
Sprint DSL's Security Hole Easy As 1,2,3,4

timothy posted more than 11 years ago | from the oh-didn't-you-catch-that dept.

Privacy 373

An Anonymous reader points to this Wired article, excerpting "Sprint officials acknowledged that remote access to the administrative software embedded in the ZyXel Prestige 642 and 645 modems is by default protected with a password of '1234.' But the company said users are responsible for securing the equipment, which stores login data, including the user's e-mail address and password." Wired found that more than 90% of the modems they polled were using that default password.


373 comments


FP (-1, Troll)

YourMissionForToday (556292) | more than 11 years ago | (#5145833)

Enjoy it when you lick my fist, commie!

First Post (-1, Troll)

Anonymous Coward | more than 11 years ago | (#5145837)

That was easy as 1,2,3,4

Re:First Post (0, Offtopic)

jbrelie (322599) | more than 11 years ago | (#5145879)

except that yours wasn't first. :P

Shit (5, Funny)

Anonymous Coward | more than 11 years ago | (#5145845)

Time to change the combo on the luggage again.

Hey! (-1, Redundant)

mrdisco99 (113602) | more than 11 years ago | (#5145850)

That's the same password I have on my luggage!

Oh No! (-1, Redundant)

Ravensfire (209905) | more than 11 years ago | (#5145855)

That's my luggage combination!

As I've always said (5, Insightful)

Amsterdam Vallon (639622) | more than 11 years ago | (#5145862)

The biggest security hole is not buffer overflows, ICMP packet manipulation, or poorly written software.

The easiest security breaches are to be had via social engineering, such as human manipulation and simple password guesses such as the default password for a certain system.

You can have all the conferences on security and corporate code reviews you want, but people will always be stupid. You can't change that.

Re:As I've always said (-1, Offtopic)

goatasaur (604450) | more than 11 years ago | (#5146003)

"...but people will always be stupid. You can't change that." Hitler tried. :(

Obligatory Space Balls Quote... (4, Funny)

kenthorvath (225950) | more than 11 years ago | (#5145865)

President Skroob: "What's the combination?"

Colonel Sandurz: "1-2-3-4-5."

Skroob: "1-2-3-4-5?"

Sandurz: "Yes."

Skroob: "That's amazing! I've got the same combination on my luggage!"

Wasn't it Skoorb? (2, Informative)

jerkychew (80913) | more than 11 years ago | (#5146087)

I always thought it was spelled Skoorb, which is Brooks (as in Mel) backwards...

So, who needs Kevin Mitnick? (4, Funny)

Uninvited Guest (237316) | more than 11 years ago | (#5145868)

Who needs a social engineer to get the password, when we have the fine folks at Sprint around.

1, 2, 3, 4 (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#5145869)

That's the stupidest thing I've heard in my life!

That's the kind of thing an idiot would put on his luggage!

DMCA (1, Interesting)

Anonymous Coward | more than 11 years ago | (#5145871)

Is talking about security holes legal under the dmca?

Re:DMCA (1)

silicon_synapse (145470) | more than 11 years ago | (#5146095)

Does talking about it circumvent any copy protection mechanisms on a copywrited work?

Way too easy... IMDB (-1, Redundant)

Anonymous Coward | more than 11 years ago | (#5145873)

[King Roland has given in to Dark Helmet's threats, and is telling him the combination to the "air shield"]
Roland: One.
Dark Helmet: One.
Sandurz: One.
Roland: Two.
Dark Helmet: Two.
Sandurz: Two.
Roland: Three.
Dark Helmet: Three.
Sandurz: Three.
Roland: Four.
Dark Helmet: Four.
Sandurz: Four.
Roland: Five.
Dark Helmet: Five.
Sandurz: Five.
Dark Helmet: So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard! That's the kind of combination an idiot would put on his luggage!

It couldn't happen here! (1)

Thud457 (234763) | more than 11 years ago | (#5145946)

Goddammit, that's like the eighth "luggage" joke already!

You'd have to be an idiot to lock your luggage, because with today's new airline security restrictions, that would get you a suite at GWB's Guantanamo Hilton!

