topic Re: Unintended consequences in Plusnet Feedback

Unintended consequences

plutox — Mon, 20 Jun 2016 14:01:47 GMT

About a week ago I had to perform a password reset while away from my usual desk and computer (for reasons that are irrelevant here). All went OK and life went on. The following morning, back home, I duly amended my note of the Plusnet web site password accordingly and checked my access to the site and this forum.

This morning, no Internet access. Fifteen minutes later, Plusnet support advised me that my PPP access password was incorrect. After a moment or two, the penny dropped but I was hugely surprised that what I (erroneously) thought was a password change that only applied to Plus's web/mail logins etc. also applied to my PPP login -- something so deeply buried (and rarely touched) within my router/modem system that I had completely forgotten about it.

I now see that the e-mail generated to enable the password reset did contain the words

...Resetting your password will also change the password for your other Plusnet services such as

Your broadband connection password...

but that advice too, was rather deeply buried within what appeared, prima facie, to be a routine password reset e-mail message.

So, given that nearly a week separated the password reset and consequent failure of Internet access, I suggest that this consequence of a password reset be given more prominence in the note sent to subscribers following a password reset.

Perhaps a first sentence along the lines of

The change you have just made will affect your Internet connection

would be useful and appropriate to prevent what might be construed as unnecessary telephone support time.

And, if possible, a warning when logging on to the website, that the related PPP password is out of sync and should be urgently changed, would be very handy.

Plaudits, telephone support, for a quick and easy diagnosis.

Re: Unintended consequences

HarryB — Mon, 20 Jun 2016 14:43:38 GMT

@plutox wrote:

The change you have just made will affect your Internet connection

If customers are using automatic hardware setup and our router, it shouldn't have any effect on the broadband connection as it will be updated through the auto hardware setup.

However I'm happy to pass your feedback on.

Re: Unintended consequences

ScottStorey — Mon, 20 Jun 2016 17:02:33 GMT

When you are changing your password it already tells you on a separate page, so it isn't hidden amongst anything else, that doing so will alter your router password.

Re: Unintended consequences

plutox — Tue, 21 Jun 2016 11:18:44 GMT

The above is all true when one is using a Plusnet-supplied router, which I am not. Likewise, I had to perform a password reset (i.e. the procedure for a forgotten password) as opposed to a more-organized routine password change.

It is obviously a compromise whether one accepts the convenience and loss of security of allowing an ISP remote control of its client's modems. Perhaps I am paranoid, but, for me, this is a security lapse too far.

But perhaps it's a good time to ask: why, when providing a service to a fixed line at a known location, is it necessary to add the complication of any kind of authentication at all? The telephone system has worked for 100+ years without any real need for authentication - why does the addition of DSL change this?

Re: Unintended consequences

chenks76 — Tue, 21 Jun 2016 12:00:16 GMT

are you seriously asking why user authentication is required?

Re: Unintended consequences

plutox — Tue, 21 Jun 2016 13:20:41 GMT

On a fixed, hard-wired telephone line, yes. I have had ADSL services that did not require any kind of authentication.

As I said, the telephone service has never required authentication in over a hundred years and spread over five continents. While, in some circumstances, it is possible to bridge-tap another's line and make use of such for voice services, the legitimate user would quickly be reporting faults if a felon attempted such tactics on a DSL line.

Re: Unintended consequences

chenks76 — Tue, 21 Jun 2016 13:50:08 GMT

the ADSL service would have required authentication. it may just have been hard coded into the modem or router (similar to how sky routers are configured).

Re: Unintended consequences

Browni — Tue, 21 Jun 2016 14:06:14 GMT

I used to be a Sky broadband user when they bought O2 and the username/password was the same for everybody that came from O2 LLU, it's hardly authentication!

There was no authentication with O2 LLU, I think IPOE was the connection method IIRC

Re: Unintended consequences

plutox — Tue, 21 Jun 2016 14:27:01 GMT

@chenks76 wrote:
the ADSL service would have required authentication. it may just have been hard coded into the modem or router (similar to how sky routers are configured).

I was with BEthere before they went south and used a generic Netgear modem - no authentication required. In fact, BEthere were quite progressive insofar as they were truly happy for punters to use their own modems. Quite unlike Sky which did implement a truly awkward and deliberately tricky authentication scheme.

