Default Passwords for World Wide Packets/Lightning Edge Equipment

[Nathan Eisenberg]

Greetings,

LONG VERSION:

I have recently inherited the management of an undocumented network (failed 
FTTH provider) which utilizes World Wide Packets' LightningEdge 427 (16 port 
GBIC switch) and 311v (24/4 port Ethernet/GBIC switch) switches.  We've swapped 
out a 427 so that we can rebuild it, push it back into the network, and repeat, 
until everything is under our control.

Trouble is, the lack of documentation extends to passwords, the nature of which 
preclude any hope of getting in to the switch without resetting to defaults.  
Fortunately, I can do this without issue, since it is not in active service.

I reset a spare 311v to defaults, but cannot log in to it with any of the 
logical default passwords.  I can only assume the same will be true of the 427.

Sadly, it seems World Wide Packets is now owned by a new company, who will not 
provide simple documentation without a full support contract.  I got them to 
grudgingly provide the documentation for the customer premise devices 
(LightningEdge 47's), but my pleas for the switch documentation (and the 
management software that I believe WWP provided for free) has fallen on deaf 
ears.  I don't have the budget to blow on a support contract just to get one 
default password (Who would?).

SHORT VERSION:

Does anyone know the default passwords for World Wide Packets 427 and 311v 
switches?


I will most definitely owe anyone with an answer a beer or four next time they 
visit Seattle.  By the way, the default username/password for the LightningEdge 
47 and other WWP CPEs is su/pureethernet.  Hopefully that will save someone 
else some pain.  :-)

Best Regards,
Nathan Eisenberg

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Bill Stewart]

A password recovery method I've found very frustrating is to use the
serial number or similar value that's on a label on the bottom of the
equipment.  It's just fine for desktop hardware - but for rack-mounted
gear, it's not uncommon to find out that you need this information
*after* somebody's racked and stacked the hardware, and therefore you
either need to unscrew it (if it was screwed into the rack) or drag it
out (if it wasn't screwed in for some reason like missing
wing-brackets or 23-inch telco racks or random junk piled on top of
it, etc.), and possibly uncable it as well, depending on how much
slack is in the cabling, and you almost certainly want to power it
down first, and you need to have enough flashlights and reading
glasses to deal with reading the bottom of the equipment lying down on
the floor of the data center.

Yes, you *should* be able to find the serial number by looking in the
accurate complete up-to-date spreadsheet of equipment inventory
records, or at least the previous-user-printed Dymo-label on the front
of the box.  But if you had that quality of records, you  probably
wouldn't need to be running password recovery anyway.

(Disclaimer: I'm currently working in a development lab, not
operations, so ideally this doesn't reflect the state of our
production data centers :-)  Most of the time it doesn't reflect our
lab either, but occasionally it does, and of course loaner equipment
often arrives in random condition.

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Valdis . Kletnieks]

On Tue, 12 Jan 2010 17:50:37 PST, Bill Stewart said:
> A password recovery method I've found very frustrating is to use the
> serial number or similar value that's on a label on the bottom of the
> equipment.

Related pet peeve:  Inventory and asset control people that stick a sticker on
hardware and then expect to be able to scan the barcode at a later date. Works
fine if the barcode sticker actually ends up facing the front or the back of
the rack.  But occasionally, the sticker ends up stuck on an empty space on the
printed circuit board of a upgrade blade that's plugged into a chassis...



pgpORvq0cySnH.pgp
Description: PGP signature

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[gordon b slater]

Dymo-style solutions are somewhat lacking when it comes to some complex
boxes. 
Equipment configs, mods, firmware versions, etc can all be fitted onto a
nice big sheet that can be slipped back into the rack without much
problem in most  cases  

A nifty solution I often claim to have invented in the last century is
to spray-adhesive an A4 (or equivalent US size) plastic pocket/"punched
pocket" on the TOP face of the equipment before you slide it in, such
that a single piece of A4 just protrudes from the front of the rack when
you use a self-adhesive tab on it's TOP edge. 

(the TOP 's above are emphasized, ignore them at your peril; in the
first  case  the plastic will be destroyed the first time the
equipment is de-racked and in the second the tab will pull off easily.
Problems can be prevented by placing two tabs on the paper, one on each
side, exactly over each other.)

The trick, to ensure subsequent re-insertion (which is much harder than
it seems if you don't) is to also firmly stick a tab to the UPPER INSIDE
of the plastic wallet opening. To re-insert, gently lift the plastic tab
up.

All of this takes up under a millimeter and (unless the equipment
designer was drunk) doesn't affect ventilation. On rolling ships,
however, the papers require a bit of insulation tape across adjacent
case-fronts after each use.  

/end_stationary_geek_mode

pics off-list on request if that doesn't make sense.

Gord

On Tue, 2010-01-12 at 17:50 -0800, Bill Stewart wrote:
> A password recovery method I've found very frustrating is to use the
> serial number or similar value that's on a label on the bottom of the
> equipment.  It's just fine for desktop hardware - but for rack-mounted
> gear, it's not uncommon to find out that you need this information
> *after* somebody's racked and stacked the hardware, and therefore you
> either need to unscrew it (if it was screwed into the rack)

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Barry Shein]

On January 12, 2010 at 23:03 valdis.kletni...@vt.edu (valdis.kletni...@vt.edu) 
wrote:
 > On Tue, 12 Jan 2010 17:50:37 PST, Bill Stewart said:
 > > A password recovery method I've found very frustrating is to use the
 > > serial number or similar value that's on a label on the bottom of the
 > > equipment.
 > 
 > Related pet peeve:  Inventory and asset control people that stick a sticker 
 > on
 > hardware and then expect to be able to scan the barcode at a later date. 
 > Works
 > fine if the barcode sticker actually ends up facing the front or the back of
 > the rack.  But occasionally, the sticker ends up stuck on an empty space on 
 > the
 > printed circuit board of a upgrade blade that's plugged into a chassis...
 > 

Sounds like RFID FTW!

Actually, I have no idea if it'd work, maybe someone else does. Seems
like it'd be nice to be able to just wand a rack and poof out comes a
list of everything in it.


-- 
-Barry Shein

The World  | b...@theworld.com   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada
Software Tool & Die| Public Access Internet | SINCE 1989 *oo*

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Matt Simmons]

That would be excellent for both the administrator, and anyone walking
down the row with a wand in their pocket.

On Wed, Jan 13, 2010 at 12:21 PM, Barry Shein  wrote:
>
> On January 12, 2010 at 23:03 valdis.kletni...@vt.edu 
> (valdis.kletni...@vt.edu) wrote:
>  > On Tue, 12 Jan 2010 17:50:37 PST, Bill Stewart said:
>  > > A password recovery method I've found very frustrating is to use the
>  > > serial number or similar value that's on a label on the bottom of the
>  > > equipment.
>  >
>  > Related pet peeve:  Inventory and asset control people that stick a 
> sticker on
>  > hardware and then expect to be able to scan the barcode at a later date. 
> Works
>  > fine if the barcode sticker actually ends up facing the front or the back 
> of
>  > the rack.  But occasionally, the sticker ends up stuck on an empty space 
> on the
>  > printed circuit board of a upgrade blade that's plugged into a chassis...
>  >
>
> Sounds like RFID FTW!
>
> Actually, I have no idea if it'd work, maybe someone else does. Seems
> like it'd be nice to be able to just wand a rack and poof out comes a
> list of everything in it.
>
>
> --
>        -Barry Shein
>
> The World              | b...@theworld.com           | http://www.TheWorld.com
> Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
> Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*
>
>



-- 

LITTLE GIRL: But which cookie will you eat FIRST?
COOKIE MONSTER: Me think you have misconception of cookie-eating process.

