You may not be the only one to make that assumption, but I find it hard
to throw my hands up and say 'Oh well' to a hard coded, fixed password
root account that is publicly accessible on any kind of device.
On 11/14/2016 9:44 AM, Ken Hohhof wrote:
I think in some cases this means climbing the tower with a laptop and
a serial cable though.
Am I the only one who assumes everything has one or more backdoors,
including my car? There’s the one the manufacturer knows about, the
one the NSA put there, the one the software engineer put there and
didn’t tell his boss about, the one the Chinese chip maker put there,
the one Fancy Bear put there …
*From:*Af [mailto:[email protected]] *On Behalf Of *Simon Westlake
*Sent:* Monday, November 14, 2016 9:11 AM
*To:* [email protected]
*Subject:* Re: [AFMUG] Trango Security Issue
There's no reason for it to be secret, either. If it exists purely to
assist customers who forgot their password, then there is no reason to
both disclose it, and offer the user the ability to turn it off. As
long as there is still a physical reset method, then any fallout from
forgetting a password ends up on the customer, if they disabled the
ability for it to be reset.
Let's just imagine right now that someone has already built a bot that
is going out, scanning for Trango radios, and modifying the running
code on them. You can argue that some fault lies with the operator for
not properly securing his/her network, but the root cause of the
problem is an insecure, root account, hard coded into a radio, with a
fixed password, that cannot be disabled.
On 11/13/2016 5:12 PM, Paul Stewart wrote:
True and now it’s been disclosed by a security researcher and this
blows up badly on the vendor in my opinion…. makes you wonder
what else they are doing in their software that they are not
telling you about - just an example and not suggesting there’s
more in this case
On Nov 13, 2016, at 5:51 PM, Ken Hohhof <[email protected]
<mailto:[email protected]>> wrote:
Well, it’s not a secret backdoor if you disclose it.
“You ever flashy thinged me?”
“No.”
“I ain’t playing with you, K, you ever flashy thinged me”?
“No.”
*From:*Af [mailto:[email protected]]*On Behalf Of*Paul Stewart
*Sent:*Sunday, November 13, 2016 3:56 PM
*To:*[email protected] <mailto:[email protected]>
*Subject:*Re: [AFMUG] Trango Security Issue
Different people deploy them different ways … good or bad …
The biggest problem I have with this is when a vendor doesn’t
disclose this information and that a customer cannot choose to
remove this option if the vendor insists on putting it in place.
On Nov 13, 2016, at 4:35 PM, George Skorup
<[email protected] <mailto:[email protected]>> wrote:
I don't exactly see the problem, especially with a PTP
radio that should only be accessible from within your
network and possibly only from management subnets/VLANs,
too. If it's a public facing piece of equipment like a
router, then sure, I agree.
On 11/13/2016 3:07 PM, Paul Stewart wrote:
Totally disagree with this… we would never let a
vendor into our network if there was a possibility of
this. It puts our network at risk from their stupidity ….
We aggressively look at this when new products are
coming into the network - realizing that sometimes
there’s no way to detect it but it’s a question we
ask, tests that we run, and hope that our confidence
in this being possible is low.
On Nov 13, 2016, at 11:59 AM, Ken Hohhof
<[email protected] <mailto:[email protected]>> wrote:
Yep. There are legitimate needs for the factory to
have a backdoor
--
Simon Westlake
Skype: Simon_Sonar
Email:[email protected] <mailto:[email protected]>
Phone: (702) 447-1247
---------------------------
Sonar Software Inc
The future of ISP billing and OSS
https://sonar.software
--
Simon Westlake
Skype: Simon_Sonar
Email: [email protected]
Phone: (702) 447-1247
---------------------------
Sonar Software Inc
The future of ISP billing and OSS
https://sonar.software
