nanog mailing list archives

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment


From: Nathan Eisenberg <nathan () atlasnetworks us>
Date: Thu, 7 Jan 2010 01:37:59 -0800

Matthew Palmer [mpalmer () hezmatt org]
To be fair, he was just asking about factory resetting the device because
the current password was unknown, then reconfiguring the device (I'm willing
to be generous and assume that the reconfiguration included setting a new,
secure password).

Thank you - You're correct.  The administration and security of these devices is hardly magic - but one has to be able 
to access them in order to secure them.  The devices haven't even left my hotel room for the production site, and you 
would already be SOL if you didn't have access to either the (management interface AND the Very Long Password) or 
the (reset button AND the management interface AND (the default password)).  

Dobbins, Roland [rdobbins () arbor net]
Which goes to show that they just really don't get it when it comes to
security.  

So are you specifically opposed to globally default passwords, or are you opposed to being able to reset a device to 
factory defaults and somehow get into the device?  Because while I still maintain there's no real security issue with 
the former (if there is, there's a bigger issue), all that I'm really gung ho for is the ability to get into a piece of 
equipment I need to operate, even if I don't have credentials to it.  

Nothing grinds my gears more than equipment that has to be thrown out because there is no recovery mechanism.  I 
frankly don't much care if the default password on my WWP LE427 is 'wwp' or 
'wwp[serial-number-which-is-printed-on-the-back]' - as long as I can get it so I can get in and change it, I'm happy.

Steven Bellovin [smb () cs columbia edu]
And we all suffer from p0wned devices, because they
get turned into bots.  Roland is 100% right.

Eh... I think this is confusing cause and effect.  We all suffer, but the fact that a device is compromised because of 
a default password is, at the root of the chain, the result of a faulty Operator.  Why was the password left at 
default?  Why was it possible to access the management interface to utilize the default password?  I would argue that 
the solution is to replace or modify the defective operator, rather than replacing, eliminating, or modifying the tool 
they misused.

Joe Hamelin [joe () nethead com]
I've been in training with the WWP folks for the last two days (VERY
GOOD TRAINING, BTW!) and they got quite a chuckle out of this thread.

Are they still around, or are they Ciena employees?  My understanding was that they were completely acquired.

If you got some serious layer 2 stuff to do, these boxes have a really
interesting architecture and some trick features (unix type shell, for
one.)

Yep, they're rock solid devices.  Every deployment I've seen of them has worked very well.  Ciena certainly got a good 
deal out of buying them!  I'm actually not sure how much of the WWP gear is still manufactured.

Thank you all again for helping me sort out what the factory default WWP passwords are so that I can now have a secure 
and documented deployment out here!  I've received a couple offers of technical assistance from WWP veterans that I may 
well take up moving forward.

Best Regards,
Nathan Eisenberg