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Valdis . Kletnieks]

On Wed, 13 Jan 2010 12:55:00 EST, Matt Simmons said:
> That would be excellent for both the administrator, and anyone walking
> down the row with a wand in their pocket.

Barry's right, for at least some scenarios. If I have an unauthorized somebody
walking down the row with a wand in their pocket, the fact they have a wand in
their pocket is the least of my problems.

It's of course different if your biggest competitor is colo'd in the same
room, two cages over.



pgpbqSKCsFMLN.pgp
Description: PGP signature

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Jon Lewis]

We have an internally written app that allows us to either find where in 
the data center a server is, or pull up a rack and see what's in it.  It 
wouldn't be a very big leap to assign each rack a bar code and have an app 
(you could even write it as a smartphone app) that scans the bar code and 
looks up what's in the rack.  Of course, without access to (authentication 
is required) the web app front end for the database of what's where, just 
scanning the bar code wouldn't get you anything but a rack serial 
number...so you don't have to worry about random people scanning the rack 
bar code.


BTW...a friend who works for a mostly failed .com patented something like 
this some years ago.  I think his patent was actually for a system in 
which a bar code on the front of a server could be scanned by a portable 
device, and you'd get current system health information for that system.


On Wed, 13 Jan 2010, Matt Simmons wrote:


That would be excellent for both the administrator, and anyone walking
down the row with a wand in their pocket.

On Wed, Jan 13, 2010 at 12:21 PM, Barry Shein  wrote:


On January 12, 2010 at 23:03 valdis.kletni...@vt.edu (valdis.kletni...@vt.edu) 
wrote:
 > On Tue, 12 Jan 2010 17:50:37 PST, Bill Stewart said:
 > > A password recovery method I've found very frustrating is to use the
 > > serial number or similar value that's on a label on the bottom of the
 > > equipment.
 >
 > Related pet peeve:  Inventory and asset control people that stick a sticker 
on
 > hardware and then expect to be able to scan the barcode at a later date. 
Works
 > fine if the barcode sticker actually ends up facing the front or the back of
 > the rack.  But occasionally, the sticker ends up stuck on an empty space on 
the
 > printed circuit board of a upgrade blade that's plugged into a chassis...
 >

Sounds like RFID FTW!

Actually, I have no idea if it'd work, maybe someone else does. Seems
like it'd be nice to be able to just wand a rack and poof out comes a
list of everything in it.


--
       -Barry Shein

The World              | b...@theworld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, Canada
Software Tool & Die    | Public Access Internet     | SINCE 1989     *oo*






--

LITTLE GIRL: But which cookie will you eat FIRST?
COOKIE MONSTER: Me think you have misconception of cookie-eating process.




--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Nathan Eisenberg]

> -Original Message-
> From: Matt Simmons [mailto:standalone.sysad...@gmail.com]
> Sent: Wednesday, January 13, 2010 9:55 AM
> To: Barry Shein
> Cc: nanog@nanog.org; Bill Stewart
> Subject: Re: Default Passwords for World Wide Packets/Lightning Edge
> Equipment
> 
> That would be excellent for both the administrator, and anyone walking
> down the row with a wand in their pocket.

I'm not sure there's an attack vector utilizing inventory ID numbers.  Even if 
there is, they can just as easily scan a barcode or read a label from that 
distance, so I'm not sure there's a huge difference.

Best Regards,
Nathan Eisenberg

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Barry Shein]

On January 13, 2010 at 12:55 standalone.sysad...@gmail.com (Matt Simmons) wrote:
 > That would be excellent for both the administrator, and anyone walking
 > down the row with a wand in their pocket.


All an RFID wand would give you is a unique id number for each tag in
range which someone with access to an inventory database would look up
to find the associated record for other info.

It would be mostly useless info to "anyone...with a wand."

I suppose my question is more in the realm of whether the environment
is too RF noisy for RFIDs to be reliable, do such systems exist at
that scale (can I buy 1,000 RFID tags and a wand? I'd think so but I
don't know.) Also, would RF shielding in racks make it tricky to get a
good wanding?

Anyhow, just a thought.


 > 
 > On Wed, Jan 13, 2010 at 12:21 PM, Barry Shein  wrote:
 > >
 > > On January 12, 2010 at 23:03 valdis.kletni...@vt.edu 
 > > (valdis.kletni...@vt.edu) wrote:
 > >  > On Tue, 12 Jan 2010 17:50:37 PST, Bill Stewart said:
 > >  > > A password recovery method I've found very frustrating is to use the
 > >  > > serial number or similar value that's on a label on the bottom of the
 > >  > > equipment.
 > >  >
 > >  > Related pet peeve:  Inventory and asset control people that stick a 
 > > sticker on
 > >  > hardware and then expect to be able to scan the barcode at a later 
 > > date. Works
 > >  > fine if the barcode sticker actually ends up facing the front or the 
 > > back of
 > >  > the rack.  But occasionally, the sticker ends up stuck on an empty 
 > > space on the
 > >  > printed circuit board of a upgrade blade that's plugged into a 
 > > chassis...
 > >  >
 > >
 > > Sounds like RFID FTW!
 > >
 > > Actually, I have no idea if it'd work, maybe someone else does. Seems
 > > like it'd be nice to be able to just wand a rack and poof out comes a
 > > list of everything in it.
 > >
 > >
 > > --
 > >        -Barry Shein
 > >
 > > The World              | b...@theworld.com           | 
 > > http://www.TheWorld.com
 > > Purveyors to the Trade | Voice: 800-THE-WRLD        | Dial-Up: US, PR, 
 > > Canada
 > > Software Tool & Die    | Public Access Internet     | SINCE 1989     
 > > *oo*
 > >
 > >
 > 
 > 
 > 
 > -- 
 > 
 > LITTLE GIRL: But which cookie will you eat FIRST?
 > COOKIE MONSTER: Me think you have misconception of cookie-eating process.

-- 
-Barry Shein

The World  | b...@theworld.com   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada
Software Tool & Die| Public Access Internet | SINCE 1989 *oo*

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Lyndon Nerenberg (VE6BBM/VE7TFX)]

> Barry's right, for at least some scenarios. If I have an unauthorized somebody
> walking down the row with a wand in their pocket, the fact they have a wand in
> their pocket is the least of my problems.

Encrypt the data?

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Barry Shein]

There seem to be a lot of misconceptions about RFID tags. I'm hardly
an expert but I do know this much:

RFID tags are generic, you don't put data into them unique to your
application.

