[120948] in North American Network Operators' Group
Re: Default Passwords for World Wide Packets/Lightning Edge Equipment
daemon@ATHENA.MIT.EDU (Steven Bellovin)
Wed Jan 6 17:14:42 2010
From: Steven Bellovin <smb@cs.columbia.edu>
In-Reply-To: <5A6D953473350C4B9995546AFE9939EE081F716E@RWC-EX1.corp.seven.com>
Date: Wed, 6 Jan 2010 17:13:58 -0500
To: George Bonser <gbonser@seven.com>
Cc: NANOG list <nanog@nanog.org>
On Jan 6, 2010, at 4:43 AM, George Bonser wrote:
>> -----Original Message-----
>>
>>> having physical access pretty much trumps any other security
>>> measure.
>>
>> The fact that there's a factory default means that lots of folks won't
>> change it when they configure the unit with an IP address; they follow
>> this with failing to implement iACLs, and it's pw3nt1me!
>
> I suppose it is a philosophical thing with me. I don't believe in
> protecting people from their own stupidity. If you try to enforce that,
> you end up with organizations making up their own "default" passwords
> which can be little better than manufacturer defaults.
>
They're much better, since one guess doesn't suffice for all devices; see
http://ids.ftw.fm/Home/publications/RouterScan-RAID09-Poster.pdf?attredirects=0
for some indication of just how bad the problem can be. And we all suffer
from p0wned devices, because they get turned into bots. Roland is 100% right.
--Steve Bellovin, http://www.cs.columbia.edu/~smb