Okay, first off, I've never used anything from F5. In fact, I don't think I've ever seen anything from them, firsthand. However, my thoughts on this are generic enough that this shouldn't matter.

At 10:18 PM 11/10/99 -0800, pedwardat_private wrote:
>First of all, it's just stupid to sit here and say "They ship a product with
>a security hole, because it has a support password that is root priv'd".

How is this different from the backdoors that were found in other network equipment, not too long ago?

>They assured me that they rotate the passwords on a regular basis to ensure
>that accountability is retained internally.

What is that regular basis? Hourly? Daily? Weekly? Monthly? Yearly? There are still at least two boxes out there with the same password.

>If the device shipped with a password that was obtained via a hex dump of a
>ROM, I could understand, but we're talking about a password that requires
>many hours of CPU time, or hundreds of thousands of dollars of hardware.

No, we're talking about a password that is identical on at least two systems. This is bad, in my opinion.

>I don't like good people like F5 getting grilled, and sending me a stupid
>advisory, because someone cried the equivalent of 'Y2K bug'.

Again, if I had a system from F5, this bug would at least annoy me.

>Hey everybody, <insert fav dist> ships with a UID 0 account, its password
>is probably guessable.

This is what I really wanted to comment about. First, why do the systems ship with a password at all? None of the OSes I've used ship with one, but they do -require- you to create a password for the 'root' account when you are physically at the terminal during install, or at first boot. Without doing this, the system never boots entirely.

Or, it's done a different way. Take Cisco routers (at least the ones I've used) for example. You cannot remotely log into them if a password is not set. Setting the password is as simple as plugging in a serial cable.

I think F5 could/should do something similar to this, regardless of which IP addresses are allowed to connect to the system.

>Grr, this just makes me mad that we're discussing this.

I see it as a security-related bug. Now, I'll probably never buy an F5 product, or be in any way involved in a purchasing decision related to an F5 product, but that has nothing to do with this bug. Still, I find it interesting and I believe that it does belong on BUGTRAQ.

>--Perry

Mike

--
Mike Johnson - mike.johnson@gd-cs.com
Network Engineer - New Technology Group
General Dynamics - All opinions are mine, not General Dynamics'.
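[Editor's note, not part of the original post or of any F5 code.] The two complaints in the message above, a UID 0 account that is reachable without a password ever having been set, and one support password copied onto more than one box, are both things an operator can check for on a fleet of Unix-style appliances. The script below is an added example: it reads passwd(5)/shadow(5)-format entries and flags (a) UID 0 accounts whose password field is empty or missing, and (b) password hashes that appear on more than one host. The hostnames, account names and hash strings are constructed placeholders (not real crypt output, not F5's format); a real appliance may keep credentials elsewhere and would need its own parser.

```python
"""Audit passwd/shadow-style entries for two failure modes discussed in the
thread: privileged (UID 0) accounts reachable without any password, and an
identical password hash present on several hosts (a copied image).

Added example code; the sample entries below are constructed and the hash
strings are placeholders, not real MD5-crypt values.
"""
from collections import defaultdict

# Constructed fleet: lb-a and lb-b were imaged from the same master (same
# "support" hash), lb-c has an installer account whose password was never set.
SAMPLE_FLEET = {
    "lb-a": {
        "passwd": "root:x:0:0:root:/root:/bin/sh\n"
                  "support:x:0:0:vendor support:/root:/bin/sh\n"
                  "nobody:x:65534:65534::/:/bin/false\n",
        "shadow": "root:$1$aaaaaaaa$ROOTHASHA:10900:0:99999:7:::\n"
                  "support:$1$bbbbbbbb$SUPPORTHASH:10900:0:99999:7:::\n"
                  "nobody:*:10900:0:99999:7:::\n",
    },
    "lb-b": {
        "passwd": "root:x:0:0:root:/root:/bin/sh\n"
                  "support:x:0:0:vendor support:/root:/bin/sh\n",
        "shadow": "root:$1$eeeeeeee$ROOTHASHB:10900:0:99999:7:::\n"
                  "support:$1$bbbbbbbb$SUPPORTHASH:10900:0:99999:7:::\n",
    },
    "lb-c": {
        "passwd": "root:x:0:0:root:/root:/bin/sh\n"
                  "install:x:0:0:installer:/root:/bin/sh\n"
                  "support:x:0:0:vendor support:/root:/bin/sh\n",
        "shadow": "root:$1$cccccccc$ROOTHASHC:10900:0:99999:7:::\n"
                  "install::10900:0:99999:7:::\n"
                  "support:$1$dddddddd$OTHERSUPPORT:10900:0:99999:7:::\n",
    },
}

LOCKED_MARKERS = ("*", "!", "!!")


def parse_passwd(text):
    """Return {user: uid} from passwd(5)-format text; malformed lines are skipped."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 3:
            continue
        users[fields[0]] = int(fields[2])
    return users


def parse_shadow(text):
    """Return {user: password_field} from shadow(5)-format text."""
    entries = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 2:
            continue
        entries[fields[0]] = fields[1]
    return entries


def open_privileged_accounts(passwd, shadow):
    """UID 0 accounts usable without a password: empty password field, or no
    shadow entry at all (the passwd field is 'x', so nothing backs it).
    '*' and '!'-prefixed fields mean locked for password login; not flagged."""
    return sorted(user for user, uid in passwd.items()
                  if uid == 0 and not shadow.get(user))


def shared_password_hashes(fleet_shadow):
    """Map each hash found on more than one host to the (host, user) pairs
    carrying it.  A crypt(3) hash embeds its salt, so an identical string on
    two boxes means the same password and the same salt, i.e. the entry was
    copied from a common image.  The same password under different salts is
    NOT detected here; finding that takes cracking, which is the cost the
    thread is arguing about."""
    seen = defaultdict(list)
    for host, shadow in fleet_shadow.items():
        for user, pw in shadow.items():
            if not pw or pw in LOCKED_MARKERS or pw.startswith("!"):
                continue
            seen[pw].append((host, user))
    return {h: sorted(v) for h, v in seen.items()
            if len({host for host, _ in v}) > 1}


def audit(fleet):
    """Run both checks over {host: {"passwd": str, "shadow": str}}."""
    open_uid0, shadows = {}, {}
    for host, files in fleet.items():
        passwd, shadow = parse_passwd(files["passwd"]), parse_shadow(files["shadow"])
        shadows[host] = shadow
        hits = open_privileged_accounts(passwd, shadow)
        if hits:
            open_uid0[host] = hits
    return {"open_uid0": open_uid0, "shared_hashes": shared_password_hashes(shadows)}


if __name__ == "__main__":
    for kind, findings in audit(SAMPLE_FLEET).items():
        print(kind, findings)
```

On the constructed fleet this reports lb-c's "install" account as an open UID 0 login and the "support" hash as shared between lb-a and lb-b. The second check is deliberately narrow: it only catches a hash that was literally copied, which is exactly the "identical on at least two systems" case above, and says nothing about a password that was set separately on each box.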
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:11:30 PDT