GWB, and the New Intellectual (-1, Offtopic)

farrellj (563) | more than 11 years ago | (#5146137)

Fnord
This is not a firedrill, if it was a firedrill, an alarm like the one that is sounding would ring.
Fnord

"And have a nice and sunny day" - Mgt.

ttyl
Farrell

Home users (5, Interesting)

Ogrez (546269) | more than 11 years ago | (#5145882)

Yeah.. but 90% of home users can't remember their email password, do you really want them changing the password on the hardware... It comes with the default password, it's impractical for the ISP to change them all, and should the user change it, then forget it, it's an hour-long tech support call to fix it. Replace user, press any key to continue.

Re:Home users (-1)

Anonymous Coward | more than 11 years ago | (#5146023)

No kidding, if a user can't be bothered to take a simple measure like changing a password (see all the redundant luggage jokes), they deserve what happens to them. It also makes sense to have a default easy password because if the users change it and forget the password, they can reset the modem and then get into their router. This isn't Sprint's problem at all, any more than Outlook holes are Microsoft's. If a user can't be bothered to maintain their stuff, that is their problem.

I'm ready (1)

Radio Shack Robot (640478) | more than 11 years ago | (#5145887)

The radio shack modems in the back room run on these things, but the password is the first thing we change when the modem is pulled out of the box. So, don't try to hax0r RS. heh

Re:I'm ready (1)

8282now (583198) | more than 11 years ago | (#5146038)

Hate to mock. But we're all so very aware that "RS" is the bastion of elite high technology that it is. Right?

--------
For the sarcasm impaired, please tag the above as ... sarcasm.

To add to the redundants (-1, Informative)

Anonymous Coward | more than 11 years ago | (#5145888)

You have to be an idiot to have a combination like 1,2,3,4. Also considering the fact that most luggage combos use 3 numbers not 4. Mod me up Mudda-Fucker

Re:To add to the redundants (0)

Anonymous Coward | more than 11 years ago | (#5146135)

Funny, I'd say you'd have to be an idiot not to realize that it's a quote from Space Balls... as well as a bunch of other places. Mod you down.

Isn't anyones fault. (1)

jb_02_98 (636753) | more than 11 years ago | (#5145894)

Anyone who installs one of these modems should change the password. It's that simple. Most routers have "admin" "password" combinations. They are all the same. It is the installer's responsibility to secure it.

AT&T key lock hack and Sprint ZyXel Prestige (0)

neomuzic (459266) | more than 11 years ago | (#5145895)

AT&T's key lock hack and Sprint ZyXel Prestige 642 and modems security hole sounds like a party waiting to happen.

Default passwords (0)

Anonymous Coward | more than 11 years ago | (#5145896)

Why would the default be 1234? I'm surprised they didn't make it 'password', that'd be too classic. It could have been anything. Even 'asdfghjkl' is harder to guess than 1234. I wonder who made that decision ...

This is a suprise to everyone? (3, Informative)

Dolemite_the_Wiz (618862) | more than 11 years ago | (#5145899)

This is Sprint, the ISP who doesn't do a thing about hackers originating from their domain.

I don't know how many times in the past I've tracked hackers at work to Sprint's networks.

Getting a reply or action from Sprint Security is non-existent. I guess it takes an article published in 'Wired' to get action from them.

Sprint and Prodigy are renowned for not working with customers in addressing security issues.

Dolemite
_________________________________

Obligatory Spaceball's quote (0, Redundant)

cshoes (459798) | more than 11 years ago | (#5145905)

Roland: One.
Dark Helmet: One.
Sandurz: One.
Roland: Two.
Dark Helmet: Two.
Sandurz: Two.
Roland: Three.
Dark Helmet: Three.
Sandurz: Three.
Roland: Four.
Dark Helmet: Four.
Sandurz: Four.
Roland: Five.
Dark Helmet: Five.
Sandurz: Five.
Dark Helmet: So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard! That's the kind of combination an idiot would put on his luggage!

Not Sprint's fault... (1, Insightful)

bmh5c (587520) | more than 11 years ago | (#5145909)

As much as I don't like Sprint, it's not their fault that people aren't changing the default password. If people don't change it, it's their own fault if they get burned.

