Re: Comcast storing WiFi passwords in cleartext?

2019-04-26 Thread Töma Gavrichenkov
On Fri, Apr 26, 2019, 9:31 PM Rich Kulawiec wrote: > Also, given that this is a public mailing list, lots of people who didn't > know the target existed last week could certainly know it now. > Yup, the dependency on an obscurity was inadvertently broken here. Sorry for that. Hope no one was

Re: Comcast storing WiFi passwords in cleartext?

2019-04-26 Thread Saku Ytti
On Thu, 25 Apr 2019 at 20:17, Doug Barton wrote: > There are two mindsets that desperately need changing in the tech world: > > 1. Do not store data that you don't have a legitimate requirement to store > 2. Do not store anything even remotely sensitive in the clear #2 might be quite complex

Re: Comcast storing WiFi passwords in cleartext?

2019-04-26 Thread Rich Kulawiec
On Fri, Apr 26, 2019 at 07:06:40PM +0300, Töma Gavrichenkov wrote: > Also, I've seen people who use the same password (sometimes with few easily > reversible modifications) for virtually all the purposes, from the WiFi > router up to their e-mail and banking accounts. This is one of the many

Re: Comcast storing WiFi passwords in cleartext?

2019-04-26 Thread Töma Gavrichenkov
Peace, On Thu, Apr 25, 2019, 4:53 PM Stephen Satchell wrote: > > not only does someone have to 'hack' the database, > > they also need to drive up to your house and sit in your driveway to get > > free Internet. > > Sounds like you live in a single-family home, in a low-density > neighborhood.

Re: Comcast storing WiFi passwords in cleartext?

2019-04-26 Thread Töma Gavrichenkov
On Thu, Apr 25, 2019, 9:51 PM Valdis Klētnieks wrote: > This assumes that the customer has a spare CAT-5 cable and knows how to > use it. > This is assuming that no customer's device has an access to the same network, in which case you just happily reset the password or even the device as a

Re: Comcast storing WiFi passwords in cleartext?

2019-04-25 Thread Brandon Jackson via NANOG
That is not related to the Gateway at all, nor done on the local network are missing with the local network as I was describing. That is further Upstream. Brandon Jackson On Thu, Apr 25, 2019, 14:50 Mel Pilgrim wrote: > On 2019-04-23 18:32, Brandon Jackson via NANOG wrote: > > I'm not saying

Re: Comcast storing WiFi passwords in cleartext?

2019-04-25 Thread Valdis Klētnieks
On Thu, 25 Apr 2019 21:42:25 +0300, Töma Gavrichenkov said: > Isn't it just better to have it always displayed, in a 40pt sized font, on > some LAN-accessible Web page, reachable without authentication by default, This assumes that the customer has a spare CAT-5 cable and knows how to use it.

Re: Comcast storing WiFi passwords in cleartext?

2019-04-25 Thread Töma Gavrichenkov
On Thu, Apr 25, 2019, 3:57 PM Mike Bolitho wrote: > Grandma Smith calls in because she changed her WPA2 password two years > ago. Her grandson just bought her a new iPad and she can't connect. Tier I > support says "I have your 'WiFi password' right here. It's hunter22." The > call take 45

Re: Comcast storing WiFi passwords in cleartext?

2019-04-25 Thread K. Scott Helms
Tom, No, and I would hope that they were storing it in an encrypted format and then decrypting it on the fly for display in the customer portal. Scott Helms On Thu, Apr 25, 2019 at 1:55 PM Tom Beecher wrote: > As much as it pains me to Devil's Advocate for Comcast... Has anyone > proven

Re: Comcast storing WiFi passwords in cleartext?

2019-04-25 Thread Tom Beecher
As much as it pains me to Devil's Advocate for Comcast... Has anyone proven that they are storing this PSK in cleartext? From the original StackExchange post : " When I went to the account web page, it showed me my password. I changed the password and it instantly showed the new password on the

Re: Comcast storing WiFi passwords in cleartext?

2019-04-25 Thread K. Scott Helms
Doug, I don't disagree, but things are pretty complicated, much more so than they might seem from the outside. First, if the configuration isn't stored there's literally no way to have a backup for most of the CPE vendors so there's definitely reason to have it duplicated in the service

Re: Comcast storing WiFi passwords in cleartext?

