[192187] in North American Network Operators' Group
Re: Death of the Internet, Film at 11
daemon@ATHENA.MIT.EDU (Leo Bicknell)
Sat Oct 22 08:53:42 2016
X-Original-To: nanog@nanog.org
Date: Sat, 22 Oct 2016 05:53:35 -0700
From: Leo Bicknell <bicknell@ufp.org>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <430335629.3600.1477139691877.JavaMail.mhammett@ThunderFuck>
Errors-To: nanog-bounces@nanog.org
In a message written on Sat, Oct 22, 2016 at 07:34:55AM -0500, Mike Hammett wrote:
> "taken all necessary steps to insure that none of the numerous specific types of CCVT thingies that Krebs and others identified"
From https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/#more-36754
The part that should outrage everyone on this list:
That's because while many of these devices allow users to change
the default usernames and passwords on a Web-based administration
panel that ships with the products, those machines can still be
reached via more obscure, less user-friendly communications services
called "Telnet" and "SSH."
"The issue with these particular devices is that a user cannot
feasibly change this password," Flashpoint's Zach Wikholm told
KrebsOnSecurity. "The password is hardcoded into the firmware, and
the tools necessary to disable it are not present. Even worse, the
web interface is not aware that these credentials even exist."
As much as I hate to say it, what is needed is regulation. It could
be some form of self regulation, with retailers refusing to sell
products that aren't "certified" by some group. It could be full
blown government regulation. Perhaps a mix.
It's not a problem for a network operator to "solve", any more than
someone who builds roads can make an unsafe car safe. Yes, both
the network operator and road operator play a role in building safe
infrastructure (BCP38, deformable barriers), but neither can do
anything for a manufacturer who builds a device that is wholly
deficient in the first place.
--
Leo Bicknell - bicknell@ufp.org
PGP keys at http://www.ufp.org/~bicknell/