[squeak-dev] SqueakSource question

Frank Shearar frank.shearar at angband.za.org
Wed Feb 24 08:12:05 UTC 2010


Chris Cunnington wrote:
> Andreas said: 
> 
> Which is something that I'm 
> absolutely not fond of because it's transmitting your password pretty 
> much in plain text, obfuscated as base64. Ouch.
> 
> <rant>
> 
> This won't answer your question, but I'd like to play the Devil's Advocate and ask how this is a problem? 
> 
> I hear a lot of people tout SSL and other things and get antsy about exactly what you're describing, but how do you exploit it? Are there any crackers here? 
> 
> I went to a local meeting of the 2600 (from the magazine of the same name) and I said I was concerned about security and I'd like to know how to exploit something so I can protect against it. They said, basically, that if you were trying to exploit somebody on another network then it was only really possible by blasting endless password combinations. It seems sitting on a LAN, you can watch the traffic go in and out. On the Internets plural, it's harder or impossible to do. 
> 
> I've got Fyodor's "NMAP Network Scanning" on my desk right now. OK, you can port scan. You can see what ports are open. Then what? Security seems to me to be a real area of cargo cult programming. Get SSL, or else. 
> 
> Maybe you want to ignore this, as it, again, doesn't really do anything for your question. But just once I wish somebody would convince me about efforts taken to create security from first principles and not just because Bruce Schneier raised his eyebrow. 
> 
> </rant>


Fair points, Chris. But let's not forget that the majority of security 
breaks (no, I don't have references to hand) come from internal sources. 
So I'd almost say it's MORE important to secure stuff on a LAN than over 
the public Internet.

frank
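As an added illustration of the point Andreas is quoted on above (example code written for this page, not code from SqueakSource or the Squeak project): anyone who can see the traffic, for instance on the same LAN, receives HTTP Basic credentials as a base64 token that decodes without any key. The captured requests, host name, user names and passwords below are constructed for the example. Python is used because it is convenient for a capture-decoding demonstration, not because the project is written in it.

```python
import base64

# Constructed sample captures: what a passive listener on the same LAN would see
# when a client fetches from a SqueakSource-style server over plain HTTP with
# Basic auth. Host, paths, user names and passwords are made up for this example.
CAPTURED_REQUEST = (
    b"GET /repo/Example/Example-fs.1.mcz HTTP/1.1\r\n"
    b"Host: source.example.org\r\n"
    b"Authorization: Basic YWxpY2U6czNjcjN0cGFzcw==\r\n"
    b"User-Agent: Squeak/4.1\r\n"
    b"\r\n"
)

# Second constructed capture; the password itself contains a colon, which the
# decoder below must not mistake for the user/password separator.
CAPTURED_REQUEST_COLON = (
    b"GET /repo/Example/ HTTP/1.1\r\n"
    b"Host: source.example.org\r\n"
    b"Authorization: Basic Ym9iOnBhOnNz\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> dict:
    """Split a raw HTTP request into a dict of lower-cased header names.

    Only the header block (up to the first blank line) is examined; the
    request line is skipped. Values are decoded as latin-1, which cannot fail.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def recover_basic_credentials(raw: bytes):
    """Return (username, password) from an HTTP Basic Authorization header.

    Returns None when the request carries no well-formed Basic credentials.
    No secret is involved anywhere: base64 is an encoding, not encryption,
    so "obfuscated as base64" is equivalent to plain text for an observer.
    """
    auth = parse_headers(raw).get("authorization")
    if auth is None:
        return None
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    # RFC 7617: the user-id may not contain ':', the password may, so split
    # on the first colon only.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def harvest(captures):
    """Run the decoder over a batch of captured requests, as a sniffer loop
    would, and return (host, username, password) for each exposed login."""
    found = []
    for raw in captures:
        creds = recover_basic_credentials(raw)
        if creds is None:
            continue
        host = parse_headers(raw).get("host", "?")
        found.append((host, creds[0], creds[1]))
    return found


if __name__ == "__main__":
    for host, user, password in harvest([CAPTURED_REQUEST, CAPTURED_REQUEST_COLON]):
        print(f"{host}: {user} / {password}")
```

The only thing the decoder needs is visibility of the bytes on the wire, which is exactly what a LAN neighbour (or anything in the path) has; putting the same request inside TLS is what removes that visibility, not any property of the Authorization header itself.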


