A question about default routes. 3489

The authorized person is the one who's dialing in. But a ppp link that has been set up doesn't check credentials on the packets that are going over the wire. If a company allows access to their internal net from authenticated users, it's quite unusual for them to exercise the same amount of security as the firewall protecting the front door.

With the introduction of ppp-2.3.0 back in 1997 or so, root could set up a few options so that the link was somewhat harder to exploit, but it wasn't until 2.3.6 in early 1999 that the trap for an existing default route was put in, and I'm sure you remember the wailing and gnashing of teeth when that happened. However, this really only applies to ANU ppp, and it's not the only implementation out there.

I have to agree with this. In most secure operations, such as government, military contractors, and so on, there are lots of rules that specify security requirements that will be met. Real life is often quite different until something happens, and a bunch of people have the flaming torch of retribution shoved up their whatever. (Below)

Preacher - meet choir.

That was one example - yes, it was a windoze box, and at the other end of the dialin was a military contractor who'd just had a COR that had read the Riot Act (ALLLLL the way through) to staff and executives over a security problem he'd noticed. In case you haven't been on the receiving end of such a reaming, I'm here to tell you that it is NOT pleasant, and may be a major disaster for your personal career. I'm told that the secret stuff (so stamped in bright red letters an inch high on the top and bottom of everything down to and including the toilet paper) was behind a series of locked and guarded gates, and the networks were isolated by a physical gap of several tens of feet. None the less, there was hell to pay, and I know one person saw jail time, and maybe ten others got fired.

Old guy