Death of the Internet, Film at 11

Leo Bicknell bicknell at
Sat Oct 22 12:53:35 UTC 2016

In a message written on Sat, Oct 22, 2016 at 07:34:55AM -0500, Mike Hammett wrote:
> "taken all necessary steps to insure that none of the numerous specific types of CCVT thingies that Krebs and others identified" 


The part that should outrage everyone on this list:

        That's because while many of these devices allow users to change
        the default usernames and passwords on a Web-based administration
        panel that ships with the products, those machines can still be
        reached via more obscure, less user-friendly communications services
        called "Telnet" and "SSH."

        "The issue with these particular devices is that a user cannot
        feasibly change this password," Flashpoints Zach Wikholm told
        KrebsOnSecurity.  "The password is hardcoded into the firmware, and
        the tools necessary to disable it are not present. Even worse, the
        web interface is not aware that these credentials even exist."

As much as I hate to say it, what is needed is regulation.  It could
be some form of self regulation, with retailers refusing to sell
products that aren't "certified" by some group.  It could be full
blown government regulation.  Perhaps a mix.

It's not a problem for a network operator to "solve", any more than
someone who builds roads can make an unsafe car safe.  Yes, both
the network operator and rood operator play a role in building safe
infrastructure (BCP38, deformable barriers), but neither can do
anything for a manufacturer who builds a device that is wholely
deficient in the first place.

Leo Bicknell - bicknell at
PGP keys at
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 811 bytes
Desc: not available
URL: <>

More information about the NANOG mailing list