Re:Not Sprint's fault... (5, Insightful)

rmadmin (532701) | more than 11 years ago | (#5145961)

Sprint needs to let these people know how to do that then. More importantly, they need to get the point across that customers "NEED" to do this. For example, when a customer signs up give them a piece of paper explaining how to do it, leave a blank so they can write the password down, and explain that the paper needs to be protected, or someone can steal their e-mail. If I give a child a loaded gun, and don't tell him not to pull the trigger, IT WILL BE MY FAULT. (I hate to use that comparison, but I think it gets the point across) Just my opinion.

Re:Not Sprint's fault... (1)

bmh5c (587520) | more than 11 years ago | (#5146158)

Agreed...Sprint should let people know how to do this, and personally, I like your idea of leaving a blank for a personal password. I was thinking that it would be useless for Sprint to give out random passwords because they would get a hundred calls a day (which would slow down Sprint's already poor customer service...but that's just my opinion) from people who lost their password and need to know what it is. Oh, and to the person who asked me to elaborate on my disliking of Sprint, they have managed to 1) not disconnect the phone from the last place I lived, allowing the next tenants to run up a $200 bill that I am now responsible for, 2) have yet to change the name on the bill in my house, even after 3 separate phone calls, and 3) always manage to transfer me no less than 4 or 5 times each time I call and try to straighten out the aforementioned screwups. end rant

Re:Not Sprint's fault... (5, Insightful)

Beatbyte (163694) | more than 11 years ago | (#5145987)

It's your job as an ISP to supply a service. Part of that service would be protecting your customer from being hacked by:

1) turning off remote administration [it just helps their tech support be lazy anyways]

2) have the password for their equipment match their normal account password (or a randomly generated password created when the DSL is setup and logged into their account information)

3) at least explaining in the manual, after it's all set up, do steps a,b,c to change the password after the account is functional for security reasons

I understand that people are computer dumb but I'm car dumb and I'd appreciate a mechanic telling me that when I retrieve my car from the shop, to make sure I fill up all the fluids in car.

Re:Not Sprint's fault... (5, Interesting)

jovlinger (55075) | more than 11 years ago | (#5146006)

erm yes it is.

I've had DSL for over a year and this is the first I hear about my modem even HAVING a password. For what?

And I'm in the upper n-th percentile of computer literacy. Unless Verizon and Sprint differ significantly in how they do DSL, there's no WAY that Sprint's customers would have even known this password existed.

Re:Not Sprint's fault... (1)

scotch (102596) | more than 11 years ago | (#5146016)

How much do you not like Sprint? Please elaborate. Thank you.

Totally unprofessional (1, Troll)

unterderbrucke (628741) | more than 11 years ago | (#5145913)

"Wired found that more than 90% of the modems they polled were using that default password."

Believe it or not, "polling" modems by checking their passwords is hacking. If not hacking, it is at least dishonest. How can I trust Wired not to root around my box looking through my private files now that they "polled" my computer to make sure I didn't use a default password?

Re:Totally unprofessional (5, Insightful)

dytin (517293) | more than 11 years ago | (#5146021)

Ok, so would you rather have wired not tell you that your modem is unprotected? If I were a sprint user, I would not be mad at wired, I would be pleased. I'd rather have wired hack my modem and tell me about it than some random script kiddie hack it and break into my email account.

Re:Totally unprofessional (1)

silicon_synapse (145470) | more than 11 years ago | (#5146061)

Just logging in and leaving may not be illegal (or at least not punishable). At least not by Federal laws that I can find. I thought it was a federal offense though. There are also state laws that probably apply. Check out http://www.stoel.com/resources/articles/ebusiness/ebiz_007.shtm [stoel.com]

Re:Totally unprofessional (-1)

Real World Stuff (561780) | more than 11 years ago | (#5146066)

Based on your extraordinarily high UID (628741) you are obviously a troll. Next time be sure to RTFA!

From the article:
"Derek Chen-Becker, a computer science graduate student at Washington University who has studied the ZyXel 645's programming, said malicious attackers could remotely render the device inoperable by deleting its firmware. They could also potentially mine the user's Sprint login information from the configuration files, he said."
It is evidently clear that "polling" and illegal activity are not as synonymous as you infer.

