> Okay, first off, I've never used anything from F5. In fact, I don't
> think I've ever seen anything from them, firsthand. However, my
> thoughts on this are generic enough that this shouldn't matter.
>
> At 10:18 PM 11/10/99 -0800, pedwardat_private wrote:
>
> >First of all, it's just stupid to sit here and say "They ship a product with
> >a security hole, because it has a support password that is root priv'd".
>
> How is this different from the backdoors that were found in other network
> equipment, not too long ago?

In the other systems, the password was obtained through a hex dump of the
firmware; this is Extended DES encoded, much stronger than anything in
firmware, to date.

> >They assured me that they rotate the passwords on a regular basis to
> >ensure that accountability is retained internally.
>
> What is that regular basis? Hourly? Daily? Weekly? Monthly? Yearly?
> There's still at least two boxes out there with the same password.

I was told monthly.

> >If the device shipped with a password that was obtained via a hex dump of
> >a ROM, I could understand, but we're talking about a password that requires
> >many hours of CPU time, or hundreds of thousands of dollars of hardware.
>
> No, we're talking about a password that is identical on at least two systems.
> This is bad, in my opinion.

How are they going to fulfill their support contract without it? They log in
and upgrade your system for you, with your knowledge, of course.

> >I don't like good people like F5 getting grilled, and sending me a stupid
> >advisory, because someone cried the equivalent of 'Y2K bug'.
>
> Again, if I had a system from F5, this bug would at least annoy me.

It's not a bug, it's a policy decision. People are freaking over it because
of the mass hysteria created by 'ohh, you shouldn't have a vendor password'.

> >Hey everybody, <insert fav dist> ships with a UID 0 account, its password
> >is probably guessable.
>
> This is what I really wanted to comment about.
> First, why do the systems ship with a password at all? None of the OSes
> I've used ship with one, but they do -require- you to create a password
> for the 'root' account when you are physically at the terminal during
> install, or at first boot. Without doing this, the system never boots
> entirely. Or, it's done a different way. Take Cisco routers (at least the
> ones I've used) for example. You cannot remotely log into them if a
> password is not set. Setting the password is as simple as plugging in a
> serial cable. I think F5 could/should do something similar to this,
> regardless of which IP addresses are allowed to connect to the system.

Unix is slightly different than embedded, but this could be achieved via:

/etc/securetty:
/dev/ttyS0

> >Grr, this just makes me mad that we're discussing this.
>
> I see it as a security related bug. Now, I'll probably never buy an F5
> product, or be in any way involved in a purchasing decision related to
> an F5 product, but that has nothing to do with this bug. Still, I find
> it interesting and I believe that it does belong on BUGTRAQ.

That's the point, it's not a 'bug', it's a policy set forth by F5. Someone
may disagree with this policy, but I don't. I have faith in the security
they maintain, to trust them with access to my box. I didn't intend this
to be an attack on you, I was addressing the list as a whole.

> >--Perry
>
> Mike
>
> --
> Mike Johnson - mike.johnson@gd-cs.com
> Network Engineer - New Technology Group
> General Dynamics - All opinions are mine, not General Dynamics'.

--Perry

--
Perry Harrington                 Director of               zelur xuniL  ()
perryat_private                  System Architecture       Think Blue.  /\
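The /etc/securetty suggestion in the reply above, worked through as an added example that is not code from the thread or from any of its participants: a Python model of the console-only root-login check that login(1) and pam_securetty perform, plus an audit that flags securetty entries which would let a remote pseudo-terminal session (what a telnet or rlogin login lands on) use a vendor-known root password. The two securetty files are constructed for the example; the '#' comment handling, the stripping of a leading /dev/ from both the tty name and each file entry, and the fail-closed behaviour when the file is missing are choices made for this example, not guaranteed properties of any particular login implementation, so check the matching rules of the login program you actually run.

```python
"""Console-only root login, modelled on the /etc/securetty check of login(1)."""
from typing import List, Optional

# Constructed for this example (not from the thread): the console-only file
# the reply proposes.  Only the serial console may be used by root.
SECURETTY_CONSOLE_ONLY = """\
# /etc/securetty: ttys from which root may log in
/dev/ttyS0
"""

# Constructed for this example: a permissive file that also lists pseudo
# terminals, so a remote telnet session could log in as root directly.
SECURETTY_PERMISSIVE = """\
ttyS0
tty1
pts/0
pts/1
ttyp0
"""


def _canon(tty: str) -> str:
    """Drop a leading /dev/ so 'ttyS0' and '/dev/ttyS0' compare equal.

    Assumption of this example: both the login tty and the file entries are
    normalised this way; some implementations compare the bare name only."""
    tty = tty.strip()
    if tty.startswith("/dev/"):
        tty = tty[len("/dev/"):]
    return tty


def parse_securetty(text: str) -> List[str]:
    """Return the tty names listed, skipping blank lines and '#' comments
    (comment support is an assumption made for readability here)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.append(_canon(line))
    return entries


def is_pseudo_terminal(tty: str) -> bool:
    """Heuristic: pts/N (Unix98) and ttyp*/ttyq*/ttyr*/ttys* (BSD-style)
    pty slaves are where network logins land, not physical consoles."""
    t = _canon(tty)
    return t.startswith("pts/") or t[:4] in ("ttyp", "ttyq", "ttyr", "ttys")


def root_login_allowed(tty: str, securetty_text: Optional[str],
                       user: str = "root") -> bool:
    """Mirror the login-time decision: only root is restricted, and root may
    log in only from a listed tty.  A missing file denies root everywhere
    (fail closed; a deliberate choice for this example)."""
    if user != "root":
        return True
    if securetty_text is None:
        return False
    return _canon(tty) in parse_securetty(securetty_text)


def audit_securetty(securetty_text: str) -> List[str]:
    """Return listed entries that would admit root from a remote pty session."""
    return [e for e in parse_securetty(securetty_text) if is_pseudo_terminal(e)]


if __name__ == "__main__":
    # The thread's scenario: a third party knows root's password.  With the
    # console-only file, a telnet session on pts/0 cannot use it; someone at
    # the serial console still can.
    for tty in ("/dev/ttyS0", "/dev/pts/0"):
        verdict = "allowed" if root_login_allowed(tty, SECURETTY_CONSOLE_ONLY) else "denied"
        print(f"root on {tty}: {verdict}")
    print("entries admitting remote root:", audit_securetty(SECURETTY_PERMISSIVE))
```

The audit is the check worth running on a box you did not build: anything in /etc/securetty that names a pseudo-terminal turns a vendor-known root password into a remote login, which is exactly the situation the console-only file is meant to rule out.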
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:11:35 PDT