[87867] in North American Network Operators' Group


Re: Cisco, haven't we learned anything? (technician reset)

daemon@ATHENA.MIT.EDU (eric)
Thu Jan 12 21:34:54 2006

Date: Thu, 12 Jan 2006 20:34:30 -0600
From: eric <eric-list-nanog@catastrophe.net>
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
Cc: nanog@merit.edu
In-Reply-To: <20060113020552.93CFE3BFCF8@berkshire.machshav.com>
Errors-To: owner-nanog@merit.edu


On Thu, 2006-01-12 at 21:05:52 -0500, Steven M. Bellovin proclaimed...

> 
> How much entropy is there in a such a serial number?  Little enough 
> that it can be brute-forced by someone who knows the pattern?  Using 
> some function of the serial number and a vendor-known secret key is 
> better -- until, of course, that "secret" leaks.  (Anyone remember how 
> telephone credit card number verification worked before they could do 
> full real-time validation?  The Phone Company took a 10-digit phone 
> number and calculated four extra digits, based on that year's secret.  
> Guess how well that secret was kept....)
> 

Hi Steven,

I believe the Netscreen default password of a serial number can only be
entered over the console (and possibly modem/aux) port(s).
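The entropy question in the quoted text can be made concrete. The following is an added example, not code from the NANOG thread or from any vendor; the serial-number format, the vendor key and the password length are all constructed assumptions. It estimates how many bits of guessing work a default password carries when it is a plain function of a serial whose pattern is known, and how a keyed derivation (HMAC over the serial with a vendor secret) raises that only for as long as the key stays secret:

```python
"""Added example: guessing work behind serial-number-derived default
passwords, with and without a vendor-known secret key (constructed values)."""
import base64
import hashlib
import hmac
import math

# Constructed pattern language for a serial-number format the attacker is
# assumed to know: 'L' = uppercase letter, 'D' = decimal digit,
# any other character is a fixed literal (contributes nothing).
_CLASS_SIZE = {"L": 26, "D": 10}


def keyspace_size(pattern: str) -> int:
    """Number of distinct serials matching the pattern."""
    n = 1
    for ch in pattern:
        n *= _CLASS_SIZE.get(ch, 1)
    return n


def pattern_entropy_bits(pattern: str) -> float:
    """Entropy of a serial in bits, assuming each variable position is
    uniform and independent (an upper bound; real assignment is often
    sequential, which only makes guessing easier)."""
    return sum(math.log2(_CLASS_SIZE.get(ch, 1)) for ch in pattern)


def derive_default_password(serial: str, vendor_key: bytes, length: int = 10) -> str:
    """Keyed derivation: HMAC-SHA256 over the serial, truncated to `length`
    base32 characters (5 bits each). With the key unknown, the output is
    unpredictable; once the key leaks, the password is exactly as guessable
    as the serial it was derived from."""
    tag = hmac.new(vendor_key, serial.encode("ascii"), hashlib.sha256).digest()
    return base64.b32encode(tag).decode("ascii")[:length]


def password_bits(length: int) -> float:
    """Bits carried by a truncated base32 password of the given length."""
    return 5.0 * length


def effective_entropy_bits(pattern: str, key_bits: int, length: int, key_leaked: bool) -> float:
    """Guessing work an attacker faces for the derived default password.
    Key secret: bounded by the smaller of the key and the truncated output.
    Key leaked: collapses to the serial-number entropy."""
    if key_leaked:
        return pattern_entropy_bits(pattern)
    return min(float(key_bits), password_bits(length))


if __name__ == "__main__":
    pattern = "NS-LLDDDD"            # constructed serial format
    key = b"constructed-vendor-key"  # placeholder, not a real secret
    print(f"serials matching {pattern}: {keyspace_size(pattern):,}")
    print(f"serial entropy: {pattern_entropy_bits(pattern):.1f} bits")
    print("derived password:", derive_default_password("NS-AB1234", key))
    for leaked in (False, True):
        bits = effective_entropy_bits(pattern, 256, 10, leaked)
        print(f"key leaked={leaked}: {bits:.1f} bits of guessing work")
```

The design point is the one the quoted message makes: the keyed scheme is only as strong as the secrecy of a single long-lived vendor key, so the defender's controls are per-device random credentials set at manufacture, forced change on first login, or at least restricting where the fallback credential is accepted (for example console only, as the reply notes), rather than trusting the derivation alone.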
