Backdoor root login found in Barracuda gear - and Barracuda is OK with this

Multiple Barracuda Networks products feature an undocumented backdoor, leaving widely deployed data centre kit vulnerable to hijacking. Secret privileged user accounts were found in various Barracuda appliances, including its flagship Spam and Virus Firewall, Web Application Firewall, Web Filter, SSL VPN, and other gear. The …

COMMENTS

This topic is closed for new posts.
  1. Wallyb132
    Big Brother

    Well this is certainly....

    Well this is certainly going to be interesting. I can see the tinfoil hat and black helicopter crowd queuing up ready to start going ape shit.

    This was starting off to be a slow news year, but this should be fun to watch.... /popcorn

    1. This post has been deleted by a moderator

      1. Wallyb132
        Coat

        Re: Well this is certainly....

        Eadon, it was a joke, there is this thing called sarcasm...

        have some more kool-aid...

        1. This post has been deleted by a moderator

          1. Anonymous Coward
            Windows

            Re: Well this is certainly....

            "@Every Windows user out there. I despise you and have spent way too much time trying to force my views down other people's throats, disregarding their choice in OS because Linux is great and it's great because I say so".

            There, fixed that for you.

          2. This post has been deleted by its author

          3. sabba
            Holmes

            Re: Well this is certainly....

            'explaining what a backdoor is' - surely, that's easy: it's the door that's round the back; as opposed to the front door, which is normally, but not always, at the front (and occasionally on the side).

            No, no need to thank me :-)

            1. Anonymous Coward
              Anonymous Coward

              Re: 'explaining what a backdoor is'

              Shirley if you search the term on Google you will find plenty of vids showing its use!

          4. Fatman
            Linux

            Re: MSCE types

            Oh, yes, the dreaded MCSE, aka

            Microsoft

            Certified

            Shutdown

            Engineer.

            Useless in a Linux shop, yet we get at least a dozen a month looking for positions. What a waste of time!

        2. Anonymous Coward
          Anonymous Coward

          Re: it was a joke

          Was it? It must have stopped being funny some time between when you wrote it and when I read it.

        3. This post has been deleted by its author

          1. Anonymous Coward
            Anonymous Coward

            Re: Well this is certainly....

            Wally, would you like to explain to the class what you were being sarcastic about? It sounds like you were taking the piss out of people concerned about the security of their data - "those paranoid folks who don't trust cloud vendors with their data and all." (Notice the sarcasm here?)

            If it was an honest mistake on Barracuda's part, what a fukup. Though I reserve the right to further suspicion.

    2. Destroy All Monsters Silver badge
      Paris Hilton

      Re: Well this is certainly....

      > This was starting off to be a slow news year

      Don't know whether you have been buried under the Jehovah Stone recently, but so far in this year:

      >Backdoor root login found in Barracuda gear, Barracuda is OK with this

      >'Gozi Trojan trio' blamed for multimillion-dollar bank raid spree

      >Surprised? Old Java exploit helped spread Red October spyware

      >Latest Java patch is not enough, warns US gov: Axe plugins NOW

      >DefenseCode turns up Linksys zero-day

      >'Better than Adobe' Foxit PDF plugin hit by worse-than-Adobe 0-day

      >Kill that Java plugin now! New 0-day exploit running wild online

      >Hellish XML demon exorcised from Windows, IE bug stays

      >Security bods rip off Microsoft's 'sticking plaster' IE bug fix

      >Microsoft scrambles to thwart new Internet Explorer 0-day attack

      If the slowness continues this way, we will all be pwned, enslaved by aliens from Zarkor IV (cunningly disguised as sexually appealing females of the genus homo sapiens sapiens) or communists before the end of the year.

    3. yossarianuk

      Re: Well this is certainly....

      Can only assume you're a Windows user and used to running systems with backdoors

  2. Ragarath
    FAIL

    Security by obscurity

    Not the best way, and why do the "customers" have to find out that this route exists, even if it is nigh on impossible to get into, from people other than Barracuda?

    Bad form in my opinion and would make me trust them a lot less.

    1. karlp

      Re: Security by obscurity

      In my dealings with Barracuda they have always been forthcoming with the fact they hold their own login points. They are, after all, a managed-solution appliance provider.

      I can't remember the exact wording of their T&C's, but I believe it's in there already.

      The fact they had thought to clamp down the IP range in the first place and are now pushing an update to help secure things a bit more is good.

