Death of the Internet, Film at 11
bicknell at ufp.org
Sat Oct 22 12:53:35 UTC 2016
In a message written on Sat, Oct 22, 2016 at 07:34:55AM -0500, Mike Hammett wrote:
> "taken all necessary steps to insure that none of the numerous specific types of CCVT thingies that Krebs and others identified"
The part that should outrage everyone on this list:

That's because while many of these devices allow users to change
the default usernames and passwords on a Web-based administration
panel that ships with the products, those machines can still be
reached via more obscure, less user-friendly communications services
called "Telnet" and "SSH."

"The issue with these particular devices is that a user cannot
feasibly change this password," Flashpoint's Zach Wikholm told
KrebsOnSecurity. "The password is hardcoded into the firmware, and
the tools necessary to disable it are not present. Even worse, the
web interface is not aware that these credentials even exist."

As much as I hate to say it, what is needed is regulation. It could
be some form of self regulation, with retailers refusing to sell
products that aren't "certified" by some group. It could be full
blown government regulation. Perhaps a mix.

It's not a problem for a network operator to "solve", any more than
someone who builds roads can make an unsafe car safe. Yes, both
the network operator and road operator play a role in building safe
infrastructure (BCP38, deformable barriers), but neither can do
anything for a manufacturer who builds a device that is wholly
deficient in the first place.

Leo Bicknell - bicknell at ufp.org
PGP keys at http://www.ufp.org/~bicknell/