Re: [AFMUG] Trango Security Issue

2016-11-14 Thread Adam Moffett
LOL -- Original Message -- From: "Ken Hohhof" To: af@afmug.com Sent: 11/14/2016 12:22:43 PM Subject: Re: [AFMUG] Trango Security Issue I had a friend who kept a spare car key in his glove compartment in case he locked himself out of his car. From: Af [mailto:af-boun...

Re: [AFMUG] Trango Security Issue

2016-11-14 Thread Ken Hohhof
I had a friend who kept a spare car key in his glove compartment in case he locked himself out of his car. From: Af [mailto:af-boun...@afmug.com] On Behalf Of Simon Westlake Sent: Monday, November 14, 2016 11:04 AM To: af@afmug.com Subject: Re: [AFMUG] Trango Security Issue I wouldn'

Re: [AFMUG] Trango Security Issue

2016-11-14 Thread Adam Moffett
Well said. -- Original Message -- From: "Simon Westlake" To: af@afmug.com Sent: 11/14/2016 12:03:35 PM Subject: Re: [AFMUG] Trango Security Issue I wouldn't recommend panic anyway (unless your management infrastructure is not properly secured, in which case, I woul

Re: [AFMUG] Trango Security Issue

2016-11-14 Thread Simon Westlake
@afmug.com> Sent: 11/14/2016 11:13:39 AM Subject: Re: [AFMUG] Trango Security Issue Just last week someone was dealing with a whole Mikrotik network from a WISP they bought and the fired ex admin had changed all the passwords. So it’s not just people too lazy to keep track of passwords.

Re: [AFMUG] Trango Security Issue

2016-11-14 Thread Adam Moffett
I can see both sides of this. Simon and Paul make correct and salient arguments about having a back door, but like Ken I'm not panicking about it. -- Original Message -- From: "Ken Hohhof" To: af@afmug.com Sent: 11/14/2016 11:13:39 AM Subject: Re: [AFMUG] Trango Secur

Re: [AFMUG] Trango Security Issue

2016-11-14 Thread Ken Hohhof
, November 14, 2016 9:58 AM To: af@afmug.com Subject: Re: [AFMUG] Trango Security Issue Agree 110% … It does suck re: having to climb a tower to reset a password but would also think that folks might suddenly be inclined to keep better track of passwords after having to do so a couple of

Re: [AFMUG] Trango Security Issue

2016-11-14 Thread Simon Westlake
November 14, 2016 9:11 AM *To:*af@afmug.com *Subject:*Re: [AFMUG] Trango Security Issue There's no reason for it to be secret, either. If it exists purely to assist customers who forgot their password, then there is no reason to both disclose it, and offer the user the ability to turn it of

Re: [AFMUG] Trango Security Issue

2016-11-14 Thread Paul Stewart
Ken Hohhof > <mailto:af...@kwisp.com>> wrote: >> >> Well, it’s not a secret backdoor if you disclose it. >> >> “You ever flashy thinged me?” >> “No.” >> “I ain’t playing with you, K, you ever flashy thinged me”? >> “No.” >> >>

Re: [AFMUG] Trango Security Issue

2016-11-14 Thread Simon Westlake
he one the Chinese chip maker put there, the one Fancy Bear put there … *From:*Af [mailto:af-boun...@afmug.com] *On Behalf Of *Simon Westlake *Sent:* Monday, November 14, 2016 9:11 AM *To:* af@afmug.com *Subject:* Re: [AFMUG] Trango Security Issue There's no reason for it to be secret, eithe

Re: [AFMUG] Trango Security Issue

2016-11-14 Thread Ken Hohhof
there and didn’t tell his boss about, the one the Chinese chip maker put there, the one Fancy Bear put there … From: Af [mailto:af-boun...@afmug.com] On Behalf Of Simon Westlake Sent: Monday, November 14, 2016 9:11 AM To: af@afmug.com Subject: Re: [AFMUG] Trango Security Issue There'

Re: [AFMUG] Trango Security Issue

2016-11-14 Thread Simon Westlake
> *Subject:*Re: [AFMUG] Trango Security Issue Different people deploy them different ways … good or bad … The biggest problem I have with this is when a vendor doesn’t disclose this information and that a customer cannot choose to remove this option if the vendor insists on putting it in place. On

Re: [AFMUG] Trango Security Issue

2016-11-13 Thread Paul Stewart
oun...@afmug.com>] On > Behalf Of Paul Stewart > Sent: Sunday, November 13, 2016 3:56 PM > To: af@afmug.com <mailto:af@afmug.com> > Subject: Re: [AFMUG] Trango Security Issue > > Different people deploy them different ways … good or bad … > > The biggest proble

