nanog mailing list archives

Re: Cisco, haven't we learned anything? (technician reset)
From: eric <eric-list-nanog () catastrophe net>
Date: Thu, 12 Jan 2006 20:34:30 -0600


On Thu, 2006-01-12 at 21:05:52 -0500, Steven M. Bellovin proclaimed...


How much entropy is there in such a serial number?  Little enough 
that it can be brute-forced by someone who knows the pattern?  Using 
some function of the serial number and a vendor-known secret key is 
better -- until, of course, that "secret" leaks.  (Anyone remember how 
telephone credit card number verification worked before they could do 
full real-time validation?  The Phone Company took a 10-digit phone 
number and calculated four extra digits, based on that year's secret.  
Guess how well that secret was kept....)


Hi Steven,

I believe the Netscreen default password of a serial number can only be
entered over the console (and possibly modem/aux) port(s).