All they are is a range of long serial numbers guaranteed to be
globally unique, like ethernet macs more or less.

You get an RFID tag, associate it with a piece of equipment, enter the
tag serial number and other info INTO YOUR OWN INVENTORY DATABASE, and
stick it on the equipment.

Then you can later use a wand which can retrieve the RFID tag number
at some distance, a few feet, think: supermarket checkout.

The big advantage of RFIDs is that you don't need line of sight access
like you do with bar codes, they use RF, radio frequency.

Think: anti-shoplifting tags, most of them are basically RFID tags tho
older ones don't have a unique id which is why they had to be
physically removed or disabled.

More modern anti-shoplifting systems wand the tag id (possibly via an
externally printed bar code because point of sale (POS) systems aren't
quite there yet) into the POS system so the anti-shoplifting exit
system can look it up to see if the item has been paid for.

A system which also used these to track equipment being removed from
an area or building would be a relatively straightforward plus.

It may not stop someone but it might know exactly what time it passed
out the door to help with any investigation, or in a more secure
environment one might have to mark the RFID tag as authorized to go
out the door via some security process, or at least associate its
leaving with a security badge or whatever id is used.

It's much better than sliced bread for some apps except that they make
for really lousy BLTs.



On January 13, 2010 at 11:23 lyn...@orthanc.ca (Lyndon Nerenberg 
(VE6BBM/VE7TFX)) wrote:
 > > Barry's right, for at least some scenarios. If I have an unauthorized 
 > > somebody
 > > walking down the row with a wand in their pocket, the fact they have a 
 > > wand in
 > > their pocket is the least of my problems.
 > 
 > Encrypt the data?
 > 

-- 
-Barry Shein

The World  | b...@theworld.com   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada
Software Tool & Die| Public Access Internet | SINCE 1989 *oo*

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Lyndon Nerenberg (VE6BBM/VE7TFX)]

> RFID tags are generic, you don't put data into them unique to your
> application.

Field programmable RFID-like tags do exist. They aren't common, but
they're out there.

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Steven Bellovin]

On Jan 13, 2010, at 1:45 PM, Barry Shein wrote:

> 
> There seem to be a lot of misconceptions about RFID tags. I'm hardly
> an expert but I do know this much:
> 
> RFID tags are generic, you don't put data into them unique to your
> application.
> 
Part of the original (or at least early) context for this thread was recovery 
of default passwords.  If the password is F(ser#), it's only learnable if you 
know both F() and ser#.  The vendor knows F() -- who knows ser#?  If it's in an 
RFID tag, or is DBlookup(tag#,vendor_db), being able to read this 
admittedly-arbitrary number may indeed be a threat.


--Steve Bellovin, http://www.cs.columbia.edu/~smb

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Nathan Eisenberg]

Not if you change the default password like any sane admin does...

-Original Message-
From: Steven Bellovin [mailto:s...@cs.columbia.edu] 
Sent: Wednesday, January 13, 2010 11:26 AM
To: Barry Shein
Cc: nanog@nanog.org; nonobvi...@gmail.com
Subject: Re: Default Passwords for World Wide Packets/Lightning Edge Equipment


On Jan 13, 2010, at 1:45 PM, Barry Shein wrote:

> 
> There seem to be a lot of misconceptions about RFID tags. I'm hardly
> an expert but I do know this much:
> 
> RFID tags are generic, you don't put data into them unique to your
> application.
> 
Part of the original (or at least early) context for this thread was recovery 
of default passwords.  If the password is F(ser#), it's only learnable if you 
know both F() and ser#.  The vendor knows F() -- who knows ser#?  If it's in an 
RFID tag, or is DBlookup(tag#,vendor_db), being able to read this 
admittedly-arbitrary number may indeed be a threat.


--Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Joel Jaeggli]

Steven Bellovin wrote:
> On Jan 13, 2010, at 1:45 PM, Barry Shein wrote:
> 
>> There seem to be a lot of misconceptions about RFID tags. I'm hardly
>> an expert but I do know this much:
>>
>> RFID tags are generic, you don't put data into them unique to your
>> application.

Not true, the simplest rfid tags are energized and play back whatever
string is embedded, passive tags, however, plenty of device that fall
under the moniker rfid are at a minimum field programmable. Moreover
when you get beyond passive tags, the devices can be found with full on
java stacks, challenge response system, fips certified crypto engines,
flash for stored value etc.


> Part of the original (or at least early) context for this thread was recovery 
> of default passwords.  If the password is F(ser#), it's only learnable if you 
> know both F() and ser#.  The vendor knows F() -- who knows ser#?  If it's in 
> an RFID tag, or is DBlookup(tag#,vendor_db), being able to read this 
> admittedly-arbitrary number may indeed be a threat.
> 
> 
>   --Steve Bellovin, http://www.cs.columbia.edu/~smb
> 
> 
> 
> 
> 
> 

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Valdis . Kletnieks]

On Wed, 13 Jan 2010 11:23:59 MST, "Lyndon Nerenberg (VE6BBM/VE7TFX)" said:
> > Barry's right, for at least some scenarios. If I have an unauthorized 
> > somebody
> > walking down the row with a wand in their pocket, the fact they have a wand 
> > in
> > their pocket is the least of my problems.
> 
> Encrypt the data?

That's a possible solution to the wand, which is the least of my problems.

My *big* problem at that point is I have an unauthorized person in my
server room. ;)



pgp6fIGjrrDm2.pgp
Description: PGP signature

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Steven Bellovin]

On Jan 13, 2010, at 2:47 PM, Nathan Eisenberg wrote:

> Not if you change the default password like any sane admin does...


This is from the OP:

I have recently inherited the management of an undocumented network 
(failed FTTH provider) which utilizes World Wide Packets' LightningEdge 427 (16 
port GBIC switch) and 311v (24/4 port Ethernet/GBIC switch) switches.  

...

Does anyone know the default passwords for World Wide Packets 427 and 
311v switches?

Lots of gear has a button/jumper/pop_the_CMOS 
battery/other_physical_presence_magic to reset things to factory state, 
including the default pw.  The threat went on to why default passwords are bad, 
to passwords on the bottom of the device, to RFIDs because the devices of 
interest to this community are racked and stacked -- and back to theme #2: 
default passwords are bad...

--Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Graeme Fowler]

On Wed, 2010-01-13 at 15:12 -0500, Steven Bellovin wrote:
> Lots of gear has a button/jumper/pop_the_CMOS 
> battery/other_physical_presence_magic to reset things to factory state, 
> including the default pw.  The threat went on to why default passwords are 
> bad, to passwords on the bottom of the device, to RFIDs because the devices 
> of interest to this community are racked and stacked -- and back to theme #2: 
> default passwords are bad...

And somewhere in the dim and distant past (Jan 6th), Nathan announced
that he'd sorted out his original problem and now had the defaults.

What a peculiar bunch we are. And this from the group lauded as
anonymously and peacefully co-existing to hold the Internet together,
eh?