Re:Totally unprofessional (0)

Anonymous Coward | more than 11 years ago | (#5146075)

Because in the US, corps farking around with peons is ok. Peons farking around is bad.

Re:Totally unprofessional (1)

kbroom (258296) | more than 11 years ago | (#5146085)

At least it was Wired who did it and not a real hacker with malicious intentions. If they hadn't done this, this story might have not made it to slashdot and you would never know that you NEED to change your default password.

What?! (0)

Anonymous Coward | more than 11 years ago | (#5145920)

That's the kind of stupid number someone might put on their luggage!

go for more security (0)

Anonymous Coward | more than 11 years ago | (#5145923)

I've always been told that the longer the password is, the harder it will be to crack.
7 chars or more....therefore...1234567 is good? :)
Hoooo, mix alpha and numeric, therefore :
1234abcd

My luggage PIN is 9999

HA-HA (0)

Anonymous Coward | more than 11 years ago | (#5145927)

Known about this for years, I'm amazed that it took this long to come to the public eye. I'll just go home to my apartment now, knowing that my lock will keep the kid next door out (doh).

New Sprint Ad (5, Funny)

Lord_Slepnir (585350) | more than 11 years ago | (#5145932)

Can j00 0wnz0r me now? g0000d!

1234 (5, Insightful)

qoncept (599709) | more than 11 years ago | (#5145933)

How does it really matter what the default password was? If the default password was -8*k|-- it would still be just as easy to gain access to. The flaw is in not requiring the user to change it.

Re:1234 (4, Insightful)

kiwimate (458274) | more than 11 years ago | (#5146111)

The flaw is in not requiring the user to change it.

Sorry, but I disagree. It goes higher than that. This is a piece of equipment provided by Sprint to paying customers in order to facilitate the network service. Therefore, it's incumbent upon Sprint to modify the default password, not the user. The user is paying for a complete service, and as such should have a reasonable expectation of at least moderate safeguards in place, particularly given the well-known dangers of a permanent Internet connection.

By the way, just to point something out: lots of other hardware/software comes with default passwords. Remember the SQL Server worm a few months ago? (Sorry, can't recall the name of the worm.) It could only get in if you didn't change the default sa password away from blank. It's not just MS, either -- Sybase has exactly the same default logon name and password, and Oracle has a default logon name of system with a default password of manager.

However, that's a different situation -- a company buys a database server with the expectation of having to perform post-purchase configuration. Did you sign up for DSL or cable service, get a modem as part of the package, and expect to have to perform some final configuration?

Re:1234 (1)

Anonymous CowWord (635850) | more than 11 years ago | (#5146126)

It's not the fact that there is a default that's the problem. It's what it IS that's the problem. If the default password was something like -8*k|-- , there is a lesser chance that a brute force password cracker could crack it.

With a combination like 1234, you don't even need software, just guess and you have it. Even if you use software, it will probably take 5 seconds to crack. As a result, the system can be compromised long before an admin can even check what's up with it..

Re:1234 (5, Insightful)

SlashdotLemming (640272) | more than 11 years ago | (#5146130)

The flaw is in not requiring the user to change it.

The flaw IS requiring the user to change it. Why is remote administration even enabled by default?

Ignorant users should always be protected, while those in the know should have power. The feature should be disabled by default, and if someone knows it exists and wants to use it, they should be able to do so.

Psssttt, Yo Guys... (-1, Offtopic)

Amsterdam Vallon (639622) | more than 11 years ago | (#5145937)

I just got into CmdrTaco's account...!

Beautiful (1)

Beatbyte (163694) | more than 11 years ago | (#5145939)

I find this hilarious considering I JUST got back from a friend's house where his CPE was non-functional. He'll be switching to my ISP when his 1 year contract is up.

But hey, he was only paying 30 bucks a month for the first 6 months! and surprise, he got what he paid for.

Total negligence by sprint. (4, Insightful)

guido1 (108876) | more than 11 years ago | (#5145943)

"We recommend that customers change the (administrative) password to increase security..." said Sprint FastConnect spokeswoman Laura Tigges.