      I am not saying that their solution is appropriate for everyone in all fields, but there are many applications where this is perfectly acceptable.

      Karl P

      1. Anonymous Coward
        Anonymous Coward

        Re: Security by obscurity

        Erm...

        The article makes multiple use of the word "undocumented", including, interestingly: "Steve Pao, VP for Product Management at Barracuda Networks, told El Reg that the undocumented superuser accounts were established..."

        The source alert also makes multiple use of the word "undocumented", e.g. "This functionality is entirely undocumented and can only be disabled via a hidden 'expert options' dialog (see Workaround)."

        ...so I'm inclined to think that these backdoors are, in fact, undocumented.

      2. Anonymous Coward
        Anonymous Coward

        Backdoor in security device is acceptable?

        "The fact they had thought to clamp down the IP range in the first place"

        What if someone got control of an upstream router and redirected traffic specific to that IP range?

        "I am not saying that their solution is appropriate for everyone in all fields, but there are many applications where this is perfectly acceptable".

        But totally unacceptable in security devices, any such vulnerability will eventually be exploited.

        1. Blitterbug
          Unhappy

          Re: totally unacceptable in security devices

          Agreed - I see Barracuda potentially losing some major blue chippies from their client rosters (but possibly gaining sales from those that enjoy close ties with dodgy guvmints - not excluding ours of course!)

        2. This post has been deleted by its author

      3. Anonymous Coward
        Anonymous Coward

        Barracuda Terms & Conditions ...

        "I can't remember the exact wording of their T&C's, but I believe it's in there already"

        'Customer agrees to allow Barracuda Networks to collect information ("Statistics") from their Barracuda Networks .. "Statistics" include, but are not limited to, the number of messages .. and other statistics' (link)

  3. JimmyPage
    FAIL

    FIELD/SERVICE ?

    1. Destroy All Monsters Silver badge

      rms/rms

  4. This post has been deleted by a moderator

    1. Anonymous Coward
      Anonymous Coward

      Re: ANY closed source software might have secret back doors

      Wrong. Under NDA, with a contract, and after payment, you can (or could) get the source code for almost anything. I used to work for a company that paid for the source code for every operating system that we ran. Was it worth it? I don't know, that wasn't my responsibility or decision. I actually have the source code (from 1992) for the system that ran the shop floor... it's about 5 kilos of microfiche.

      1. Anonymous Coward
        Anonymous Coward

        @AC 18:11GMT - Re: ANY closed source software might have secret back doors

        And how do you know it is the same source that has been compiled into your binaries ? How can you tell the source code has not been slightly edited specially for you ? How can you tell if that source code hasn't been altered just after they gave you a copy ?

        Asking for the source code of closed proprietary software is useless; those vendors were laughing behind your back counting the money.

        1. Anonymous Coward
          Anonymous Coward

          Re: @AC 18:11GMT - ANY closed source software might have secret back doors

          Noooo...... I'm sure AC 18:11GMT was careful to spec exactly the same build environment running identical versions of every tool and then painstakingly compile the entire suite against identical versions of every dependency using identical compiler arguments before confirming the binary diffs or hashes of every file he produced against those originally provided. Having first read and understood every line of the source, of course.

          /sarc

          The point of (F)OSS, AC18:11, is it's DEVELOPED in the open - so myriad interested parties pick over the areas which most interest each of them throughout the software's evolution, as they all work to improve THEIR software. Rather than dumping gigabytes of poorly designed and craply commented code on some hapless employee and saying "check that", he'd be working among a large group with compatible goals, public documentation and public mailing lists on which to openly discuss the code with its developers and other interested parties - like independent "security researchers".

          1. Anonymous Coward
            Anonymous Coward

            Re: @AC 20:36GMT

            And you think only closed source software shops are evil? Or do you think only OSS developers are nice/good/upstanding/righteous?

            I've had developers take me through their proprietary code to explain exactly why a long login banner caused certain logins to fail messily (not just make it unable for them to log in).

            The problem with people like you is that your attitude makes me think more highly of the scum at Microsoft whom I've been cursing since 1988 - the ones that write and maintain the Bill Gates virus (Windows.)

        2. Anonymous Coward
          Anonymous Coward

          Re: @AC 18:54GMT

          1) because we licensed the compilers and used comparison programs running on our internally developed operating system (I think it was system 5 release 3.2 at that time)

          2) why would we need to know that?

