Cisco Update

Joe Greco jgreco at ns.sol.net
Sat Jul 7 14:30:13 UTC 2012


> On 7/5/12, Joe Greco <jgreco at ns.sol.net> wrote:
> > It'll get real interesting when Cisco's cloud database is breached and
> > some weakness in the password encryption is discovered.
> [snip]
> 
> Will the users' passwords even matter, if a compromise of the
> database allows an intruder to make a system-wide change to end users'
> equipment, such as delivering a compromising configuration change, or
> a "patched" firmware update that deactivates cloud service and
> turns them all into botnet nodes under exclusive control of the
> compromiser?
> 
> Hopefully Cisco thought that stuff out, but password encryption
> weaknesses at least are easily addressed by forcing all users to reset
> pw, and requiring a proof of physical access to the unit.

"and requiring a proof of physical access to the unit"?  Yeah, sure,
that seems likely.

No, really, how bad an idea can it be to have a central database and
a system that's allowed to remotely log in, configure, and update 
thousands of Internet-connected CPE?  I mean, talk about making an
attractive target.  Compromise this one system and gain access to
create a huge botnet.  Complete list of CPE addresses and access
credentials in one juicy bundle.  How is it that NANOG can see this
with no trouble but Cisco cannot?

What's stunningly clear is that Cisco did NOT think that stuff out.

You want content filtering?  Boring.  Been done for years, without
"cloud" features.

You want remote management?  Boring.  Been done for years, just look
at DD-WRT et al.

You want configuration backup and restore?  Still boring.  Could have
figured a slick method to do THAT "to the cloud", as an option, with
per-account encryption, or config backup to local PC, or both.

Automatic firmware updates?  Hey, effin' great!  I heartily approve
of THAT idea, even of defaulting it to on.  Just make sure I can also
turn it off.  "Forced" upgrades are not acceptable.  Requiring an
upgrade to happen over the public Internet is not acceptable.  Make
sure we have the option to upgrade manually from a local firmware
file.

So is a user locked out of administering the router unless it can talk
to the cloud?  If so, that's boneheaded in the extreme.  Hey, Cisco,
when my DSL with static IP finally dies and I need to switch to a
provider that uses DHCP, how am I supposed to log in to my router
since it cannot connect to your glorious cloud?

And the onerous puritanical TOS?  Find and fire whoever came up with
that.  That's just a complete load.  Did you sign an agreement not to
watch porno DVDs when you bought your DVD player?  It's *equipment*,
Cisco.  Some people will invariably use it for purposes you find to
be objectionable.  Geez.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
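The config backup option the post sketches, with per-account encryption done on the client so that a breach of the central database yields ciphertext rather than CPE configs and credentials, as an added example. This is not code from the post, from Cisco, or from any NANOG participant; it is written in Python using only the standard library. The sample config, the account passphrase, and the function names (`encrypt_backup`, `decrypt_backup`, `derive_account_key`) are all constructed for illustration. The cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen so the block runs without third-party packages; a production client would use AES-GCM or ChaCha20-Poly1305 from a vetted library with the same key-handling structure.

```python
"""Client-side, per-account encrypted config backup (added example).

Threat model from the thread: the cloud database is breached. With this
scheme the server stores only salt, nonce, ciphertext and tag; the key is
derived on the CPE/PC from the account passphrase and never leaves it.
"""
import hashlib
import hmac
import json
import os
import struct

# Constructed sample router config for the demo; not from any real device.
SAMPLE_CONFIG = json.dumps({
    "wan": {"mode": "dhcp"},
    "wifi": {"ssid": "example-home", "psk": "correct horse battery staple"},
    "admin": {"user": "admin", "password": "placeholder-admin-password"},
}).encode()


def derive_account_key(passphrase: str, salt: bytes) -> bytes:
    """scrypt a passphrase into 64 bytes: 32 for encryption, 32 for the MAC.

    A per-backup random salt means two accounts with the same passphrase
    still get different keys, and precomputed tables are useless.
    """
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, maxmem=2 ** 26, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF-based stream (illustrative)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_backup(config: bytes, passphrase: str) -> dict:
    """Return the record the cloud would store; none of it reveals `config`."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    key = derive_account_key(passphrase, salt)
    enc_key, mac_key = key[:32], key[32:]
    ciphertext = bytes(a ^ b for a, b in
                       zip(config, _keystream(enc_key, nonce, len(config))))
    # Encrypt-then-MAC over everything the server stores, so a tampered
    # record (e.g. a "helpful" config change pushed from a breached DB)
    # is rejected before a single byte is decrypted.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(),
            "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_backup(record: dict, passphrase: str) -> bytes:
    """Verify the tag, then decrypt. Raises ValueError on tamper or bad key."""
    salt = bytes.fromhex(record["salt"])
    nonce = bytes.fromhex(record["nonce"])
    ciphertext = bytes.fromhex(record["ciphertext"])
    key = derive_account_key(passphrase, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext,
                        hashlib.sha256).digest()
    # Constant-time compare: a timing leak here would let the server-side
    # attacker forge tags byte by byte.
    if not hmac.compare_digest(expected, bytes.fromhex(record["tag"])):
        raise ValueError("backup rejected: tag mismatch (tampered or wrong passphrase)")
    return bytes(a ^ b for a, b in
                 zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def record_reveals(record: dict, secret: bytes) -> bool:
    """True if a plaintext secret is visible in what the cloud stores."""
    stored = bytes.fromhex(record["ciphertext"]) + bytes.fromhex(record["tag"])
    return secret in stored


if __name__ == "__main__":
    rec = encrypt_backup(SAMPLE_CONFIG, "account-passphrase")
    print("server stores:", json.dumps({k: v[:16] + "..." for k, v in rec.items()}))
    print("wifi PSK visible to a DB thief:", record_reveals(rec, b"correct horse"))
    print("restore matches:", decrypt_backup(rec, "account-passphrase") == SAMPLE_CONFIG)
```

The point for the thread is the split of trust: the cloud gets a backup/restore feature, but a dump of its database contains no CPE credentials or configs, and a record altered server-side fails the tag check on the device instead of being applied.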