Tigges admitted that Sprint does not provide instructions for resetting the administrative password in the documentation provided to FastConnect customers.


They recommend you change it, but don't mention how? (It is listed in the modem manual, which is apparently not provided by Sprint.)

Oh, even better... In February they plan on shipping modems with this disabled. In February. Not now.

  • On the other hand...

This has been around for a while. I wonder how many users have actually been affected.

Randomize (2, Funny)

Jason1729 (561790) | more than 11 years ago | (#5145944)

ZyXel should set it so the password is randomized by default. That way, it might not be possible for the user to get in, but at least it will be more secure. For boosted security, they could make it re-randomize the password every hour.

Jason
ProfQuotes [profquotes.com]

Re:Randomize (2, Funny)

grub (11606) | more than 11 years ago | (#5145972)


For boosted security, they could make it re-randomize the password every hour.

Yes, that makes a lot of sense, randomly change the password and lock out the user after an hour. Or were you suggesting something even more brilliant: change the password and display it on the user's screen?

Sheeeesh.

Re:Randomize (0)

Anonymous Coward | more than 11 years ago | (#5146045)

if the user has no chance of knowing the password, what's the point of having it in the first place?

How are they supposed to know? (5, Interesting)

jandrese (485) | more than 11 years ago | (#5145947)

How in the world are they supposed to expect the end user to secure the box they leased from the phone company and are told not to touch? They didn't even tell people HOW to change the password.

So here's the situation. Joe Consumer gets a DSL modem, has it set up for him, goes through a small checklist on the sheet they provided for him, and he's online. Great. Unfortunately his modem is now vulnerable to whatever nastiness this exploit allows. Now the Sprint guy is blaming Joe for not doing the thing they didn't tell him about?

Local vs. National ISP (4, Interesting)

wulfhere (94308) | more than 11 years ago | (#5145951)

I work for an ISP. Lots and lots of equipment comes with widely known default passwords. We have always considered it our responsibility to our customers to change the default password on any piece of equipment they buy from us. Things like this are exactly why national ISPs will NEVER have customer service that compares favorably to a local ISP.

Here's another hole that needs to be plugged (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#5145954)



Important Stuff: Please try to keep posts on topic. Try to reply to other people's comments instead of starting new threads. Read other people's messages before posting your own to avoid simply duplicating what has already been said. Use a clear subject that describes what your message is about. Offtopic, Inflammatory, Inappropriate, Illegal, or Offensive comments might be moderated. (You can read everything, even moderated posts, by adjusting your threshold on the User Preferences Page) If you want replies to your comments sent to you, consider logging in or creating an account.

1 - 2 - 3 - 4?! (0)

Anonymous Coward | more than 11 years ago | (#5145955)

What? How'd you get my luggage combination?!

Keygen for ZyXel Prestige 642 and 645 modems (1)

teamhasnoi (554944) | more than 11 years ago | (#5145959)

10 Print "1234"
20 Print "Brought to you by the 133t Animal Kracker"
30 Print "Go 0wnz some modems!"
40 END

f34r my sk1LLZ!

BTW: The Animal Kracker was the name I used when I was 13 and using Locksmith 3.0 to copy Apple II games. Ahh.. the innocence of youth...;)

What is the big deal for Sprint to fix this? (5, Interesting)

ortholattice (175065) | more than 11 years ago | (#5145966)

They know the IP addresses of all the modems. Create a db with a random string assigned to each IP, then write a script to change the passwords (of all of the ones that have the default password) in one fell swoop. They'll have the db of passwords if they need to login for maintenance. The customer doesn't even have to know about it. Any admin can do this trivially. Instead, they are just going to lamely post instructions on their web site, which probably 1% of customers are going to read. Am I missing something?

Re:What is the big deal for Sprint to fix this? (1)

Beatbyte (163694) | more than 11 years ago | (#5146091)

as someone who deals with Sprint on a daily basis, you're missing the fact that they are the least pro-active LEC/Telco I've dealt with.

I had 3 T1 circuits in various locations dead for 3 months before I noticed and called them. They busied the circuits out in the switch so they didn't have to listen to the alarms. As opposed to calling the customer(myself) and getting the thing fixed!