Graeme

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Nathan Eisenberg]

> From: Graeme Fowler [mailto:gra...@graemef.net]
> And somewhere in the dim and distant past (Jan 6th), Nathan announced
> that he'd sorted out his original problem and now had the defaults.
> 
> What a peculiar bunch we are. And this from the group lauded as
> anonymously and peacefully co-existing to hold the Internet together,
> eh?
> 
> Graeme

I think the impulse to challenge and question assertions probably tends to be a 
common personality feature in (good) network admins.  The resulting 
conversations are often lively, oddly passionate arguments - but I firmly 
believe that there is a friendly nature behind it all.

Nathan

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Valdis . Kletnieks]

On Wed, 13 Jan 2010 12:50:03 PST, Nathan Eisenberg said:
> I think the impulse to challenge and question assertions probably tends to
> be a common personality feature in (good) network admins.

Something to keep in mind is that this list is, by and large, comprised of
people who are paid large sums of money for their ability to have meaningful
conversations with inanimate objects made of melted sand.

You gotta expect their people skills will be different. :)


pgprXek07GxSS.pgp
Description: PGP signature

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Matthew Palmer]

On Wed, Jan 13, 2010 at 12:55:00PM -0500, Matt Simmons wrote:
> That would be excellent for both the administrator, and anyone walking
> down the row with a wand in their pocket.

So... someone has a list of the "barcodes" on all my equipment.  ONOES! 
Without access to the asset database that backs it, I'm not sure what damage
they're going to do.  It's not as though one of my core switches is going to
try and get through airport security with it.

- Matt

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Dobbins, Roland]

On Jan 6, 2010, at 3:17 PM, Nathan Eisenberg wrote:

> Does anyone know the default passwords for World Wide Packets 427 and 311v 
> switches?

One should think the fact that there are default passwords at all should be a 
cause for alarm, in and of itself.

---
Roland Dobbins  // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Nathan Eisenberg]

> One should think the fact that there are default passwords at all
> should be a cause for alarm, in and of itself.

I must not have been very clear.  I'm resetting these switches to factory 
defaults using the hardware reset button, and attempting to log in using 
whatever the factory default passwords are.  No cause for alarm - the devices 
as deployed DO NOT have the default passwords on them (probably... without 
having the factory default passwords for the devices, it's hard to say...)

Anyways, does that make sense?

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Nathan Eisenberg]

After weeks on banging my head on this, I figure it out within an hour of 
posting it to NANOG.  You guys are good luck!

For future reference/Google, the factory default password for (at least the 
LightningEdge 427 - not sure about the 311v yet) these switches is: su/wwp.  
Obviously, you should change this prior to deployment!

Best Regards,
Nathan Eisenberg

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Dobbins, Roland]

On Jan 6, 2010, at 3:44 PM, Nathan Eisenberg wrote:

> I must not have been very clear.  I'm resetting these switches to factory 
> defaults using the hardware reset button, and attempting to log in using 
> whatever the factory default passwords are. 

Right - what I'm saying is the fact that there are default passwords at all is 
horribly insecure, and that the vendor in question should be prodded to change 
this dangerous practice.

---
Roland Dobbins  // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Benjamin BILLON]

Did you try to get in touch with Ciena people? I'm sure they will be 
comprehensive about how you get their products (not being exactly a 
customer).
You could maybe even get an access to products' documentation without 
providing S/N: 
https://portal.ciena.com/AccountRequest/index.aspx?mode=MgsZFb3Brzo=

I didn't try myself, but I guess getting the full documentation is worth it.

Ben


Nathan Eisenberg a écrit :

Greetings,

LONG VERSION:

I have recently inherited the management of an undocumented network (failed 
FTTH provider) which utilizes World Wide Packets' LightningEdge 427 (16 port 
GBIC switch) and 311v (24/4 port Ethernet/GBIC switch) switches.  We've swapped 
out a 427 so that we can rebuild it, push it back into the network, and repeat, 
until everything is under our control.

Trouble is, the lack of documentation extends to passwords, the nature of which 
preclude any hope of getting in to the switch without resetting to defaults.  
Fortunately, I can do this without issue, since it is not in active service.

I reset a spare 311v to defaults, but cannot log in to it with any of the 
logical default passwords.  I can only assume the same will be true of the 427.

Sadly, it seems World Wide Packets is now owned by a new company, who will not 
provide simple documentation without a full support contract.  I got them to 
grudgingly provide the documentation for the customer premise devices 
(LightningEdge 47's), but my pleas for the switch documentation (and the 
management software that I believe WWP provided for free) has fallen on deaf 
ears.  I don't have the budget to blow on a support contract just to get one 
default password (Who would?).

SHORT VERSION:

Does anyone know the default passwords for World Wide Packets 427 and 311v 
switches?


I will most definitely owe anyone with an answer a beer or four next time they 
visit Seattle.  By the way, the default username/password for the LightningEdge 
47 and other WWP CPEs is su/pureethernet.  Hopefully that will save someone 
else some pain.  :-)

Best Regards,
Nathan Eisenberg

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Matthew Palmer]

On Wed, Jan 06, 2010 at 08:26:25AM +, Dobbins, Roland wrote:
> > Does anyone know the default passwords for World Wide Packets 427 and 311v 
> > switches?
> 
> One should think the fact that there are default passwords at all should be a 
> cause for alarm, in and of itself.

As much as they're a definite security risk, I can't imagine what other
option there is.  The closest I can come to a solution is to set a random
password and flash it using a front-panel LED using morse.  

- Matt

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

[George Bonser]

> Right - what I'm saying is the fact that there are default passwords
at
> all is horribly insecure, and that the vendor in question should be
> prodded to change this dangerous practice.

How is that a risk in any way?  Considering that one must have physical
access to reset the unit to factory default, having physical access
pretty much trumps any other security measure. 

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Dobbins, Roland]

On Jan 6, 2010, at 4:18 PM, Matthew Palmer wrote:

> The closest I can come to a solution is to set a random password and flash it 
> using a front-panel LED using morse.  

heh

No password at all, operator prompted at the console during startup 
unless/until he sets one.  No IP address, et. al. until a password is set.

---
Roland Dobbins  // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Dobbins, Roland]

On Jan 6, 2010, at 4:24 PM, George Bonser wrote:

> having physical access pretty much trumps any other security measure. 

The fact that there's a factory default means that lots of folks won't change 
it when they configure the unit with an IP address; they follow this with 
failing to implement iACLs, and it's pw3nt1me!

;>

---
Roland Dobbins  // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

[George Bonser]

> -Original Message-
> 
> > having physical access pretty much trumps any other security
measure.
> 
> The fact that there's a factory default means that lots of folks won't
> change it when they configure the unit with an IP address; they follow
> this with failing to implement iACLs, and it's pw3nt1me!


I suppose it is a philosophical thing with me.  I don't believe in
protecting people from their own stupidity. If you try to enforce that,
you end up with organizations making up their own "default" passwords
which can be little better than manufacturer defaults. 

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Nathan Eisenberg]

> Right - what I'm saying is the fact that there are default passwords at
> all is horribly insecure, and that the vendor in question should be
> prodded to change this dangerous practice.

