Re: F5 Networks Security Advisory (fwd)

From: pedwardat_private
Date: Wed Nov 10 1999 - 22:18:54 PST


I am upset about the recent thread about the Big/ip support account on Bugtraq.

First of all, it's just stupid to sit here and say "They ship a product with
a security hole, because it has a support password that is root priv'd".

I have known about this for nearly 2 years, questioned them initially, but wrote
it off as non-consequential.

First of all, the default config is very restrictive, and they don't recommend
the contrary.

The Big/ip products ship with the F5 labs firewall IP COMMENTED OUT of the sshd
config.

They assured me that they rotate the passwords on a regular basis to ensure that
accountability is retained internally.

If the device shipped with a password that was obtained via a hex dump of a ROM,
I could understand, but we're talking about a password that requires many hours
of CPU time, or hundreds of thousands of dollars of hardware.

I don't like good people like F5 getting grilled, and sending me a stupid advisory,
because someone cried the equivalent of 'Y2K bug'.

When will the discussion of real security threats return to Bugtraq?

Hey everybody, <insert fav dist> ships with a UID 0 account; its password is probably
guessable.

Grr, this just makes me mad that we're discussing this.

--Perry

--
Perry Harrington                 Director of                   zelur xuniL  ()
perryat_private             System Architecture               Think Blue.  /\
    
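The post's central mitigation point is that the vendor's remote-support access ships commented out in the sshd config, so the shared root-privileged support account only matters once an administrator uncomments it. The following audit script is an added example for checking that on a BIG/IP or any OpenSSH host; it is not code from the post or from F5. It assumes the support access is expressed as `AllowUsers user@host` entries (the post does not say which sshd directive F5 used, so that is an assumption), and the two config snippets are constructed, with the IP addresses taken from documentation ranges and the account name `support` used as a placeholder.

```python
"""Audit an OpenSSH sshd_config for vendor remote-support access.

Added example, not from the original post or the F5 product. Assumption:
vendor support access is written as 'AllowUsers user@host' lines, and the
shipped config carries that line commented out.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SUPPORT_ACCOUNT = "support"  # placeholder name, not taken from the post

# Constructed config as a cautious vendor would ship it: the support entry
# is commented out and admin access is pinned to one source address.
SAMPLE_AS_SHIPPED = """\
# sshd_config (constructed example)
PermitRootLogin no
AllowUsers admin@192.0.2.10
#AllowUsers support@198.51.100.7
"""

# Constructed config after an administrator "opened it up": the support
# account is active with no host restriction and root login is allowed.
SAMPLE_OPENED_UP = """\
PermitRootLogin yes
AllowUsers admin support
"""

# Only directives we care about; other comment lines are plain prose.
AUDITED_KEYWORDS = {"allowusers", "permitrootlogin"}


@dataclass
class SshdAuditResult:
    active_allow: List[str] = field(default_factory=list)
    commented_allow: List[str] = field(default_factory=list)
    permit_root_login: Optional[str] = None
    # AllowUsers entries for the support account with no host part
    unrestricted_support: List[str] = field(default_factory=list)

    def findings(self) -> List[str]:
        """Human-readable list of risky settings (empty means nothing flagged)."""
        out = []
        if self.permit_root_login in ("yes", "without-password"):
            out.append(f"PermitRootLogin is '{self.permit_root_login}'")
        for entry in self.unrestricted_support:
            out.append(f"support account '{entry}' allowed from any host")
        return out


def parse_sshd_config(text: str):
    """Yield (active, keyword, args) for each directive line.

    A directive that is commented out is yielded with active=False so the
    auditor can tell 'shipped disabled' from 'never present'.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        active = not line.startswith("#")
        body = line.lstrip("#").strip()
        parts = body.split(None, 1)
        if not parts:
            continue
        keyword = parts[0].lower()
        if keyword not in AUDITED_KEYWORDS:
            continue  # prose comment or a directive we do not audit
        yield active, keyword, parts[1] if len(parts) > 1 else ""


def audit_sshd_config(text: str, support_account: str = SUPPORT_ACCOUNT) -> SshdAuditResult:
    """Classify AllowUsers entries and PermitRootLogin for the given config text."""
    result = SshdAuditResult()
    for active, keyword, args in parse_sshd_config(text):
        if keyword == "allowusers":
            for entry in args.split():
                (result.active_allow if active else result.commented_allow).append(entry)
                user, _, host = entry.partition("@")
                # An entry with no '@host' (or '@*') lets the account in from anywhere.
                if active and user == support_account and host in ("", "*"):
                    result.unrestricted_support.append(entry)
        elif keyword == "permitrootlogin" and active:
            # Last active occurrence wins in this simple model.
            result.permit_root_login = args.strip().lower()
    return result


if __name__ == "__main__":
    for name, cfg in (("as shipped", SAMPLE_AS_SHIPPED), ("opened up", SAMPLE_OPENED_UP)):
        res = audit_sshd_config(cfg)
        print(f"[{name}] active={res.active_allow} commented={res.commented_allow}")
        for f in res.findings():
            print("  FLAG:", f)
```

Run against the shipped snippet the audit reports the support entry as present but commented out and flags nothing; against the opened-up snippet it flags both the unrestricted support account and `PermitRootLogin yes`. The point of recording commented-out entries separately is exactly the post's argument: a disabled vendor line in the shipped config is a different risk from an active one, and a change-control diff between the two is what a defender should be watching for.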