Re:What is the big deal for Sprint to fix this? (0)

Anonymous Coward | more than 11 years ago | (#5146138)

Am I missing something?

Yep. The part where ISP's are 99.9999999999999% marketing machines. The balance is technical resources, but half of them don't have a frigging clue.

Re:What is the big deal for Sprint to fix this? (2, Insightful)

tomhudson (43916) | more than 11 years ago | (#5146143)

But remember, if they can do it, so can any script kiddie by polling blocks of ip addresses. Lock out both sprint and the user :-)

obligatory reference (0, Troll)

goatasaur (604450) | more than 11 years ago | (#5145971)

HA! I bet you thought I was going to make another Spaceballs reference.

You couldn't be more wrong.

Anyway, making a password system like this is stupid and careless. It's a safe bet that if you EVER set up a system (especially if popular and Internet-related) involving default passwords, it'll be compromised pretty quickly.

How much harder would RANDOM passwords have been? Sprint is ignorant and careless and their mobile phone service sucks too.

Obligatory Cliche (0, Offtopic)

Gudlyf (544445) | more than 11 years ago | (#5145984)

  1. Set Sprint modems to insanely easy password.
  2. Leak the information to Wired and Slashdot
  3. ...
  4. PROFIT!

security (2, Insightful)

phantomwolph (552305) | more than 11 years ago | (#5145989)

Why is it that ppl will spend a fortune securing their homes and cars and leave their computers wide open? Unfortunately all these stories wind up on the tech sites but Joe six pack only reads the sports section of the newspaper.

Unrelated, but much more serious security hole (-1, Redundant)

NineNine (235196) | more than 11 years ago | (#5145991)

Of course, /. isn't going to post an article telling about a serious hole in CVS [com.com] . Especially considering their own Sourceforge, according to the article, is hosting 55,000 projects with CVS. So here it is. Read up. Very serious news. Make sure to check *every* line of every bit of your source in a CVS repository to make sure it hasn't been altered. Well, I guess that this gives new meaning to "open source", huh?

Re:Unrelated, but much more serious security hole (4, Funny)

Neon Spiral Injector (21234) | more than 11 years ago | (#5146088)

Maybe you missed it cause it was only posted once [slashdot.org] .

Um.... (1)

tgd (2822) | more than 11 years ago | (#5146089)

You mean like <a href="http://developers.slashdot.org/article.pl?sid=03/01/21/1752251&mode=thread">this</a>?

Re:Unrelated, but much more serious security hole (0, Redundant)

doja (36500) | more than 11 years ago | (#5146090)

um... i think they did [slashdot.org] .

Re:Unrelated, but much more serious security hole (1, Redundant)

SpamJunkie (557825) | more than 11 years ago | (#5146093)

This is a lie. There is in fact a slashdot story [slashdot.org] on the CVS exploit. You're getting a little too ambitious about spamming Slashdot, aren't you NineNine?

On the other hand you seem to have all it takes to be a Slashdot Editor.

Re:Unrelated, but much more serious security hole (-1, Redundant)

wulfhere (94308) | more than 11 years ago | (#5146097)

You mean like this [slashdot.org] ?

Re:Unrelated, but much more serious security hole (0, Redundant)

br0ck (237309) | more than 11 years ago | (#5146106)

No conspiracy here. Guess you missed it [slashdot.org] the first time. Don't worry, I'm sure it will be posted again soon.

Re:Unrelated, but much more serious security hole (0, Redundant)

tuanjim_2001 (534921) | more than 11 years ago | (#5146108)

Oh kinda like this [slashdot.org] one that was reported yesterday?

Parent is Troll! (0, Redundant)

KPU (118762) | more than 11 years ago | (#5146109)

Here [slashdot.org] is the slashdot article.

been there, done that. (0, Redundant)

zaphod.nu (100500) | more than 11 years ago | (#5146110)

Considering how much you seem to know I'm sure this [slashdot.org] is not what you're referring to?