I don't see how there's a security problem with equipment coming from the 
factory with factory default passwords. 

In my opinion, a breach caused by a reset of equipment to default 
configuration/passwords would suggest far more basic security issues, which are 
not at all mitigated by eliminating the existence of default passwords.

I generally try to mitigate the issues further down the stack.  I doubt factory 
default passwords are going anywhere, but even if they did go away, I would 
still strictly control access to my management interfaces, as well as the reset 
holes on my equipment, and so I would argue that I would be no more or less 
secure than I am now.

But maybe I'm missing something?

Best Regards,
Nathan Eisenberg

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Jim Burwell]

On 1/6/2010 01:23, Dobbins, Roland wrote:
> On Jan 6, 2010, at 4:18 PM, Matthew Palmer wrote:
>
>   
>> The closest I can come to a solution is to set a random password and flash 
>> it using a front-panel LED using morse.  
>> 
> heh
>
> No password at all, operator prompted at the console during startup 
> unless/until he sets one.  No IP address, et. al. until a password is set.
>   
Yeah.  And for devices with no console, only network interfaces, a
default IP address, no default password, and no default route (just in
case they plug it into a real LAN instead of a laptop.  :p  ).

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Steven Bellovin]

On Jan 6, 2010, at 4:43 AM, George Bonser wrote:

>> -Original Message-
>> 
>>> having physical access pretty much trumps any other security
> measure.
>> 
>> The fact that there's a factory default means that lots of folks won't
>> change it when they configure the unit with an IP address; they follow
>> this with failing to implement iACLs, and it's pw3nt1me!
> 
> 
> I suppose it is a philosophical thing with me.  I don't believe in
> protecting people from their own stupidity. If you try to enforce that,
> you end up with organizations making up their own "default" passwords
> which can be little better than manufacturer defaults. 
> 
> 
They're much better, since once guess doesn't suffice for all devices; see 
http://ids.ftw.fm/Home/publications/RouterScan-RAID09-Poster.pdf?attredirects=0 
for some indication of just how bad the problem can be.  And we all suffer from 
p0wned devices, because they get turned into bots.  Roland is 100% right.

--Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Jeffrey I. Schiller]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

An option I saw years ago (I forgot on whose equipment) was a default
password which was a function of the equipment's serial number. So you
had to have the algorithm and you needed the serial number which was not
related to the MAC. So if you didn't have physical access, you were not
in a good position to learn the password.

I suspect this was a support nightmare for the vendor and I bet they
went to a more standard (read: the same) factory password.

At the end of the day, minimizing support costs for the vendor (not to
mention likely annoyance for the customer) trumps providing "default"
security for the folks who won't change the default password.

-Jeff

Matthew Palmer wrote:
> On Wed, Jan 06, 2010 at 08:26:25AM +, Dobbins, Roland wrote:
>>> Does anyone know the default passwords for World Wide Packets 427 and 311v 
>>> switches?
>> One should think the fact that there are default passwords at all should be 
>> a cause for alarm, in and of itself.
> 
> As much as they're a definite security risk, I can't imagine what other
> option there is.  The closest I can come to a solution is to set a random
> password and flash it using a front-panel LED using morse.  
> 
> - Matt
> 

- --

Jeffrey I. Schiller
MIT Network Manager/Security Architect
PCI Compliance Officer
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice
j...@mit.edu
http://jis.qyv.name

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFLRRuk8CBzV/QUlSsRAuEEAJ4vFWYnMqK3AP1q9y46HzIIMeasoQCfSAkb
CobOYgNelNkZL2ePmd6jwpM=
=zBKR
-END PGP SIGNATURE-

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Nick Hale]

I think the vendor you're thinking of was Cabletron (now Enterasys).  I
had to call them and give them the Serial Number for them to provide me
with the default password to the system after a hard reset (this was for
an ELS100-24TXG 'switch').


-NH

-Original Message-
From: Jeffrey I. Schiller [mailto:j...@mit.edu] 
Sent: Wednesday, January 06, 2010 17:24
To: Matthew Palmer
Cc: nanog@nanog.org
Subject: Re: Default Passwords for World Wide Packets/Lightning Edge
Equipment

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

An option I saw years ago (I forgot on whose equipment) was a default
password which was a function of the equipment's serial number. So you
had to have the algorithm and you needed the serial number which was not
related to the MAC. So if you didn't have physical access, you were not
in a good position to learn the password.

I suspect this was a support nightmare for the vendor and I bet they
went to a more standard (read: the same) factory password.

At the end of the day, minimizing support costs for the vendor (not to
mention likely annoyance for the customer) trumps providing "default"
security for the folks who won't change the default password.

-Jeff

Matthew Palmer wrote:
> On Wed, Jan 06, 2010 at 08:26:25AM +, Dobbins, Roland wrote:
>>> Does anyone know the default passwords for World Wide Packets 427
and 311v switches?
>> One should think the fact that there are default passwords at all
should be a cause for alarm, in and of itself.
> 
> As much as they're a definite security risk, I can't imagine what
other
> option there is.  The closest I can come to a solution is to set a
random
> password and flash it using a front-panel LED using morse.  
> 
> - Matt
> 

- --

Jeffrey I. Schiller
MIT Network Manager/Security Architect
PCI Compliance Officer
Information Services and Technology
Massachusetts Institute of Technology
77 Massachusetts Avenue  Room W92-190
Cambridge, MA 02139-4307
617.253.0161 - Voice
j...@mit.edu
http://jis.qyv.name

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFLRRuk8CBzV/QUlSsRAuEEAJ4vFWYnMqK3AP1q9y46HzIIMeasoQCfSAkb
CobOYgNelNkZL2ePmd6jwpM=
=zBKR
-END PGP SIGNATURE-

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Steven Bellovin]

On Jan 6, 2010, at 6:24 PM, Jeffrey I. Schiller wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> An option I saw years ago (I forgot on whose equipment) was a default
> password which was a function of the equipment's serial number. So you
> had to have the algorithm and you needed the serial number which was not
> related to the MAC. So if you didn't have physical access, you were not
> in a good position to learn the password.
> 
> I suspect this was a support nightmare for the vendor and I bet they
> went to a more standard (read: the same) factory password.
> 
> At the end of the day, minimizing support costs for the vendor (not to
> mention likely annoyance for the customer) trumps providing "default"
> security for the folks who won't change the default password.

The MyFi apparently does this.  According to 
http://www.nytimes.com/2009/05/07/technology/personaltech/07pogue.html "The 
network password is printed right there on the bottom of the MiFi itself."

--Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Joel Esler]

On Wed, Jan 6, 2010 at 8:26 PM, Steven Bellovin  wrote:

> On Jan 6, 2010, at 6:24 PM, Jeffrey I. Schiller wrote:
>
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA1
> >
> > An option I saw years ago (I forgot on whose equipment) was a default
> > password which was a function of the equipment's serial number. So you
> > had to have the algorithm and you needed the serial number which was not
> > related to the MAC. So if you didn't have physical access, you were not
> > in a good position to learn the password.
> >
> > I suspect this was a support nightmare for the vendor and I bet they
> > went to a more standard (read: the same) factory password.
> >
> > At the end of the day, minimizing support costs for the vendor (not to
> > mention likely annoyance for the customer) trumps providing "default"
> > security for the folks who won't change the default password.
>
> The MyFi apparently does this.  According to
> http://www.nytimes.com/2009/05/07/technology/personaltech/07pogue.html"The 
> network password is printed right there on the bottom of the MiFi
> itself."
>
>
At least it's not "".

