North American Network Operators Group


Re: Cisco, haven't we learned anything? (technician reset)

  • From: Martin Hannigan
  • Date: Thu Jan 12 21:48:52 2006

> 
> 
> On Thu, 2006-01-12 at 21:05:52 -0500, Steven M. Bellovin proclaimed...
> 
> > 
> > How much entropy is there in such a serial number?  Little enough 
> > that it can be brute-forced by someone who knows the pattern?  Using 
> > some function of the serial number and a vendor-known secret key is 
> > better -- until, of course, that "secret" leaks.  (Anyone remember how 
> > telephone credit card number verification worked before they could do 
> > full real-time validation?  The Phone Company took a 10-digit phone 
> > number and calculated four extra digits, based on that year's secret.  
> > Guess how well that secret was kept....)
> > 
> 
> Hi Steven,
> 
> I believe the Netscreen default password of a serial number can only be
> entered over the console (and possibly modem/aux) port(s).

Yes. Sorry, I left that out.

-M<
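
An added example, not part of the original thread: a rough way to put numbers on the quoted points about serial-number entropy, a keyed function of the serial, and console-only entry. The serial layout, the key, the 1 guess/s console rate and all function names are constructed assumptions, not any vendor's real format or scheme.

```python
import hashlib
import hmac
import math

DIGITS = "0123456789"
# Constructed serial layout (an assumption, not any vendor's real format):
# 4 fixed model characters, year (10 plausible values), week (52 values),
# then a 6-digit sequence number. Each entry is the set of possible values.
SERIAL_PATTERN = [["M"]] * 4 + [range(10), range(52)] + [DIGITS] * 6
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

def pattern_entropy_bits(pattern):
    """Entropy when each field is uniform over its possible values.
    Fields an outsider already knows (one possible value) add 0 bits."""
    return sum(math.log2(len(field)) for field in pattern)

def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to cover the whole space at a fixed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def derived_password(serial, vendor_key, length=16):
    """Truncated HMAC-SHA256(vendor_key, serial) as 5-bit symbols.
    Unpredictable from the serial alone, but anyone holding vendor_key
    can recompute it for every device, which is the leak risk."""
    digest = hmac.new(vendor_key, serial.encode(), hashlib.sha256).digest()
    return "".join(B32[b % 32] for b in digest[:length])

if __name__ == "__main__":
    naive = 14 * math.log2(36)  # 14 "random-looking" alphanumerics
    real = pattern_entropy_bits(SERIAL_PATTERN)
    print(f"apparent: {naive:.1f} bits, structured: {real:.1f} bits")
    # Assumed rate: manual or scripted entry over a serial console.
    print(f"1 guess/s over a console: {years_to_exhaust(real, 1):.1f} years")
    print(derived_password("MMMM0512000042", b"constructed-demo-key"))
```

With this constructed layout a 14-character serial carries about 29 bits rather than the roughly 72 bits its length suggests; the HMAC-derived value is 80 bits to an outsider and zero bits to anyone who has the vendor key.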