nanog mailing list archives

Re: ABOVE.NET SECURITY TRUTHS?

From: Exiled Dave <exiled_dave () yahoo com>
Date: Fri, 28 Apr 2000 12:23:15 -0700 (PDT)



EXACTLY. You'd think Above.Net would realize this. 
And maybe not use the SAME password everywhere, and
permit some 12 year old to put all of our livlihood at
risk.

This was so easily done with ONE sniffed password, I
hope that everyone takes a second look at their own
security procedures. Dont you?

--- dhudes () hudes org wrote:

the whole issue you raise is password management,
long since addressed
in the UNIX world and supported by cisco routers:
Kerberos.

On Fri, 28 Apr 2000, Exiled Dave wrote:

I guess by now everyone knows what happened.

Paul, can you share some info

with the rest of us about what the

vulnerability

was so we can "plug the

hole"?


"Plug the hole" was a figure of speech.  You

pretty

much all know that if

MFN/Abovenet suspected a way in which other

providers were vulnerable, we'd

have shared that information with you

(privately) by

now.

--
Paul Vixie <vixie () mibh net>
SVP for Internet Services, MFNX


HAHAHA the reason no other provider is vulnerable

is

because no other
provider with half a clue has the same simple

login

and enable "p4ssw0rds"
on all their switches, and internal machines in

their

sjc facilities on
hubs. What does one expect will happen when their
switch passwords become
public knowledge? The funny thing is the passwords
were originally sniffed
by MafiaBoy.

There's no need to "privately" share a fix/hole in
this case. 
The ENTIRE problem here, is above's total

inability to

secure their own switches.
And it SHOULD be public. People who control

literally

MILLIONS OF DOLLARS of other people's data per

second

NEED to learn, that CORE NETWORKS NEED TO BE
PROTECTED. (i.e. CHANGING PASSWORDS, NOT

PERMITTING

"COMMON PASSWORDS")
I hope we ALL learn a lesson from this.





__________________________________________________
Do You Yahoo!?
Talk to your friends online and get email alerts

with Yahoo! Messenger.

http://im.yahoo.com/


__________________________________________________
Do You Yahoo!?
Talk to your friends online and get email alerts with Yahoo! Messenger.
http://im.yahoo.com/

Current thread:

ABOVE.NET SECURITY TRUTHS? Exiled Dave (Apr 28)
- <Possible follow-ups>
- Re: ABOVE.NET SECURITY TRUTHS? Exiled Dave (Apr 28)
- Re: ABOVE.NET SECURITY TRUTHS? Exiled Dave (Apr 28)
  - RE: ABOVE.NET SECURITY TRUTHS? Roeland Meyer (E-mail) (Apr 28)
    - RE: ABOVE.NET SECURITY TRUTHS? Paul Froutan (Apr 28)
    - Re: ABOVE.NET SECURITY TRUTHS? Alec H. Peterson (Apr 28)
    - Re: ABOVE.NET SECURITY TRUTHS? Travis Pugh (Apr 28)
    - Re: ABOVE.NET SECURITY TRUTHS? Hank Nussbacher (Apr 29)
    - Re: ABOVE.NET SECURITY TRUTHS? Alec H. Peterson (Apr 30)
    - Re: ABOVE.NET SECURITY TRUTHS? Philip Smith (Apr 30)
    - Re: ABOVE.NET SECURITY TRUTHS? John Kristoff (Apr 28)
  - Re: ABOVE.NET SECURITY TRUTHS? Alex Rubenstein (Apr 28)

(Thread continues...)