But yes, my Mifi *had* the password on the bottom.



-- 
Joel Esler

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Mark Foster]

At the end of the day, minimizing support costs for the vendor (not to
mention likely annoyance for the customer) trumps providing "default"
security for the folks who won't change the default password.


The MyFi apparently does this.  According to
http://www.nytimes.com/2009/05/07/technology/personaltech/07pogue.html"The 
network password is printed right there on the bottom of the MiFi
itself."



At least it's not "".

But yes, my Mifi *had* the password on the bottom.



In a lot of cases, physical access = you're screwed anyway. What's the 
difference if the password is printed on the box?


If you can't physically protect your kit, that's something else, but aside 
from things like WAP's which are routinely in 'the open' surely you 
protect your equipment inside secure racks/cabinets/datacentres such that 
the physical labelling is inaccessible to those who aren't authorised... ?

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Matthew Palmer]

On Wed, Jan 06, 2010 at 08:41:14PM -0500, Joel Esler wrote:
> On Wed, Jan 6, 2010 at 8:26 PM, Steven Bellovin  wrote:
> > On Jan 6, 2010, at 6:24 PM, Jeffrey I. Schiller wrote:
> > > An option I saw years ago (I forgot on whose equipment) was a default
> > > password which was a function of the equipment's serial number. So you
> > > had to have the algorithm and you needed the serial number which was not
> > > related to the MAC. So if you didn't have physical access, you were not
> > > in a good position to learn the password.
> > >
> > > I suspect this was a support nightmare for the vendor and I bet they
> > > went to a more standard (read: the same) factory password.
> > >
> > > At the end of the day, minimizing support costs for the vendor (not to
> > > mention likely annoyance for the customer) trumps providing "default"
> > > security for the folks who won't change the default password.
> >
> > The MyFi apparently does this.  According to
> > http://www.nytimes.com/2009/05/07/technology/personaltech/07pogue.html"The 
> > network password is printed right there on the bottom of the MiFi
> > itself."
>
> At least it's not "".
> 
> But yes, my Mifi *had* the password on the bottom.

As long as the passwords are reasonably secure (ie not generated to a simple
pattern that can be easily brute forced) and they can be changed, I'd
consider that to be pretty reasonable security.  As has been mentioned in
this thread already, if someone's got physical access to your equipment
you're dead in the water, security wise, so having the device-specific
"factory" default password on the equipment is far more secure than having a
single factory default password, whilst being *far* more user friendly than
a hash-the-serial-number approach -- or even a "prompt for a password before
I'll do anything" (which, I agree, is the most secure, but is still not very
usable).

For the record, all of my personal networking gear has the admin credentials
(and whatever else I need to get into them, like IP addresses, etc) written
on it.  I don't trust myself to remember those over the years, and assuming
that anything else is going to be working when I *need* to get into them
seems awfully optimistic.

- Matt

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Joe Hamelin]

I've been in training with the WWP folks for the last two days (VERY
GOOD TRAINING, BTW!) and they got quite a chuckle out of this thread.
 They say if a customer is willing to pay they can change the
initialization method.  But I'm guessing that anyone willing to pay
would be the type to actually secure the box once it's turned-up.

If you got some serious layer 2 stuff to do, these boxes have a really
interesting architecture and some trick features (unix type shell, for
one.)

-Joe

-- 
Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Dobbins, Roland]

On Jan 7, 2010, at 10:12 AM, Joe Hamelin wrote:

>  they got quite a chuckle out of this thread.

Which goes to show that they just really don't get it when it comes to 
security.  Maybe they should look here at all the entries for 'default 
credentials':



---
Roland Dobbins  // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Dobbins, Roland]

On Jan 7, 2010, at 10:19 AM, Dobbins, Roland wrote:

> Which goes to show that they just really don't get it when it comes to 
> security.  Maybe they should look here at all the entries for 'default 
> credentials':

Actually, should be 'default password'.

---
Roland Dobbins  // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[James Hess]

On Wed, Jan 6, 2010 at 1:12 PM, Jim Burwell  wrote:
[snip]
> Yeah.  And for devices with no console, only network interfaces, a
> default IP address, no default password, and no default route (just in
> case they plug it into a real LAN instead of a laptop.  :p  ).

Ah... don't worry about default routes..  Proxy ARP will  "fix it"..
when combined with a suitable router that does it by default,  and
help make sure the  default-pw'ed  device  can still be reached by the
bad guys.

As murphy would have it,  default device IP happens to correspond to a
valid LAN IP address formerly used by a server,  that the neglected
perimeter firewall   still  forwards  port 80 traffic to...

You know..  an extra port isn't so expensive these days. equipment
vendors could just make one of the network ports be labelled
"Manage",   ship the units with management access disabled, except on
that port.
Don't allow  normal traffic forwarding  to/from that port by default.

On first login,  require a password change to be made before all other
changes, such as  enabling full management are even allowed,
including turning the manage port into a normal port  (if it's even
necessary).

Device  should shutdown the manage port, until reboot, via "management
port security"..   when the first frame is received,  memorize the MAC
address,  as long as carrier is still detected.

If later a second MAC address is detected as the source on any frame,
or any multicast frame at all is received,  other than an ARP  for
switch's default IP.

Light up an  orange LED for "security violation"   or  a "user error"
light.   :)

--
-J

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

[George Bonser]

> -Original Message-
> From: Dobbins, Roland 
> Sent: Wednesday, January 06, 2010 7:23 PM
> To: NANOG list
> Subject: Re: Default Passwords for World Wide Packets/Lightning Edge
> Equipment
> 
> 
> On Jan 7, 2010, at 10:19 AM, Dobbins, Roland wrote:
> 
> > Which goes to show that they just really don't get it when it comes
> to security.  Maybe they should look here at all the entries for
> 'default credentials':
> 
> Actually, should be 'default password'.
> 

One of the problems I have seen is an organization where someone uses
something stupid just to get something up and running (say a password of
"password" or "foo" or something) with every intention of coming back to
fix it later but forgets to.  That is what I meant yesterday about an
organizational "default" password that can be just as bad as the
manufacturers default.

At least with some manufacturers you can log in from the console with
the factory "default" password but can't log in over the network unless
you have set one. 

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Joe Hamelin]

On Wed, Jan 6, 2010 at 7:19 PM, Dobbins, Roland  wrote:
> Which goes to show that they just really don't get it when it comes to 
> security.  Maybe they  should look here at all the entries for 'default 
> credentials':

Roland, this isn't the home wi-fi market we're talking about.  Anyone
that's going to buy one of these puppies is going to have a clue about
putting their password in.  BTW: You have to be on the console or the
management port on them to use the default password (ok, you could get
on the right VLAN too.)  Problem solved, except for those cases where
the operator is a total idiot.  Trust me, the shop I'm working for
isn't that way, not with the size of the roll-out we're doing (25k+
switches.)

