Cisco Products Have Backdoors
Cbs228 writes "A Cisco Security Advisory released yesterday admits that "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled." Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
There is no doubt that this is the sort of thing that all of the so called "tin-foil hat" crowd has been warning us about for years.
I, for one, welcome the "I-told-you-so"s from our new paranoid overlords.
On a more serious point, and on the paranoid side, I'm sure Cisco is only releasing this information because an employee either threatened to leak this information, or was misusing this information to his/her own gain...
However, if that's the case, wouldn't Cisco's fix simply change the password? I highly doubt that they will be embarrassed enough to have learned a powerful life-lesson.
Kinetic stupidity has a new brand leader: Allen Zadr.
I simply cannot believe this has happened. This is more boneheaded than what Microsoft has done for the past few years.
I am defenseless. Use your button. Mod me down with all of your hatred.
So what are they going to do for the people that purchased these?
admin/password.
I had but a simple dream, to destroy all humans.
Anything that can be exploited will be exploited. The key is to take every precaution possible--that's not possible when only a select few can see the code.
I wonder if these insecurities are in my Cisco 350 series Aironet radio card? My ISP should be informed of this if they are there.
You're right, I wouldn't steal a car. But if it were possible, I sure as hell would download one!
Cisco actually has a better track record than some other closed source vendors I could mention.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
Being able to read the code can stop this from happening.
No, obviously not when you get right down to it. Just like we can't trust closed-source e-voting software when it comes to our republic (the U.S.:), we can't trust closed-source vendors whose systems power our infrastructure... without which the world would cease to function as it does today.
But what can anyone do? Are there any open-source makers of networking hardware?
How fucking stupid do you have to be to realize that this was a BAD THING? Damn, perhaps if Cisco stopped spending so much on stupid ads and rethought its dev process stupid shit like this would not happen.
How did anyone EVER think this was a 'good thing'???
Does anyone know if this software has been implemented in any of the Linksys products?
Do they plan on releasing a firmware update? If so, how do we know they aren't going to put another backdoor into that and simply change the information? Is there a way they can make the firmware patch open source without giving away their other "proprietary" source?
-- johntracy.com, because everybody else is wrong.
"Mr. Potato Head! Back doors are not secrets!"
(According to the summary). In fact you can get new firmware, and it's free for everyone so long as you go through the channels. Fair play to Cisco (or at least, well done for recognising a public-relations disaster when they see one!)
I can see why it's useful to have a master password, but really, it was bound to cause major embarrassment in the end - the only way it would work is if everyone who knew it (presumably Cisco employees) never ever divulged it. That's likely!
Simon
Physicists get Hadrons!
Another example of why the benefits of open source need to be pushed up the corporate ladder... this is nuts. Almost as nasty as the things they've done for China. Thanks, Cisco. Another one bites the credibility dust.
The Cisco advisory points out that there are no workarounds. This would suggest that the problem cannot be remedied.
However, the advisory also discusses how to obtain new software for their equipment. So it appears that there is a fix to the problem, via a software upgrade. In light of this, the 'no workarounds' stuff is rather misleading -- and when I first read it, it made my jaw drop.
Tubal-Cain smokes the white owl.
"Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
Yes. Lord, next you'll be asking about patents.
The ARTICLE that you DIDN'T read, clearly states how to get a service fix - see my first post about what I think about the completeness of said fix.
Kinetic stupidity has a new brand leader: Allen Zadr.
People read about these back doors, and they are appalled by the concept of it. I wish it was that easy. I design software for embedded devices and let me tell you, as soon as you add a password mechanism, then someone will lose the password within days. It's happened to me, and I finally had to put a global password in every machine. You hope that no one will ever find out, but once you tell a single customer, it could spread. I'm fortunate that my userbase is small and spread out, but for Cisco, this could be a disaster. If they made it so the master password could only be put in locally, that would be a big help, but may not be possible on these devices.
-Patrick
"They never stop thinking about new ways to harm our country and our people, and neither do we."
3COMengineers/Areweenies
I'm sure they do extensive checking against this sort of thing.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
How many other products have "hidden" surprises?
It seems that the customer who pays for the product is the last to know...
Sorry, posted too quickly and read 'software' as 'hardware'. Silly me.
Good question. Perhaps a better question might be, what are the people who purchased these going to do to CISCO?
Perhaps a legal action? Breach of contract anyone? Promissory fraud? Negligent representation?
Only Women Bleed (Sex, Sharia remix)
Uh.. no, I don't. That's why I use ACLs to prevent the access no matter what the login is. And if the device doesn't support ACLs, the next device on the network will.
Dump the IRS - http://www.fairtax.org
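The compensating control the post above relies on, as an added example that is not part of the original post and not Cisco's or any vendor's code: a first-match access list with an implicit deny, evaluated against management-plane connection records. The admin subnet, ports, usernames and the login records are all constructed for the example. It generalizes slightly beyond the post by also parsing log-style records so the same policy can be replayed against a history of logins.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str              # "permit" or "deny"
    src: str                 # source prefix in CIDR notation
    dst_port: Optional[int]  # None matches any destination port


# Hypothetical management-plane policy: only the admin subnet may reach
# SSH (22) and HTTPS (443). Anything not matched falls through to deny,
# which is how an ACL with no final catch-all behaves on most gear.
MGMT_ACL: List[AclEntry] = [
    AclEntry("permit", "10.0.100.0/24", 22),
    AclEntry("permit", "10.0.100.0/24", 443),
]


def evaluate(acl: List[AclEntry], src_ip: str, dst_port: int) -> str:
    """First matching entry wins; no match means the implicit deny applies."""
    src = ipaddress.ip_address(src_ip)
    for entry in acl:
        in_prefix = src in ipaddress.ip_network(entry.src, strict=False)
        port_ok = entry.dst_port is None or entry.dst_port == dst_port
        if in_prefix and port_ok:
            return entry.action
    return "deny"


# Constructed login records (not real device logs). Each one represents a
# login that the device itself would accept, which is exactly the situation
# when an account cannot be disabled: the network filter is the only gate.
LOGIN_RE = re.compile(r"src=(?P<src>[\d.]+) dport=(?P<port>\d+) user=(?P<user>\S+)")
SAMPLE_LOGINS = [
    "login src=10.0.100.7 dport=22 user=netops",
    "login src=10.0.100.7 dport=23 user=netops",        # telnet is not in the policy
    "login src=192.0.2.44 dport=22 user=vendor-svc",    # outside the admin subnet
    "login src=10.0.100.250 dport=443 user=vendor-svc", # inside it: the ACL cannot tell
]


def filter_logins(acl: List[AclEntry], records: List[str]) -> List[Tuple[str, int, str, str]]:
    """Return (src, port, user, decision) for every parseable record."""
    out = []
    for rec in records:
        m = LOGIN_RE.search(rec)
        if not m:
            continue
        port = int(m.group("port"))
        decision = evaluate(acl, m.group("src"), port)
        out.append((m.group("src"), port, m.group("user"), decision))
    return out


if __name__ == "__main__":
    for src, port, user, decision in filter_logins(MGMT_ACL, SAMPLE_LOGINS):
        print(f"{decision:6} {src}:{port} user={user}")
```

The last sample record is the caveat: a source address inside the permitted subnet gets through whatever username it presents, so an ACL narrows who can reach the undisableable account but does not remove it. The upgrade the advisory points to is still required.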
What do you bet the id set is joshua/pencil?
Kinetic stupidity has a new brand leader: Allen Zadr.
Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?
You can't trust open-source for this, either. Not unless you personally constructed every piece of the device, from the source code, to everything that interacts with the source code, including the compiler, the EEPROM burners, and the chipsets on the device itself.
How do you know that the open source you are looking at actually is the one running in your device? You don't.
How do you know that the code you are looking at, assuming that it is running in the device, wasn't modified by a malicious compiler? You don't.
How do you know that the compiled code, assuming it is compiled correctly, wasn't altered in the transfer to the device? You don't.
How do you know the other onboard chips aren't built with a backdoor, patching, hooking or circumventing whatever code is put in the device? You don't.
What it boils down to is that trust is a very difficult animal, and at some point, you need to draw the line. Looking at the source is a meager guarantee for the device behaving well, in the case of a malicious vendor.
The bottom line is that there are so many covert channels to insert code into your overall system today, as long as they are carried on the normal device acquisition channels, that you can't defend against an attack by a malicious vendor. What you can do is to count on their risk analysis, and expect them to want to stay in business just as much as you do. It's not much, but it's pretty much the best we got.
look for openbsd's corporate usage page.
You can't judge a book by the way it wears its hair.
Greetings, Professor Falken.
Shall we play a game?
You probably shouldn't click this.
Hmm yes, like when SGI shipped their machines with much the same problem. Has nearly a decade of fighting computer intrusion taught them nothing. Thats pretty shoddy Cisco.
I don't read your sig, why do you read mine?
The patch can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/1105-host-sol (registered customers only).
I love when companies release vital updates or other material, and then effectively force registration of all their clients. So either register with the mothership, or deal with a vulnerable program? Great.
For every karma whore there are four more people with mod points to kill.
Let's see..
"Although Cisco cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability."
This is probably a standard disclaimer in their security documents, but wouldn't you want them to be sure of the accuracy of their statements?
Why can software/hardware companies get way with "We tried our best, honest!" ?
admin/12345
FreeBSD for the impatient.
Cisco in no way represents the rest of us in the proprietary software industry. We in no way have or condone software backdoors.
Bill Gates, Microsoft
Rob Glaser, RealNetworks
This is mind-blowingly insane. It's bad enough when products come with a default name/password or open login like the old MS SQL 7.
However, this wasn't an uncommon practice once. We had this in a product from Data General, but that was mid 1980's and we changed it later when we woke up to how stupid it was.
Ok, almost as stupid, I know of hardware systems which have backdoors where if you know the key generating algorithm you can take the challenge string from the system's UI and generate the password from it. The math is simple and can be done in your head. The algorithm had to be changed once when it leaked out but it was still simple to do the new one in your head.
However, Cisco of all folks have seen security disasters in others' and their own products over the last few years. They should've fixed this and stopped doing it already.
**sigh**
this is not a sig
hm... does this affect Linksys wireless too?
Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?
Gimmie a break, they likely made a mistake, and you never have? They admitted it and have issued an advisory (mind you, it looks worse if found out by the public later on, which may be the case this time as I didn't RTFA). In a case like this I'd return the product if I couldn't remove the uid and pass. "Sorry, it's got a major problem with it, I don't want it". Simple as that.
E.
Never rub another man's rhubarb - The Joker
sounds like wku has cisco's internet software...
~*~ ~*~ ~*~
yes, girls read /. too...
still has access to all the systems everywhere. don't they?
Privacy is terrorism.
Any idea what prompted them to reveal this backdoor? Did somebody hack it?
It is simply, unFUCKING believable that companies and people are STILL doing this kind of shit. Have any of these morons ever heard of Cliff Stoll or read his book? Or know anything about how FUCKING STUPID backdoors are?
Truly amazing these people make things that are trusted to run the financial infrastructure of this country.
Simply add a 'reset' button. Or something like that handy little jumper you can switch on your motherboard in case someone forgets a bios password.
A backdoor as cisco has is unacceptable in every way.
// "Can't clowns and pirates just -try- to get along?"
A workaround is a configuration change a user makes with the existing software, a software upgrade is, well, a software upgrade. Some admins would rather use a quick workaround on a production system instead of taking the chance that a software upgrade will introduce a new bug.
The grass is only greener, if you don't take care of your own lawn.
You'll come back with something along the lines of "people can look at the code and find vulnerabilities".
But who is going to painstakingly inspect every line of code in every piece of open-source software he/she comes across? How can we trust that they will fix an exploit they find rather than use it themselves?
As embarrassing as this is for Cisco, they have people who do nothing but test code. The fact that they let this one pass doesn't take away from the fact that closed-source software by and large undergoes far more thorough testing than open-source, and that's where I'm putting my money until you can prove to me that I should trust the commune over the corporation.
"Ask not what your country can do for you." --John F. Kennedy
In case you didn't know. I tried to get the source from Cisco but ran into a lot of hassle.
"They're not tricks!"
Backdoors are Not secrets!
A workaround is a simple method of fixing the problem without patching the software. Usually it involves configuration changes, disabling parts of the software, or even firewalls. For this particular problem it's easy to see why there's no workaround.
The fix is a software patch. Many admins prefer a workaround as a short-term solution (can change simple config in a few minutes). A software patch is obviously more complicated, and often has higher impact on other services.
AccountKiller
dude... backdoors are cool; it's that cloak and dagger shit I am too young to have been able to participate in. Knowing your shit when it comes to computers was much cooler when there were no laws that said hacking was bad. HACK THE PLANET!!!
OK, back to reality now, yeah, that's pesky... back to using the old desktops as routers now. Oh well.
I haven't posted in so long, my sig is out of date.
fuck you sir, and have a little respect on the anniversary of the day the man's body was found.
the jury's still out, so you might be insulting a victim of murder...
Maybe they considered it an Easter Egg???
The / in
Now bow to me, your new overlord (at least until the next /. topic is posted!)
Mod +5 Drunk
I have worked for 6 or 7 different companies that build either comm boxes or control software, and each and every one has had built in backdoors.
It's not just Cisco, it's a common practice in the industry to give their field people a way to get into the box (or program) when the customer screws it up.
Backdoors that, often, have access to functions far beyond what the customer knows about, and in many cases, able to really mess up the device if used incorrectly by a tech who is not an expert.
On the flip side, I was working as a level 3 tech for one now out-of-business large computer company, and it was not uncommon to get a call from a customer asking if we could break into a box and reset passwords for them since they had "lost" the passwords. They need to get access without doing a full reset and losing the configuration information since the box is in a production environment.
So, they put a modem on the diagnostic port, I dial in, do the magic, and make the customer happy.
So, yes, it is a security hole, but it is also something that customers are happy about when they need it.
----- Lotus Super 7 - A real car.
Could be the case that this product was acquired by another company rather than developed by CSCO? It's my understanding that they buy lotsa startups, so there could be a backdoor in this line of products but not necessarily into everything that CSCO makes.
It could also be possible that the backdoor was inserted a long time ago (before the acquisition?) and then left there, till someone found out.
Ironclad Security only exists when you have Chuck Norris on the shift. Do we really have to discuss this? (Plutonite)
I'm a back door ma-an!
The consumers don't know, but the Cisco guys, they understand!
Sorry, I felt the need. Jim Morrison may be rolling in his grave, but that's only if you can hear me actually "singing".
-- I'm not a pessimist, I'm a realist. It's not my fault that life sucks so much. --
Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?
Yes. They have to keep an eye out for their customers. However, there are two ways of getting around this:
Password can only be entered while someone is physically present - so you have to press a button on the device, then login with back door in the next 30 seconds. This proves access, and any company that has poor physical security is not likely to care about network security.
Second, use challenge-response password mechanisms. This prevents a 'global' backdoor, while still giving the manufacturer the ability to gain access. The user enters a generic name/pass ("lost", "password"), the machine then responds with a 128 bit (hexadecimal) number (randomly generated) and the user provides both the serial number and this random number to the company. The company responds with a correct response (another 128 bit number, perhaps) and the device allows access.
Combine either or both of these two methods with a "reset configuration to factory defaults when back door is used" and the company can claim that they are as secure as can be, without preventing the occasional user complaint that the hardware is a doorstop because some subadmin made a mistake changing the password.
-Adam
The advisory (that link in the story) was pretty clear that there isn't a way to disable the use of this backdoor without a firmware upgrade.
Kinetic stupidity has a new brand leader: Allen Zadr.
I was called by an apartment complex that offered broadband to tenants. Apparently, one of the kids (mostly college students) had taken a networking class or something, and telnetted in to the switches, and screwed a bunch of stuff up.
Of course, he changed the password to who knows what, so we had to call Nortel up and read them the serial number from each switch, and they gave us a backdoor password. I believe it was generated by a program they had. We had to verify proof of purchase and everything with the company, but who couldn't forge an invoice from CDW or Insight?
But seriously, it only affects WLSE and HSE software, my brief investigation tells me this is not the software that the Linksys devices run. Someone correct me if you have contrary evidence.
my apartment has a front door and that doesn't surprise me, but seriously...
I can't say that I'm shocked by this. I'm sure they just wanted an easy way to help users with their hardware if they really screwed it up, but it looks like Cisco has screwed up.
We maintain a very substantial annual contract with Cisco. I can tell you that while our service has varied a bit in terms of engineering skill over the years, overall it has been outstanding. They maintain, by and large, the most thoroughly documented product base of any major hardware vendor.
Second of all, when you read those two bug toolkit ID's, you will notice that there are patches directly available to fix the problem. Oh no, not a patch. Pfffft.
>Just like we can't trust closed-source e-voting software [when] it comes to our republic (the U.S.:), we can't trust close-source vendors whose systems power our infrastructure...that, without, the world would cease to function as it does today.
Taliban leader speaking:
OK troops, here's what we'll do; we will sub-contract from the Pakistanis that are sub-contracting from the Indians that are sub-contracting from the Americans that are outsourcing their I.T. operations, and when WE are the ones coding everything for the Americans, we slip in trojans, viruses and everything else we can think of to screw with their heads!
Once they are all helpless because they've outsourced all the jobs that require an education, we show up and sell them all Edsel automobiles and when they've all killed themselves on the road, we simply take over the country.
Simple.
I don't know the meaning of the word 'don't' - J
The interbase backdoor wasn't found for quite a few years, and only then because the thing went open-source. Could it be that companies are stopping themselves from going open because it would reveal their backdoors?
that other vendors don't also. The two aren't mutually exclusive, and this event does absolutely nothing to prove that other vendors are any more trustworthy than they are. Possibly the other vendors are just quieter about the issue.
Indeed, it's a common way of letting support staffs fix products. But I'm a little surprised it is still going on.
Ever occurred to you that the reason it gets lost is that the perception is it has no value?
How many people lose their new Rolex within a few days? Let them pay for the cost of a re-setup.
The argument that this will lead to shoddy safety internally as the password will be written on a Stick-it note on the box, is not valid. They have themselves to blame and the risk does not get foisted onto someone else.
Help fight continental drift.
Cisco IOS routers don't have to have a "master password" backdoor; they have a well-defined process for password recovery (typically you connect to the console port, interrupt the boot at the firmware level, and change a register - then you are in with no password and can reset it).
Another example: Livingston PortMasters also don't have a "master password" backdoor. You hook up to the console port, flip a dip switch and use a special login. That issues a challenge string, which you then send to Livingston (or now portmasters.com). You get a response string and use it to log in, and then you change the password.
The common assumption is that full physical access implies ownership; that is a reasonable assumption (since if someone can get at it, they can take it).
But that wouldn't be trusting the vendor. That would be knowing there are no back doors. Trusting would be exactly that: being able to place your trust in the vendor without using the back doors.
RMS may be right that closed-source products may have security holes. But if, say, one of my friends wrote a closed-source product that handles security, and I were confident of his/her programming skills, I would be able to trust there are no intentional security holes.
Very few people actually inspect each line of open-source software, so we are still trusting them. Logically, it makes less sense to trust open-source vendors, since they place their code in the open knowing that statistically not many will inspect/suspect it for security holes.
Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?
Simple question, with an even simpler answer: No.
If you want to be wordier, you can make the general statement that the reason for closed source is that there are things in the source that the vendor doesn't want you to know about.
Those things may be innocent, such as debugging hooks, that you'd probably approve of if you knew, but which they don't want made public because then competitors' support people could sabotage the equipment during a support call. Or they could be not so innocent, such as collecting data from your network for commercial use (i.e., selling it to your competitors). Or maybe they don't want you to see the low quality of the code.
But if the source is hidden, there's a reason, and the reason can be summarized as "They don't want you to know about something in there."
If you have any security concerns at all, you should follow the advice that the security folks have been giving for years: Don't run software unless you've compiled it yourself (preferably using a compiler from a different vendor). Otherwise, you have no way of knowing what's hidden inside the binaries.
Of course, in whatever passes for the Real World around here, some vendors are more trustworthy than others. We've had few actual problems like this with open-source vendors, though there have been a few incidents. It's a lot harder for an open-source vendor to get away with such tricks for very long.
But in general, you should be aware that if they don't want you to see the source, there is probably a good reason.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
No
If someone says he and his monkey have nothing to hide, they almost certainly do.
I can tell from your post that you're not a thinking man, so I'm really posting this for anyone who may read and believe your non-argument.
Yes, OSS gets scrutinized - often every line. Because every person out there who for whatever reason is *interested* in how a printer driver or IO toolkit works can pull it apart and learn to understand it. And while they're in there, they add to the percentage chance that a bug will be found and an exploit patched. Keep adding those little percentages together, and you approach 100% - "given enough eyes, all bugs are shallow."
In addition, OSS software undergoes immense testing. It undergoes testing by the user/developers who can see the source, which helps them figure out where to push and how to break it, and by the end users, who enjoy long public beta cycles with open defect tracking logs, so they can see, report and vote for bugs - and understand what milestone or version they will be fixed in.
And finally, if commercial companies presented the source to their software, how would that affect how much testing they would do on it? Logic would indicate that the two would have no bearing on each other - because the source is open, they would stop testing it?
admin/nopassword ... ??? (just kidding!) Perhaps it's unkind to Cisco to think that if they were so stupid as to do it once, they're stupid enough to do it twice, but one never knows.
"My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
...of the phrase that President Reagan used to tell Gorbie all the time: "Trust, but verify."
Cisco has been a major player for a long time, so we have a de-facto trust relationship with them, but we need to be able to verify their account guarding. All they need to do is open the firmware up and let the million eyes peer through it. Any vulnerability detected and not reported by one will surely be caught by another, and assuming he's not trustworthy either there are still more eyes. Quis custodiet ipsos custodes. The only problem is if the flaw doesn't exist in only flashable firmware (i.e.: in hardware someplace that can't be modified at all)--then that would be an issue. I think we can trust the Cisco hardware, it's the flashed system that needs to be checked.
So, Cisco, how about opening that up? Come on, be a pal....
This is the most fundamental problem with closed source: even if the underlying code is 100% perfect, bug-free, and wonderfully coded, there is no mechanism to prevent the last developer with sign-off on a project from slipping something nefarious in as code goes into "release" status.
I say this because, IMHO, Cisco's customers generally trust both them as a company and their products. In short, they've done a good job, for a closed source firm, of keeping the perception that they run a tight ship and keep their corporate nose clean.
That said, this is a ding, no doubt, but the bigger question here is while this backdoor was arguably somewhat obscure, it still existed. Even if no one "on the outside" ever learned of its existence, its very existence is troubling.
This is the type of thing that typically would have been caught in no time by the average open-source code-troller (much less a developer) quite quickly.
Sure, Cisco has a decent name, but what about companies that don't have the positive overall goodwill/reputation that Cisco does?
The notion that closed source software is "just as good" or even "more secure" is just plain wack-a-loo. (You can quote me on that.)
----------
Nope. Not gonna do it. Wouldn't be prudent. Not at this juncture.
I only made it to (Score:3, Funny) before I decided it was likely bogus...
One more reason to hate Cisco equipment. They may have made a name for themselves in the router business, but they need some help in the ethernet and wireless business. Their switches are garbage for the high price that you pay. You would think that you are getting a lot for the money you pay, but what you'll find is that you have to buy more just to get the same features that are in the 3Com and Netgear switches at much lower prices. They act like they can write their own standards and not conform to others. They are the M$ of networking, and this just proves it. I'm sure the same can be said about Windows *
I doubt a newfound sense of benevolence initiated this admission.
Something they couldn't buy off or threaten into silence most likely.
Backdoors are very common in embedded devices so you can bootstrap the system. They should have covered this better, but it is probably not an evil conspiracy. It's probably just developers and testers trying to do their job without a lot of security shit that makes everything take longer and be more difficult.
There will be no wholesale move off of Cisco products. Why?
Let's roleplay the conversation between the CIO and CEO/COO:
The bottom line is, most CIO/CTO's of non-IT companies could give a flying f**k what runs their networks as long as it works, stays up most of the time, is not too expensive, and is recommended.
ACHTUNG! Das computermachine ist nicht fuer gefingerpoken und mittengrabben. Ist nicht fuer gewerken bei das dumpkopfen.
No no, they put a modem on the RS232 analyzer that's in their modem port. You "do the magic", they send the recorded bits off to alt.hack.yerEmployersAboutToDie and voilà. In a few months you're lining up with all your former coworkers at the local unemployment shop while management sorts out the cords on their golden parachutes. bk425
They must have known that if the username/password would leak, the impact would be huge.
One would think. I figured Cisco stock would be in for a hit today, but at the close, it's only down 0.37%.
That's why I've stopped playing the market. What makes sense to me does not make sense to the market, and vice versa.
Mod down people who tell people how to mod in their sigs
hell, be glad at least that cisco even mentioned it.
Alcohol & calculus don't mix. Never drink & derive.
BSD licensing lets vendors modify it without releasing the source of their version. So what's to stop FooNetCo. adding a backdoor to their version of OpenBSD and shipping that?
We let our users password-protect their databases. So of course they lose the passwords and we have to have a mechanism (challenge-response) to let them break in and reset the master password.
The problem is, how do we know the person asking for this service is the owner of the data? There's no way (that I can see) of both guaranteeing that a thief won't ask to have his password broken into and that a legitimate owner won't be prevented from rescuing his own data.
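The recovery design sketched in the thread (the physical-presence button and challenge-response proposal, the PortMaster-style dip switch plus challenge string, and the database password-reset service just above) carried through as one added example. This is not Cisco's, Livingston's or any poster's code, and none of it is from the advisory. The serial numbers, the HMAC-SHA256 construction, the 16-byte nonce, the ten-minute validity window, the factory-reset-on-use rule and the per-device key derivation are all assumptions of the example; the proof-of-ownership step that the last post worries about is represented only as a boolean the vendor operator sets after doing it out of band.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

RECOVERY_TTL = 600  # seconds a challenge stays answerable (assumption)


class Vendor:
    """Vendor side. The master key never leaves the vendor (ideally an HSM)."""

    def __init__(self, master_key: bytes):
        self._master = master_key

    def device_key(self, serial: str) -> bytes:
        # Per-device key derived at manufacture, so a leaked device key or a
        # captured response is useful against one unit only, not the fleet.
        return hmac.new(self._master, b"recovery-key|" + serial.encode(), hashlib.sha256).digest()

    def answer(self, serial: str, challenge_hex: str, ownership_verified: bool) -> Optional[str]:
        if not ownership_verified:  # the human step (invoice, account check) happens first
            return None
        mac = hmac.new(self.device_key(serial), bytes.fromhex(challenge_hex), hashlib.sha256).digest()
        return mac[:16].hex()


class Device:
    """Device side. No global password exists; only a per-device key."""

    def __init__(self, serial: str, device_key: bytes, now: Callable[[], float] = time.time):
        self.serial = serial
        self._key = device_key           # provisioned at manufacture
        self._now = now
        self._pending: Optional[Tuple[bytes, float]] = None
        self.config = {"admin_password": "forgotten"}  # stands in for the running config
        self.unlocked = False

    def start_recovery(self, button_pressed: bool) -> Optional[str]:
        if not button_pressed:           # physical presence required, nothing over the network
            return None
        nonce = os.urandom(16)           # the 128-bit random challenge from the post
        self._pending = (nonce, self._now() + RECOVERY_TTL)
        return nonce.hex()

    def finish_recovery(self, response_hex: str) -> bool:
        if self._pending is None:
            return False
        nonce, expiry = self._pending
        self._pending = None             # single use, whatever the outcome
        if self._now() > expiry:
            return False
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()[:16].hex()
        if not hmac.compare_digest(expected, response_hex):
            return False
        self.config = {"admin_password": None}  # factory defaults: recovery is never silent
        self.unlocked = True
        return True


def run_scenarios() -> Dict[str, bool]:
    """Exercise the legitimate path and the failure modes; every value should be True."""
    clock = [1_000_000.0]
    now = lambda: clock[0]
    vendor = Vendor(os.urandom(32))
    dev_a = Device("WLSE-0001", vendor.device_key("WLSE-0001"), now)
    dev_b = Device("WLSE-0002", vendor.device_key("WLSE-0002"), now)
    r: Dict[str, bool] = {}

    r["needs_button"] = dev_a.start_recovery(button_pressed=False) is None

    chal = dev_a.start_recovery(button_pressed=True)
    resp = vendor.answer("WLSE-0001", chal, ownership_verified=True)
    r["legit"] = dev_a.finish_recovery(resp) and dev_a.config["admin_password"] is None

    r["replay_rejected"] = not dev_a.finish_recovery(resp)

    chal_b = dev_b.start_recovery(True)
    r["cross_device_rejected"] = not dev_b.finish_recovery(vendor.answer("WLSE-0001", chal_b, True))

    chal_b = dev_b.start_recovery(True)
    resp_b = vendor.answer("WLSE-0002", chal_b, True)
    clock[0] += RECOVERY_TTL + 1
    r["expired_rejected"] = not dev_b.finish_recovery(resp_b)

    r["no_ownership_no_answer"] = vendor.answer("WLSE-0002", chal_b, False) is None
    return r


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:24} {'ok' if ok else 'FAIL'}")
```

Two caveats the code makes visible. The vendor master key is still one secret, and losing it is the global backdoor everyone in this thread is objecting to, which is why it stays off the device and the device only ever holds its own derived key. And nothing here solves the ownership problem raised above: the scheme guarantees that a response unlocks one unit once and only after a human said yes, not that the human said yes to the right person.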
Yeah, they're really happy until the backdoor username and password leaks and their network is hacked.
There is no justification for this. If I bought ANY program with a backdoor that I could not disable, I would be outraged. What's the point of any security if an immoral employee can break right through it? Or more importantly, if my competitors/hackers/the government can break right through it after bribing said immoral employee.
Ridiculous.
Apparently his company was approached by Cisco, on the feasibility of using their GPS chips in "all of our [Cisco's] upcoming products." From the discussions, it appeared that Cisco wanted to put GPS capabilities in their routers and such, but they were being hush-hush about it, implying that this wasn't to be a publicly known feature.
And before you say "You can't use GPS in a data center", I should note that at least one company in that field has a chipset which is known to work well inside of buildings. And ethernet cables make huge antennas.
On the other hand, Cisco's backdoor can be accessed remotely and wirelessly. So physical security will not help.
Kinetic stupidity has a new brand leader: Allen Zadr.
Routers and switches can simply be switched off and then hacked as they boot up. This has been around for a long time.
However I am surprised to see it like this for a WLAN product because now someone can sit in the parking lot and hack themselves into your company's bandwidth.
The Cisco Kid was a friend of mine / The Cisco Kid was a friend of mine / He drink whiskey, Poncho drink the wine...
A quick twelve-step program and Cisco should be all set to take Microsoft's lead and usher us into the age of Trusted Computing.
This is my post. There are many others like it. If you don't like what you read here, go try one of the others.
It's much more likely that this was installed by an employee who thought it was a good idea (for any one of a thousand reasons), or by a product manager who similarly thought it a good idea.
Whatever the reason, I suspect that whoever did this will have poor career prospects with Cisco.
"What makes sense to me does not make sense to the market, and vice versa."
Your problem is you assume that everyone who participates in the market is as intelligent as you are and values the same things in the same ways.
Sometimes the market makes little sense, but sometimes if you think like a drooling idiot who cares only about the big number at the bottom of the financial report you can make some accurate predictions.
Be happy. Nothing else matters.
A Cisco exec should do hard time for this.
DAMN! I just gave away my password.
The Raven
We do have a PCMCIA system setup, but we found out early on that when users opened the machine in an industrial environment, it was exposed to debris, mess and electrical noise that caused extreme problems. For most customers, we do recommend this method when the opportunity arises.
Want a job?
-Patrick
"They never stop thinking about new ways to harm our country and our people, and neither do we."
Snapgear!
Open-source, uClinux based routers, VPN solutions and OEM products!
We use a two key system for our backdoors. If the user needs a support engineer to log in and undo the damage, they have to create the account themselves. Only then do we have access to the backdoor. Once we're done, the user can delete the account.
Seriously, why should only the criminals know this stuff? Why can't the rest of us know it, too?
If all this should have a reason, we would be the last to know.
From the Slashdot story: "Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"
This should be shortened to: "Can we trust closed-source vendors?"
History has shown that we cannot.
Take Microsoft for example. LUGOD maintains a list of stories about Microsoft abusiveness: Reasons to Avoid Microsoft. I counted more than 200 in 2002, and things have gotten worse since then.
(This seems to be one of the few times that Open Source advocates have invented an interesting name: Linux User GOD. Sounds like a new religion.)
Part of the problem seems to be that, eventually, closed-source vendors begin to be controlled by managers who have no technical experience. Such managers can help the company make more money only by abusing the customer, because they don't know enough to contribute to technical improvements.
Why has Google risen to prominence so quickly? Partly because they know what they are doing technically. But largely because they have a policy of "do no harm". It's a simple policy, but most managers are not able to come to the conclusion they should follow it.
Most managers seem to have received their training by mimicking the abusive, ignorant PHB in Dilbert cartoons. Think what a terrible world we live in that Dilbert is considered funny!
I know most Open Source developers are uncomfortable with this description, but they approach their work as an act of love. Whatever the reason, history has shown that they are far more trustworthy.
You mean that Cisco is so retarded that they put in a default superuser that can't be changed or disabled? I hope it's a different password for each box, else I'm never touching anything made by Cisco again.
Any company stupid enough (and I don't use the term stupid lightly) to think that 1) a backdoor is not simply a good idea, but so necessary that it should never be disabled and 2) that information like the username and password wouldn't get out, doesn't deserve to manufacture products that other people buy.
Next time I'm asked for my recommendations on routers for corporate sites, I'll bring in an old PC with a couple of NICs and Linux, and show them how a /truly/ secure system works.
*****
Dear Mary,
I yearn for you tragically,
A.T. Tappman, Chaplain, U.S. Army.
Yes, OSS gets scrutinized - often every line. Because every person out there who for whatever reason is *interested* in how a printer driver or IO toolkit works can pull it apart and learn to understand it. And while they're in there, they add to the percentage chance that a bug will be found and an exploit patched. Keep adding those little percentages together, and you approach 100% - "given enough eyes, all bugs are shallow."
Which does *NOT* necessarily mean a short time period.
How long was the admin username/password in Interbase after it went OSS? Year and a half or so? Doesn't get much more blatant than that.
How long was that double free in zlib?
Hmm... Should I blow the whistle. Let's look at Cisco's 15454 gear, arguably some of the most widely deployed gear for SONET communications. Yes, 30+ Thousand boxes flittered all around the globe. Want to know a read/write user/password that is also hardcoded? I'll take donations... Do I have takers?
Why? Do you think people should have to throw away multi-thousand dollar boxes because someone lost the password?
Physical security goes hand-in-hand with infosec. There's a reason that physical security is part of the CISSP. If you can get physical access to any system you can get in . Having a "back door" that's only accessible when physically connected to the system is a common mechanism (now and for the foreseeable future) of performing password recovery.
Chris - CISSP, CCNP, RCIE/RCSI, MCSE, CNE
This isn't a letdown for Cisco or a boost for open source. It's a common thing for any system to have a default account: root (Linux), Administrator (Windows), admin (routers/switches/etc.). Just change the password!
Anyone who operates any multiuser device and doesn't read the manual, and that first page that tells you to change the default password, deserves to be hacked, prodded and slapped around the face, neck and buttocks.
Find out here. It's not the router. It's not the radio. It's not the switch. It's the management platform that you can use to monitor your wireless connections. Why any company would allow network access to this device from an unsecured network is beyond me. Still don't know why it's front-page news, besides the fact it gives us a chance to bash closed source systems.
Cisco is bad because it doesn't sell open source solutions?
No, Cisco is bad because they stuck a backdoor into their product that potentially fucked over a bunch of their customers.
I bet half your jobs depend on cisco.
And what kind of half-assed argument is that? Just because people use their products doesn't mean that their jobs depend on Cisco. Cisco can be ripped out and replaced just like most vendors. Get some Foundry or Nortel equipment.
Oh yeah, and fuck you too.
Where's my lobbyist? Right here.
Zlib? from 1.0.8 to 1.1.3, so around 2 years.
Interbase, no idea - a default password isn't really a source defect, though, and it was both known and intentional, so I guess it was found instantly.
WLSE 2.0 appears to have come out in '02, so it looks like the defect longevity is running neck-and-neck with zlib - a project that the grandparent referred to as 'commune' software.
And then there's the other issues - namely, Cisco did this one intentionally (a backdoor isn't a bug - and it isn't public like a default password.) and they charge between 5 and 9 thousand dollars a pop for it, and they require you to register for the fix.
I'm not knocking cisco - they make a reasonably good product, but arguing against transparency in the code of such a mission-critical product doesn't make any sense. If there were even just a handful of eyes on this product, this problem would have been found.
This isn't an open / closed source issue. This is simply sheer negligence and stupidity on Cisco's part. It is hard to believe that ANYONE in this day and age would leave back doors in shipping code. What is worse is the statement that the back door cannot be disabled. This borders on criminal stupidity. This is a complete lapse in management and development oversight.
Most F500 companies have language in all agreements that make the vendor attest that there are no back doors in any product. Cisco is going to have to fix this, and likely bear whatever cost is related, including replacing units. And their liability for any security breaches and losses that are a result will be large. Since someone has already posted a "how to" to exploit this, we can expect that people will.
Just amazing. My faith in Cisco is greatly reduced. They need to explain to the community how this happened, whether or not there are other products that have this issue and what they are doing to make sure it doesn't happen again.
The obligatory reference to:
Reflections on Trusting Trust
by Ken Thompson
http://www.acm.org/classics/sep95/
:level 3 tech casts silver modem at level 2 bug.
:level 2 bug takes damage.
I had stupid fast typing, so the correction is important.
Don't sweat it - I don't even use the 'enemy' setting.
You can't trust open source either.
No electrons were harmed creating this post, though some may have been subjected to electrical and/or magnetic fields.
But who is going to painstakingly inspect every line of code in every piece of open-source software he/she comes across? How can we trust that they will fix an exploit they find rather than use it themselves?
It's just a matter of odds. Nobody is likely to examine every line of all source they use. However, if the source is out there, there are decent odds that someone will spot the problem.
We can argue all day over what those odds are, but it's fairly clear that with Open Source (or better, Free Software), there's a much better chance that somebody who has no vested interest in keeping quiet will spot the problem and report it than with proprietary software.
After all, Cisco products aren't exactly obscure.
Interbase, no idea - a default password isn't really a source defect, though, and it was both known and intentional, so I guess it was found instantly.
It wasn't a default password, it was a hidden account with a hardcoded password. And it was 1 1/2-2 years (after opening. Don't know how long before), *NOT* instantly. "Many eyes" only work if there are many eyes, not could be many eyes.
>I highly doubt that they will be embarrassed enough to have learned a powerful life-lesson.
I admit this is anecdotal.
A penetration tester at a local consultancy spotted a Cisco vulnerability and reported it.
He got an acknowledgement from a human and a thank-you when the fix shipped a little while later.
Cisco's a big enough company to act inconsistently, but they've certainly been known to do the right thing.
So, yes, it is a security hole, but it is also something that customers are happy about when they need it.
That's great, and I'm sure your customers appreciate it. But does it have to be 1) undocumented, and 2) on all the time without the option to be disabled? No, it doesn't. The customer should at least have to flip a switch to activate it. But because it doesn't work that way, ol' Fred has to always be looking over his shoulder and running his packet sniffers 24x7 because some manufacturer may have decided to include a major, trivially exploitable security hole on his hardware.
I don't buy the "that's the way the industry does it excuse." Obviously (judging from some of the other posters here) there is a better way to do it. There will always be a better way to do it.
Fred
"A fool and his freedom are soon parted"
-RMS
I'm assuming you're talking about PLCs and SCADA systems - which are typically custom designed for the job/client. There's a big difference between that and the backdoors in those kinds of systems that apparently your customer knew about, and this Cisco bulletin. This is much larger in scale with a large well-known company and a large staff (potential spilly-talkers) and affects perhaps thousands of customers who did not know they had backdoors. Consequently the security implications are much more severe. If I have access to the custom built PLC in, say, a sewer pumping station - whoopdeedoo.. sure I can cause damage but my ability to cause damage is likely limited to that particular system and the information is probably damned hard to come by (I would hope). Plus I think it's safe to say I'd be a lot easier to catch since there's probably only a very limited handful of people who ever had access to it in the first place.
Oops - you're right on that one, and I'm wrong. I didn't (and still don't) know anything about Interbase, except that they managed to whine enough to get mozilla to change their browser's development name. I'm not even sure why I assumed it was a default password problem, except that it helped make my point :)
1 1/2 is still less than my projected 2, though, so OSS is still neck-and-neck (and better on average in this tiny and meaningless sample) with proprietary software.
They've had previous instances of this, in both the Cisco designed products and in stuff from vendors they bought. I was rather horrified to find out that there was a backdoor password into one of my customer's ATM switches (a large bank), and I wouldn't have discovered the fact except the support technician at Cisco was in a hurry to close the ticket I had open. (The customer had rightly changed the enable password, and I couldn't track down the guy who had the new pw).
Erm, reset button? that requires physical access to the hardware. Having highly important network hardware with a backdoor is risky these days. You'd be better supplying password recovery software which operates on the console port.
The logic was that having no wireless network at all is less secure than deploying a Cisco wireless network with the Wireless LAN Solution Engine, with the enhanced logging features and ability to monitor RF and detect rogue APs and the like.
Now that "Capital Requisition" (WLSE, APs, antennas) is headed for the circular file...
I do not deploy Linux. Ever.
... microsoft and that joke fine they got, where they could print their own money-vouchers.
Uh huh, they were "punished"
I got me a WHOLE ROLL that says reynolds on it, and I tell ya, MS cut a deal with the feds/spooks, there's back doors to the back doors in their stuff, and will be, for many moons...
bet a voucher on it...
After so many firmware upgrades and security holes, I decided to rid our company of cisco routers altogether and replaced them with linux boxes. So far it's handling our 100 Megabyte pipe with no problems. Our company peaks at 40 Megs per second every day. I've been really impressed with my linux box.
Is there anyone else who has done the same?
"If a show of teeth is not enough, bite
Disclaimer 2: Any opinions expressed here are mine. I don't speak for Cisco. You knew that already, right?
I find the thesis of the original article somewhat dubious. We jump from "here's a security advisory" to "Can we really trust closed-source vendors?". Yes, with open source you have the ability to scrutinize the code to search for security holes and other problems. However, do you actually scrutinize every piece of code you download? Do you never download any prebuilt binaries from anywhere -- images that could easily contain suspect modifications that you might not know about, even if you did scrutinize the source you think those binaries are built from? In short, I find the presumption of safety when dealing with open source somewhat unwarranted. Don't get me wrong; I like open source. My own computers are all Linux-driven boxes. But I didn't examine all the sources, nor compile the entire system and every application set from scratch. I doubt most of us have.
Reading some of the replies already made on this thread, I notice that many seem to assume intent, even malice, on Cisco's part. I seriously doubt either is the case. Some other possibilities:
- Some early testing code which someone forgot to remove.
- Something we inherited from an outside party, and failed to catch.
and of course, the obvious possibility of simple stupidity (some would probably argue that the above two points fall into the 'stupidity' category too). Regardless of the cause, I think it is probably more likely an error on some individual's part rather than an intentional action of any group, much less the company as a whole. I have no more knowledge about the real source of this particular gaffe than any of the other readers here. Still, I know the products I work on, and that none of the developers I know of would ever try slipping a back-door into code, or even intentionally let any security hole into the code. Indeed, we take security issues seriously and try to fix any problems we know of as fast as possible. Consider that we have stock and stock options. We want our company to do really well, and make us all fat happy campers. Gaffes like this are just plain bad business. ;-)
<subliminal>Buy Cisco! </subliminal> (sorry, couldn't resist)
Idiotic and wholly unintentional double negative in the first sentence giving the whole thing the reverse of its intended meaning. That's what happens when I post out of the corner of one eye when my attention is really on the book I'm reading.
"Four Wings and A Prayer." Nice little popular work on Monarch butterfly migration. Written by a woman who lives just up the road from me apiece. I give it a hearty recommendation for anyone who might be vaguely interested in such things.
KFG
This is so terribly bad.
I've read some comments on the issues, some try to make a lame excuse to make this acceptable but this one is really terrible:
can be used for customer support
-> Bull, there are more secure ways to do that, and if so why don't we know about it and can't enable/disable this?
There is absolutely no excuse for this type of thing. Now there has been a discussion whether vendors should be fined for their bugs.. well in this case they should! This is equal to acts of computercrime!
Now.. it wouldn't be fair to fine companies for an undeliberate bug, but this case is so obvious that it's a crime.
Even if this was some act of a malicious programmer, then I think Cisco is responsible for finding out who did it and bring him to trial!
The Pope is Polish and bears crap in the woods.
The following belief enables me to sleep at night:
There are many eyeballs at work at each level of hardware and software because large hardware/software projects are necessarily collaborative efforts.
Keeping malicious secrets in projects involving lots of people would require serious coercive control that most people naturally find repugnant.
It only takes one super-paranoid out of a million end-users to uncover a strange login attempt via some unconventional means. Then it becomes known to everyone. The risk for getting caught is very high, IMHO.
I can't believe that ALL router vendors ALL AROUND THE WORLD, for example, would conspire to hack their hardware in exactly the same way. So if someone wanted to be super-paranoid, they would buy some random kind of external packet auditing system and apply it to an arbitrarily chosen hardware/software configuration.
Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?
Well, we certainly can't trust Cisco anymore. The reason is because trust is built up by having the ability to screw up and then not doing so. Cisco has clearly violated the trust of anybody who wanted a zero-backdoor product, and I submit that this breach is one that cannot be recovered from.
However, I certainly understand why Cisco insists on there being such a hard-coded full-control backdoor. If you ever lose possession of the root password, you are screwed and you can turn a big-dollarsign router into a paperweight. It makes sense that Cisco should be able to swap your locked-up router for a like part in its default settings, and then be able to recover most of its value as an "open box" "remanufactured" item since there was nothing wrong with it other than an unknown password that since has been reset.
Really, I'm not mad at Cisco for having backdoors as much as the fact that they refused to admit that there were secret backdoors.
"Trusting every aspect of our lives to a giant computer was the smartest thing we ever did.." Homer Simpson
If you read further, you would note that Cisco has already released patches for the problem.
If you had ANY experience with cisco security vulnerability disclosures, you would realise that cisco's definition of "workaround" means "a way to avoid the problem without applying patches or updates", because many cisco customers aren't able to apply patches the second an exploit is announced due to down time / planning / change control measures.
Just because it says there is no workaround, it doesn't mean there isn't a fix. And there is, in this case, which is clearly linked to in the article.
And before someone replies with "you're new to slashdot aren't you", no, I'm not. I'm used to this sort of reaction from the slash community. Normally there are a few sane people that get modded up by correcting the knee jerkers, but this time it looks like everyone is preaching "every cisco switch and router has a built in username and password that can't be disabled"
I was thinking
userid "ganes" and
"Joshua" for pass
every day http://en.wikipedia.org/wiki/Special:Random
Back in the early Unix days CC when it compiled login.c would insert a back door for the developers.
Enterasys/Cabletron devices all have back door passwords for when the user loses their passwords and these are burned into ROM and not changeable or fixable.
Do not attribute to malice what stupidity will adequately explain. In this case I think the backdoor was stupidity inserted by a developer as I recall an experience where a Cisco SE was locked out of one of these boxes and needed to use the password recovery mechanism to get in (yes the HSE and WLSE both have a power it on and apply secret handshake mode) to recover lost passwords.
A developer probably inserted this while testing the login modules (there are 5 authenticators only one of which is active at any given time) for these boxes so if they failed they could still get in and subsequently forgot to remove the backdoor.
Yes I have given up too much of my life configuring these boxes! and I am having a bad month when I do not get at least 1 bug per week listed on CCO.
The standard solution to this problem is to have the password be the serial number for the box, which you can read off the tag on the back. That way, somebody who has physical access to the box can still crack it, but you can't just attack an arbitrary box from across the Internet, because the formula depends on something that a random cracker won't know. Another variation is to use the MAC address for the box, which can be gotten by other boxes on the LAN, but is still mostly safe. And many types of hardware only let you use the administrative login from a specific port, typically a serial console port or the LAN side of a firewall or something, or only let you use the administrative login within N minutes of rebooting the box.
Somebody else mentioned the option of having a unique password that's based on the serial number of the box, which you can only get by calling the manufacturer. That's useful for your paid-option problem as well, and you can either keep a database or have the formula be "hash the serial number with a password that only the manufacturer knows", implemented in some cryptographically strong fashion. The customer will normally do the administratively correct thing, which is to write the password on a yellow sticky note and tape it to the top of the box.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
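The serial-number-keyed recovery scheme the two posts above describe, written out as an added example (not Cisco's, nor the poster's, code): the manufacturer derives a per-device password as HMAC-SHA256 over the serial under a key only the vendor holds, the device stores just a hash of its own password, and it honours that password only on the console port within a window after boot. The vendor key, serials, port name and window length are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values for this example. A real vendor key would live
# offline at the manufacturer (e.g. in an HSM at the support desk) and would
# never be compiled into firmware or shipped with the device.
MANUFACTURER_KEY = b"example-vendor-master-key-not-a-real-secret"
RECOVERY_WINDOW_SECONDS = 300        # recovery login honoured only this long after boot
RECOVERY_PORT = "console"            # and only on the physically attached console port
READABLE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # 32 symbols, no 0/O or 1/I


def recovery_password(serial: str, vendor_key: bytes = MANUFACTURER_KEY,
                      length: int = 16) -> str:
    """Manufacturer side: derive a per-device recovery password.

    HMAC-SHA256(vendor_key, serial). The serial is printed on the box, so it
    is public to anyone at the rack; the secret is the vendor key. Each box
    gets a different password, so a leaked one opens only that box, unlike a
    single hard-coded credential that opens every unit ever shipped.
    """
    normalized = serial.strip().upper()
    if not normalized:
        raise ValueError("serial number required")
    digest = hmac.new(vendor_key, normalized.encode("ascii"), hashlib.sha256).digest()
    # 256 / 32 divides evenly, so indexing by byte % 32 introduces no bias.
    return "".join(READABLE_ALPHABET[b % len(READABLE_ALPHABET)]
                   for b in digest[:length])


def provision_verifier(serial: str) -> bytes:
    """Factory step: compute what the device stores, a hash of its own
    recovery password. The device never holds the vendor key, so dumping
    its firmware does not reveal the passwords of other units."""
    return hashlib.sha256(recovery_password(serial).encode("ascii")).digest()


class Device:
    """Firmware-side model of the recovery login."""

    def __init__(self, serial: str, verifier: bytes, boot_time: float):
        self.serial = serial
        self.verifier = verifier
        self.boot_time = boot_time

    def try_recovery_login(self, candidate: str, port: str, now: float) -> bool:
        """Accept the recovery password only from the console port, only
        within the boot window, and compare in constant time."""
        if port != RECOVERY_PORT:
            return False
        if not (0 <= now - self.boot_time <= RECOVERY_WINDOW_SECONDS):
            return False
        candidate_hash = hashlib.sha256(candidate.encode("ascii", "ignore")).digest()
        return hmac.compare_digest(candidate_hash, self.verifier)


def leaked_password_blast_radius(serials, leaked_serial: str) -> int:
    """How many boxes a single leaked recovery password opens under the
    derived scheme. Under one shared hard-coded password it would be
    len(serials); here it is the one box the password was derived for."""
    leaked = recovery_password(leaked_serial)
    return sum(1 for s in serials if recovery_password(s) == leaked)


if __name__ == "__main__":
    serials = ["SN-0001", "SN-0002", "SN-0003"]          # constructed sample serials
    dev = Device("SN-0002", provision_verifier("SN-0002"), boot_time=1000.0)
    pw = recovery_password("SN-0002")                    # read out by vendor support
    print("console, in window:", dev.try_recovery_login(pw, "console", 1010.0))
    print("wireless interface:", dev.try_recovery_login(pw, "wlan0", 1010.0))
    print("console, too late: ", dev.try_recovery_login(pw, "console", 2000.0))
    print("boxes opened by one leaked password:",
          leaked_password_blast_radius(serials, "SN-0002"))
```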
No, but then again, you should not fully trust Open Source either. Think about all the openings that we have had lately and attempts at back doors. Do you really think that all of them have been caught?
I prefer the "u" in honour as it seems to be missing these days.
Sun have a backdoor too.
Just ask Microsoft's cock.
Intellectual Property
Intellectual: of the mind
Property: that over which one has control
People who want to exploit it, of course.
How can we trust that they will fix an exploit they find rather than use it themselves?
We can't. But we can trust that when you put software into the wild, people will try to exploit it. So why can open source be more secure? Because it's easy to find exploits if you have the source, and it's hard to find them if you have only the binary.
Imagine two identical programs, one open and one closed, each with 100 exploitable bugs. A group of crackers look for bugs in the closed version, finds 25 of them, and exploits them. The company fixes them, and they're down to 75 bugs. In a parallel universe, the crackers look for bugs in the source of the open version, and find and exploit 75 of them. The community fixes them, and there are 25 bugs left. The open version has become more secure.
You may say the company's testing would find 50 more bugs. But I don't think they can employ enough testers to out-do the entire cracker community. You may say that the open source version had three times as many exploits. That's true, but those were in the past, before the product was mature. At this point, both projects have reached an equilibrium between the bugs created and bugs found, and the open source version has fewer bugs.
Another factor is that with closed source, the only external people interested in finding bugs are those that want to exploit them. With open source, those few people who are just really bored and want to help have the tools, namely access to the source, to do so.
Cisco's password recovery procedure can be disabled from Rommon, making the "configuration bypass" procedure non-functional.
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
Obviously all affected products must be taken offline ASAP and replaced with hardware from trustworthy vendors. Who's going to pay for all of this?
eom.
you were running Cisco VPN server at your site. What's the IP address again ?
bin
look siG is kool
When they can't support a protocol, they invent a better alternative. Instead of just redundant routing, they made CARP with cryptographically secured redundant routing.
Look for it in 3.5.
You can't judge a book by the way it wears its hair.
Think about how many people keep up with their "ownership rights" aka the license and service contracts. Panicked ceo's and cisco trained tech's are gonna go batshit to pay up. All of mine are behind firewalls. I like iptables.
In 1988 the name Echelon was defined: "Eavesdropping on Europe":
October 1998 : "In October, Europe's governing body will commission a full report into the workings of Echelon, a global network of highly sensitive listening posts operated in part by America's most clandestine intelligence organization, the National Security Agency."
"British investigative journalist Duncan Campbell was the first to report about Echelon in a 1988 article in The New Statesman. He believes that there is a very thin line between intelligence gathering and commercial espionage."
Wasn't that the guy who was put behind bars by the British Queen?
Some time ago Cisco announced IOS was highly vulnerable to hack attacks, so they said : "download new fixed IOS version today!" But didn't they announce a press release that future IOS releases would contain FBI Fed hookups?
The story on that is here: "More on Cisco Building Surveillance into Routers". They talk about eavesdropping that 'must be undetectable', and such. Well now! Not so long ago a customer wanted a more powerful cisco router, basically going from a 1603 to a 2600 series router.
We already had a cisco 2610 running which has 64 MB RAM in its default configuration. I checked but only the cisco 2610XM was available (now 6 months ago), which, highly interestingly, has 128 MB in its default configuration. The best part was that a brand new cisco 2610XM at cisco's was even cheaper in price than the older cisco 2610, which cisco didn't sell anymore, but was only available on ePAy or from refurbished cisco resellers.
Robert
A Slashdot comment is not a full-length essay. It doesn't say everything the author thinks. A Slashdot comment must be interpreted in the best possible fashion. Try to derive some positive meaning from each comment.
I'm not saying ALL computer companies have become abusive. But many, many have. Look at the situation with hardware. Dell often heads the list of hardware companies for abusive behavior in Ed Foster's Reader Advocate column. Dell is number 1 on Foster's Gripelog Hall of Shame Pain Index.
We are witnessing an extremely serious social breakdown. Consider Enron, Worldcom and Tyco.
It's a sad phenomenon that, when someone tries to talk about abuse, the abused begin fighting among themselves. That only assures the abuse will continue.
You're just jealous because you can't predict which virae will be released next week and charge extortionate prices for securing your clients from them before anyone else knows they exist...
A default password, one that simply needs to be set, is very different from a backdoor password, which is hidden, unknown to the device owner, and works even after the device owner sets his password. The article was about a backdoor password.
May we never see th
I'd be impressed if you were posting to Slashdot from a Cisco router...
To all of those who have had a Cisco Tech in their department because some appliance showed weird behaviour it should be nothing new that there seem to be a lot of hidden features in IOS. The many times they have hacked some "magic code" into the device and then restored data which should have never been there in the first place does seem to suggest there is more to IOS than meets the human eye. In my particular case there even seems to be a very special debug and diagnostic mode nowhere mentioned. The VPN Concentrator we used could only be "fixed" using that mode to determine the failure. While that does not seem to be as much of an issue as a hidden user/password it does make you think what can happen when user/password + debug mode are used to crawl around the innards of your devices...
That said, the propagation of problems from this will be from people who buy this type of equipment, but don't hire a Cisco admin at all. In Soviet Russia, the wireless network hacks you. That's to say, when I find my network is being 'worked' within the next several months, chances are, it'll be from one of these switches - where someone gave themselves access, and are now attacking me from the parking lot of "joebob-widget-mfg.com".
I don't get the point though, once upgraded - the vulnerability (or known backdoor) is closed, so a downgrade would, in theory, have to be a conscious decision on the part of the administrator of the equipment.
You are right about the TACs, though my favorite is the Brussels one. Especially if you get a female engineer on the other side...
Once Cisco's support made me feel somewhat guilty. I called in a hardware replacement request and sure enough the guy showed up in about 3 hours. However, later on I found out that one of the worst blizzards ever was going on outside (I had been in the datacenter for the last 16 hours).
Based on what other people have said in previous threads, this company did it right.
A diagnostic port that is usually physically disconnected from the machine meets the requirement that only someone with access to the machine can use the back door.
It's only bad if you leave the diagnostic port connected all the time.
If you ever lose a password for an Extreme Switch then you will find they have the same thing embedded in their gear. I took over a couple of large chassis-type switches as part of a reorg, and I didn't have the password for either of them. When I called Extreme to get the reset procedure they insisted that I had to connect the switch to a modem or open Internet connection and let them reset the password using a secret system (read: backdoor).
Needless to say I replaced the switches with something else that cost less than the next year's maintenance and have slept much better. The sad part is that Extreme sales guys never could understand why I was unhappy with that situation.
I completely agree.
I thought that was funny. Rephrasing: "We have no other option but to accept people who are not completely trustworthy, but, of course, I choose the most trustworthy server software."
We are seeing software companies be so abusive that their business is becoming largely abuse, rather than software. It's extraordinary in business to have a business partner that can change a contract at any time unilaterally.
I have no respect for those who choose to commit suicide. Respect is earned. Writing a few decent songs does not earn my respect. The fucking loser should have cleaned up his act and taken care of his family.
So, in short...
NO, FUCK YOU SIR.
"I'm just here to regulate funkiness."