Re: Unintended consequences

chenks76 — Tue, 21 Jun 2016 14:39:31 GMT

sky let you use any router for the ADSL connections.
it's only FTTC were they say you need to use their router, however there is no system in place that physically stops you from using your own router (and the required user/pass is reasonably easy to acquire from their supplied router).

plusnet, of course, let you use whatever you want.

Re: Unintended consequences

plutox — Tue, 21 Jun 2016 14:55:20 GMT

So let's get back to my question. Precisely what purpose is served by requiring authentication on a xDSL system that is hard-wired to a permanent address i.e. using much the same wiring method that has been used for phones, without authentication, for a hundred years?

Re: Unintended consequences

chenks76 — Tue, 21 Jun 2016 15:17:05 GMT

don't recall ADSL being used for a hundred years.
unless the telephone number of the line is transmitted at the time of connection then how else would the ISP know it's you that is connected, and thus bill you accordingly for useage etc.

can you offer a reason why user authentication shouldn't be there other than it has apparently caused you to get your knickers in a twist due to you not understanding the consequences of your actions?

Re: Unintended consequences

plutox — Thu, 23 Jun 2016 12:48:16 GMT

@chenks76 wrote:
don't recall ADSL being used for a hundred years.

You do yourself no credit with sarcasm.

@chenks76 wrote:
unless the telephone number of the line is transmitted at the time of connection then how else would the ISP know it's you that is connected, and thus bill you accordingly for useage etc.

For a fixed-line installation, the mechanics of authenticating an xDSL line are little different from authenticating for the purpose of billing telephone calls. Because a given line is hard-wired to a particular subscriber at a known address, what purpose is served by further authentication? Even if data consumption is sold per megabyte, the ISP knows, at any one time, the amount of data served to a given subscriber at the end of a particular phone line. Throughout the history of telecomms, one thing that suppliers traditionally developed exceedingly well is the billing system

In many respects, the need for authentication on a fixed-line phone/DSL installation is not far removed from the idea of ‘authenticating’ your gas or electricity supply.

OK, it is possible to bridge-tap a telephone line somewhat more easily than it is to ‘bridge-tap’ your neighbours' gas supply, but whereas doing so on a voice only line could be quite an effective way of nicking someone else's phone service, such a technique is unlikely to work well enough to be worthwhile when xDSL is involved – creating a bridge-tap will almost certainly play such havoc with the legitimate user's service that the engineers would be out like a shot and discover the felony.

Despite the relative ease of stealing usage from a neighbour's voice line it is interesting to note that, for the most part, Telecom suppliers worldwide have hardly felt the need to authenticate the users of fixed-line installations for the past hundred years.

While my parallel between fixed-line phone supply and electricity supply is not supposed to be taken too literally, the only functional difference from the billing perspective is that the latter places the metering in or near the subscribers' premises while the former meters within the Telcom's private property and is, in that respect, rather more secure. So why bother with authentication?

Re: Unintended consequences

Lurch — Sat, 25 Jun 2016 11:01:49 GMT

Regardless of the mechanics of the line and the authentication requirements in general I find it rather strange having the PPP password the same as the control panel password. I spent a morning trying to find the PPP password on a new connection only to find that it was the account password.

Probably not a problem for most connections with a Plusnet supplied pre-configured router but I was at a clients premises waiting for them to give me their PPP details. In the end they had to reveal to me their Plusnet account password, which they should never reveal to anyone, and this password is now viewable from the control panel of the router used.

So from a security practice PoV this is terrible, if a customer complained about having details compromised and told this story I would say it all sounds like a scam and I am not surprised you have been compromised. I would also say that if it was one of my own customers I would say if you have given your password to some random person (OK, they are in the customers employ I suppose but still) then they are at fault for whatever happens from that point forwards.

So in short, I don't see why the PPP password needs to match the account. I have never ever seen this with any provider (after setting up hundreds of connections with many tens of ISPs).

Re: Unintended consequences

plutox — Sat, 25 Jun 2016 10:42:22 GMT

Lurch wrote:...from a security practice PoV this is terrible,

Indeed. I'm also concerned about the possibility of this password being hacked directly out of the router/modem; recent history supports the argument that the security of such devices is, typically, not what it ought to be.