I liked what you said about firewalls vs. servers but, to be honest, in
this thread you're really beating a dead horse.

-Joe

-- 
Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Joe Greco]

> On Wed, Jan 6, 2010 at 7:19 PM, Dobbins, Roland  wrote:
> > Which goes to show that they just really don't get it when it comes to 
> > security.  Maybe they  should look here at all the entries for 'default 
> > credentials':
> 
> Roland, this isn't the home wi-fi market we're talking about.  Anyone
> that's going to buy one of these puppies is going to have a clue about
> putting their password in. 

You apparently missed the recent thread on NANOG where this guy was asking
for some help with "Default Passwords for World Wide Packets/Lightning Edge
Equipment" ...  apparently not everyone has the "clue" you expect them to.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Matthew Palmer]

On Wed, Jan 06, 2010 at 10:45:32PM -0600, Joe Greco wrote:
> > On Wed, Jan 6, 2010 at 7:19 PM, Dobbins, Roland  wrote:
> > > Which goes to show that they just really don't get it when it comes to 
> > > security. ?Maybe they  should look here at all the entries for 'default 
> > > credentials':
> > 
> > Roland, this isn't the home wi-fi market we're talking about.  Anyone
> > that's going to buy one of these puppies is going to have a clue about
> > putting their password in. 
> 
> You apparently missed the recent thread on NANOG where this guy was asking
> for some help with "Default Passwords for World Wide Packets/Lightning Edge
> Equipment" ...  apparently not everyone has the "clue" you expect them to.

To be fair, he was just asking about factory resetting the device because
the current password was unknown, then reconfiguring the device (I'm willing
to be generous and assume that the reconfiguration included setting a new,
secure password).

- Matt

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Joe Greco]

> On Wed, Jan 06, 2010 at 10:45:32PM -0600, Joe Greco wrote:
> > > On Wed, Jan 6, 2010 at 7:19 PM, Dobbins, Roland  
> > > wrote:
> > > > Which goes to show that they just really don't get it when it comes to 
> > > > security. ?Maybe they  should look here at all the entries for 'default 
> > > > credentials':
> > > 
> > > Roland, this isn't the home wi-fi market we're talking about.  Anyone
> > > that's going to buy one of these puppies is going to have a clue about
> > > putting their password in. 
> > 
> > You apparently missed the recent thread on NANOG where this guy was asking
> > for some help with "Default Passwords for World Wide Packets/Lightning Edge
> > Equipment" ...  apparently not everyone has the "clue" you expect them to.
> 
> To be fair, he was just asking about factory resetting the device because
> the current password was unknown, then reconfiguring the device (I'm willing
> to be generous and assume that the reconfiguration included setting a new,
> secure password).

But that's my point.  Someone who is presumably reasonably clueful had
a problem determining what a predefined default password for a given 
device is.  If it's difficult to determine THAT, what sort of chance
does an engineer/admin have when he doesn't even possess the manual for
the device, and it requires some more clever and sophisticated serial-
number based method?

The fact that someone has purchased some extremely expensive device does
not guarantee that the next guy who has to run it will magically be able
to figure it all out.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Bjørn Mork]

"Jeffrey I. Schiller"  writes:

> An option I saw years ago (I forgot on whose equipment) was a default
> password which was a function of the equipment's serial number. So you
> had to have the algorithm and you needed the serial number which was not
> related to the MAC. So if you didn't have physical access, you were not
> in a good position to learn the password.
>
> I suspect this was a support nightmare for the vendor and I bet they
> went to a more standard (read: the same) factory password.

Another class of devices, but the Compaq OOM management cards for
servers ("RILOE") used to do this.  Really nice when the serial number
is placed on a sticker on a PCI card...  You would usually have to shut
down the server and pull out the card to read the sticker.  Unless it
had fallen off.  Did I mention that the cards had a number of stickers
with similar numbers on them with no indication which was the real
serial number?

Well, I'm not going to claim this was the reason why there is no Compaq
anymore, but it must have cost them *a lot* in support and frustrated
users.  For what passible gain?  It was still a default password, just a
tiny bit more obscure. 



Bjørn

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Nathan Eisenberg]

Matthew Palmer [mpal...@hezmatt.org]
> To be fair, he was just asking about factory resetting the device
> because
> the current password was unknown, then reconfiguring the device (I'm
> willing
> to be generous and assume that the reconfiguration included setting a
> new,
> secure password).

Thank you - You're correct.  The administration and security of these devices 
is hardly magic - but one has to be able to access them in order to secure 
them.  The devices haven't even left my hotel room for the production site, and 
you would already be SOL if you didn't have access to the either the 
(management interface AND the Very Long Password) or the (reset button AND the 
management interface AND (the default password)).  

Dobbins, Roland [rdobb...@arbor.net]
> Which goes to show that they just really don't get it when it comes to
> security.  

So are you specifically opposed to globally default passwords, or are you 
opposed to being able to reset a device to factory defaults and somehow get 
into the device?  Because while I still maintain there's no real security issue 
with the former (if there is, there's a bigger issue), all that I'm really gung 
ho for is the ability to get into a piece of equipment I need to operate, even 
if I don't have credentials to it.  

Nothing grinds my gears more than equipment that has to be thrown out because 
there is no recovery mechanism.  I frankly don't much care if the default 
password on my WWP LE427 is 'wwp' or 
'wwp[serial-number-which-is-printed-on-the-back]' - as long as I can get it so 
I can get in and change it, I'm happy.

Steven Bellovin [...@cs.columbia.edu]
> And we all suffer from p0wned devices, because they
> get turned into bots.  Roland is 100% right.

Eh... I think this is confusing cause and effect.  We all suffer, but the fact 
that a device is compromised because of a default password is, at the root of 
the chain, the result of a faulty Operator.  Why was the password left at 
default?  Why was it possible to access the management interface to utilize the 
default password?  I would argue that the solution is to replace or modify the 
defective operator, rather than replacing, eliminating, or modifying the tool 
they misused.

Joe Hamelin [...@nethead.com]
> I've been in training with the WWP folks for the last two days (VERY
> GOOD TRAINING, BTW!) and they got quite a chuckle out of this thread.

Are they still around, or are they Ciena employees?  My understanding was that 
they were completely acquired.

> If you got some serious layer 2 stuff to do, these boxes have a really
> interesting architecture and some trick features (unix type shell, for
> one.)

Yep, they're rock solid devices.  Every deployment I've seen of them as worked 
very well.  Ciena certainly got a good deal out of buying them!  I'm actually 
not sure how much of the WWP gear is still manufactured.

Thank you all again for helping me sort out what the factory default WWP 
passwords are so that I can now have a secure and documented deployment out 
here!  I've received a couple offers of technical assistance from WWP veterans 
that I may well take up moving forward.