Re:Unrelated, but much more serious security hole (0, Redundant)

8282now (583198) | more than 11 years ago | (#5146124)

Gee do you think maybe it was THIS one? http://developers.slashdot.org/article.pl?sid=03/01/21/1752251&mode=thread .... on the other hand, I spend altogether too much time on /. ... sigh...

Re:Unrelated, but much more serious security hole (0, Redundant)

Rich0 (548339) | more than 11 years ago | (#5146139)

Of course, /. isn't going to post an article telling about a serious hole in CVS [com.com]. Expecially considering their own Sourceforge...

Yeah! Slashdot would never post an article like that! [slashdot.org] Especially not a few days ago on the front page! (If you missed it the first time I'm sure you'll get to see it again in a few days.)

Note to whoever modded that up as informative. I would recommend at least reading Slashdot before moderating it. Then again, if those doing the posting would do the same we wouldn't have nearly as many duplicates... :)

Mod down the parent.... (-1, Offtopic)

d3xt3r (527989) | more than 11 years ago | (#5146154)

I would have done it myself but I thought it would be more useful to post a link to the Slashdot story for the clueless moderators who modded it up in the first place.

It looks like Slashdot did run a story about the CVS bug [slashdot.org] .

What's next? Taco will read the parent and post a duplicate story without checking over yesterday's posts.... sheesh.

Re:Unrelated, but much more serious security hole (-1, Redundant)

BeeShoo (42280) | more than 11 years ago | (#5146156)

Are you sure about that? [slashdot.org]

Nope, sorry, already been discussed (0, Redundant)

plemeljr (250971) | more than 11 years ago | (#5146159)

Hey, this story was already discussed [slashdot.org] on 15:20 21st January, 2003.

Please move along. No conspiracy here. Try not to snark too quickly.

This is old.. (1)

farrellj (563) | more than 11 years ago | (#5145998)

About a month ago, I had to help my on-site person hack into one of those Zyxel modems since they had a fixed IP, and the modem came NAT pre-enabled. Why does the world want NAT enabled?!?!

ttyl
Farrell

Stupid question (1)

Telastyn (206146) | more than 11 years ago | (#5146005)

I've used Zyxel (sp?) DSL modems before, and IIRC their admin interfaces were only inwardly pointing (only accessible via the ethernet i/f). Is this the case and Wired is overstating the problem, or is the outward admin IF turned on and Sprint are dumbasses? Or is there no way to set it and my memory is shot?

Re:Stupid question (1)

wulfhere (94308) | more than 11 years ago | (#5146160)

You're correct. By default, they (at least the Zyxel 64x series) only accept telnet connections from the ethernet interface. It CAN be set up to accept telnet connections from anywhere. If Sprint did this, and did not change the default password, I smell a lawsuit brewing...

What about... (1)

Newskyarena (643521) | more than 11 years ago | (#5146009)

How about continuing the poll to see how many people that changed the password to "secret" or "god" or *gasp* left it blank. I bet that is where you will find the 9.5% of the remaining 10% who did change the password.

Tons of blame to throw around (1)

SlashdotLemming (640272) | more than 11 years ago | (#5146011)

The ISP is lazy, the users are ignorant, and that modem manufacturer...
My router/firewall has the same default password, but has remote administration disabled by default
Why is this feature enabled by default? The ISP doesn't need it for anything, otherwise they wouldn't tell the users to change the password (hence the ISP couldn't log in).

Manipulate the system (0)

Mr.Dippy (613292) | more than 11 years ago | (#5146024)

I ran into the same thing when I was at the University of Scranton. Everybody's voice mail password was defaulted to their room number at the beginning of the year. However, most people never changed it. So I would dial in to their voice mail, leave a rather rude sexually explicit voice mail greeting and then change their password. Oh the fun and the horror.

Want to see my sac? (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#5146026)

It smells like blue cheese. Want to see it?

Why didn't sprint fix this quickly? (2, Insightful)

t0qer (230538) | more than 11 years ago | (#5146029)

Jobless, and too smart for my own good, I'm tempted to try and find some routers. Just tempted, I never do bad stuff like compromise others' networks.

Why didn't Sprint fix this quietly and quickly though? It seems to me it would have been easy just to write a script to go to each modem, change the password to something random, store it somewhere safe like a customer info database and be done with it.

