Re: Cisco, haven't we learned anything? (technician reset)y

• From: eric
• Date: Thu Jan 12 21:35:32 2006

On Thu, 2006-01-12 at 21:05:52 -0500, Steven M. Bellovin proclaimed...

> 
> How much entropy is there in a such a serial number?  Little enough 
> that it can be brute-forced by someone who knows the pattern?  Using 
> some function of the serial number and a vendor-known secret key is 
> better -- until, of course, that "secret" leaks.  (Anyone remember how 
> telephone credit card number verification worked before they could do 
> full real-time validation?  The Phone Company took a 10-digit phone 
> number and calculated four extra digits, based on that year's secret.  
> Guess how well that secret was kept....)
> 

Hi Steven,

I believe the Netscreen default password of a serial number can only be
entered over the console (and possibly modem/aux) port(s).

• Follow-Ups:
  • Re: Cisco, haven't we learned anything? (technician reset)y Steven M. Bellovin
  • Re: Cisco, haven't we learned anything? (technician reset)y Martin Hannigan

• References:
  • Re: Cisco, haven't we learned anything? (technician reset)y Martin Hannigan
  • Re: Cisco, haven't we learned anything? (technician reset)y Steven M. Bellovin

• Prev by Date: Re: Cisco, haven't we learned anything? (technician reset)y
• Next by Date: Re: Cisco, haven't we learned anything? (technician reset)y
• Date Index
• Thread Index
• Author Index
• Historical