
Cisco Products Have Backdoors

CmdrTaco posted about 10 years ago | from the two-scoops-of-creepy dept.

Security 555

Cbs228 writes "A Cisco Security Advisory released yesterday admits that "A default username/password pair is present in all releases of the Wireless LAN Solution Engine (WLSE) and Hosting Solution Engine (HSE) software. A user who logs in using this username has complete control of the device. This username cannot be disabled." Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"


555 comments

Cisco's Life Lesson - Maybe not. (5, Insightful)

Allen Zadr (767458) | about 10 years ago | (#8807695)

There is no doubt that this is the sort of thing that all of the so called "tin-foil hat" crowd has been warning us about for years.

I, for one, welcome the "I-told-you-so"s from our new paranoid overlords.

On a more serious point, and on the paranoid side, I'm sure Cisco is only releasing this information because an employee either threatened to leak this information, or was mis-using this information to his/her own gain...

However, if that's the case, wouldn't Cisco's fix simply change the password? I highly doubt that they will be embarrassed enough to have learned a powerful life-lesson.

Well, that depends. (1)

AltGrendel (175092) | about 10 years ago | (#8807736)

Cisco actually has a better track record than some other closed source vendors I could mention.

Re:Well, that depends. (1)

irokitt (663593) | about 10 years ago | (#8807823)

Indeed, until now I haven't had any reason to dislike Cisco (although their equipment is expen$ive). Companies like Symantec and Roxio have always been higher on the list of people who will be the first against the wall when the revolution comes. But I guess I'll be looking at Cisco more closely.

On another note, I guess the guys at the school lab need to hear this one.

Re:Cisco's Life Lesson - Maybe not. (1)

On Lawn (1073) | about 10 years ago | (#8807792)

wouldn't Cisco's fix simply change the password? I highly doubt that they will be embarrassed enough to have learned a powerful life-lesson.

Assuming the word has gotten out somehow, I'm not sure how they can change the password on all those systems that are currently out there, without raising the public awareness to the level that motivates them to apply the necessary patches.

Re:Cisco's Life Lesson - Maybe not. (2, Insightful)

Ithika (703697) | about 10 years ago | (#8807798)

"However, if that's the case, wouldn't Cisco's fix simply change the password?"

Doesn't sound like much of a fix to me... That barely comes into the category of workaround. Maybe issue-evasion.

I see a great many people buying hardware from Cisco's competitors in the near-future. Like right now. I wonder how long it'll be before we find out what the user/pass pairs are?

USER/PASS (4, Funny)

Allen Zadr (767458) | about 10 years ago | (#8807869)

Don't some of us have some serious hacking to do? I guess I know what you are planning on doing this weekend.

What do you bet the id set is joshua/pencil?

Re:Cisco's Life Lesson - Maybe not. (0)

big_knuckles (754446) | about 10 years ago | (#8807840)

However, if that's the case, wouldn't Cisco's fix simply change the password?

Your suggestion for Cisco's "fix" would still leave an account open to be exploited, just with a different password.

Re:Cisco's Life Lesson - Maybe not. (0)

erwinkarim (614392) | about 10 years ago | (#8807848)

Actually, there's a reason for some companies to provide backdoor access.

There are some systems that are so important that one cannot afford to lose the protected data. A client who messes up the system so badly, on purpose or by accident, that the data is locked out, but the client doesn't want the data to be lost forever. Critical systems like protein folding or DNA sequencing or airline reservations come to mind.

What's the solution for this? Backdoor access comes to mind. Now it's just a question of the morality of the company about using the backdoor access.

Re:Cisco's Life Lesson - Maybe not. (2, Insightful)

akintayo (17599) | about 10 years ago | (#8807962)

I have a problem with that scenario on two levels: important data should be properly backed up, and two, customers should be told about this 'feature'. I think some owners of critical data would have some reservations about allowing Cisco unfettered access to their data.

Re:Cisco's Life Lesson - Maybe not. (5, Funny)

Anonymous Coward | about 10 years ago | (#8807932)


Cisco has an evil backdoor that works (initially) at the ethernet level. You send several specially crafted frames to a MAC on the local segment or special packets to the outside interface and the unit will open up a back connection to Cisco. The PIX and ACLs in their router products will not log these or otherwise alert you to their existence. Once the connection is made, Cisco can mirror selected bits of your LAN traffic. Being that most of the internet's traffic flows over Cisco products...

Some history:
In 1928 an American inventor (Henry P. Acket) was working on a method to send extremely low voltage electrical impulses over wires as a covert means of communications. He succeeded in that he was able to use the telephone companies' wires to speak to friends without paying a telephone tax. Early on, his friend Charles Isco was able to put a backdoor in the vacuum tubes with nothing more than a few drops of solder, some tin and flux. Charles showed Acket this and provided some wax cylinders of Acket's supposedly private conversation.

The FBI heard of this and took all their patent-pending information. Acket and Isco were paid the then huge sums of $1M and $500K respectively to shut up.

Fast forward to the 60's.
Early in 1963, J. Edgar Hoover was perusing the FBI archives when he spotted these plans from 35 years prior. He didn't believe it but one of his technical people played Hoover a tape recording made with a successor of the equipment. The tape was of Hoover making dinner reservations at Le Grande Fiste, a homosexual dinner club. Hoover went through the roof. He destroyed all the paperwork and equipment. After months of extreme drug therapy which rendered the technician nearly incoherent, Hoover had him framed for a crime we are all familiar with. The technician's name? Lee Harvey Oswald.

Ahh.. the technology survived
In the 1980s some people from Stanford University were going through recordings of Oswald's. Playing them backwards they could hear the terms "Black Helicopters", "Area 51" and "Backdoor Device". The truly learned already know about black helicopters and Area 51.. but what was this "Backdoor Device" Oswald was rambling about? Those investigators, Len Bosack and Sandy Lerner, went on to form Cisco.

If you look inside any Cisco product you'll find a small vacuum tube with a hacked-in piece of tin, some solder and flux.

I present this information at grave risk to myself.

I... (2, Insightful)

Seoulstriker (748895) | about 10 years ago | (#8807697)

I simply can not believe this has happened. This is more boneheaded than what Microsoft has done for the past few years.

Re:I... (3, Insightful)

rgmoore (133276) | about 10 years ago | (#8807804)

What makes you think that this was a Cisco policy? It's far more likely that this is the work of some rogue coder within Cisco who added it without anyone else's knowledge. It's not as though adding a backdoor password is very tough for somebody who has access to the relevant code. If there aren't detailed code reviews, a backdoor could hide out for a very, very long time.

Re:I... (0)

Anonymous Coward | about 10 years ago | (#8807886)

It's far more likely that they did this on purpose for the sake of law enforcement.

Re:I... (0)

Anonymous Coward | about 10 years ago | (#8807894)

"Yeah, but Jim, you're giving away all our best tricks! That girl's standing over there, and you're talking about back doors."

Refund? (1)

valjean78 (92139) | about 10 years ago | (#8807700)

So what are they going to do for the people that purchased these?

Re:Refund? (0)

Anonymous Coward | about 10 years ago | (#8807722)

hahahahaha...

oh wait, you're serious....

hahahahahahahaha

No Refund - firmware fix (3, Informative)

Allen Zadr (767458) | about 10 years ago | (#8807801)

The ARTICLE that you DIDN'T read, clearly states how to get a service fix - see my first post [slashdot.org] about what I think about the completeness of said fix.

Re:No Refund - firmware fix (5, Funny)

thpdg (519053) | about 10 years ago | (#8807880)

Can't Cisco just download it to the devices themselves? They do have the password to every box, after all.

Legal action? (1)

David Hume (200499) | about 10 years ago | (#8807851)


So what are they going to do for the people that purchased these?


Good question. Perhaps a better question might be, what are the people who purchased these going to do to CISCO?

Perhaps a legal action? Breach of contract anyone? Promissory fraud? Negligent representation?

Re:Legal action? (0)

Anonymous Coward | about 10 years ago | (#8807912)

Perhaps they could just download the patch and be done with it.

proof of concept (0, Informative)

Anonymous Coward | about 10 years ago | (#8807705)

Proof of Concept [coattails.net]

Great, a homophobic loser with a broken website (0)

Anonymous Coward | about 10 years ago | (#8807906)

Thanks for that invaluable link.

And the username/password pair is... (5, Funny)

momerath2003 (606823) | about 10 years ago | (#8807714)

admin/password.

Re:And the username/password pair is... (5, Funny)

orrigami (769691) | about 10 years ago | (#8807747)

That is my root password.

Re:And the username/password pair is... (0)

segfault7375 (135849) | about 10 years ago | (#8807805)

Really? What's your IP? :)

Re:And the username/password pair is... (5, Funny)

MacOS_Rules (170853) | about 10 years ago | (#8807858)

I found it! The little bugger is at 127.0.0.1, and confirmed, the l/p work! OMG, tons of pr0n! ;)

Re:And the username/password pair is... (0)

Anonymous Coward | about 10 years ago | (#8807888)

192.168.0.1

Re:And the username/password pair is... (2, Funny)

mitchell_pgh (536538) | about 10 years ago | (#8807787)

Sorry, the real password is...

1... 2... 3... 4... 5... 6...

Re:And the username/password pair is... (0)

Anonymous Coward | about 10 years ago | (#8807814)

Amazing! That's the same combination as I have on my luggage!

Re:And the username/password pair is... (0, Redundant)

colonwq (258221) | about 10 years ago | (#8807865)

Ack. That is the same code that I use on my luggage! I have yet another password to change.

:wq

Re:And the username/password pair is... (0)

Anonymous Coward | about 10 years ago | (#8807800)

Actually it is user/password

Trust No One (5, Insightful)

aaron240 (618080) | about 10 years ago | (#8807719)

Anything that can be exploited will be exploited. The key is to take every precaution possible--that's not possible when only a select few can see the code.

I have a backdoor (-1, Offtopic)

Anonymous Coward | about 10 years ago | (#8807729)

And every time I eat Taco Bell or Skyline Chili, I am acutely reminded of that.

Radio cards? (1, Interesting)

Kethinov (636034) | about 10 years ago | (#8807731)

I wonder if these insecurities are in my Cisco 350 series Aironet radio card? My ISP should be informed of this if they are there.

Re:Radio cards? (0)

Anonymous Coward | about 10 years ago | (#8807885)

The default password is "Cisco" but you can change that.

Re:Radio cards? (0)

Anonymous Coward | about 10 years ago | (#8807929)

It's your get out of jail free card... I would keep that under your hat in case you're ever busted for porn/terrorism.

Open Source (1, Flamebait)

MBAFK (769131) | about 10 years ago | (#8807738)

Being able to read the code can stop this from happening.

Re:Open Source (2, Insightful)

gatki (110936) | about 10 years ago | (#8807922)

Auditing the code only guarantees security if you trust that your compiler isn't compromised.

Auditing the compiler's code doesn't guarantee anything either. It too had to be compiled, and the compiler's compiler may have been compromised.

username/password (-1, Redundant)

Anonymous Coward | about 10 years ago | (#8807743)

admin/admin?

What's the big deal? (0)

Anonymous Coward | about 10 years ago | (#8807752)

What's the big deal?

Most people don't have a password on their backdoors.

Can we really trust closed-source vendors? (5, Insightful)

macshune (628296) | about 10 years ago | (#8807760)

No, obviously not when you get right down to it. Just like we can't trust closed-source e-voting software when it comes to our republic (the U.S.:), we can't trust closed-source vendors whose systems power our infrastructure... without which the world would cease to function as it does today.

But what can anyone do? Are there any open-source makers of networking hardware?

How Stupid. (1, Insightful)

DAldredge (2353) | about 10 years ago | (#8807761)

How fucking stupid do you have to be to realize that this was a BAD THING? Damn, perhaps if Cisco stopped spending so much on stupid ads and rethought its dev process stupid shit like this would not happen.

How did anyone EVER think this was a 'good thing'???

Sad News, Kurt Cobain dead at 27 (-1, Offtopic)

Anti-Anti-Slash Blac (765257) | about 10 years ago | (#8807764)

I just heard some sad news on talk radio - 'grunge' rocker Kurt Cobain was found dead in his Washington home 10-years ago this week. I'm sure we all miss him, even if you weren't a fan of his music there's no denying his contribution to popular culture. Truly an American icon.

intentionally vague (0)

Anonymous Coward | about 10 years ago | (#8807768)

is the id/pwd pair unique to device or is it the same for all devices? i.e. is it some hash of the serial number or something?

this is the funniest thing i've read all day.

btw there exists a similar backdoor in win xp.... sorry can't say what it is. :) j/k

In Texas... (0)

Anonymous Coward | about 10 years ago | (#8807772)

I believe that this kind of backdoor abuse is still illegal, even if it is behind Closed Source.

Linksys (1)

ogewo (652234) | about 10 years ago | (#8807773)

Does anyone know if this software has been implemented in any of the Linksys products?

Re:Linksys (2, Informative)

fgb (62123) | about 10 years ago | (#8807935)

I wouldn't think they would need it. There's a tiny little recessed button on the back of my Linksys unit. Hold it in for 10 seconds and presto! The unit is back to the factory configuration. Passwords and all.

No excuse for a master password. Mind you, I'm not saying there isn't one, just that there is no need for one.

Firmware? (1, Interesting)

pholower (739868) | about 10 years ago | (#8807776)

Do they plan on releasing a firmware update? If so, how do we know they aren't going to put another backdoor into that and simply change the information? Is there a way they can make the firmware patch open source without giving away their other "proprietary" source?

Re:Firmware? (0)

Anonymous Coward | about 10 years ago | (#8807919)

Patch is out at the bottom of the notice.

Re:Firmware? (4, Insightful)

spoonyfork (23307) | about 10 years ago | (#8807942)

Do they plan on releasing a firmware update?

RTFA [cisco.com].

If so, how do we know they aren't going to put another backdoor into that and simply change the information?

You don't.

Is there a way they can make the firmware patch open source without giving away their other "proprietary" source?

If you own the affected products and require open source firmware patches then you should have thought of that before you bought the product. If you require open source hardware then buy open source hardware.

Re:Firmware? (1, Insightful)

MarkGriz (520778) | about 10 years ago | (#8807955)

Why the hell was this modded "Interesting". RTFA.
It's software, it's been fixed, nothing to see here. Move along.

THIS is why tech companies want to get all (0)

Anonymous Coward | about 10 years ago | (#8807782)

buddybuddy with the Dept of Homeland Security: The corps will have less liability for their stupid products, any good samaritan type will get thrown in the slammer for pointing out holes, and nobody is going to sue the US government because their company server got hax0red.

There is no workaround. (5, Interesting)

Space cowboy (13680) | about 10 years ago | (#8807786)


(According to the summary). In fact you can get new firmware, and it's free for everyone so long as you go through the channels. Fair play to Cisco (or at least, well done for recognising a public-relations disaster when they see one!)

I can see why it's useful to have a master password, but really, it was bound to cause major embarrassment in the end - the only way it would work is if everyone who knew it (presumably Cisco employees) never ever divulged it. That's likely!

Simon

Re:There is no workaround. (1)

On Lawn (1073) | about 10 years ago | (#8807952)


Yeah, I remember working for a company that made network storage devices. We had to make sure that we not only didn't have a back door, but that we didn't even know the root password. Lest we be implicated in any information leaked from the company.

Yet we wanted to be able to fix a device even if they forgot their root password. What we settled for was a root password reset that was entirely visible to them at the time so if someone malicious did try to get their information they would at least know as it happened.

Well, definitely not buying any of those... (3, Informative)

BradySama (755082) | about 10 years ago | (#8807789)

Another example of why the benefits of open source need to be pushed up the corporate ladder... this is nuts. Almost as nasty as the things they've done for China [kuro5hin.org]. Thanks, Cisco. Another one bites the credibility dust.

Ah but China uses Linux.... (0)

Anonymous Coward | about 10 years ago | (#8807834)

...so that means anything they do is all right, right? When forced to choose between a Linux using dictatorship or a Windows using democracy, the dictatorship will always be first choice, eh?

No workarounds? (4, Insightful)

Aardpig (622459) | about 10 years ago | (#8807790)

The Cisco advisory points out that there are no workarounds. This would suggest that the problem cannot be remedied.

However, the advisory also discusses how to obtain new software for their equipment. So it appears that there is a fix to the problem, via a software upgrade. In light of this, the 'no workarounds' stuff is rather misleading -- and when I first read it, it made my jaw drop.

Re:No workarounds? (5, Informative)

dbarclay10 (70443) | about 10 years ago | (#8807944)

However, the advisory also discusses how to obtain new software for their equipment. So it appears that there is a fix to the problem, via a software upgrade. In light of this, the 'no workarounds' stuff is rather misleading -- and when I first read it, it made my jaw drop.

It's pretty much understood, at least by sysadmins if not the general public, that an issue can always be fixed by a software upgrade. Any vendor saying that an issue *really* can't be fixed, no matter what, typically means that it's a design choice and if you don't like it, switch to another vendor (*cough* Microsoft? *cough*).

Given that, when a vendor says "no workaround available," they mean that your only choice is to upgrade the software. For example, a workaround to a vulnerability in, say, Microsoft's CIFS stack would be to firewall off the ports it uses (though you need to do that on every machine, of course - otherwise it won't be effective, as we've seen so many times).

So, to sum up: workaround = quick fix via configuration or similar, and it's a given that you can fix the problem via a (typically time-consuming) software update.

Your answer (4, Funny)

ls-lta (681694) | about 10 years ago | (#8807796)

"Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?"

Yes. Lord, next you'll be asking about patents.

ummm. (0)

Anonymous Coward | about 10 years ago | (#8807797)

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

WHAT?! no public announcements? THIS IS VERY PUBLIC!

No malicious use?! Are they retarded, in about 30 seconds this user/pass combo will be on every hack site in the world... thank god I don't have cisco! This is probably killing their stock price, I'm going to go check.

It needs to be there (5, Interesting)

thpdg (519053) | about 10 years ago | (#8807813)

People read about these back doors, and they are appalled by the concept of it. I wish it was that easy. I design software for embedded devices and let me tell you, as soon as you add a password mechanism, then someone will lose the password within days. It's happened to me, and I finally had to put a global password in every machine. You hope that no one will ever find out, but once you tell a single customer, it could spread. I'm fortunate that my userbase is small and spread out, but for Cisco, this could be a disaster. If they made it so the master password could only be put in locally, that would be a big help, but may not be possible on these devices.

Re:It needs to be there (5, Insightful)

ls-lta (681694) | about 10 years ago | (#8807891)

No, not really. The user id could be set by serial number (randomly) and you could keep track of who has what serial number, who is authorized to get the password, the password could also roll (think subscription revenue!).

Re:It needs to be there (2, Interesting)

thpdg (519053) | about 10 years ago | (#8807934)

Been there, done that. If you create any kind of formula for calculating it, then that can get out just as easily. A sales rep that uses the information to help one customer, suddenly has it for every machine. We made the mistake of using that method for enabling a pay option on one of our machines.

Re:It needs to be there (1)

animus9 (765786) | about 10 years ago | (#8807928)

Can't you just keep a list of passwords on a piece of paper locked up somewhere?

I know how hard it is to juggle a million passwords, but there has to be a better way than having a global password on each system.

Re:It needs to be there (1)

thpdg (519053) | about 10 years ago | (#8807959)

Reading your responses makes me realize I should add one thing. These devices that I work on are for a non-Slashdot crowd. It won't spread like wildfire. More like a smoke signal on a dry day.
Cisco should have calculated the popularity of such an access key.
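ls-lta's suggestion above (a credential tied to the individual unit, with a record of who is authorised to obtain it) and thpdg's objection (a formula for deriving it leaks just as easily as a global password) are two sides of the same design question. The following is an added example, not code from Cisco or from either poster, of the variant that survives thpdg's objection: each device gets an independent random recovery secret, the device keeps only a salted hash of it, and a vendor-side registry releases a secret only to an authorised operator and logs every release. Device serials, operator names and the ticket reference are constructed placeholders.

```python
"""Per-device recovery credentials instead of one global master password.

Added example (not Cisco's code). Serials, operators and tickets are
constructed for illustration.

The property demonstrated: because every device's secret is drawn at random
rather than shared or derived from the serial number, a leaked secret opens
exactly one device, and the registry's audit log names whoever obtained it.
"""
import hashlib
import hmac
import os
import secrets


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Slow, salted hash so that a dumped device image does not yield the secret.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class Device:
    """The appliance side: stores only a salted hash of its own recovery secret."""

    def __init__(self, serial: str):
        self.serial = serial
        self._salt = None
        self._digest = None

    def set_recovery_secret(self, secret: str) -> None:
        self._salt = os.urandom(16)
        self._digest = _hash_secret(secret, self._salt)

    def verify_recovery_secret(self, candidate: str) -> bool:
        if self._digest is None:
            return False
        # Constant-time comparison of the candidate's hash against the stored one.
        return hmac.compare_digest(_hash_secret(candidate, self._salt), self._digest)


class RecoveryRegistry:
    """The vendor side: escrow of per-device secrets behind authorisation and audit."""

    def __init__(self, authorised_operators):
        self._authorised = set(authorised_operators)
        self._secrets = {}          # serial -> recovery secret (constructed escrow store)
        self.audit_log = []         # every provision, release and denial is recorded

    def provision(self, device: Device) -> None:
        # Independent random secret per unit: no formula, nothing shared across devices.
        secret = secrets.token_urlsafe(24)
        device.set_recovery_secret(secret)
        self._secrets[device.serial] = secret
        self.audit_log.append(("provision", device.serial, None, None))

    def release(self, operator: str, serial: str, ticket: str) -> str:
        # Only an authorised operator, against a support ticket, can obtain a secret,
        # and the owner can later be shown exactly who did so and when.
        if operator not in self._authorised:
            self.audit_log.append(("denied", serial, operator, ticket))
            raise PermissionError(f"{operator} is not authorised to release recovery secrets")
        if serial not in self._secrets:
            raise KeyError(f"unknown device serial {serial}")
        self.audit_log.append(("released", serial, operator, ticket))
        return self._secrets[serial]


def demo() -> dict:
    """Provision two constructed devices and show that one released secret opens one device."""
    registry = RecoveryRegistry(authorised_operators={"support-alice"})
    dev_a, dev_b = Device("SN-A-0001"), Device("SN-B-0002")
    registry.provision(dev_a)
    registry.provision(dev_b)

    secret_a = registry.release("support-alice", "SN-A-0001", ticket="TICKET-PLACEHOLDER")
    try:
        registry.release("mallory", "SN-B-0002", ticket="TICKET-PLACEHOLDER")
        denied = False
    except PermissionError:
        denied = True

    return {
        "a_opens_a": dev_a.verify_recovery_secret(secret_a),
        "a_opens_b": dev_b.verify_recovery_secret(secret_a),
        "unauthorised_denied": denied,
        "log": registry.audit_log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit log is the part On Lawn's employer arrived at as well: the point is not only that the secret is unique per unit, but that the customer can be told who retrieved it and against which ticket.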

In a word... (1)

dj245 (732906) | about 10 years ago | (#8807830)

Yes. If word got out they put in a backdoor so that some guy named Sisco at Cisco could root your box, their reputation would be ruined. They would essentially be the microsoft of routers, only they don't have 95% market share so they can't just flip everyone off. (Or maybe they do have 95% market share, I don't know)

I'm sure they do extensive checking against this sort of thing.

I am just wondering... (1)

Angelonio (744297) | about 10 years ago | (#8807843)

How many other products have "hidden" surprises? It seems that the customer who pays for the product is the last to know...

newsflash: corporations exploit YOU (0)

flechette_indigo (738323) | about 10 years ago | (#8807857)

"Can we really trust closed-source vendors, "?? Of course not. Isn't commerce combat? Open source is for the people by the people and corporations would sell babymeat on streetcorners if it was profitable to do so. No clues needed there. Obvious as hell.

you trust them? (1)

Phrack (9361) | about 10 years ago | (#8807859)

Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?

Uh.. no, I don't. That's why I use ACLs to prevent the access no matter what the login is. And if the device doesn't support ACLs, the next device on the network will.
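dbarclay10's distinction (a workaround confines the exposure by configuration, such as firewalling the affected ports, until the software fix is applied) and Phrack's approach (an ACL on the device or the next hop that restricts management access regardless of which login is used) both leave the same question for an administrator: was the undisableable account ever used, and did any management login come from somewhere the ACL should have blocked? The following is an added example, not Cisco's code and not from either poster, that audits constructed syslog-style login records for both conditions. The log format, the account name placeholder, the hostname and all addresses are constructed for illustration; the advisory quoted on this page does not name the account.

```python
"""Audit appliance login records for use of a vendor-supplied account and for
management access from outside the permitted subnet.

Added example (not Cisco's code). The log format, account name placeholder,
hostname and addresses below are constructed for illustration.
"""
import ipaddress
import re

# Placeholder for the account the advisory says cannot be disabled; the actual
# username is not given on this page.
VENDOR_DEFAULT_ACCOUNT = "VENDOR_DEFAULT_ACCOUNT_PLACEHOLDER"

# The subnet that an ACL on the device or upstream router should confine
# management access to (constructed).
MGMT_SUBNET = ipaddress.ip_network("10.10.0.0/24")

# Constructed sample records in a syslog-like key=value format.
SAMPLE_LOG = """\
Apr  8 09:12:01 wlse01 login: user=netadmin src=10.10.0.15 result=success
Apr  8 09:14:42 wlse01 login: user=VENDOR_DEFAULT_ACCOUNT_PLACEHOLDER src=203.0.113.7 result=success
Apr  8 09:15:10 wlse01 login: user=netadmin src=198.51.100.23 result=failure
Apr  8 09:20:33 wlse01 login: user=netadmin src=10.10.0.20 result=success
Apr  8 09:21:00 wlse01 ntpd: synchronized to 10.10.0.1
"""

LOGIN_RE = re.compile(
    r"login: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)"
)


def parse_login(line: str):
    """Return the fields of a login record, or None for any other line."""
    match = LOGIN_RE.search(line)
    if not match:
        return None
    try:
        src = ipaddress.ip_address(match["src"])
    except ValueError:
        return None  # malformed source address: not a usable login record
    return {"user": match["user"], "src": src, "result": match["result"]}


def audit_logins(log_text: str, default_account: str = VENDOR_DEFAULT_ACCOUNT,
                 mgmt_subnet=MGMT_SUBNET):
    """Flag logins by the vendor default account and logins from outside the
    management subnet. Failed attempts from outside are reported too, since
    they show the ACL is not doing its job."""
    findings = []
    for line in log_text.splitlines():
        event = parse_login(line)
        if event is None:
            continue
        reasons = []
        if event["user"] == default_account:
            reasons.append("vendor default account used")
        if event["src"] not in mgmt_subnet:
            reasons.append("source outside management subnet")
        if reasons:
            # A successful login with the default account is the worst case:
            # the advisory says that account has complete control of the device.
            severity = "critical" if (
                event["user"] == default_account and event["result"] == "success"
            ) else "warning"
            findings.append({
                "user": event["user"],
                "src": str(event["src"]),
                "result": event["result"],
                "severity": severity,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_logins(SAMPLE_LOG):
        print(finding["severity"], finding["user"], finding["src"], "; ".join(finding["reasons"]))
```

Run against a real export, the "source outside management subnet" findings are the measure of how well the interim workaround (the ACL or firewall rule) is actually holding; any "vendor default account used" finding is a reason to treat the device as compromised until the software fix is applied and the logs are reviewed.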

You can't trust ANYONE. (5, Insightful)

CrystalFalcon (233559) | about 10 years ago | (#8807882)

Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?

You can't trust open-source for this, either. Not unless you personally constructed every piece of the device, from the source code, to everything that interacts with the source code, including the compiler, the EEPROM burners, and the chipsets on the device itself.

How do you know that the open source you are looking at actually is the one running in your device? You don't.

How do you know that the code you are looking at, assuming that it is running in the device, wasn't modified by a malicious compiler? You don't.

How do you know that the compiled code, assuming it is compiled correctly, wasn't altered in the transfer to the device? You don't.

How do you know the other onboard chips aren't built with a backdoor, patching, hooking or circumventing whatever code is put in the device? You don't.

What it boils down to is that trust is a very difficult animal, and at some point, you need to draw the line. Looking at the source is a meager guarantee for the device behaving well, in the case of a malicious vendor.

The bottom line is that there are so many covert channels to insert code into your overall system today, as long as they are carried on the normal device acquisition channels, that you can't defend against an attack by a malicious vendor. What you can do is to count on their risk analysis, and expect them to want to stay in business just as much as you do. It's not much, but it's pretty much the best we got.

Back to the good old days for hackers (2, Interesting)

dan dan the dna man (461768) | about 10 years ago | (#8807893)

Hmm yes, like when SGI shipped their machines with much the same problem. Has nearly a decade of fighting computer intrusion taught them nothing? That's pretty shoddy, Cisco.

Answer (-1, Redundant)

ltsmash (569641) | about 10 years ago | (#8807902)

Nope.

Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?

Username/Password (-1, Offtopic)

Anonymous Coward | about 10 years ago | (#8807903)

FristProst / IFailIt

Register, or else (5, Insightful)

skidde (670293) | about 10 years ago | (#8807904)

The patch can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/1105-host-sol (registered customers only).

I love when companies release vital updates or other material, and then effectively force registration of all their clients. So either register with the mothership, or deal with a vulnerable program? Great.

The answer is no. (0, Troll)

rice_burners_suck (243660) | about 10 years ago | (#8807909)

Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?

The answer is NO. We simply cannot trust closed-source vendors of any kind.

Think of it this way: Any kind of physical machine that you can get can be taken apart and inspected. But when it comes to software, which has grown in the last decades to very large and complex systems, doing so without the source is extremely difficult and wouldn't give any benefit because the results could be impossible to understand.

Therefore, RMS is absolutely right in this respect, no matter how wacko some people think he is.

Does Cisco know what's going on? (4, Insightful)

myst564 (196476) | about 10 years ago | (#8807910)

Let's see..

"Although Cisco cannot guarantee the accuracy of all statements in this advisory, all of the facts have been checked to the best of our ability."

This is probably a standard disclaimer in their security documents, but wouldn't you want them to be sure of the accuracy of their statements?

Why can software/hardware companies get way with "We tried our best, honest!" ?

accident ? (0)

Anonymous Coward | about 10 years ago | (#8807914)

I wonder if they put this backdoor in on purpose or if some evil programmer added it when no one was watching. I don't think the latter is very likely as you'd think they would have noticed that sooner. If they knowingly put this in, I wonder what their motivation was to do so. They must have known that if the username/password would leak, the impact would be huge.

Joint statement from a couple of the best (1)

tuxathon (626627) | about 10 years ago | (#8807925)

Cisco in no way represents the rest of us in the proprietary software industry. We in no way have or condone software backdoors.

Bill Gates, Microsoft

Rob Glaser, RealNetworks

Insane but not unique (1)

jmcnamera (519408) | about 10 years ago | (#8807946)

This is mind-blowingly insane. It's bad enough when products come with a default name/password or open login like the old MS SQL 7.

However, this wasn't an uncommon practice once. We had this in a product from Data General, but that was the mid-1980s and we changed it later when we woke up to how stupid it was.

Ok, almost as stupid, I know of hardware systems which have backdoors where if you know the key generating algorithm you can take the challenge string from the system's UI and generate the password from it. The math is simple and can be done in your head. The algorithm had to be changed once when it leaked out but it was still simple to do the new one in your head.

However, Cisco of all folks have seen security disasters in others' and their own products over the last few years. They should've fixed this and stopped doing it already.

**sigh**

Gimmie a break!! (1)

evil-osm (203438) | about 10 years ago | (#8807964)

Can we really trust closed-source vendors, such as Cisco, to develop secure products that are free of backdoors?

Gimmie a break, they likely made a mistake, and you never have? They admitted it and have issued an advisory (mind you, it looks worse if found out by the public later on, which may be the case this time as I didn't rtfa). In a case like this I'd return the product if I couldn't remove the uid and pass. "Sorry, it's got a major problem with it, I don't want it". Simple as that.