First some background. I just signed up with a new ISP that gives me a fairly decent internet connection. It's a PPPoE connection, which means that I have to "dial in" before I can start surfing. The PPPoE drivers used are RASPPPOE. However, the ISP has provided me with a custom dialer program for use. The dialer program makes a PPP connection using the RASPPPOE drivers. Now for the rant.
At first, I trusted that a big ISP like this would have done a decent job on writing a dialer software which, for all practical purposes, just calls a few functions from the RASPPPOE API and provides a pretty interface. Guess what? I was wrong :fpissed: . I immediately noticed a few problems with the dialer.
1. It required admin rights to run. That generally means that a program is badly written. If I had been the sole user of this computer, I might not have minded too much. But to have to teach my Mom and Dad how to use Run As and give them the admin password is going too far.
2. Since it had placed a connection in the "Network Connections" in Windows XP, I tried using the connection. Didn't work. Great, that means it's doing some kind of voodoo before or after the connection is made. The connection would fail at "Verifying username and password" with an error message of "The supplied username or password is invalid on the domain".
3. It caused intermittent crashes on my otherwise rock solid XP box.
All this was enough to piss me off enough for me to try to do something about it. Calling Customer Service didn't help either. So, I fired up ethereal and checked the packet that the dialer sent against the one that the connection in "Network Connections" sent. It turns out that while the password itself is sent out unencrypted, the dialer performs some operations on the password before it is sent. So, a password of "abcdefg" might become "avbfgfherotbfgklghrt". However, this affords no protection against a sniffer, since the server doesn't decrypt "avbfgfherotbfgklghrt" to "abcdefg". It simply accepts "avbfgfherotbfgklghrt" as the password. Substituting "avbfgfherotbfgklghrt" for "abcdefg" in the connection in "Network Connections" does the trick. The only reason for this "encryption" seems to be to force people to use the dialer.
Now, overall I'm really pissed off with this ISP because not only is their software badly written, it's also blatantly insecure and very vulnerable to sniffing. I got around their protection in a very short time and am not using their dialer anymore. However, most people will have to put up with this and will become a very easy target for an unscrupulous person. /me kills ISP. AAAAARGH!!!!!