Re: [AFMUG] Trango Security Issue

2016-11-13 Thread Ken Hohhof
: [AFMUG] Trango Security Issue Different people deploy them different ways … good or bad … The biggest problem I have with this is when a vendor doesn’t disclose this information and that a customer cannot choose to remove this option if the vendor insists on putting it in place

Re: [AFMUG] Trango Security Issue

2016-11-13 Thread Josh Reynolds
Consider setting up an openvpn "jump box" for vendors (and yourself!) to use. On Nov 13, 2016 4:00 PM, "Bill Prince" wrote: > We checked our Trango PTP links, and they all have this issue. They are > all on private /30 or /29 subnets, but we added a couple firewall rules to > prevent any SSH int

Re: [AFMUG] Trango Security Issue

2016-11-13 Thread Bill Prince
We checked our Trango PTP links, and they all have this issue. They are all on private /30 or /29 subnets, but we added a couple firewall rules to prevent any SSH interlopers from getting in. Sure, we'll have to disable the firewall rules to actually get in to do something, but that doesn't hap

Re: [AFMUG] Trango Security Issue

2016-11-13 Thread Paul Stewart
Different people deploy them different ways … good or bad … The biggest problem I have with this is when a vendor doesn’t disclose this information and that a customer cannot choose to remove this option if the vendor insists on putting it in place. > On Nov 13, 2016, at 4:35 PM, George Skor

Re: [AFMUG] Trango Security Issue

2016-11-13 Thread George Skorup
I don't exactly see the problem, especially with a PTP radio that should only be accessible from within your network and possibly only from management subnets/VLANs, too. If it's a public facing piece of equipment like a router, then sure, I agree. On 11/13/2016 3:07 PM, Paul Stewart wrote: To

Re: [AFMUG] Trango Security Issue

2016-11-13 Thread Paul Stewart
Totally disagree with this… we would never let a vendor into our network if there was a possibility of this. It puts our network at risk from their stupidity …. We aggressively look at this when new products are coming into the network - realizing that sometimes there’s no way to detect it but

Re: [AFMUG] Trango Security Issue

2016-11-13 Thread Ken Hohhof
...@afmug.com] On Behalf Of Josh Reynolds Sent: Saturday, November 12, 2016 3:14 PM To: af@afmug.com Subject: Re: [AFMUG] Trango Security Issue +1 On Nov 12, 2016 1:37 PM, "Colin Stanners" wrote: Any security holes are perfectly secure until they are discovered. Having a backdoor into you

Re: [AFMUG] Trango Security Issue

2016-11-13 Thread Paul Stewart
Haven’t been a customer in years but I’ll still comment.. 1) Sure that’s nice … but doesn’t mean damage can’t be done 2) Sure passwords get lost - but if a tower climb to hit a reset button is the only option then so be it instead of a fixed root “backdoor” password…. I think that part that is m

Re: [AFMUG] Trango Security Issue

2016-11-12 Thread Josh Reynolds
+1 On Nov 12, 2016 1:37 PM, "Colin Stanners" wrote: > Any security holes are perfectly secure until they are discovered. Having > a backdoor into your products can be argued as good or bad, mostly > depending on whether customers know or not. > > But the crux is that having a hard-coded password

Re: [AFMUG] Trango Security Issue

2016-11-12 Thread Seth Mattinen
On 11/12/16 11:17, Chris Gustaf wrote: The current method has worked well for 10 years with no breaches reported to us. The secret is out, time to reset the clock. ~Seth

Re: [AFMUG] Trango Security Issue

2016-11-12 Thread Colin Stanners
Any security holes are perfectly secure until they are discovered. Having a backdoor into your products can be argued as good or bad, mostly depending on whether customers know or not. But the crux is that having a hard-coded password on devices is still monumentally stupid, when it's trivially ea

Re: [AFMUG] Trango Security Issue

2016-11-12 Thread Chris Gustaf
A couple clarifications on this- 1) All Trango microwave products have separate control and data planes, so root level access does not allow any packet sniffing. No user data goes through the CPU. 2) Trango investigated using a Salt to make each root level password unique, but opted against it si

Re: [AFMUG] Trango Security Issue

2016-11-12 Thread Chuck McCown
yep, karma From: Mike Hammett Sent: Saturday, November 12, 2016 8:18 AM To: af@afmug.com Subject: Re: [AFMUG] Trango Security Issue So the moral of the story is if you steal software, you'll die and leave your family burned with a shitty lawsuit? - Mike Hammett Intelligent Comp

