Cisco Products Have Backdoors
Cbs228 writes "A Cisco Security Advisory released yesterday admits that "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled." Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
There is no doubt that this is the sort of thing that all of the so-called "tin-foil hat" crowd has been warning us about for years.
I, for one, welcome the "I-told-you-so"s from our new paranoid overlords.
On a more serious point, and on the paranoid side, I'm sure Cisco is only releasing this information because an employee either threatened to leak this information, or was misusing this information to his/her own gain...
However, if that's the case, wouldn't Cisco's fix simply change the password? I highly doubt that they will be embarrassed enough to have learned a powerful life-lesson.
Kinetic stupidity has a new brand leader: Allen Zadr.
I simply can not believe this has happened. This is more boneheaded than what Microsoft has done for the past few years.
I am defenseless. Use your button. Mod me down with all of your hatred.
So what are they going to do for the people that purchased these?
Proof of Concept
admin/password.
I had but a simple dream, to destroy all humans.
Anything that can be exploited will be exploited. The key is to take every precaution possible--that's not possible when only a select few can see the code.
I wonder if these insecurities are in my Cisco 350 series Aironet radio card? My ISP should be informed of this if they are there.
You're right, I wouldn't steal a car. But if it were possible, I sure as hell would download one!
Cisco actually has a better track record than some other closed source vendors I could mention.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
Being able to read the code can stop this from happening.
All your wifi are belong to Cisco
500GB of disk, 5TB of transfer, $5.95/mo
Most people don't have a password on their backdoors.
No, obviously not when you get right down to it. Just like we can't trust closed-source e-voting software when it comes to our republic (the U.S.:), we can't trust closed-source vendors whose systems power our infrastructure...without which the world would cease to function as it does today.
But what can anyone do? Are there any open-source makers of networking hardware?
How fucking stupid do you have to be to realize that this was a BAD THING? Damn, perhaps if Cisco stopped spending so much on stupid ads and rethought its dev process stupid shit like this would not happen.
How did anyone EVER think this was a 'good thing'???
is the id/pwd pair unique to device or is it the same for all devices? i.e. is it some hash of the serial number or something?
:) j/k
this is the funniest thing i've read all day.
btw there exists a similar backdoor in win xp.... sorry can't say what it is.
I believe that this kind of backdoor abuse is still illegal, even if it is behind Closed Source.
Does anyone know if this software has been implemented in any of the Linksys products?
Do they plan on releasing a firmware update? If so, how do we know they aren't going to put another backdoor into that and simply change the information? Is there a way they can make the firmware patch open source without giving away their other "proprietary" source?
-- johntracy.com, because everybody else is wrong.
"Mr. Potato Head! Back doors are not secrets!"
buddybuddy with the Dept of Homeland Security: The corps will have less liability for their stupid products, any good samaritan type will get thrown in the slammer for pointing out holes, and nobody is going to sue the US government because their company server got hax0red.
(According to the summary). In fact you can get new firmware, and it's free for everyone so long as you go through the channels. Fair play to Cisco (or at least, well done for recognising a public-relations disaster when they see one!)
I can see why it's useful to have a master password, but really, it was bound to cause major embarrassment in the end - the only way it would work is if everyone who knew it (presumably cisco employees) never ever divulged it. That's likely!
Simon
Physicists get Hadrons!
Another example of why the benefits of open source need to be pushed up the corporate ladder... this is nuts. Almost as nasty as the things they've done for China. Thanks, Cisco. Another one bites the credibility dust.
The Cisco advisory points out that there are no workarounds. This would suggest that the problem cannot be remedied.
However, the advisory also discusses how to obtain new software for their equipment. So it appears that there is a fix to the problem, via a software upgrade. In light of this, the 'no workarounds' stuff is rather misleading -- and when I first read it, it made my jaw drop.
Tubal-Cain smokes the white owl.
"Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
Yes. Lord, next you'll be asking about patents.
The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.
WHAT?! no public announcements? THIS IS VERY PUBLIC!
No malicious use?! Are they retarded, in about 30 seconds this user/pass combo will be on every hack site in the world... thank god I don't have cisco! This is probably killing their stock price, I'm going to go check.
The ARTICLE that you DIDN'T read, clearly states how to get a service fix - see my first post about what I think about the completeness of said fix.
Kinetic stupidity has a new brand leader: Allen Zadr.
People read about these back doors, and they are appalled by the concept of it. I wish it was that easy. I design software for embedded devices and let me tell you, as soon as you add a password mechanism, then someone will lose the password within days. It's happened to me, and I finally had to put a global password in every machine. You hope that no one will ever find out, but once you tell a single customer, it could spread. I'm fortunate that my userbase is small and spread out, but for Cisco, this could be a disaster. If they made it so the master password could only be put in locally, that would be a big help, but may not be possible on these devices.
-Patrick
"They never stop thinking about new ways to harm our country and our people, and neither do we."
3COMengineers/Areweenies
I'm sure they do extensive checking against this sort of thing.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
...so that means anything they do is all right, right? When forced to choose between a Linux using dictatorship or a Windows using democracy, the dictatorship will always be first choice, eh?
How many other products have "hidden" surprises?
It seems that the customer who pays for the product is the last to know...
Sorry, posted too quick and read 'software' as 'hardware'. Silly me.
Good question. Perhaps a better question might be, what are the people who purchased these going to do to CISCO?
Perhaps a legal action? Breach of contract anyone? Promissory fraud? Negligent representation?
Only Women Bleed (Sex, Sharia remix)
"Can we really trust closed-source vendors, "?? Of course not. Isn't commerce combat? Open source is for the people by the people and corporations would sell babymeat on streetcorners if it was profitable to do so. No clues needed there. Obvious as hell.
Uh.. no, I don't. That's why I use ACLs to prevent the access no matter what the login is. And if the device doesn't support ACLs, the next device on the network will.
Dump the IRS - http://www.fairtax.org
What do you bet the id set is joshua/pencil?
Kinetic stupidity has a new brand leader: Allen Zadr.
Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?
You can't trust open-source for this, either. Not unless you personally constructed every piece of the device, from the source code, to everything that interacts with the source code, including the compiler, the EEPROM burners, and the chipsets on the device itself.
How do you know that the open source you are looking at actually is the one running in your device? You don't.
How do you know that the code you are looking at, assuming that it is running in the device, wasn't modified by a malicious compiler? You don't.
How do you know that the compiled code, assuming it is compiled correctly, wasn't altered in the transfer to the device? You don't.
How do you know the other onboard chips aren't built with a backdoor, patching, hooking or circumventing whatever code is put in the device? You don't.
What it boils down to is that trust is a very difficult animal, and at some point, you need to draw the line. Looking at the source is a meager guarantee for the device behaving well, in the case of a malicious vendor.
The bottom line is that there are so many covert channels to insert code into your overall system today, as long as they are carried on the normal device acquisition channels, that you can't defend against an attack by a malicious vendor. What you can do is to count on their risk analysis, and expect them to want to stay in business just as much as you do. It's not much, but it's pretty much the best we got.
look for openbsd's corporate usage page.
You can't judge a book by the way it wears its hair.
Greetings, Professor Falken.
Shall we play a game?
You probably shouldn't click this.
Hmm yes, like when SGI shipped their machines with much the same problem. Has nearly a decade of fighting computer intrusion taught them nothing? That's pretty shoddy, Cisco.
I don't read your sig, why do you read mine?
The patch can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/1105-host-sol (registered customers only).
I love when companies release vital updates or other material, and then effectively force registration of all their clients. So either register with the mothership, or deal with a vulnerable program? Great.
For every karma whore there are four more people with mod points to kill.
Thanks for that invaluable link.
The answer is NO. We simply cannot trust closed-source vendors of any kind.
Think of it this way: Any kind of physical machine that you can get can be taken apart and inspected. But when it comes to software, which has grown in the last decades to very large and complex systems, doing so without the source is extremely difficult and wouldn't give any benefit because the results could be impossible to understand.
Therefore, RMS is absolutely right in this respect, no matter how wacko some people think he is.
Let's see..
"Although Cisco cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability."
This is probably a standard disclaimer in their security documents, but wouldn't you want them to be sure of the accuracy of their statements?
Why can software/hardware companies get away with "We tried our best, honest!" ?
I wonder if they put this backdoor in on purpose or if some evil programmer added it when no one was watching. I don't think the latter is very likely as you'd think they would have noticed that sooner. If they knowingly put this in, I wonder what their motivation was to do so. They must have known that if the username/password would leak, the impact would be huge.
admin/12345
FreeBSD for the impatient.
Cisco in no way represents the rest of us in the proprietary software industry. We in no way have or condone software backdoors.
Bill Gates, Microsoft
Rob Glaser, RealNetworks
mods, that was funny...
"I'm just here to regulate funkiness."
This is mind-blowingly insane. It's bad enough when products come with a default name/password or open login like the old MS SQL 7.
However, this wasn't an uncommon practice once. We had this in a product from Data General, but that was mid 1980's and we changed it later when we woke up to how stupid it was.
Ok, almost as stupid, I know of hardware systems which have backdoors where if you know the key generating algorithm you can take the challenge string from the system's UI and generate the password from it. The math is simple and can be done in your head. The algorithm had to be changed once when it leaked out but it was still simple to do the new one in your head.
However, Cisco of all folks have seen security disasters in others' and their own products over the last few years. They should've fixed this and stopped doing it already.
**sigh**
this is not a sig
hm... does this affect Linksys wireless too?
Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?
Gimme a break, they likely made a mistake, and you never have? They admitted it and have issued an advisory (mind you it looks worse if found out by the public later on, which may be the case this time as I didn't rtfa). In a case like this I'd return the product if I couldn't remove the uid and pass. "Sorry, it's got a major problem with it, I don't want it". Simple as that.
E.
Never rub another man's rhubarb - The Joker
"...I just can't take the money, bitches and fame anymore...-BLAM!!!..."
What a jackassed coward.
"I'm just here to regulate funkiness."
sounds like wku has cisco's internet software...
~*~ ~*~ ~*~
yes, girls read /. too...
How can anybody over the age of 10 be so naive as to even think of asking that question?
still has access to all the systems everywhere. don't they?
Privacy is terrorism.
Any idea what prompted them to reveal this backdoor? Did somebody hack it?
It is simply, unFUCKING believable that companies and people are STILL doing this kind of shit. Have any of these morons ever heard of Cliff Stoll or read his book? Or know anything about how FUCKING STUPID backdoors are?
Truly amazing these people make things that are trusted to run the financial infrastructure of this country.
Simply add a 'reset' button. Or something like that handy little jumper you can switch on your motherboard in case someone forgets a bios password.
A backdoor as cisco has is unacceptable in every way.
// "Can't clowns and pirates just -try- to get along?"
A workaround is a configuration change a user makes with the existing software, a software upgrade is, well, a software upgrade. Some admins would rather use a quick workaround on a production system instead of taking the chance that a software upgrade will introduce a new bug.
The grass is only greener, if you don't take care of your own lawn.
That boss of mine whom I hated told me that CISCO was the best. I told him it wasn't!! We'll show him now!!!
In case you didn't know. I tried to get the source from Cisco but ran into a lot of hassle.
"They're not tricks!"
Backdoors are Not secrets!
A workaround is a simple method of fixing the problem without patching the software. Usually it involves configuration changes, disabling parts of the software, or even firewalls. For this particular problem it's easy to see why there's no workaround.
The fix is a software patch. Many admins prefer a workaround as a short-term solution (can change simple config in a few minutes). A software patch is obviously more complicated, and often has higher impact on other services.
AccountKiller
dude... backdoors are cool; it's that cloak and dagger shit I am too young to have been able to participate in. Knowing your shit when it comes to computers was much cooler when there were no laws that said hacking was bad. HACK THE PLANET!!!
OK, back to reality now, yeah, that's pesky... back to using the old desktops as routers now. Oh well.
I haven't posted in so long, my sig is out of date.
Maybe they considered it an Easter Egg???
The / in
Now bow to me, your new overlord (at least until the next /. topic is posted!)
Mod +5 Drunk
I have worked for 6 or 7 different companies that build either comm boxes or control software, and each and every one has had built in backdoors.
It's not just Cisco, it's a common practice in the industry to give their field people a way to get into the box (or program) when the customer screws it up.
Backdoors that, often, have access to functions far beyond what the customer knows about, and in many cases are able to really mess up the device if used incorrectly by a tech who is not an expert.
On the flip side, I was working as a level 3 tech for one now out-of-business large computer company, and it was not uncommon to get a call from a customer asking if we could break into a box and reset passwords for them since they had "lost" the passwords. They need to get access without doing a full reset and losing the configuration information since the box is in a production environment.
So, they put a modem on the diagnostic port, I dial in, do the magic, and make the customer happy.
So, yes, it is a security hole, but it is also something that customers are happy about when they need it.
----- Lotus Super 7 - A real car.
Could be the case that this product was acquired by another company rather than developed by CSCO? It's my understanding that they buy lotsa startups, so there could be a backdoor in this line of products but not necessarily into everything that CSCO makes.
It could also be possible that the backdoor was inserted a long time ago (before the acquisition?) and then left there, till someone found out.
Ironclad Security only exists when you have Chuck Norris on the shift. Do we really have to discuss this? (Plutonite)
Let's just imagine someone posts in a messageboard, or chat room, that they're having problems with their DSL modem.
"Can someone help me, my laptop won't access the Internet but my desktop will."
"What are you using to get on the Internet?"
"You mean like cable or DSL?"
"Yeah"
"Oh I have DSL"
"What kind of modem is it"
"BitTronics 200M"
"Hrm...."
Then you bullshit with them for a little, have them ping the gateway, whatever. Meanwhile, you're on BitTronics website, downloading the PDF file of the manual for that modem.
Two minutes later, you've used the default name/password to get in the modem, and you can do a number of things. Upload a garbage file for a firmware update, and hose it, disable routes, shut ports off...While you're in there, most routers/modems will let you telnet to other hosts on the LAN. Time for fun with HP JetDirects!
What do you do next? Do the same thing to the whole block of IP's, since more than likely, they've all got the exact same modem.
I'm a back door ma-an!
The consumers don't know, but the Cisco guys, they understand!
Sorry, I felt the need. Jim Morrison may be rolling in his grave, but that's only if you can hear me actually "singing".
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?
Yes. They have to keep an eye out for their customers. However, there are two ways of getting around this:
Password can only be entered while someone is physically present - so you have to press a button on the device, then login with back door in the next 30 seconds. This proves access, and any company that has poor physical security is not likely to care about network security.
Second, use challenge-response password mechanisms. This prevents a 'global' backdoor, while still giving the manufacturer the ability to gain access. The user enters a generic name/pass ("lost", "password"); the machine then responds with a 128 bit (hexadecimal) number (randomly generated) and the user provides both the serial number and this random number to the company. The company responds with a correct response (another 128 bit number, perhaps) and the device allows access.
Combine either or both of these two methods with a "reset configuration to factory defaults when back door is used" and the company can claim that they are as secure as can be, without preventing the occasional user complaint that the hardware is a doorstop because some subadmin made a mistake changing the password.
-Adam
The advisory (that link in the story) was pretty clear that there isn't a way to disable the use of this backdoor without a firmware upgrade.
Kinetic stupidity has a new brand leader: Allen Zadr.
4 people jumped in and corrected this, but for some reason it keeps getting bumped up!
I was called by an apartment complex that offered broadband to tenants. Apparently, one of the kids (mostly college students) had taken a networking class or something, and telnetted in to the switches, and screwed a bunch of stuff up.
Of course, he changed the password to who knows what, so we had to call Nortel up and read them the serial number from each switch, and they gave us a backdoor password. I believe it was generated by a program they had. We had to verify proof of purchase and everything with the company, but who couldn't forge an invoice from CDW or Insight?
But seriously, it only affects WLSE and HSE software, my brief investigation tells me this is not the software that the Linksys devices run. Someone correct me if you have contrary evidence.
my apartment has a front door and that doesn't surprise me, but seriously...
I can't say that I'm shocked by this. I'm sure they just wanted an easy way to help users with their hardware if they really screwed it up, but it looks like Cisco has screwed up.
We maintain a very substantial annual contract with Cisco. I can tell you that while our service has varied a bit in terms of engineering skill over the years, overall it has been outstanding. They maintain, by and large, the most thoroughly documented product base of any major hardware vendor.
Second of all, when you read those two bug toolkit IDs, you will notice that there are patches directly available to fix the problem. Oh no, not a patch. Pfffft.
>Just like we can't trust closed-source e-voting software [when] it comes to our republic (the U.S.:), we can't trust closed-source vendors whose systems power our infrastructure...that, without, the world would cease to function as it does today.
Taliban leader speaking:
OK troops, here's what we'll do; we will sub-contract from the Pakistanis that are sub-contracting from the Indians that are sub-contracting from the Americans that are outsourcing their I.T. operations, and when WE are the ones coding everything for the Americans, we slip in trojans, viruses and everything else we can think of to screw with their heads!
Once they are all helpless because they've outsourced all the jobs that require an education, we show up and sell them all Edsel automobiles and when they've all killed themselves on the road, we simply take over the country.
Simple.
I don't know the meaning of the word 'don't' - J
The InterBase backdoor wasn't found for quite a few years, and only then because the thing went open-source. Could it be that companies are stopping themselves from going open because it would reveal their backdoors?
that other vendors don't also. The two aren't mutually exclusive, and this event does absolutely nothing to prove that other vendors are any more trustworthy than they are. Possibly the other vendors are just quieter about the issue.
Indeed, it's a common way of letting support staffs fix products. But I'm a little surprised it is still going on.
Hmm.. It seems like people are overlooking the BIOS backdoors that used to be put in (still are?). Not ever having used the WLAN feature on my systems, isn't this an old issue on a new(er) device?
Ever occurred to you that the reason it gets lost is that the perception is it has no value.
How many people lose their new Rolex within a few days? Let them pay for the cost of a re-setup.
The argument that this will lead to shoddy safety internally as the password will be written on a Stick-it note on the box, is not valid. They have themselves to blame and the risk does not get foisted onto someone else.
Help fight continental drift.
Cisco IOS routers don't have to have a "master password" backdoor; they have a well-defined process for password recovery (typically you connect to the console port, interrupt the boot at the firmware level, and change a register - then you are in with no password and can reset it).
Another example: Livingston PortMasters also don't have a "master password" backdoor. You hook up to the console port, flip a DIP switch and use a special login. That issues a challenge string, which you then send to Livingston (or now portmasters.com). You get a response string and use it to log in, and then you change the password.
The common assumption is that full physical access implies ownership; that is a reasonable assumption (since if someone can get at it, they can take it).
Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?
Simple question, with an even simpler answer: No.
If you want to be wordier, you can make the general statement that the reason for closed source is that there are things in the source that the vendor doesn't want you to know about.
Those things may be innocent, such as debugging hooks, that you'd probably approve of if you knew, but which they don't want made public because then competitors' support people could sabotage the equipment during a support call. Or they could be not so innocent, such as collecting data from your network for commercial use (i.e., selling it to your competitors). Or maybe they don't want you to see the low quality of the code.
But if the source is hidden, there's a reason, and the reason can be summarized as "They don't want you to know about something in there."
If you have any security concerns at all, you should follow the advice that the security folks have been giving for years: Don't run software unless you've compiled it yourself (preferably using a compiler from a different vendor). Otherwise, you have no way of knowing what's hidden inside the binaries.
Of course, in whatever passes for the Real World around here, some vendors are more trustworthy than others. We've had few actual problems like this with open-source vendors, though there have been a few incidents. It's a lot harder for an open-source vendor to get away with such tricks for very long.
But in general, you should be aware that if they don't want you to see the source, there is probably a good reason.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
How long will it be until someone takes the update, compares it to a past version of the firmware, and then discovers what the username/password were...
No
If someone says he and his monkey have nothing to hide, they almost certainly do.
Read it here. It is one of the scariest articles I've ever seen. And yes, I have copies of gcc source dating back to the late '80s that I could use to bootstrap myself back up to the current version without whatever might have been inserted along the way.
admin/nopassword ... ??? (just kidding!) Perhaps it's unkind to Cisco to think that if they were so stupid as to do it once, they're stupid enough to do it twice, but one never knows.
"My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
This is the most idiotic thing I have ever heard of! This is another good reason why admins need to get applications, servers, and utilities in source code form, audit the code for garbage like this, and compile it themselves.
...of the phrase that President Reagan used to tell Gorbie all the time "Trust, but verify."
Cisco has been a major player for a long time, so we have a de-facto trust relationship with them, but we need to be able to verify their account guarding. All they need to do is open the firmware up and let the million eyes peer through it. Any vulnerability detected and not reported by one will surely be caught by another, and assuming he's not trustworthy either there are still more eyes. Quis custodiet ipsos custodes. The only problem is if the flaw doesn't exist in only flashable firmware (i.e.: in hardware someplace that can't be modified at all)--then that would be an issue. I think we can trust the Cisco hardware, it's the flashed system that needs to be checked.
So, Cisco, how about opening that up? Come on, be a pal....
This is the most fundamental problem with closed source: even if the underlying code is 100% perfect, bug-free, and wonderfully coded, there is no mechanism to prevent the last developer with sign-off on a project from slipping something nefarious in as code goes into "release" status.
I say this because, IMHO, Cisco's customers generally trust both them as a company and their products. In short, they've done a good job, for a closed source firm, of keeping the perception that they run a tight ship and keep their corporate nose clean.
That said, this is a ding, no doubt, but the bigger question here is while this backdoor was arguably somewhat obscure, it still existed. Even if no one "on the outside" ever learned of its existence, its very existence is troubling.
This is the type of thing that typically would have been caught in no time by the average open-source code-troller (much less a developer) quite quickly.
Sure, Cisco has a decent name, but what about companies that don't have the positive overall goodwill/reputation that Cisco does?
The notion that closed source software is "just as good" or even "more secure" is just plain wack-a-loo. (You can quote me on that.)
----------
Nope. Not gonna do it. Wouldn't be prudent. Not at this juncture.
I only made it to (Score:3, Funny) before I decided it was likely bogus...
One more reason to hate cisco equipment. They may have made a name for themselves in the router business, but they need some help in the ethernet and wireless business. Their switches are garbage for the high price that you pay. You would think that you are getting a lot for the money you pay but what you'll find is that you have to buy more just to get the same features that are in the 3com and netgear switches at much lower prices. They act like they can write their own standards and not conform to others. They are the M$ of networking, and this just proves it. I'm sure the same can be said about Windows *
A: Because it ruins the flow of conversation.
Q: Why is top quoting retarded?
I doubt a newfound sense of benevolence initiated this admission.
Something they couldn't buy off or threaten into silence most likely.
Backdoors are very common in embedded devices so you can bootstrap the system. They should have covered this better, but it is probably not an evil conspiracy. It's probably just developers and testers trying to do their job without a lot of security shit that makes everything take longer and be more difficult.
There will be no wholesale move off of Cisco products. Why?
Let's roleplay the conversation between the CIO and CEO/COO:
The bottom line is, most CIO/CTO's of non-IT companies could give a flying f**k what runs their networks as long as it works, stays up most of the time, is not too expensive, and is recommended.
ACHTUNG! Das computermachine ist nicht fuer gefingerpoken und mittengrabben. Ist nicht fuer gewerken bei das dumpkopfen.
No no, they put a modem on the rs232 analyzer that's in their modem port. You "do the magic", they send the recorded bits off to alt.hack.yerEmployersAboutToDie and voilà. In a few months you're lining up with all your former coworkers at the local unemployment shop while management sorts out the cords on their golden parachutes. bk425
hell, be glad at least that cisco even mentioned it.
Alcohol & calculus don't mix. Never drink & derive.
BSD licensing lets vendors modify it without releasing the source of their version. So what's to stop FooNetCo. adding a backdoor to their version of OpenBSD and shipping that?
We let our users password-protect their databases. So of course they lose the passwords and we have to have a mechanism (challenge-response) to let them break in and reset the master password.
The problem is, how do we know the person asking for this service is the owner of the data? There's no way (that I can see) of both guaranteeing that a thief won't ask to have his password broken into and that a legitimate owner won't be prevented from rescuing his own data.
Yeah, they're really happy until the backdoor username and password leaks and their network is hacked.
There is no justification for this. If I bought ANY program with a backdoor that I could not disable, I would be outraged. What's the point of any security if an immoral employee can break right through it? Or more importantly, if my competitors/hackers/the government can break right through it after bribing said immoral employee.
Ridiculous.
I've got the same combination on my luggage.
Apparently his company was approached by Cisco on the feasibility of using their GPS chips in "all of our [Cisco's] upcoming products." From the discussions, it appeared that Cisco wanted to put GPS capabilities in their routers and such, but they were being hush-hush about it, implying that this wasn't to be a publicly known feature.
And before you say "You can't use GPS in a data center", I should note that at least one company in that field has a chipset which is known to work well inside of buildings. And ethernet cables make huge antennas.
On the other hand, Cisco's backdoor can be accessed remotely and wirelessly. So physical security will not help.
Kinetic stupidity has a new brand leader: Allen Zadr.
Routers and switches can simply be switched off and then hacked as they boot up. This has been around for a long time.
However, I am surprised to see it like this for a WLAN product, because now someone can sit in the parking lot and hack themselves into your company's bandwidth.
The Cisco Kid was a friend of mine / The Cisco Kid was a friend of mine / He drink whiskey, Poncho drink the wine...
A quick twelve-step program and Cisco should be all set to take Microsoft's lead and usher us into the age of Trusted Computing.
This is my post. There are many others like it. If you don't like what you read here, go try one of the others.
It's much more likely that this was installed by an employee who thought it was a good idea (for any one of a thousand reasons), or by a product manager who similarly thought it a good idea.
Whatever the reason, I suspect that whoever did this will have poor career prospects with Cisco.
As long as the backdoor only works when you go through a certain channel (diagnostic port) that normal traffic can't use, then I don't see a problem with this.
(Disclaimer: I have no idea what a diagnostic port is.)
A Cisco exec should do hard time for this.
on the device (that only resets the master password not the entire config) or let it load the password from a PCMCIA or similar device?
For devices like switches this should work just fine since most of them have physical security.
DAMN! I just gave away my password.
The Raven
That's my luggage combination!!
Snapgear!
Open-source, uClinux based routers, VPN solutions and OEM products!
We use a two key system for our backdoors. If the user needs a support engineer to log in and undo the damage, they have to create the account themselves. Only then do we have access to the backdoor. Once we're done, the user can delete the account.
Seriously, why should only the criminals know this stuff? Why can't the rest of us know it, too?
If all this should have a reason, we would be the last to know.
From the Slashdot story: "Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
This should be shortened to: "Can we trust closed-source vendors?"
History has shown that we cannot.
Take Microsoft for example. LUGOD maintains a list of stories about Microsoft abusiveness: Reasons to Avoid Microsoft. I counted more than 200 in 2002, and things have gotten worse since then.
(This seems to be one of the few times that Open Source advocates have invented an interesting name: Linux User GOD. Sounds like a new religion.)
Part of the problem seems to be that, eventually, closed-source vendors begin to be controlled by managers who have no technical experience. Such managers can help the company make more money only by abusing the customer, because they don't know enough to contribute to technical improvements.
Why has Google risen to prominence so quickly? Partly because they know what they are doing technically. But largely because they have a policy of "do no harm". It's a simple policy, but most managers are not able to come to the conclusion they should follow it.
Most managers seem to have received their training by mimicking the abusive, ignorant PHB in Dilbert cartoons. Think what a terrible world we live in that Dilbert is considered funny!
I know most Open Source developers are uncomfortable with this description, but they approach their work as an act of love. Whatever the reason, history has shown that they are far more trustworthy.
You mean that Cisco is so retarded that they put in a default superuser that can't be changed or disabled? I hope it's a different password for each box, else I'm never touching anything made by Cisco again.
Any company stupid enough (and I don't use the term stupid lightly) to think that 1) a backdoor is not simply a good idea, but so necessary that it should never be disabled and 2) that information like the username and password wouldn't get out, doesn't deserve to manufacture products that other people buy.
Next time I'm asked for my recommendations on routers for corporate sites, I'll bring in an old PC with a couple of NICs and Linux, and show them how a /truly/ secure system works.
*****
Dear Mary,
I yearn for you tragically,
A.T. Tappman, Chaplain, U.S. Army.
Hmm... Should I blow the whistle? Let's look at Cisco's 15454 gear, arguably some of the most widely deployed gear for SONET communications. Yes, 30+ thousand boxes flittered all around the globe. Want to know a read/write user/password that is also hardcoded? I'll take donations... Do I have takers?
Why? Do you think people should have to throw away multi-thousand dollar boxes because someone lost the password?
Physical security goes hand-in-hand with infosec. There's a reason that physical security is part of the CISSP. If you can get physical access to any system, you can get in. Having a "back door" that's only accessible when physically connected to the system is a common mechanism (now and for the foreseeable future) of performing password recovery.
Chris - CISSP, CCNP, RCIE/RCSI, MCSE, CNE
This isn't a let down for Cisco or a boost for open source. It's a common thing for any system to have a default account, root (linux) Administrator (Windows) admin (routers/switches/etc), just change the password!
Anyone who operates any multiuser device and doesn't read the manual, and that first page that tells you to change the default password, deserves to be hacked, prodded and slapped around the face, neck and buttocks.
Find out here. It's not the router. It's not the radio. It's not the switch. It's the management platform that you can use to monitor your wireless connections. Why any company would allow network access to this device from an unsecured network is beyond me. Still don't know why it's front-page news, besides the fact it gives us a chance to bash closed source systems.
Cisco is bad because it doesn't sell open source solutions?
No, Cisco is bad because they stuck a backdoor into their product that potentially fucked over a bunch of their customers.
I bet half your jobs depend on cisco.
And what kind of half-assed argument is that? Just because people use their products doesn't mean that their jobs depend on Cisco. Cisco can be ripped out and replaced just like most vendors. Get some Foundry or Nortel equipment.
Oh yeah, and fuck you too.
Where's my lobbyist? Right here.
lol
Username: debug
Password: synnet
This isn't an open / closed source issue. This is simply sheer negligence and stupidity on Cisco's part. It is hard to believe that ANYONE in this day and age would leave back doors in shipping code. What is worse is the statement that the back door cannot be disabled. This borders on criminal stupidity. This is a complete lapse in management and development oversight.
Most F500 companies have language in all agreements that make the vendor attest that there are no back doors in any product. Cisco is going to have to fix this, and likely bear whatever cost is related, including replacing units. And their liability for any security breaches and losses that are a result will be large. Since someone has already posted a "how to" to exploit this, we can expect that people will.
Just amazing. My faith in Cisco is greatly reduced. They need to explain to the community how this happened, whether or not there are other products that have this issue and what they are doing to make sure it doesn't happen again.
The obligatory reference to:
Reflections on Trusting Trust
by Ken Thompson
http://www.acm.org/classics/sep95/
:level 3 tech casts silver modem at level 2 bug.
:level 2 bug takes damage.
I had stupid fast typing, so the correction is important.
Don't sweat it - I don't even use the 'enemy' setting.
Kinetic stupidity has a new brand leader: Allen Zadr.
You can't trust open source either.
No electrons were harmed creating this post, though some may have been subjected to electrical and/or magnetic fields.
Yeah, the ones where hackers end up in jail (where Cisco employees should now be)? And the corporations win? Those so pissed me off. I think Cisco deserves what it is now getting for being so bloody arrogant.
http://www.itsecurity.com/dictionary/nsakey.htm
>I highly doubt that they will be embarrassed enough to have learned a powerful life-lesson.
I admit this is anecdotal.
A penetration tester at a local consultancy spotted a Cisco vulnerability and reported it.
He got an acknowledgement from a human and a thank-you when the fix shipped a little while later.
Cisco's a big enough company to act inconsistently, but they've certainly been known to do the right thing.
So, yes, it is a security hole, but it is also something that customers are happy about when they need it.
That's great, and I'm sure your customers appreciate it. But does it have to be 1) undocumented, and 2) on all the time without the option to be disabled? No, it doesn't. The customer should at least have to flip a switch to activate it. But because it doesn't work that way, ol' Fred has to always be looking over his shoulder and running his packet sniffers 24x7 because some manufacturer may have decided to include a major, trivially exploitable security hole on his hardware.
I don't buy the "that's the way the industry does it" excuse. Obviously (judging from some of the other posters here) there is a better way to do it. There will always be a better way to do it.
Fred
"A fool and his freedom are soon parted"
-RMS
I'm assuming you're talking about PLCs and SCADA systems - which are typically custom designed for the job/client. There's a big difference between that and the backdoors in those kinds of systems that apparently your customer knew about, and this Cisco bulletin. This is much larger in scale with a large well-known company and a large staff (potential spilly-talkers) and affects perhaps thousands of customers who did not know they had backdoors. Consequently the security implications are much more severe. If I have access to the custom built PLC in, say, a sewer pumping station - whoopdeedoo.. sure I can cause damage but my ability to cause damage is likely limited to that particular system and the information is probably damned hard to come by (I would hope). Plus I think it's safe to say I'd be a lot easier to catch since there's probably only a very limited handful of people who ever had access to it in the first place.
They've had previous instances of this, in both the Cisco designed products and in stuff from vendors they bought. I was rather horrified to find out that there was a backdoor password into one of my customer's ATM switches (a large bank), and I wouldn't have discovered the fact except the support technician at Cisco was in a hurry to close the ticket I had open. (The customer had rightly changed the enable password, and I couldn't track down the guy who had the new pw).
Erm, reset button? that requires physical access to the hardware. Having highly important network hardware with a backdoor is risky these days. You'd be better supplying password recovery software which operates on the console port.
The logic was that having no wireless network at all is less secure than deploying a Cisco wireless network with the Wireless LAN Solution Engine, with the enhanced logging features and ability to monitor RF and detect rogue APs and the like.
Now that "Capital Requisition" (WLSE, APs, antennas) is headed for the circular file...
I do not deploy Linux. Ever.
... microsoft and that joke fine they got, where they could print their own money-vouchers.
Uh huh, they were "punished"
I got me a WHOLE ROLL that says reynolds on it, and I tell ya, MS cut a deal with the feds/spooks, there's back doors to the back doors in their stuff, and will be, for many moons...
bet a voucher on it...
After so many firmware upgrades and security holes, I decided to rid our company of cisco routers altogether and replaced them with linux boxes. So far it's handling our 100 Megabyte pipe with no problems. Our company peaks at 40 Megs per second every day. I've been really impressed with my linux box.
Is there anyone else who has done the same?
"If a show of teeth is not enough, bite
When I first read that I was like totally blown away. Today, I have root on 37 PCs.
..you do realise that when you're doing this service to them, they are already basically giving you access to the device by hooking up the modem to the diagnostic port?
that is QUITE different from what cisco was caught doing now. If you could have just telnetted to the boxes from your home through your normal internet connection, and there would have been backdoors to make that possible, THEN you would have been getting near to the seriousness of what's going on now.
Disclaimer 2: Any opinions expressed here are mine. I don't speak for Cisco. You knew that already, right?
I find the thesis of the original article somewhat dubious. We jump from "here's a security advisory" to "Can we really trust closed-source vendors?". Yes, with open source you have the ability to scrutinize the code to search for security holes and other problems. However, do you actually scrutinize every piece of code you download? Do you never download any prebuilt binaries from anywhere -- images that could easily contain suspect modifications that you might not know about, even if you did scrutinize the source you think those binaries are built from? In short, I find the presumption of safety when dealing with open source somewhat unwarranted. Don't get me wrong; I like open source. My own computers are all Linux-driven boxes. But I didn't examine all the sources, nor compile the entire system and every application set from scratch. I doubt most of us have.
Reading some of the replies already made on this thread, I notice that many seem to assume intent, even malice, on Cisco's part. I seriously doubt either is the case. Some other possibilities:
- Some early testing code which someone forgot to remove.
- Something we inherited from an outside party, and failed to catch.
and of course, the obvious possibility of simple stupidity (some would probably argue that the above two points fall into the 'stupidity' category too). Regardless of the cause, I think it is probably more likely an error on some individual's part rather than an intentional action of any group, much less the company as a whole. I have no more knowledge about the real source of this particular gaffe than any of the other readers here. Still, I know the products I work on, and that none of the developers I know of would ever try slipping a back-door into code, or even intentionally let any security hole into the code. Indeed, we take security issues seriously and try to fix any problems we know of as fast as possible. Consider that we have stock and stock options. We want our company to do really well, and make us all fat happy campers. Gaffes like this are just plain bad business. ;-)
<subliminal>Buy Cisco! </subliminal> (sorry, couldn't resist)
Idiotic and wholly unintentional double negative in the first sentence giving the whole thing the reverse of its intended meaning. That's what happens when I post out of the corner of one eye when my attention is really on the book I'm reading.
"Four Wings and A Prayer." Nice little popular work on Monarch butterfly migration. Written by a woman who lives just up the road from me apiece. I give it a hearty recommendation for anyone who might be vaguely interested in such things.
KFG
This is so terribly bad.
I've read some comments on the issues, some try to make a lame excuse to make this acceptable but this one is really terrible:
can be used for customer support
-> Bull, there are more secure ways to do that, and if so why don't we know about it and can't enable/disable this?
There is absolutely no excuse for this type of thing. Now there has been a discussion whether vendors should be fined for their bugs.. well in this case they should! This is equal to acts of computercrime!
Now.. it wouldn't be fair to fine companies for an unintentional bug, but this case is so obvious that it's a crime.
Even if this was some act of a malicious programmer, then I think Cisco is responsible for finding out who did it and bringing him to trial!
The Pope is Polish and bears crap in the woods.
Clearly exactly the same situation as this huh ...
The following belief enables me to sleep at night:
There are many eyeballs at work at each level of hardware and software because large hardware/software projects are necessarily collaborative efforts.
Keeping malicious secrets in projects involving lots of people would require serious coercive control that most people naturally find repugnant.
It only takes one super-paranoid out of a million end-users to uncover a strange login attempt via some unconventional means. Then it becomes known to everyone. The risk for getting caught is very high, IMHO.
I can't believe that ALL router vendors ALL AROUND THE WORLD, for example, would conspire to hack their hardware in exactly the same way. So if someone wanted to be super-paranoid, they would buy some random kind of external packet auditing system and apply it to an arbitrarily chosen hardware/software configuration.
Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?
Well, we certainly can't trust Cisco anymore. The reason is because trust is built up by having the ability to screw up and then not doing so. Cisco has clearly violated the trust of anybody who wanted a zero-backdoor product, and I submit that this breach is one that cannot be recovered from.
However, I certainly understand why Cisco insists on there being such a hard-coded full-control backdoor. If you ever lose possession of the root password, you are screwed and you can turn a big-dollarsign router into a paperweight. It makes sense that Cisco should be able to swap your locked-up router for a like part in its default settings, and then be able to recover most of its value as an "open box" "remanufactured" item since there was nothing wrong with it other than an unknown password that since has been reset.
Really, I'm not mad at Cisco for having backdoors as much as the fact that they refused to admit that there were secret backdoors.
"Trusting every aspect of our lives to a giant computer was the smartest thing we ever did.." Homer Simpson
If you read further, you would note that Cisco has already released patches for the problem.
If you had ANY experience with cisco security vulnerability disclosures, you would realise that cisco's definition of "workaround" means "a way to avoid the problem without applying patches or updates", because many cisco customers aren't able to apply patches the second an exploit is announced due to down time / planning / change control measures.
Just because it says there is no workaround, it doesn't mean there isn't a fix. And there is, in this case, which is clearly linked to in the article.
And before someone replies with "you're new to slashdot aren't you", no, I'm not. I'm used to this sort of reaction from the slash community. Normally there are a few sane people that get modded up by correcting the knee jerkers, but this time it looks like everyone is preaching "every cisco switch and router has a built in username and password that can't be disabled"
I just heard some sad news on talk radio -- Radio Talk Show host Rush Limbaugh was found dead in his New York home last night. The coroner has not yet officially ruled it a suicide, but apparently that's what it's going to be ruled.
I'm sure everyone in the Slashdot community will mourn his passing -- even if you didn't agree with him, there's no denying his contributions to popular culture. Truly an American icon.
I was thinking
userid "ganes" and
"Joshua" for pass
every day http://en.wikipedia.org/wiki/Special:Random
Back in the early Unix days CC when it compiled login.c would insert a back door for the developers.
Enterasys/Cabletron devices all have back door passwords for when the user loses their passwords, and these are burned into ROM and not changeable or fixable.
Do not attribute to malice what stupidity will adequately explain. In this case I think the backdoor was stupidity inserted by a developer as I recall an experience where a Cisco SE was locked out of one of these boxes and needed to use the password recovery mechanism to get in (yes the HSE and WLSE both have a power it on and apply secret handshake mode) to recover lost passwords.
A developer probably inserted this while testing the login modules (there are 5 authenticators only one of which is active at any given time) for these boxes so if they failed they could still get in and subsequently forgot to remove the backdoor.
Yes I have given up too much of my life configuring these boxes! and I am having a bad month when I do not get at least 1 bug per week listed on CCO.
The standard solution to this problem is to have the password be the serial number for the box, which you can read off the tag on the back. That way, somebody who has physical access to the box can still crack it, but you can't just attack an arbitrary box from across the Internet, because the formula depends on something that a random cracker won't know. Another variation is to use the MAC address for the box, which can be gotten by other boxes on the LAN, but is still mostly safe. And many types of hardware only let you use the administrative login from a specific port, typically a serial console port or the LAN side of a firewall or something, or only let you use the administrative login within N minutes of rebooting the box.
Somebody else mentioned the option of having a unique password that's based on the serial number of the box, which you can only get by calling the manufacturer. That's useful for your paid-option problem as well, and you can either keep a database or have the formula be "hash the serial number with a password that only the manufacturer knows", implemented in some cryptographically strong fashion. The customer will normally do the administratively correct thing, which is to write the password on a yellow sticky note and tape it to the top of the box.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
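The serial-number recovery scheme described in the comment above (a keyed hash of the serial that only the manufacturer can compute, accepted by the box only on the console port and only within N minutes of a reboot), as an added Python example; it is not code from the thread or from any vendor, the serial number and manufacturer key are constructed placeholders, and the device is assumed to store only a hash of the derived password so the manufacturer key never ships inside the unit.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass

# Constructed placeholder for the manufacturer-only secret; a real vendor keeps
# this in an HSM at the factory/support desk and never on the device itself.
MANUFACTURER_KEY = b"placeholder-manufacturer-secret-not-a-real-key"


def recovery_password(serial: str, key: bytes = MANUFACTURER_KEY, length: int = 16) -> str:
    """Manufacturer side: per-unit recovery password = HMAC-SHA256(key, serial).

    The serial alone (readable off the tag, or guessable) is not enough: without
    the key, nobody across the Internet can compute the password for an arbitrary box.
    """
    mac = hmac.new(key, serial.encode("ascii"), hashlib.sha256).digest()
    return base64.b32encode(mac).decode("ascii")[:length]


def recovery_verifier(serial: str, key: bytes = MANUFACTURER_KEY) -> bytes:
    """What is burned into the unit at manufacture: a hash of the password, not the key."""
    return hashlib.sha256(recovery_password(serial, key).encode("ascii")).digest()


@dataclass
class Device:
    """Device side: the recovery login honours the restrictions the comment lists."""
    serial: str
    verifier: bytes                  # burned in at manufacture, see recovery_verifier()
    boot_time: float
    recovery_window_s: float = 300   # "within N minutes of rebooting the box"
    max_attempts: int = 3            # lockout until the next power-cycle
    attempts: int = 0

    def recovery_login(self, candidate: str, via_console: bool, now: float) -> tuple:
        """Return (accepted, reason). Only a console session, shortly after boot, may try."""
        if not via_console:
            return False, "recovery only on the serial console port"
        if now - self.boot_time > self.recovery_window_s:
            return False, "recovery window closed; power-cycle to reopen"
        if self.attempts >= self.max_attempts:
            return False, "too many attempts; power-cycle to reopen"
        self.attempts += 1
        digest = hashlib.sha256(candidate.encode("ascii")).digest()
        if not hmac.compare_digest(digest, self.verifier):   # constant-time compare
            return False, "bad recovery password"
        return True, "ok: admin password may now be reset"


def manufacture(serial: str, boot_time: float = 0.0) -> Device:
    """Constructed factory step: compute the verifier and ship the unit without the key."""
    return Device(serial=serial, verifier=recovery_verifier(serial), boot_time=boot_time)


if __name__ == "__main__":
    box = manufacture("SN-EXAMPLE-0001")        # constructed serial number
    pw = recovery_password("SN-EXAMPLE-0001")   # what support reads back to the owner
    print(box.recovery_login(pw, via_console=False, now=10))   # rejected: not on console
    print(box.recovery_login(pw, via_console=True, now=900))   # rejected: window closed
    print(box.recovery_login(pw, via_console=True, now=10))    # accepted
```

The obvious caveat this model makes visible: every unit's recovery password is derivable from one manufacturer key, so a leak of that key is a fleet-wide compromise, which is why the console-only and post-boot restrictions matter as a second layer.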
Just to put things into perspective:
you = silly linux hippy on slashdot, tinkering away at a dying OS.
cisco = 1 trillion dollar corporation that could have you arrested and shot for their CEO's amusement.
none of the people who make the buying decisions will ever hear of this news item. and no losers, your "isp" that is run out of your mother's basement with its cisco adsl router (sitting next to a semen encrusted sock) does not count! you are not a "CIO" or power player whose purchase decisions are going to influence cisco.
if cisco chooses to require you to wear a microchip in your forehead to access a network that uses IPv6 which is routed across a cisco router, then you will promptly comply like the little slave that you are. and you will enjoy it too!
i hope this mild adjustment of your world view back towards reality helps you regain perspective and realize everything you say and do is futile. the big corporations own you and your entire family. give up now.
No, but then again, you should not fully trust Open Source either. Think about all the openings that we have had lately and attempts at back doors. Do you really think that all of them have been caught?
I prefer the "u" in honour as it seems to be missing these days.
Sun have a backdoor too.
Just ask Microsoft's cock.
Intellectual Property
Intellectual: of the mind
Property: that over which one has control
With Cisco's history of buying competitors' technology and rebadging it (Kalpana XDI/CATOS, Crescendo, Aironet, PIX/Finesse OS, Lan2Lan, etc), this sounds like a leftover from one of their acquisitions. Not familiar with either of the 2 affected offerings, which is why I ask.
Cisco's password recovery procedure can be disabled from Rommon, making the "configuration bypass" procedure non-functional.
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
Obviously all affected products must be taken offline ASAP and replaced with hardware from trustworthy vendors. Who's going to pay for all of this?
I heard it was "cmdrtaco" and "gnaa", but I don't have access to any Cisco equipment, so I can't try it.
eom.
... we all have backdoors! Nobody will ever figure out the password to my backdoor though!
Uh. So I capture the serial connection, give you a call and .. there comes the master password?
you were running Cisco VPN server at your site. What's the IP address again ?
bin
look siG is kool
When they can't support a protocol, they invent a better alternative. Instead of just redundant routing, they made CARP with cryptographically secured redundant routing.
Look for it in 3.5.
You can't judge a book by the way it wears its hair.
Think about how many people keep up with their "ownership rights" aka the license and service contracts. Panicked ceo's and cisco trained tech's are gonna go batshit to pay up. All of mine are behind firewalls. I like iptables.
This is bullshit news.. anyone that has ever worked with a cisco product or been in any type of "underground" site, will clearly see that default cisco/pass usernames have been used for AGES by cisco, and are well documented.
Hrrm... I usually just sign my name.
In 1988 the name Echelon was defined: "Eavesdropping on Europe":
October 1998 : "In October, Europe's governing body will commission a full report into the workings of Echelon, a global network of highly sensitive listening posts operated in part by America's most clandestine intelligence organization, the National Security Agency."
"British investigative journalist Duncan Campbell was the first to report about Echelon in a 1988 article in The New Statesman. He believes that there is a very thin line between intelligence gathering and commercial espionage."
Wasn't that the guy who was put behind bars by the British Queen?
Some time ago Cisco announced IOS was highly vulnerable to hack attacks, so they said : "download new fixed IOS version today!" But didn't they announce a press release that future IOS releases would contain FBI Fed hookups?
The story on that is here: "More on Cisco Building Surveillance into Routers". They talk about eavesdropping that 'must be undetectable', and such. Well now! Not so long ago a customer wanted a more powerful cisco router, basically going from a 1603 to a 2600 series router.
We already had a cisco 2610 running which has 64 MB RAM in its default configuration. I checked but only the cisco 2610XM was available (now 6 months ago), which, highly interestingly, has 128 MB in its default configuration. The best part was that a brand new cisco 2610XM at cisco's was even cheaper in price than the older cisco 2610, which cisco didn't sell anymore, but was only available on ePAy or from refurbished cisco resellers.
Robert
A Slashdot comment is not a full-length essay. It doesn't say everything the author thinks. A Slashdot comment must be interpreted in the best possible fashion. Try to derive some positive meaning from each comment.
I'm not saying ALL computer companies have become abusive. But many, many have. Look at the situation with hardware. Dell often heads the list of hardware companies for abusive behavior in Ed Foster's Reader Advocate column. Dell is number 1 on Foster's Gripelog Hall of Shame Pain Index.
We are witnessing an extremely serious social breakdown. Consider Enron, Worldcom and Tyco.
It's a sad phenomenon that, when someone tries to talk about abuse, the abused begin fighting among themselves. That only assures the abuse will continue.
can you provide some kind of a link for that?
or a router to test it on?
no 127.0.0.1 is not funny in this instance
You're just jealous because you can't predict which virae will be released next week and charge extortionate prices for securing your clients from them before anyone else knows they exist...
To all of those who have had a Cisco tech in their department because some appliance showed weird behaviour, it should be nothing new that there seem to be a lot of hidden features in IOS. The many times they have hacked some "magic code" into the device and then restored data which should have never been there in the first place does seem to suggest there is more to IOS than meets the human eye. In my particular case there even seems to be a very special debug and diagnostic mode nowhere mentioned. The VPN Concentrator we used could only be "fixed" using that mode to determine the failure. While that does not seem to be as much of an issue as a hidden user/password, it does make you think what can happen when user/password + debug mode are used to crawl around the innards of your devices...
That said, the propagation of problems from this will be from people who buy this type of equipment, but don't hire a Cisco admin at all. In Soviet Russia, the wireless network hacks you. That's to say, when I find my network is being 'worked' within the next several months, chances are, it'll be from one of these switches - where someone gave themselves access, and are now attacking me from the parking lot of "joebob-widget-mfg.com".
Kinetic stupidity has a new brand leader: Allen Zadr.
I don't get the point though, once upgraded - the vulnerability (or known backdoor) is closed, so a downgrade would, in theory, have to be a conscious decision on the part of the administrator of the equipment.
Kinetic stupidity has a new brand leader: Allen Zadr.
You are right about the TACs, though my favorite is the Brussels one. Especially if you get a female engineer on the other side....
Once Cisco's support made me feel somewhat guilty. I called in a hardware replacement request and sure enough the guy shows up in about 3 hours. However, later on I found out that one of the worst blizzards ever was going on outside (I had been in the datacenter the last 16 hours).
my business runs some cisco wireless equipment and i want to test to see if this is really enabled on them. is cisco not disclosing the actual login/pass and just letting you know that some people may know? i want to find out and check my equipment damn it!
Based on what other people have said in previous threads, this company did it right.
A diagnostic port that is usually physically disconnected from the machine meets the requirement that only someone with access to the machine can use the back door.
It's only bad if you leave the diagnostic port connected all the time.
If you ever lose a password for an Extreme switch then you will find they have the same thing embedded in their gear. I took over a couple of large chassis type switches as part of a reorg, and I didn't have the password for either of them. When I called Extreme to get the reset procedure they insisted that I had to connect the switch to a modem or open Internet connection and let them reset the password using a secret system (read: backdoor).
Needless to say I replaced the switches with something else that cost less than the next year's maintenance and have slept much better. The sad part is that Extreme sales guys never could understand why I was unhappy with that situation.
I completely agree.
I thought that was funny. Rephrasing: "We have no other option but to accept people who are not completely trustworthy, but, of course, I choose the most trustworthy server software."
We are seeing software companies be so abusive that their business is becoming largely abuse, rather than software. It's extraordinary in business to have a business partner that can change a contract at any time unilaterally.
I have no respect for those who choose to commit suicide. Respect is earned. Writing a few decent songs does not earn my respect. The fucking loser should have cleaned up his act and taken care of his family.
So, in short...
NO, FUCK YOU SIR.
"I'm just here to regulate funkiness."