Agree 110% … It does suck re: having to climb a tower to reset a password but would also think that folks might suddenly be inclined to keep better track of passwords after having to do so a couple of times ;)
> On Nov 14, 2016, at 10:52 AM, Simon Westlake <[email protected]> wrote: > > You may not be the only one to make that assumption, but I find it hard to > throw my hands up and say 'Oh well' to a hard coded, fixed password root > account that is publicly accessible on any kind of device. > > On 11/14/2016 9:44 AM, Ken Hohhof wrote: >> I think in some cases this means climbing the tower with a laptop and a >> serial cable though. >> >> Am I the only one who assumes everything has one or more backdoors, >> including my car? There’s the one the manufacturer knows about, the one the >> NSA put there, the one the software engineer put there and didn’t tell his >> boss about, the one the Chinese chip maker put there, the one Fancy Bear put >> there … >> >> <> >> From: Af [mailto:[email protected] <mailto:[email protected]>] On >> Behalf Of Simon Westlake >> Sent: Monday, November 14, 2016 9:11 AM >> To: [email protected] <mailto:[email protected]> >> Subject: Re: [AFMUG] Trango Security Issue >> >> There's no reason for it to be secret, either. If it exists purely to assist >> customers who forgot their password, then there is no reason to both >> disclose it, and offer the user the ability to turn it off. As long as there >> is still a physical reset method, then any fallout from forgetting a >> password ends up on the customer, if they disabled the ability for it to be >> reset. >> >> Let's just imagine right now that someone has already built a bot that is >> going out, scanning for Trango radios, and modifying the running code on >> them. You can argue that some fault lies with the operator for not properly >> securing his/her network, but the root cause of the problem is an insecure, >> root account, hard coded into a radio, with a fixed password, that cannot be >> disabled. >> >> On 11/13/2016 5:12 PM, Paul Stewart wrote: >> True and now it’s been disclosed by a security researcher and this blows up >> badly on the vendor in my opinion…. makes you wonder what else they are >> doing in their software that they are not telling you about - just an >> example and not suggesting there’s more in this case >> >> >> On Nov 13, 2016, at 5:51 PM, Ken Hohhof <[email protected] >> <mailto:[email protected]>> wrote: >> >> Well, it’s not a secret backdoor if you disclose it. >> >> “You ever flashy thinged me?” >> “No.” >> “I ain’t playing with you, K, you ever flashy thinged me”? >> “No.” >> >> From: Af [mailto:[email protected] <mailto:[email protected]>] On >> Behalf Of Paul Stewart >> Sent: Sunday, November 13, 2016 3:56 PM >> To: [email protected] <mailto:[email protected]> >> Subject: Re: [AFMUG] Trango Security Issue >> >> Different people deploy them different ways … good or bad … >> >> The biggest problem I have with this is when a vendor doesn’t disclose this >> information and that a customer cannot choose to remove this option if the >> vendor insists on putting it in place. >> >> >> On Nov 13, 2016, at 4:35 PM, George Skorup <[email protected] >> <mailto:[email protected]>> wrote: >> >> I don't exactly see the problem, especially with a PTP radio that should >> only be accessible from within your network and possibly only from >> management subnets/VLANs, too. If it's a public facing piece of equipment >> like a router, then sure, I agree. >> >> On 11/13/2016 3:07 PM, Paul Stewart wrote: >> Totally disagree with this… we would never let a vendor into our network if >> there was a possibility of this. It puts our network at risk from their >> stupidity …. >> >> We aggressively look at this when new products are coming into the network - >> realizing that sometimes there’s no way to detect it but it’s a question we >> ask, tests that we run, and hope that our confidence in this being possible >> is low. >> >> >> On Nov 13, 2016, at 11:59 AM, Ken Hohhof <[email protected] >> <mailto:[email protected]>> wrote: >> >> Yep. There are legitimate needs for the factory to have a backdoor >> >> >> >> -- >> Simon Westlake >> Skype: Simon_Sonar >> Email: [email protected] <mailto:[email protected]> >> Phone: (702) 447-1247 >> --------------------------- >> Sonar Software Inc >> The future of ISP billing and OSS >> https://sonar.software <https://sonar.software/> > -- > Simon Westlake > Skype: Simon_Sonar > Email: [email protected] <mailto:[email protected]> > Phone: (702) 447-1247 > --------------------------- > Sonar Software Inc > The future of ISP billing and OSS > https://sonar.software <https://sonar.software/>