2019-04-25 Thread Doug Barton
On 4/25/19 8:04 AM, K. Scott Helms wrote: Just so you know, if you have an embedded router from a service provider all of that data is _already_ being transmitted and has been for a long long time. Responding to a pseudo-random message ... If you are an average consumer and purchase a

Re: Comcast storing WiFi passwords in cleartext?

2019-04-25 Thread K. Scott Helms
s your > login, port forwarding, DMZ, and other details that are far more useful to > a remote attacker than your WiFi password. > > > > > -Original Message- > From: NANOG On Behalf Of Seth Mattinen > Sent: Wednesday, April 24, 2019 10:34 AM > To: nanog@nanog.org &

RE: Comcast storing WiFi passwords in cleartext?

2019-04-25 Thread Benjamin Sisco
details that are far more useful to a remote attacker than your WiFi password. -Original Message- From: NANOG On Behalf Of Seth Mattinen Sent: Wednesday, April 24, 2019 10:34 AM To: nanog@nanog.org Subject: Re: Comcast storing WiFi passwords in cleartext? Notice: This message origi

Re: Comcast storing WiFi passwords in cleartext?

2019-04-25 Thread Stephen Satchell
On 4/24/19 9:32 PM, Mike Bolitho wrote: >> >> "than the relatively low risk of a database compromise leading to a >> miscreant getting ahold of their wireless password and using their access >> point as free wifi." >> > > And this is the thing, not only does someone have to 'hack' the database, >

Re: Comcast storing WiFi passwords in cleartext?

2019-04-25 Thread K. Scott Helms
James, By the DOCSIS standard and every North American MSO's ToS I've seen (I've worked with or for about 200 different cable operators over the last 20 years) your cable modem is always managed and the cable operator _always_ has access to its configuration and settings via SNMP. The

Re: Comcast storing WiFi passwords in cleartext?

2019-04-25 Thread James R Cutler
> On Apr 25, 2019, at 8:26 AM, K. Scott Helms wrote: > > People are missing the point here. This is _not_ a Comcast "issue" this same > data is available to every single cable operator in the US who deploys > bundled modem/router/APs that follow the CableLabs standard. They may or may > not

Re: Comcast storing WiFi passwords in cleartext?

2019-04-25 Thread K. Scott Helms
People are missing the point here. This is _not_ a Comcast "issue" this same data is available to every single cable operator in the US who deploys bundled modem/router/APs that follow the CableLabs standard. They may or may not expose the data to their end customers, but it's stored in their

Re: Comcast storing WiFi passwords in cleartext?

2019-04-25 Thread Töma Gavrichenkov
On Thu, Apr 25, 2019, 3:06 AM William Herrin wrote: > Risk is threat times vulnerability times impact. No impact, no risk. For > example, if the credentials for my grocery store loyalty card are > compromised, I do not actually care. It has no impact. > A fun fact: my employer has a product

Re: Comcast storing WiFi passwords in cleartext?

2019-04-24 Thread Royce Williams
On Wed, Apr 24, 2019 at 8:33 PM Mike Bolitho wrote: > "than the relatively low risk of a database compromise leading to a >> miscreant getting ahold of their wireless password and using their access >> point as free wifi." >> > > And this is the thing, not only does someone have to 'hack' the

Re: Comcast storing WiFi passwords in cleartext?

2019-04-24 Thread Mike Bolitho
> > "than the relatively low risk of a database compromise leading to a > miscreant getting ahold of their wireless password and using their access > point as free wifi." > And this is the thing, not only does someone have to 'hack' the database, they also need to drive up to your house and sit

Re: Comcast storing WiFi passwords in cleartext?

2019-04-24 Thread Valdis Klētnieks
On Wed, 24 Apr 2019 17:04:22 -0700, William Herrin said: > I take no position on what risk the comcast wifi passwords issue carries. > I'm posting only to point out that an absolutist model which says, "stuff > of type X must always be encrypted," is probably not well tuned to the > customer's

Re: Comcast storing WiFi passwords in cleartext?