Now that it's been published on Wired, and worse yet here, the exploit is going to be used by many people who want to just break in because they are "bored".

Zyxel's fault? (5, Insightful)

dcavens (178673) | more than 11 years ago | (#5146036)

As someone who just (10 seconds ago) changed the default password on their DSL router, I'm actually rather surprised. I had assumed (wrongly, I guess) that the routers would only allow telnet sessions from IP addresses that it manages (via NAT i.e 192.68.x.x..).

Wouldn't this be a lot easier and safer for the average user if it were implemented in the firmware? For 99% of DSL users, what possible use is there of having the router configurable from the 'net?

1234? That's the kind of stupid combination... (0)

Anonymous Coward | more than 11 years ago | (#5146037)

...an idiot might put on his luggage!?!!

They're not the first (2, Informative)

Malc (1751) | more than 11 years ago | (#5146050)

When I signed up for US Worst's (now Qwest/MSN) DSL about four years ago, the Cisco 675 modem they were shipping came with a default password. You could telnet in to the modem from over the internet, reconfigure it so that the user couldn't connect to the web and then change the admin password so they couldn't fix it! >:) To make it even easier, all the DSL IPs had hostnames containing "dsl", so a simple DNS zone transfer saved having to scan for the modems/routers.

I don't understand how hard it could be.... (2, Interesting)

DrSpookles (637522) | more than 11 years ago | (#5146057)

To only allow remote access once the password had been changed by the user.

xDSL passwords (2, Interesting)

Lord Prox (521892) | more than 11 years ago | (#5146083)

I have been doing xDSL installs for a few years and I have noticed a strange thing...

All of your big boy companies have crappy passwords. PacBell (now SBC say their commercials) I have found to be the worst... When I notify the customer they all have the same reaction *blank_look*what password*/blank_look*.

In contrast some of the smaller xDSL providers seem to be more on the ball with these things.

I usually change the password and write down the password and network info then tape it to the top of the modem with my company tech support number. What really gets me mad is the big boy providers never even bother to tell their clients about the need to change the password... I mean how goddamn hard is it to tell em that.

One more thing... one more luggage joke and I'm going to have to kill someone...


Vidomi [vidomi.com] Killer media player and network distributed video encoder.

Pacific Bell (3, Informative)

Leme (303299) | more than 11 years ago | (#5146103)

Has the same exact issue. All of the Cayman & Efficient routers are usually set up with the default password. Which, by a quick Google search, is easily obtainable.

This only applies to business customers who ordered the router option instead of a bridge.

OFF TOPIC... (0)

Anonymous Coward | more than 11 years ago | (#5146122)

...but what the hell is up with the MICROSOFT ADS on slashdot?!?!

Anyone else notice that bull? Not only is Taco not watching what posts he is reposting, but is also lax on what ads he serves! :p Time to start junkbuster up again.

Digital Rights? (0)

Anonymous Coward | more than 11 years ago | (#5146142)

Are we allowed to secure the modems or will we get sued for modifying them?

as the saying goes (2, Insightful)

natefanaro (304646) | more than 11 years ago | (#5146149)

Your security is only as good as your dumbest user.

A buddy of mine and I have been uttering those words for years.

Wired is polling modems? (4, Interesting)

nochops (522181) | more than 11 years ago | (#5146155)

Wired found that more than 90% of the modems they polled were using that default password

Isn't this wrong?
Back in 1997 or so, I admin'd for my father's company. We had a massive DDOS type attack from about 100 or so IP's on our ISP's network. These were all trying to infect the machine with BackOriface, but since it was already patched, they just DOS'd the box.

When the DOS was done, I promptly and naively swept the ISP's class-B for open port 31337 (BackOrifice). Well, I got about halfway through my sweep (and found about 20 infected machines) when the ISP disconnected me.

They killed my account, and when I pressed them for the reason, it finally came out that they terminated me for hacking. We went round and round, and I eventually got them to turn the account back on, but they kept their eye on me for quite some time.

I fail to see why some magazine should be able to scan the public at large with no recourse, but I cannot investigate an issue that brought down my network for several hours.

Anyone care to comment?