> According to Jerry Popek at Locus, PCI uses a proprietary encoding --
> you'd have to know what they're using to sniff and decode the password
> exchange.
Unless the encoding is really good (which is hard), it's probably a low
barrier, since it would at least be subject to both decompilation and
chosen plaintext attacks. Poor encryption can be better than no
encryption, but if you don't trust it.
> From a practicle standpoint, if you have someone sniffing your
> net, you have bigger problems than just someone finding a PC connecting
> to AFS's password....
It is prudent practice to work from the presumption that your network
can be (is being) sniffed, this is especially true for large networks
in public installations (like a university campus). Limiting the types
of data that are snoopable limits your risk of exposure to sniffers.
Plaintext data is dangerous, but plaintext (or trivially decoded)
passwords are worse, since it affords current and future access to all
of the person's files and privileges (perhaps on multiple systems or
cells).
mark poepping
