Default Passwords for World Wide Packets/Lightning Edge Equipment

Steven Bellovin smb at cs.columbia.edu
Wed Jan 6 16:13:58 CST 2010


On Jan 6, 2010, at 4:43 AM, George Bonser wrote:

>> -----Original Message-----
>> 
>>> having physical access pretty much trumps any other security
> measure.
>> 
>> The fact that there's a factory default means that lots of folks won't
>> change it when they configure the unit with an IP address; they follow
>> this with failing to implement iACLs, and it's pw3nt1me!
> 
> 
> I suppose it is a philosophical thing with me.  I don't believe in
> protecting people from their own stupidity. If you try to enforce that,
> you end up with organizations making up their own "default" passwords
> which can be little better than manufacturer defaults. 
> 
> 
They're much better, since once guess doesn't suffice for all devices; see http://ids.ftw.fm/Home/publications/RouterScan-RAID09-Poster.pdf?attredirects=0 for some indication of just how bad the problem can be.  And we all suffer from p0wned devices, because they get turned into bots.  Roland is 100% right.

		--Steve Bellovin, http://www.cs.columbia.edu/~smb









More information about the NANOG mailing list