[121244] in North American Network Operators' Group
RE: Default Passwords for World Wide Packets/Lightning Edge Equipment
daemon@ATHENA.MIT.EDU (Nathan Eisenberg)
Wed Jan 13 14:48:23 2010
From: Nathan Eisenberg <nathan@atlasnetworks.us>
To: Steven Bellovin <smb@cs.columbia.edu>, Barry Shein <bzs@world.std.com>
Date: Wed, 13 Jan 2010 11:47:38 -0800
In-Reply-To: <F5FB6A57-E843-49D2-86DD-8AC8ED3242AB@cs.columbia.edu>
Cc: "nanog@nanog.org" <nanog@nanog.org>,
"nonobvious@gmail.com" <nonobvious@gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Not if you change the default password like any sane admin does...
-----Original Message-----
From: Steven Bellovin [mailto:smb@cs.columbia.edu]
Sent: Wednesday, January 13, 2010 11:26 AM
To: Barry Shein
Cc: nanog@nanog.org; nonobvious@gmail.com
Subject: Re: Default Passwords for World Wide Packets/Lightning Edge Equipment
On Jan 13, 2010, at 1:45 PM, Barry Shein wrote:
>
> There seem to be a lot of misconceptions about RFID tags. I'm hardly
> an expert but I do know this much:
>
> RFID tags are generic, you don't put data into them unique to your
> application.
>
Part of the original (or at least early) context for this thread was recovery
of default passwords. If the password is F(ser#), it's only learnable if you
know both F() and ser#. The vendor knows F() -- who knows ser#? If it's in an
RFID tag, or is DBlookup(tag#,vendor_db), being able to read this
admittedly-arbitrary number may indeed be a threat.
--Steve Bellovin, http://www.cs.columbia.edu/~smb