2019-04-24 Thread William Herrin
On Wed, Apr 24, 2019 at 9:10 AM Benjamin Sisco wrote: > There’s ZERO reason to store or transmit any credentials (login, service, keys, etc.), > in any location, in an unencrypted fashion regardless of their perceived value or > purpose. Unless you like risk. Risk is threat times

Re: Comcast storing WiFi passwords in cleartext?

2019-04-24 Thread Mark Foster
On 25/04/2019 3:13 AM, Benjamin Sisco wrote: I think we all understand the value of using one’s own equipment and keeping the firmware up to date if one is in any way concerned about security. We all should also understand that in a managed environment such as an ISP there should be no

Re: Comcast storing WiFi passwords in cleartext?

2019-04-24 Thread Rich Kulawiec
On Wed, Apr 24, 2019 at 03:13:33PM +, Benjamin Sisco wrote: > The bigger concern should be the cleartext portion of the subject. Yes, and the availability of all this to anyone who hacks Comcast customer support. ---rsk

Re: Comcast storing WiFi passwords in cleartext?

2019-04-24 Thread Seth Mattinen
On 4/24/19 8:13 AM, Benjamin Sisco wrote: The bigger concern should be the cleartext portion of the subject. There’s ZERO reason to store or transmit any credentials (login, service, keys, etc.), in any location, in an unencrypted fashion regardless of their perceived value or purpose.

Re: Comcast storing WiFi passwords in cleartext?

2019-04-24 Thread Aaron C. de Bruyn via NANOG
On Wed, Apr 24, 2019 at 9:05 AM Brandon Jackson via NANOG wrote: > I'm not saying they are doing anything nefarious or packet capping the > local network or anything of that nature that is a little on the tin foil > hat side for me personally, but you should always consider that any >

Re: Comcast storing WiFi passwords in cleartext?

2019-04-24 Thread Benjamin Sisco
I think we all understand the value of using one’s own equipment and keeping the firmware up to date if one is in any way concerned about security. We all should also understand that in a managed environment such as an ISP there should be no reasonable expectation of privacy regarding the

Re: Comcast storing WiFi passwords in cleartext?

2019-04-24 Thread Sean Figgins
On 4/23/19 8:35 PM, Peter Beckman wrote: Get your own router if you're worried about your Wifi Password being known by Comcast. Or change to WPA2 Enterprise, but I'm guessing that isn't supported on the router... Original post seems to be someone that bought a used modem/router combo. 

Re: Comcast storing WiFi passwords in cleartext?

2019-04-24 Thread Brandon Jackson via NANOG
This has been a thing for quite a while with Comcast. It is also available to a customer service rep. It is retrieved from the Gateway via SNMP if I'm not mistaken. Customer service reps can also reset your wireless password either to a default or a specific one of yours or their choosing if

Re: Comcast storing WiFi passwords in cleartext?

2019-04-24 Thread Stephen Satchell
On 4/24/19 7:24 AM, Tom Beecher wrote: > This is why, in my opinion, people should avoid modem/router combo units > whenever possible. Any information/configuration entered into such a device > could be accessible to the MSO (intentionally or otherwise) , as is > happening here. I'm sure they

Re: Comcast storing WiFi passwords in cleartext?

2019-04-24 Thread Randy Bush
> you've seen TR-069 right? that was 2004, security had not been invented yet. oh wait.

Re: Comcast storing WiFi passwords in cleartext?

2019-04-24 Thread Tom Beecher
The Stackexchange post does NOT say that they got their own AP. It says they got their own DOCSIS Modem / Router / Wifi combo device. That's an important distinction. When I worked at Adelphia many years ago, the only distinction between customer owned CPE and company owned CPE was billing. All

Re: Comcast storing WiFi passwords in cleartext?

2019-04-24 Thread Töma Gavrichenkov
On Wed, Apr 24, 2019 at 3:27 PM Matt Hoppes wrote: > If you’re really running something that requires that kind > of security you may want to get your own wireless access point. Like I said: the OP claims that's what s/he did. -- Töma

RE: Comcast storing WiFi passwords in cleartext?

2019-04-24 Thread Luke Guillory
are on the latest firmware. Luke Ns -Original Message- From: Matt Hoppes [mailto:mattli...@rivervalleyinternet.net] Sent: Wednesday, April 24, 2019 7:27 AM To: K. Scott Helms Cc: Luke Guillory; NANOG Subject: Re: Comcast storing WiFi passwords in cleartext? I don’t really see

Re: Comcast storing WiFi passwords in cleartext?