Best Regards,
Nathan Eisenberg

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Sean Donelan]

On Thu, 7 Jan 2010, Dobbins, Roland wrote:

Which goes to show that they just really don't get it when it comes to 
security.  Maybe they should look here at all the entries for 'default 
credentials':


Actually, should be 'default password'.


Default credentials may be a more generic description of the problem 
(although "default password" is a better search term).  A problem with 
default credentials is history has demonstrated even an expert (i.e. 
the vendors own technical support) aren't always certain they've 
found and changed every default credential possible on complex devices. 
Its not just the usual console access, but also snmp protocals 
public/private, http protocols admin, ldap cn=admin, postscript none, 
decnet mop, and so on.  Even if you think you know every possible 
protocol, some vendors have had the habit of adding new protocols in 
updates with its own set of defaults for new remote access protocols.


Multiple protocols, using multiple authorization sources, with defaults.

Its not a suprise why old-timers get annoyed with vendor gear with 
default remote access methods enabled before the user configured the
access credentials for the access method.  Eventually you'll get bit by 
some device, some protocol, that has something enabled without your 
knowledge.  If you require your vendors not to ship stuff with remote
access enabled by default, its not a substitute for your own due 
dilgence, but in practice it helps reduce unexpected incidents.

RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Jason Shearer]

I kind of liked the way the Symantec Vraptor (piece of junk) firewalls used to 
do it.  Factory reset from the front panel, set addressing and it generates new 
passwords displayed on the LCD.

Jason

*** NOTICE--The attached communication contains privileged and confidential 
information. If you are not the intended recipient, DO NOT read, copy, or 
disseminate this communication. Non-intended recipients are hereby placed on 
notice that any unauthorized disclosure, duplication, distribution, or taking 
of any action in reliance on the contents of these materials is expressly 
prohibited. If you have received this communication in error, please delete 
this information in its entirety and contact the Amedisys Privacy Hotline at 
1-866-518-6684. Also, please immediately notify the sender via e-mail that you 
have received this communication in error. ***

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Steven Bellovin]

On Jan 6, 2010, at 11:38 PM, Joe Hamelin wrote:

> On Wed, Jan 6, 2010 at 7:19 PM, Dobbins, Roland  wrote:
>> Which goes to show that they just really don't get it when it comes to 
>> security.  Maybe they  should look here at all the entries for 'default 
>> credentials':
> 
> Roland, this isn't the home wi-fi market we're talking about.  Anyone
> that's going to buy one of these puppies is going to have a clue about
> putting their password in.

Again, look at 
http://ids.ftw.fm/Home/publications/RouterScan-RAID09-Poster.pdf?attredirects=0 
-- while consumer devices were much worse, there was a noticeable problem on 
enterprise devices and a significant problem with VoIP devices, and I suspect 
that those latter are largely enterprise-based.


--Steve Bellovin, http://www.cs.columbia.edu/~smb

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Ricky Beam]

On Wed, 06 Jan 2010 18:24:26 -0500, Jeffrey I. Schiller   
wrote:

An option I saw years ago (I forgot on whose equipment) was a default
password which was a function of the equipment's serial number. So you
had to have the algorithm and you needed the serial number which was not
related to the MAC. So if you didn't have physical access, you were not
in a good position to learn the password.


Gadzoox used to do that... the management modules for their hubs had  
factory set random passwords.  It's provided on a sticker with the card,  
so you can put it where you want -- just don't lose it, because that's  
only place it exists (without breaking out a JTAG debugger.)


Yes, their later gear has standard default passwords.

--Ricky

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Ricky Beam]

On Wed, 06 Jan 2010 19:13:28 -0500, Nick Hale  wrote:

I think the vendor you're thinking of was Cabletron (now Enterasys).  I
had to call them and give them the Serial Number for them to provide me
with the default password to the system after a hard reset (this was for
an ELS100-24TXG 'switch').


And their CPE gear had a 5 minute password reset window after power on.   
We hated the customers who'd figured that out.


While we're on the subject, a lot of leibert gear has a dip switch/jumper  
block to turn passwords off entirely. (of course, that requires physical  
access and a power cycle.)


--Ricky

Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

[Joe Greco]

> While we're on the subject, a lot of leibert gear has a dip switch/jumper  
> block to turn passwords off entirely. (of course, that requires physical  
> access and a power cycle.)

So do a lot of HP/Compaq servers with integrated lights out management.
Don't think you even need to power cycle (whether you're brave enough to
go poking around the deep innards of an energized server is another
matter).  I know the DIP switch on older DL385's is a micro DIP switch
and it's inconveniently located in the middle of the server behind some
stuff.

The good part is that you can clear out unknown passwords as long as you
have access to the chassis innards.  The bad part is that I've seen these
left in password bypass mode (though the BIOS thoughtfully warns you of
the status if you do that).

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.

RFID in datacenter (was Re: Default Passwords for World Wide Packets/Lightning Edge Equipment)

[George Imburgia]

On Wed, 13 Jan 2010, Barry Shein wrote:


The big advantage of RFIDs is that you don't need line of sight access
like you do with bar codes, they use RF, radio frequency.


Which is also a big disadvantage in a datacenter. Ever tried to use a 
radio in one?


The RF noise generated by digital equipment seriously erodes signal 
quality. Considering the relatively weak signal returned from RFID tags, 
I'd be surprised if you'd get any kind of useful range.


Has anybody tried it out?

Re: RFID in datacenter (was Re: Default Passwords for World Wide Packets/Lightning Edge Equipment)

[Brett Frankenberger]

On Wed, Jan 13, 2010 at 01:51:41PM -0500, George Imburgia wrote:
>
> On Wed, 13 Jan 2010, Barry Shein wrote:
>
>> The big advantage of RFIDs is that you don't need line of sight access
>> like you do with bar codes, they use RF, radio frequency.
>
> Which is also a big disadvantage in a datacenter. Ever tried to use a  
> radio in one?
>
> The RF noise generated by digital equipment seriously erodes signal  
> quality. Considering the relatively weak signal returned from RFID tags,  
> I'd be surprised if you'd get any kind of useful range.
>
> Has anybody tried it out?
>

Re: RFID in datacenter (was Re: Default Passwords for World Wide Packets/Lightning Edge Equipment)

[Stefan]

On Wed, Jan 13, 2010 at 12:51 PM, George Imburgia
wrote:

>
> On Wed, 13 Jan 2010, Barry Shein wrote:
>
>  The big advantage of RFIDs is that you don't need line of sight access
>> like you do with bar codes, they use RF, radio frequency.
>>
>
> Which is also a big disadvantage in a datacenter. Ever tried to use a radio
> in one?
>
> The RF noise generated by digital equipment seriously erodes signal
> quality. Considering the relatively weak signal returned from RFID tags, I'd
> be surprised if you'd get any kind of useful range.
>
> Has anybody tried it out?
>
>
FYI: Looked into this in my previous job-project, and bookmarked this as a
positive record of such:
http://www.datacenterknowledge.com/archives/2008/11/03/rfid-in-the-data-center/I
think it works.

***Stefan Mititelu
http://twitter.com/netfortius
http://www.linkedin.com/in/netfortius