On 25/04/2019 3:13 AM, Benjamin Sisco wrote:
> I think we all understand the value of using one’s own equipment and keeping
> the firmware up to date if one is in any way concerned about security. We all
> should also understand that in a managed environment such as an ISP there
> should be no reasonable expectation of privacy regarding the configuration of
> the equipment attached to the ISP's network (rented or customer owned).
Accepting I'm not a North American...
The reasonable expectation of privacy should be that the customer knows
precisely what is private, and what is not. If the ISP makes it very
clear that every configuration item on the edge device is known to, or
accessible by, the ISP for support purposes, then there's no problem. At
which point everyone's "reasonable expectations" are the same, and
there's no issue.
(Those for whom the support provided by the ISP is key, will enjoy this
service. Those who don't, have the option of doing their own thing.
Even better... provide the user the means to disable the sharing of this
information by choice? Would save buying and running additional
hardware for those who don't feel the need to have their creds shared,
for example).
First thing I've done with all ISP-provided CPE is disable all the
remote-login stuff that's enabled by default for tech support purposes.
Full knowledge and disclosure is all that's needed!
> The bigger concern should be the cleartext portion of the subject. There’s
> ZERO reason to store or transmit any credentials (login, service, keys, etc.),
> in any location, in an unencrypted fashion regardless of their perceived value
> or purpose. Unless you like risk.
As someone else said, the problem is the level of trust you're placing
in your ISP and in their own security... a large aggregate of private
information is just waiting to be pwned.
Mark.
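The two concerns raised in this thread, remote support access left enabled by default and credentials kept in cleartext, are the kind of thing a config audit can check mechanically before a device is put on the line. The script below is an added example and is not part of this thread, nor any vendor's or ISP's tooling; the key=value config layout, the `enc:` prefix used to mark vendor-encrypted values, the `remote.mgmt.*` key names and every sample value are constructed for illustration.

```python
import re

# Constructed sample: a CPE configuration export in a generic key=value layout.
# The layout and all values are hypothetical, not any real vendor's syntax.
SAMPLE_CONFIG = """\
system.hostname=home-gw
wan.pppoe.username=user@isp.example
wan.pppoe.password=Hunter2!
wifi.ssid=HomeNet
wifi.psk=correct horse battery staple
admin.password_hash=$6$saltsalt$QbE3oLpK2m9x7Zv1nQ4rW8sT5uY0
remote.mgmt.enabled=1
remote.mgmt.acl=0.0.0.0/0
remote.mgmt.port=8080
remote.mgmt.password=support123
"""

# The same (constructed) device after the changes the thread argues for:
# remote management off, and every stored secret either hashed or stored as
# an opaque encrypted blob (the "enc:" prefix is an assumed convention here).
HARDENED_CONFIG = """\
system.hostname=home-gw
wan.pppoe.username=user@isp.example
wan.pppoe.password=enc:v1:3a9f1c77e2b04d5a
wifi.ssid=HomeNet
wifi.psk=enc:v1:b41d0e6c5f8a2d17
admin.password_hash=$6$saltsalt$QbE3oLpK2m9x7Zv1nQ4rW8sT5uY0
remote.mgmt.enabled=0
remote.mgmt.acl=192.0.2.0/24
remote.mgmt.port=8080
"""

# Keys whose value is a secret of some kind.
CREDENTIAL_KEY = re.compile(r"(password|passwd|psk|secret|token)", re.I)
# Value shapes we accept as "not cleartext": crypt-style hash ($id$salt$...),
# a long hex digest, or the assumed enc: wrapper for vendor-encrypted blobs.
CRYPT_HASH = re.compile(r"\$[0-9a-z]+\$")
HEX_DIGEST = re.compile(r"[0-9a-f]{32,}", re.I)


def parse_config(text):
    """Parse key=value lines into a dict; blank lines and # comments are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def looks_protected(value):
    """True if the stored value is a hash or an encrypted blob rather than the secret itself."""
    return (
        CRYPT_HASH.match(value) is not None
        or HEX_DIGEST.fullmatch(value) is not None
        or value.startswith("enc:")
    )


def find_cleartext_credentials(cfg):
    """Return the keys of every credential-like entry stored in recoverable cleartext."""
    return [
        key for key, value in cfg.items()
        if CREDENTIAL_KEY.search(key) and value and not looks_protected(value)
    ]


def remote_management_exposed(cfg):
    """True if remote management is on and its ACL admits any source address."""
    enabled = cfg.get("remote.mgmt.enabled", "0") == "1"
    acl = cfg.get("remote.mgmt.acl", "")
    wide_open = acl == "" or acl.endswith("/0")
    return enabled and wide_open


def audit(text):
    """Run both checks over a config export and return the findings."""
    cfg = parse_config(text)
    return {
        "cleartext_credentials": find_cleartext_credentials(cfg),
        "remote_management_exposed": remote_management_exposed(cfg),
    }


if __name__ == "__main__":
    for name, text in (("default", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text))
```

On the constructed default config the audit flags the PPPoE password, the Wi-Fi PSK and the support login as cleartext and reports remote management as open to any source; the admin password is passed over because it is stored as a crypt-style hash. Note that a value wrapped by a vendor's encryption is only as protected as wherever that vendor keeps the decryption key, which is exactly the trust-in-the-ISP problem Mark raises, so the `enc:` check is a floor, not an assurance.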