2019-04-24 Thread Matt Hoppes
I don’t really see the issue here. What was the concern of the O. P. ? That a Comcast tech will know your Wifi password? If you’re really running something that requires that kind of security you may want to get your own wireless access point. Otherwise, that’s just how it works for a

Re: Comcast storing WiFi passwords in cleartext?

2019-04-24 Thread K. Scott Helms
0.1.1.3.26.1.2.10001 > Value: F2414322EE3D9263 > Type: OctetString > > > > > > Ns > > > > > > > > -Original Message- > From: Peter Beckman [mailto:beck...@angryox.com] > Sent: Tuesday, April 23, 2019 9:35 PM > To: Luke Guillory >

RE: Comcast storing WiFi passwords in cleartext?

2019-04-23 Thread Luke Guillory
[mailto:beck...@angryox.com] Sent: Tuesday, April 23, 2019 9:35 PM To: Luke Guillory Cc: Laurent Dumont; NANOG Subject: Re: Comcast storing WiFi passwords in cleartext? On Tue, 23 Apr 2019, Peter Beckman wrote: > On Wed, 24 Apr 2019, Luke Guillory wrote: > >> OP said they logged into t

Re: Comcast storing WiFi passwords in cleartext?

2019-04-23 Thread Christopher Morrow
On Tue, Apr 23, 2019 at 10:35 PM Peter Beckman wrote: > ... such that the access of the Wifi Password which is likely stored in > plain text on the router is accessed by Comcast in a secure manner and not you've seen TR-069 right? :(

Re: Comcast storing WiFi passwords in cleartext?

2019-04-23 Thread Yang Yu
On Tue, Apr 23, 2019 at 4:48 PM Töma Gavrichenkov wrote: > Apparently there's a concern with customers that their seemingly > private passphrases, entered in their own boxes, are being shared with > the upstream ISP without an explicit customer consent, and are kept in > the ISP database for an

Re: Comcast storing WiFi passwords in cleartext?

2019-04-23 Thread Peter Beckman
On Tue, 23 Apr 2019, Peter Beckman wrote: On Wed, 24 Apr 2019, Luke Guillory wrote: OP said they logged into their account and went to the security portion of the portal. So one can assume they're the ISP or I don’t see the point in asking how Comcast would know the info. It is entirely

Re: Comcast storing WiFi passwords in cleartext?

2019-04-23 Thread Peter Beckman
On Wed, 24 Apr 2019, Luke Guillory wrote: OP said they logged into their account and went to the security portion of the portal. So one can assume they're the ISP or I don’t see the point in asking how Comcast would know the info. It is entirely possible that an account separate and hidden

Re: Comcast storing WiFi passwords in cleartext?

2019-04-23 Thread Luke Guillory
OP said they logged into their account and went to the security portion of the portal. So one can assume they're the ISP or I don’t see the point in asking how Comcast would know the info. Luke Ns Sent from my iPad On Apr 23, 2019, at 8:05 PM, Laurent Dumont

Re: Comcast storing WiFi passwords in cleartext?

2019-04-23 Thread Laurent Dumont
It's not exactly clear from the StackExchange post but if the end-user is also using Comcast as an ISP, then I guess the modem simply re-registered under the new customer and is happily providing the visibility to Comcast? On Tue, Apr 23, 2019 at 8:34 PM Töma Gavrichenkov wrote: > On Wed, Apr

Re: Comcast storing WiFi passwords in cleartext?

2019-04-23 Thread Töma Gavrichenkov
On Wed, Apr 24, 2019 at 3:07 AM Seth Mattinen wrote: > Don't use the built in wifi AP on a cable modem combo would be my first > reaction. Totally correct, but that's what s/he claims to have already taken care of! -- Töma

Re: Comcast storing WiFi passwords in cleartext?

2019-04-23 Thread Seth Mattinen
On 4/23/19 16:46, Töma Gavrichenkov wrote: Apparently there's a concern with customers that their seemingly private passphrases, entered in their own boxes, are being shared with the upstream ISP without an explicit customer consent, and are kept in the ISP database for an unspecified period of