Re: [AFMUG] Trango Security Issue

2016-11-12 Thread Mike Hammett
o: af@afmug.com Sent: Saturday, November 12, 2016 9:15:44 AM Subject: Re: [AFMUG] Trango Security Issue I will never forget the first time I cracked one of these backdoors. It was a central office telephone switch made by Harris. The company had purchased it used in Puerto Rico and did

Re: [AFMUG] Trango Security Issue

2016-11-12 Thread Chuck McCown
And I guess it was not really a “backdoor” just the vendors password, but it did give me a great sense of satisfaction. From: Chuck McCown Sent: Saturday, November 12, 2016 8:15 AM To: af@afmug.com Subject: Re: [AFMUG] Trango Security Issue I will never forget the first time I cracked one

Re: [AFMUG] Trango Security Issue

2016-11-12 Thread Mike Hammett
2016 9:12:06 AM Subject: Re: [AFMUG] Trango Security Issue I'm sure many of them do, but it's trivial to make such a backdoor essentially unbreakable unless a high-level encryption key theft happens inside the manufacturer. E.g. user "backdoor" with the password being a hash of

Re: [AFMUG] Trango Security Issue

2016-11-12 Thread Chuck McCown
still going... From: Mike Hammett Sent: Saturday, November 12, 2016 7:52 AM To: af@afmug.com Subject: Re: [AFMUG] Trango Security Issue I would be surprised if *EVERY* platform didn't have some secret manufacturer backdoor, some just are better guarded than others. - Mike Ha

Re: [AFMUG] Trango Security Issue

2016-11-12 Thread Colin Stanners
/twitter.com/mdwestix> > The Brothers WISP <http://www.thebrotherswisp.com/> > <https://www.facebook.com/thebrotherswisp> > > > <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> > -- > *From: *"Jon Langeler" > *To:

Re: [AFMUG] Trango Security Issue

2016-11-12 Thread Mike Hammett
eler" To: af@afmug.com Sent: Saturday, November 12, 2016 8:44:59 AM Subject: Re: [AFMUG] Trango Security Issue It's not the first time that a manufacturer has a secret root account. It just got out Jon Langeler Michwave Technologies, Inc. On Nov 12, 2016, at 7:09

Re: [AFMUG] Trango Security Issue

2016-11-12 Thread Jon Langeler
It's not the first time that a manufacturer has a secret root account. It just got out Jon Langeler Michwave Technologies, Inc. > On Nov 12, 2016, at 7:09 AM, Paul Stewart wrote: > > Yikes…. > > > > [+] Credits: Ian Ling > [+] Website: iancaling.com > [+] Source: http://blog.iancaling.com/

Re: [AFMUG] Trango Security Issue

2016-11-12 Thread Colin Stanners
One good thing about the Ubiquiti worm(s) is that any network operator who lacked the sense or experience to do so has hopefully fixed things up. On Sat, Nov 12, 2016 at 7:53 AM, Simon Westlake wrote: > Hopefully everyone has their management subnets firewalled away from any > unauthorized users

Re: [AFMUG] Trango Security Issue

2016-11-12 Thread Simon Westlake
Hopefully everyone has their management subnets firewalled away from any unauthorized users.. On 11/12/2016 6:09 AM, Paul Stewart wrote: Yikes…. [+] Credits: Ian Ling [+] Website: iancaling.com [+] Source: http://blog.iancaling.com/post/153011925478/ Vendor: =

Re: [AFMUG] Trango Security Issue

2016-11-12 Thread Paul Stewart
that answer varies … they could be not acknowledging this, they could still be trying to figure it out …. hard to tell with vendors - some of them are great at dealing with this kind of stuff and some put their head in the sand …. Also - this notice doesn’t mean 100% that it’s actually correct …

Re: [AFMUG] Trango Security Issue

2016-11-12 Thread can...@believewireless.net
Why didn't Trango announce this to customers? On Sat, Nov 12, 2016 at 7:09 AM, Paul Stewart wrote: > Yikes…. > > > > [+] Credits: Ian Ling > [+] Website: iancaling.com > [+] Source: http://blog.iancaling.com/post/153011925478/ > > Vendor: > = > www.trangosys.com > > Products: > =

[AFMUG] Trango Security Issue

2016-11-12 Thread Paul Stewart
Yikes…. [+] Credits: Ian Ling [+] Website: iancaling.com [+] Source: http://blog.iancaling.com/post/153011925478/ Vendor: = www.trangosys.com Products: == All