[87868] in North American Network Operators' Group
Re: Cisco, haven't we learned anything? (technician reset)
daemon@ATHENA.MIT.EDU (Martin Hannigan)
Thu Jan 12 21:46:35 2006
From: Martin Hannigan <hannigan@world.std.com>
To: eric-list-nanog@catastrophe.net (eric)
Date: Thu, 12 Jan 2006 21:41:18 -0500 (EST)
Cc: smb@cs.columbia.edu (Steven M. Bellovin), nanog@merit.edu
In-Reply-To: <20060113023430.GI22251@catastrophe.net> from "eric" at Jan 12, 2006 08:34:30 PM
Errors-To: owner-nanog@merit.edu
>
>
> On Thu, 2006-01-12 at 21:05:52 -0500, Steven M. Bellovin proclaimed...
>
> >
> > How much entropy is there in such a serial number? Little enough
> > that it can be brute-forced by someone who knows the pattern? Using
> > some function of the serial number and a vendor-known secret key is
> > better -- until, of course, that "secret" leaks. (Anyone remember how
> > telephone credit card number verification worked before they could do
> > full real-time validation? The Phone Company took a 10-digit phone
> > number and calculated four extra digits, based on that year's secret.
> > Guess how well that secret was kept....)
> >
>
> Hi Steven,
>
> I believe the Netscreen default password of a serial number can only be
> entered over the console (and possibly modem/aux) port(s).
Yes. Sorry, I left that out.
-M<
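
Added example, not part of the original thread: a Python sketch of the entropy question raised in the quoted message, estimating the guessing space of a serial-number password and contrasting a serial-plus-vendor-secret derivation with a per-device random value. The serial layout, field sizes, guess rate and secret below are constructed assumptions, not any vendor's real format.

```python
import hashlib
import hmac
import math
import secrets

# Constructed, hypothetical serial layout (not a real vendor format):
# fixed model prefix, manufacturing year, week, and an 8-digit unit counter.
FIELDS = [
    ("model", 1),        # fixed per product line, so it adds no uncertainty
    ("year", 10),        # about ten plausible manufacturing years
    ("week", 52),
    ("unit", 10 ** 8),   # full counter range, a generous upper bound
]

def search_space(fields):
    """Candidate serials left once the pattern is known."""
    total = 1
    for _name, choices in fields:
        total *= choices
    return total

def entropy_bits(fields):
    """Upper bound on the entropy of a serial used as a password."""
    return math.log2(search_space(fields))

def days_to_exhaust(fields, guesses_per_second):
    """Time to cover the whole space at a given guess rate."""
    return search_space(fields) / guesses_per_second / 86400

def derived_code(vendor_secret: bytes, serial: str) -> str:
    """Keyed derivation: HMAC-SHA256(secret, serial), truncated to 64 bits.
    Every device's code is recomputable by anyone holding the one secret."""
    return hmac.new(vendor_secret, serial.encode(), hashlib.sha256).hexdigest()[:16]

def random_code() -> str:
    """Per-device 64-bit random value, independent of serial and of any master key."""
    return secrets.token_hex(8)

if __name__ == "__main__":
    print(f"serial as password: about {entropy_bits(FIELDS):.1f} bits")
    print(f"days to exhaust at 1000 guesses/s: {days_to_exhaust(FIELDS, 1000):.0f}")
    demo_secret = b"constructed-demo-secret"   # constructed sample value
    print("derived code:", derived_code(demo_secret, "0042-06-02-00001234"))
    print("random code: ", random_code())
```
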