat, LLC.

    You see, when a company fucks up, they call us at The Goat and we send them a person. Said person "works" there and takes all the blame and gets fired. The company looks good and we make money.

    Legal fuck ups cost $100,000 for the goat plus our markup of 100% for a total of $200,000. The $100,000 for the goat allows him to live for a while until the public forgets about him. Goats for white collar illegal activities will run on a sliding scale. But let's say you have another Enron type of thing. That'll run you well in the tens of millions but the upside is you get away with it (and your hundreds of millions or billions) and our Goat goes to trial and maybe even jail for you (extra million per year sentenced). Sorry, we won't offer any services for violent crimes, mafia stuff, or political hanky panky - sorry Congressmen, Senators, and any ex-Presidents.

    --
    It's NOT me! It's the meds! I'm on 1000mg of Fukitol.
    1. Re:You gave me a business idea by amohat · · Score: 1

      They've been doing this just fine for years...why would they outsource the job to you?

  38. Re:Meanwhile ... at Demon Internet Corporate Offic by Runaway1956 · · Score: 0, Troll

    Fluffy. Bunny. Girlintraining says fluffy bunny. /me ponders the probability that if a MAN came up with that name, he would be carted away on pedo and bestiality charges. Reality: stranger than fiction.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  39. Re:Cleartext Passwords? Really? by tkw954 · · Score: 1

    hey, if you type in your pw, it will show as stars

  40. normal in the UK ! by okubax · · Score: 1

Things like this happen regularly in the UK. If UK Government agencies can't keep our data safe, how much more an ISP that has "demon" as its name?

  41. Why? by Timothy+Brownawell · · Score: 1

    Someone had better lose their job.

    Why? And who, exactly?

    Hard to believe that anyone in that type of position working for an ISP could be so careless. If anyone should know better, they should.

    It's probably less a case of knowing better, and more a case of clicking on the wrong file (something like "attach User-list.xls, mailmerge against User-list.xls" instead of "attach User-instructions.doc, mailmerge against User-list.xls"). Knowing that all of us organic beings are subject to error, is a single incident like this something to fire someone over? Or are you saying to fire whichever programmer or spec writer or system architect didn't think to build a mass-mail function into their system?

  42. Re:Bad start: Name the company "Demon". by Tubal-Cain · · Score: 0, Troll

    talents

    Hollywood script writer

    Oxymoron

  43. Re:Meanwhile ... at Demon Internet Corporate Offic by AHuxley · · Score: 0, Troll

    Fluffy Bunny calls Sally into the office and notes support calls are up.
    This Linux thing is hard.
    Fluffy Bunny and Sally have new cars, flats and a lifestyle to support. Fluffy Bunny calls Sally to place admin ads.
They get a few hackers who can do the work and a few ex-GCHQ types.
    They crunch the numbers. Running an isp, the backhaul, costs and the price of the Linux brains is just so much.
    The fortune saved on software will be lost to support costs.
    Fluffy Bunny and Sally hire a white hat and a 26 yo woman, hoping they can keep cost down with an expert and a woman in training.
    They watch the white hat fix their servers, trying to learn her skills. But the white hat is smart, she keeps her skills close.
    She likes her weekend sports and fast bike. She is not going to train the 20 something to swap her out.
    6 months later the 26 yo woman wants to play mummy and the white hat gets head hunted.
Fluffy Bunny and Sally become admins for a cam site in the US.

    --
    Domestic spying is now "Benign Information Gathering"
  44. Re:Cleartext Passwords? Really? by Anonymous Coward · · Score: 0

    hunter2

  45. Best Defense.... by Viree · · Score: 1

    The Devil made me do it.

  46. Brainfucked by Anonymous Coward · · Score: 0

Demon Internet has massively screwed the pooch on this one. Flooding the tubes with personal stuff is massively off the rails. They are and deserve to suffer in a massive way over this. Free internets for everyone for a year, with all accounts frozen, and people mailed new account logon information (to keep everyone out of everyone else's accounts). Damage control central. Sure it might cost them a few hundred million, but if people sued over this, they would lose more, oh so much more. Massively more. Free internets for 6 months would start at repairing damage. Maybe.

  47. Not any more... by rmdyer · · Score: 1

    Having a company be able to SEE any user's password should be a crime. Standard practice is that NOBODY, not even sysadmins can see it. They can change it but not see it.

    It is now a bit naive to think that things work like this in the industry. Years ago, this was indeed the forward thinking, "engineered" best practice, and though not directly, why systems like Kerberos were originally created.

Sadly however, with the advent of the web, SSL, LDAP, and hundreds of other possible databases to need access, most PHB types quickly bought into "identity management" schemes being pawned by multiple vendors. These schemes end up "managing" your kept password(s) into "secret stores", usually in an LDAP back end. The "secret stores" should be hashed, but you can likely de-hash them using the master store's hash. This basically amounts to nothing more than Microsoft's old PWL files on Win9x. It's just a temporary patch for a long term problem, but many industry PHBs throw their hands up because even after a decade and a half of Kerberos, very few products have been Kerberized.

    Password management is hard. There are few easy solutions.

    1. Re:Not any more... by RivieraKid · · Score: 1

      Password management is hard. There are few easy solutions.

Correct, but there *are* easy solutions, so there is really no excuse for this. I mean, really - your remote account ultimately boils down to a system account and they've successfully handled passwords for a long time now. (NTLM notwithstanding)

      --
      "Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves
  48. I wonder... by BrokenHalo · · Score: 2, Informative

    I wonder how rare this situation actually is. The same thing happened to me in about 1998 when I was a customer of Q-net, which later got absorbed by Eftel. Some certifiable cretin emailed out the ISP's entire customer contact list to every one of its customers. The managing director of Q-Net was a total creep, and rather than admitting responsibility and eating crow, his letter of "apology" was more of an exhortation to customers to secure their passwords. Needless to say, I was unamused, and changed ISPs shortly after.

    1. Re:I wonder... by Anonymous Coward · · Score: 0

Yes, it happened to me at my university, one of the department heads emailed out the database of ID, Name, parents' name, Birthday, Phone Number, Parents' PH, Address, ...

      It went to every student in the department.

  49. Re:Cleartext Passwords? Really? by A+famous+reader · · Score: 1

    *******

Pretty cool huh? It shows in clear to you, but stars to us!

  50. Tell that to Electronic Arts by phorm · · Score: 1

    Their "forgot my password" system happily emails you the actual password, not a token, which means that it's being stored in a non-hashed manner somewhere.

  51. Re:Meanwhile ... at Demon Internet Corporate Offic by Anonymous Coward · · Score: 0

Well, I'm originally from Minnesota (posting AC as this is really offtopic and I'm sober now) and I must defend our breweries. I'm also half Swedish and half Belgian so I've got more than a little of the drink in me. Now that Leinenkugel's is sold everywhere, I guess it's pointless for me to tell you to get that from Chippewa Falls. As for the Belgian blonds and extravagant ales we might not have anything out there quite as good. But, might I suggest Grain Belt and Summit for your everyday needs and Surly's (if you can get Coffee Bender then it will be I who is jealous) for your Guinness and Irish-y needs? You should be able to find all of the Oberon beers out there, places in Minneapolis even sell kegs of Bell's One Hearted and Two Hearted ales. I've gotten wrecked quite proper on those many a time. I was also a fan of Goose Island's Hex Nut Brown Ale which is from Missouri I believe.

    Lastly, I come from a small town in the southwest of Minnesota where we now have a brewery in the small town of Lucan called Brau Brothers. Their scotch ale is delicious and definitely required drinking if you like scotch, whiskey or bourbon.

Hope this helps you in your quest! I loathe those sconnies but miss Minnesota. Try not to become a rabid idiotic Packers fan!

    -eldavojohn

  52. Re:Cleartext Passwords? Really? by fishbowl · · Score: 1

    Well, it requires cleartext passwords at one layer but you can still do encrypted passwords in RADIUS or whatever you use.
    Just because the device has to take in a cleartext password at the first step doesn't mean the second step isn't to encrypt that password and check it against the hashed string in your database.

    Don't tell me this is hard. It's how I did it as long ago as 1993 with Livingston Portmasters and *my own* radiusd, and for somebody like the size of Demon there are *far* better options today.

    Besides all that, we're not talking about dialup access passwords in the first place. These were login passwords to an HTTPS billing system.

    --
    -fb Everything not expressly forbidden is now mandatory.
  53. Re:Meanwhile ... at Demon Internet Corporate Offic by Anonymous Coward · · Score: 0

    If you really are a _girl_ in training, then keep the hell away from me.

  54. Re:Meanwhile ... at Demon Internet Corporate Offic by Anonymous Coward · · Score: 0

Ctrl+Z moderation...

  55. Re:Cleartext Passwords? Really? by chiark · · Score: 1
    Customer: Hi, I'm having troubles with ebilling
    Demon: OK, let's see if we can help. I just need to take you through security. Can you give me your username
    Customer: customer1
    Demon: And, without revealing your full password, characters 3 and 5 of... the MD5 hash of your password?
    Customer: WTF?
    Demon: sorry, that's not right.

In the case where you want to use the same password to authenticate across multiple channels, and use human interaction, storing plain passwords (with appropriate control) is unfortunately still useful. Yes, there are other ways to do it, but people are conditioned to be asked for letters of their password by humans.

  56. This is Slashdot! by mac1235 · · Score: 1

    1 Million user details or it's not news!

  57. Re:Meanwhile ... at Demon Internet Corporate Offic by lavaboy · · Score: 1

    you left out "... and everyone got a pony"

    --
    Steve -- If you have to call it a system, you don't know what it is.
  58. Re:Meanwhile ... at Demon Internet Corporate Offic by Dr_Barnowl · · Score: 1

    diabetes and an erection

    Make the most of it, diabetes causes peripheral vascular disease!

  59. Re:Meanwhile ... at Demon Internet Corporate Offic by Anonymous Coward · · Score: 0

    Sally also sets up her own dungeon between several racks of blade servers, a webcam, and begins posting her payback sessions to fund some much-needed hardware upgrades. :P

    Since this is Slashdot, let's go with the obvious motivational poster:

    (webcam image here)

    <font=Successories>"OH SWEET!"
    They're using [AMD | Intel] quad-cores in that server farm!</font>

  60. not md5, bcrypt by Sub+Zero+992 · · Score: 1

    You are right about not being a database / web guru.
    MD5 is the wrong hash algorithm, you want to look at bcrypt.

    --
    They who would give up an essential liberty for temporary security, deserve neither liberty or security - Ben Franklin
    1. Re:not md5, bcrypt by joggle · · Score: 1

      My point wasn't the algorithm, just that it's trivial to do something better than just storing plain-text passwords.

      To do it correctly I'd presume you would also need to first do some sort of dictionary check and length check on the password to make sure it isn't too weak. Or require that the password have a certain number of non a-z|A-Z characters.

      Of course you then run into the issue of people forgetting passwords so you'd want a method to give them a new password, but in such a way that someone couldn't simply google the person and fill in the relevant details (the way Sarah Palin's e-mail account was hacked).

      This is why I prefer sticking to just programming rather than being a DB admin.

    2. Re:not md5, bcrypt by Sub+Zero+992 · · Score: 1

      Hi,

      Well, the choice of algorithm is important. MD5 is a bad choice.

      And yes you're right, if the password is weak, and the website provides no protection against brute force attacks over HTTP, then it remains a weak password. And resetting the password is a problem which has been mostly solved, you send the person a token by email or sms to their pre-validated account, with which they can create a new password.

      Cheers

      --
      They who would give up an essential liberty for temporary security, deserve neither liberty or security - Ben Franklin
  61. i'm having trouble by memnock · · Score: 1

    with picturing why there needed to be a spreadsheet attachment to an email explaining the bill. some kind of graphic embedded in the email wouldn't have done the job of explaining the bill or its processing?

  62. Re:Meanwhile ... at Demon Internet Corporate Offic by phocutus · · Score: 0

    Totally dig! Bravo! Great use of gender & feminism spin-off! Not to mention compy talk is always hot haha

  63. Re:Meanwhile ... at Demon Internet Corporate Offic by Anonymous Coward · · Score: 0

    Hahahaha, you got an erection from a tranny.

  64. Re:Cleartext Passwords? Really? by algae · · Score: 1

    I have never been asked that in my life. SSN, mother's maiden name, billing address, but never for characters of my password for the account in question. Where did you run into this, so I can make sure never to do business with them?

    --
    Causation can cause correlation
  65. Re:Cleartext Passwords? Really? by mortonda · · Score: 1

    With CHAP or PAP?

66. reminds me of the McAfee scandal a few months ago by Minion+of+Eris · · Score: 1

Anyone else reminded of http://it.slashdot.org/article.pl?sid=09/07/30/0337232 ? Is there anyone out there in Security who actually keeps data secure? Or should we just give them all red shirts?

    --
    Please don't dominate the rap, Jack, if you got nothin' new to say.
  67. Re:Cleartext Passwords? Really? by fishbowl · · Score: 1

    Both. Just because you have to receive plaintext passwords in PAP, doesn't mean your authentication system must store them in a database. It doesn't even mean you have to send plaintext over the wire in your network. I'm not even sure why people think PAP requires storing a password at all, but it's been a common claim in this slashdot thread. Yes, with PAP, the client sends the password and you have to receive it, but it's not like you have to send it *back*.

    --
    -fb Everything not expressly forbidden is now mandatory.
  68. Re:Cleartext Passwords? Really? by mortonda · · Score: 1

No, you don't have to send it back, but a MITM attack could still sniff passwords. PAP can store passwords salted, yes. The problem I ran into was that the people running the modems said "CHAP, nothing else". That requires plaintext at the RADIUS server.
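Added example, not code from any poster here, tying together mortonda's point (posts 32 and 68) that CHAP forces the RADIUS side to hold the plaintext and fishbowl's point (posts 52 and 67) that PAP lets the server verify against a salted one-way hash. CHAP follows RFC 1994 (MD5 over identifier, secret and challenge); the PBKDF2 record format for the PAP side and the sample credential are my own assumptions.

```python
import hashlib
import hmac
import os

# --- CHAP side (RFC 1994) ---------------------------------------------------
# The peer answers a random challenge with MD5(identifier || secret || challenge).
# The verifier must recompute exactly that value, so it needs the plaintext
# secret on file; a salted one-way hash of the password is useless to it.

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Response the dial-up client computes (identifier is a single octet)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, challenge: bytes, response: bytes,
                stored_secret: bytes) -> bool:
    """What the RADIUS server does: stored_secret has to be the plaintext."""
    expected = chap_response(identifier, stored_secret, challenge)
    return hmac.compare_digest(expected, response)


# --- PAP side ---------------------------------------------------------------
# The password itself reaches the server, so it can be checked against a
# salted, slow one-way hash and the plaintext never has to be stored.

def make_pap_record(password: bytes, iterations: int = 200_000) -> dict:
    """Assumed storage record: PBKDF2-HMAC-SHA256 with a random 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def pap_verify(record: dict, password: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password,
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def demo() -> dict:
    """Run both flows on a constructed credential and report the outcomes."""
    secret = b"hunter2"            # constructed sample credential, not real
    challenge = os.urandom(16)     # the authenticator's random challenge
    response = chap_response(7, secret, challenge)

    # A server holding the plaintext can verify the CHAP response...
    chap_ok = chap_verify(7, challenge, response, secret)
    # ...but one holding only a hash of the password cannot.
    hashed_only = hashlib.sha256(secret).digest()
    chap_with_hash = chap_verify(7, challenge, response, hashed_only)

    # PAP: store a salted hash, verify the presented password against it.
    record = make_pap_record(secret)
    pap_ok = pap_verify(record, secret)
    pap_wrong = pap_verify(record, b"hunter3")

    return {
        "chap_verifies_with_plaintext": chap_ok,
        "chap_verifies_with_hash_only": chap_with_hash,
        "pap_verifies_against_salted_hash": pap_ok,
        "pap_rejects_wrong_password": pap_wrong,
        "plaintext_kept_in_pap_record": secret in record.values(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```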