I am upset about the recent thread about the Big/ip support account on Bugtraq.
First of all, it's just stupid to sit here and say "They ship a product with
a security hole, because it has a support password that is root priv'd".
I have known about this for nearly 2 years, questioned them initially, but wrote
it off as inconsequential.
First of all, the default config is very restrictive, and they don't recommend
the contrary.
The Big/ip products ship with the F5 labs firewall IP COMMENTED OUT of the sshd
config.
They assured me that they rotate the passwords on a regular basis to ensure that
accountability is retained internally.
If the device shipped with a password that was obtained via a hex dump of a ROM,
I could understand, but we're talking about a password that requires many hours
of CPU time, or hundreds of thousands of dollars of hardware.
I don't like good people like F5 getting grilled, and sending me a stupid advisory,
because someone cried the equivalent of 'Y2K bug'.
When will the discussion of real security threats return to Bugtraq?
Hey everybody, <insert fav dist> ships with a UID 0 account, its password is probably
guessable.
Grr, this just makes me mad that we're discussing this.
--Perry
--
Perry Harrington
Director of System Architecture
[EMAIL PROTECTED]
zelur xuniL ()  Think Blue. /\
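The two checks the post argues about (a second UID 0 account on the box, and whether sshd only lets the vendor's support account in from the vendor's own address) are easy to audit on any Unix host. The script below is an added example written for this page, not F5's configuration or anything from the original post; the passwd entries, the sshd_config lines, the account name "support" and the address 192.0.2.10 are all constructed sample data, and the pattern used assumes the OpenSSH `AllowUsers user@host` syntax.

```shell
#!/bin/sh
# Added example (not from the original post). Audits a passwd-format file for
# UID 0 accounts other than root, and checks whether an sshd_config contains an
# active (uncommented) AllowUsers entry that pins a given account to a source
# address. File contents below are constructed sample data.

SAMPLE_DIR=$(mktemp -d)

# Constructed passwd: a vendor "support" account that is UID 0, like the one
# discussed in the post, plus an ordinary user.
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
support:x:0:0:vendor support:/home/support:/bin/sh
perry:x:1000:1000:Perry:/home/perry:/bin/sh
EOF

# Constructed "as shipped" sshd_config: the source-address restriction for the
# support account is present but commented out.
cat > "$SAMPLE_DIR/sshd_config.shipped" <<'EOF'
PermitRootLogin no
#AllowUsers support@192.0.2.10
EOF

# Constructed hardened sshd_config: support may only log in from 192.0.2.10
# (an assumed vendor address), perry from anywhere.
cat > "$SAMPLE_DIR/sshd_config.hardened" <<'EOF'
PermitRootLogin no
AllowUsers support@192.0.2.10 perry
EOF

# Print every account in a passwd-format file whose UID is 0 and that is not
# literally named root. Any output here deserves a look.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Succeed (exit 0) only if sshd_config ($1) has an uncommented AllowUsers line
# that lists account $2 with an @address qualifier. A plain "AllowUsers support"
# (no address) or a commented-out line does not count as a restriction.
support_login_restricted() {
    grep -E "^[[:space:]]*AllowUsers[[:space:]]+([^[:space:]]+[[:space:]]+)*$2@[^[:space:]]+" \
        "$1" >/dev/null 2>&1
}

# Human-readable report for one passwd file and one sshd_config.
audit_report() {
    passwd_file=$1; sshd_conf=$2; account=$3
    for a in $(extra_uid0_accounts "$passwd_file"); do
        echo "WARNING: extra UID 0 account: $a"
    done
    if support_login_restricted "$sshd_conf" "$account"; then
        echo "OK: $account is restricted by source address in $sshd_conf"
    else
        echo "WARNING: $account is not restricted by source address in $sshd_conf"
    fi
}

audit_report "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/sshd_config.shipped" support
audit_report "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/sshd_config.hardened" support
```

On a real host you would run `extra_uid0_accounts /etc/passwd` and `support_login_restricted /etc/ssh/sshd_config support` (substituting the real account name); the script only greps the config text, so it will not see restrictions applied elsewhere, for example by TCP wrappers or a packet filter in front of sshd.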