Thread: Custom Dialer Rant

  1. #1
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165

    Custom Dialer Rant

    First some background. I just signed up with a new ISP that gives me a fairly decent internet connection. It's a PPPoE connection, which means that I have to "dial in" before I can start surfing. The PPPoE drivers used are RASPPPOE. However, the ISP has provided me with a custom dialer program for use. The dialer program makes a PPP connection using the RASPPPOE drivers. Now for the rant.

    At first, I trusted that a big ISP like this would have done a decent job on writing a dialer software which, for all practical purposes, just calls a few functions from the RASPPPOE API and provides a pretty interface. Guess what? I was wrong. I immediately noticed a few problems with the dialer.

    1. It required admin rights to run. That generally means that a program is badly written. If I had been the sole user of this computer, I might not have minded too much. But to have to teach my Mom and Dad how to use Run As and give them the admin password is going too far.

    2. Since it had placed a connection in the "Network Connections" in Windows XP, I tried using the connection. Didn't work. Great, that means it's doing some kind of voodoo before or after the connection is made. The connection would fail at "Verifying username and password" with an error message of "The supplied username or password is invalid on the domain".

    3. It caused intermittent crashes on my otherwise rock solid XP box.

    All this was enough to piss me off enough for me to try to do something about it. Calling Customer Service didn't help either. So, I fired up Ethereal and checked the packet that the dialer sent against the one that the connection in "Network Connections" sent. It turns out that while the password itself is sent out unencrypted, the dialer performs some operations on the password before it is sent. So, a password of "abcdefg" might become "avbfgfherotbfgklghrt". However, this affords no protection against a sniffer, since the server doesn't decrypt "avbfgfherotbfgklghrt" to "abcdefg". It simply accepts "avbfgfherotbfgklghrt" as the password. Substituting "avbfgfherotbfgklghrt" for "abcdefg" in the connection in "Network Connections" does the trick. The only reason for this "encryption" seems to be to force people to use the dialer.

    Now, overall I'm really pissed off with this ISP because not only is their software badly written, it's also blatantly insecure and very vulnerable to sniffing. I got around their protection in a very short time and am not using their dialer anymore. However, most people will have to put up with this and will become a very easy target for an unscrupulous person. /me kills ISP. AAAAARGH!!!!!

    Cheers,
    cgkanchi
    Buy the Snakes of India book, support research and education (sorry the website has been discontinued)
    My blog: http://biology000.blogspot.com
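
Added example (not part of the original post, and not the ISP's code): why a fixed client-side transform is password-equivalent on the wire, next to a CHAP-style challenge-response where a captured value is useless for a later session. `dialer_transform` is a hypothetical stand-in, since the thread does not give the real transform, and HMAC-SHA256 is used here in place of CHAP's own hash.

```python
import hashlib
import hmac
import secrets


def dialer_transform(password: str) -> str:
    # Hypothetical stand-in: any fixed, keyless mangling behaves the same way.
    digest = hashlib.sha256(b"constant-baked-into-dialer" + password.encode())
    return digest.hexdigest()[:20]


class StaticServer:
    """Accepts the mangled string itself as the credential (the thread's case)."""

    def __init__(self, password: str):
        self._expected = dialer_transform(password)

    def login(self, wire_value: str) -> bool:
        return hmac.compare_digest(wire_value.encode(), self._expected.encode())


class ChallengeServer:
    """CHAP-style: fresh random challenge per attempt, response is single-use."""

    def __init__(self, password: str):
        self._secret = password.encode()
        self._challenge = None

    def new_challenge(self) -> bytes:
        self._challenge = secrets.token_bytes(16)
        return self._challenge

    def login(self, response: bytes) -> bool:
        if self._challenge is None:
            return False
        expected = hmac.new(self._secret, self._challenge, hashlib.sha256).digest()
        self._challenge = None  # a challenge is good for one attempt only
        return hmac.compare_digest(response, expected)


def respond(password: str, challenge: bytes) -> bytes:
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


def replay_outcomes(password: str = "abcdefg"):
    """(legit login ok?, static replay accepted?, challenge replay accepted?)"""
    static, chap = StaticServer(password), ChallengeServer(password)
    on_wire = dialer_transform(password)  # constructed sample of a captured login
    captured = respond(password, chap.new_challenge())
    first_ok = chap.login(captured)       # the legitimate login itself
    chap.new_challenge()                  # later session gets a new challenge
    return first_ok, static.login(on_wire), chap.login(captured)
```

`replay_outcomes()` returns `(True, True, False)`: the static scheme accepts the captured string again, while the challenge-response server rejects the old response once the challenge has changed.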

  2. #2
    Senior Member therenegade
    Join Date
    Apr 2003
    Posts
    400
    I assume most people wouldn't know or care enough to try and get around it. Most ISPs here, I find, ARE very susceptible to sniffing. They generally prey on the average user's ignorance. One question though: you said that if a dialer allowed itself to be executed only on admin, why would it make it badly written? I assume the reason it was written like that was to prevent access to employees or kids who didn't have the proper 'authority'?

  3. #3
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Only working on admin is bad because if the kid does have permission to use the net but the parents don't want him to have admin rights, it's not possible. Passwords are set up so only authorized users can connect, so being executable on a guest account should be OK.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  4. #4
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    It's up to the admin to secure the dialer. Unless it's a program like a password cracker or a Remote Admin Tool, NO user mode program should require to run as admin. This is because if a normal user needs to run it, he needs to be given admin rights. This might be OK on a home computer, but what about work? Imagine if everyone who needed to connect to the net had to be given admin access. It'd be a f***ing disaster.

    Cheers,
    cgkanchi

  5. #5
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    Originally posted here by cgkanchi
    It's up to the admin to secure the dialer. Unless it's a program like a password cracker or a Remote Admin Tool, NO user mode program should require to run as admin. This is because if a normal user needs to run it, he needs to be given admin rights. This might be OK on a home computer, but what about work? Imagine if everyone who needed to connect to the net had to be given admin access. It'd be a f***ing disaster.

    Cheers,
    cgkanchi
    Have you tried changing the permissions on the dialer to allow all access to it from all users that use the PC? What about other drivers that it might call on? Have you checked the permissions on those and tried to tweak them at all?

    In a corp. environment... I'd hope that each user doesn't have their own DSL connection...

    I have DSL at home and I use PPPoE but my router also has options to use RASPPPoE too...

    Have you looked into getting a router to do this for you?

    Or, have you looked into another dialer?
    http://www.raspppoe.com/
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  6. #6
    Senior Member therenegade
    Join Date
    Apr 2003
    Posts
    400
    True, but maybe the TOS you got was only given to home users (with a special advertising line going: the ONLY secure internet connection lol). Interesting though, it'd obviate the need for any nanny type programs. Do people need to be set up for net access on Windows XP and the like btw, if they're not admin I mean... can they go online on a guest account? I know they won't be able to access a LAN if the permissions aren't set right, I figure it'll be the same thing for the net too.

  7. #7
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    Quote:
    Have you tried changing the permissions on the dialer to allow all access to it from all users that use the PC? What about other drivers that it might call on? Have you checked the permissions on those and tried to tweak them at all?

    Yes. The program connects and then tries to obtain a WRITE LOCK to some dll files in C:\Windows\System32. Obviously (and correctly), the system declines. To fix the problem, it'd mean that each dll file that the program needs to access must be writable for everyone who accesses the net. Not something I'm about to do, especially since it's not needed by RASPPPOE itself, just the dialer.

    Quote:
    Have you looked into getting a router to do this for you?

    Or, have you looked into another dialer?
    http://www.raspppoe.com/

    Why? I've already got it working without the dialer.

    Cheers,
    cgkanchi

  8. #8
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    ah, missed that part of your post... things are crazy around here today... just skimming.

  9. #9
    Senior Member
    Join Date
    Jun 2004
    Posts
    460
    Just out of curiosity, what 3rd party ones have you tried, and what company's software is the one that sucks?
    find / -name "*your_base*" -exec chown us:us {} \; | Trust No One | Use Hardened Gentoo
    CATAPULTAM HABEO. NISI PECUNIAM OMNEM MIHI DABIS, AD CAPUT TUUM SAXUM IMMANE MITTAM

  10. #10
    Antionline Herpetologist
    Join Date
    Aug 2001
    Posts
    1,165
    Quote:
    Just out of curiosity, what 3rd party ones have you tried, and what company's software is the one that sucks?

    I haven't tried any third party dialers. I didn't need to. I wouldn't like to say what company it is in public. However, it's an Indian company which has (AFAIK) no branches elsewhere, so it's unlikely that you know about it. If you still want to know, I'll PM you the name of the company.

    Cheers,
    cgkanchi
