nanog mailing list archives
Re: ABOVE.NET SECURITY TRUTHS?
From: Exiled Dave <exiled_dave () yahoo com>
Date: Fri, 28 Apr 2000 12:23:15 -0700 (PDT)
EXACTLY. You'd think Above.Net would realize this. And maybe not use the SAME password everywhere, and permit some 12 year old to put all of our livlihood at risk. This was so easily done with ONE sniffed password, I hope that everyone takes a second look at their own security procedures. Dont you? --- dhudes () hudes org wrote:
the whole issue you raise is password management, long since addressed in the UNIX world and supported by cisco routers: Kerberos. On Fri, 28 Apr 2000, Exiled Dave wrote:I guess by now everyone knows what happened.Paul, can you share some infowith the rest of us about what thevulnerabilitywas so we can "plug thehole"?"Plug the hole" was a figure of speech. Youprettymuch all know that ifMFN/Abovenet suspected a way in which otherproviders were vulnerable, we'dhave shared that information with you(privately) bynow.-- Paul Vixie <vixie () mibh net> SVP for Internet Services, MFNXHAHAHA the reason no other provider is vulnerableisbecause no other provider with half a clue has the same simpleloginand enable "p4ssw0rds" on all their switches, and internal machines intheirsjc facilities on hubs. What does one expect will happen when their switch passwords become public knowledge? The funny thing is the passwords were originally sniffed by MafiaBoy. There's no need to "privately" share a fix/hole in this case. The ENTIRE problem here, is above's totalinability tosecure their own switches. And it SHOULD be public. People who controlliterallyMILLIONS OF DOLLARS of other people's data persecondNEED to learn, that CORE NETWORKS NEED TO BE PROTECTED. (i.e. CHANGING PASSWORDS, NOTPERMITTING"COMMON PASSWORDS") I hope we ALL learn a lesson from this. __________________________________________________ Do You Yahoo!? Talk to your friends online and get email alertswith Yahoo! Messenger.http://im.yahoo.com/
__________________________________________________ Do You Yahoo!? Talk to your friends online and get email alerts with Yahoo! Messenger. http://im.yahoo.com/
Current thread:
- ABOVE.NET SECURITY TRUTHS? Exiled Dave (Apr 28)
- <Possible follow-ups>
- Re: ABOVE.NET SECURITY TRUTHS? Exiled Dave (Apr 28)
- Re: ABOVE.NET SECURITY TRUTHS? Exiled Dave (Apr 28)
- RE: ABOVE.NET SECURITY TRUTHS? Roeland Meyer (E-mail) (Apr 28)
- RE: ABOVE.NET SECURITY TRUTHS? Paul Froutan (Apr 28)
- Re: ABOVE.NET SECURITY TRUTHS? Alec H. Peterson (Apr 28)
- Re: ABOVE.NET SECURITY TRUTHS? Travis Pugh (Apr 28)
- Re: ABOVE.NET SECURITY TRUTHS? Hank Nussbacher (Apr 29)
- Re: ABOVE.NET SECURITY TRUTHS? Alec H. Peterson (Apr 30)
- Re: ABOVE.NET SECURITY TRUTHS? Philip Smith (Apr 30)
- RE: ABOVE.NET SECURITY TRUTHS? Roeland Meyer (E-mail) (Apr 28)
- Re: ABOVE.NET SECURITY TRUTHS? John Kristoff (Apr 28)