          3) I'm sure it was altered, several updated versions were released after we PURCHASED a copy.

          I'm sure it wasn't useless as I don't think we paid for it to validate it, but rather to use it as an example and add/change functionality.

      2. Jeremy Allison
        Linux

        Re: ANY closed source software might have secret back doors

        Sure you can get the source code. But unless you build it yourself, you can't know that what you are running matches the source code you were given under the contracted NDA.

        That always amuses me about the Microsoft claims of "but we gave the organization the source code, so it's the same as Open Source/Free Software, honest !"

        Unless the organization has the build system as well, and does their own builds, then no it really isn't the same.

        The wonderful thing about the Linux-based Open Source/Free Software releases is that you get the build systems as well and they're really widely understood - so if you're really paranoid yes you *can* build everything yourself. From scratch - just like CentOS does.

        Of course then you have to trust the compiler, but now we're going into an interesting recursive problem :-).

        http://cm.bell-labs.com/who/ken/trust.html

        Jeremy.

    2. graeme leggett

      Re: ANY closed source software might have secret back doors

      Aren't Barracuda appliances built on open source software?

      Linux, Spamassassin, ClamAV, etc

      https://www.barracudanetworks.com/company/opensource

      1. yossarianuk

        Re: ANY closed source software might have secret back doors

        Yes and so are many components of Apple and even Windows (the Windows TCP/IP stack I believe was originally 'lifted' from the opensource world) - like them, it doesn't mean that Barracuda devices are opensource though.

        If the components were GPLv3 they would have to be though I believe.

    3. jake Silver badge

      @Eadon (was:Re: ANY closed source software might have secret back doors)

      Eadon, have you ever read Ken Thompson's ACM paper "Reflections on Trusting Trust" from 1984? It's a good read, and the concepts haven't changed in the intervening quarter century. See:

      http://cm.bell-labs.com/who/ken/trust.html

      Basically, who built your initial, basic binary tool chain? It wasn't you, that's for certain ... and it's trivially easy for me to insert code into the assembler and/or linker to include back doors in any given executable. This works even when that code isn't actually in the source fed into the compiler. It even works if you re-compile the assembler & linker from "inspected, clean" source.

      In other words, if you haven't inspected the basic tool chain at a ones & zeros level, and then read and understood every single line of the source in your system before compiling it, you're being just as faithful as anyone running Redmond or Cupertino.

      So get off your fucking high-horse, youngster. You know not of what you speak.

      1. Mephistro Silver badge

        Re: @Eadon (was:ANY closed source software might have secret back doors) (@ jake)

        "Basically, who built your initial, basic binary tool chain? It wasn't you, that's for certain ... and it's trivially easy for me to insert code into the assembler and/or linker to include back doors in any given executable"

        Partial solutions to this:

        - Compile the source yourself, if possible with an open source compiler.

        - Do the same with the other elements in your toolchain.

        While I agree that the 'Trusting trust' document should be read -and understood- by every IT professional, and it makes quite clear that you can't completely trust ANY system, your comment seems to be arguing that, as we can't make any system 100 % safe, we shouldn't bother trying. Imagine if we used this same argument in other areas. "As we can't totally eradicate crime, we shouldn't bother to have law enforcement" or, "As we can't totally eradicate disease, we shouldn't bother to have doctors and hospitals"...

        I understand that the solutions I listed are difficult, time consuming and hence expensive, but there usually is a point of balance between the security measures and the level of protection. As an example, I'd say that just using the first solution (open source + recompile) would either lower the risk a 95 %* or leave a backdoor for some ITs pook that died of old age in 1997.

        :-)

        *: Yep, you guessed it, I took that figure from my backside. But you get the general idea

        1. jake Silver badge

          Re: @Eadon (was:ANY closed source software might have secret back doors) (@ jake)

          "Compile the source yourself, if possible with an open source compiler."

          You don't actually understand the issue, do you? Did you read & understand ken's article?

          "your comment seems to be arguing that, as we can't make any system 100 % safe, we shouldn't bother trying."

          No. My comment is arguing that if you don't actually understand what you are talking about, it's probably better to keep your mouth shut and be assumed ignorant, than open it and prove your ignorance to all and sundry.

          ""As we can't totally eradicate crime, we shouldn't bother to have law enforcement" or, "As we can't totally eradicate disease, we shouldn't bother to have doctors and hospitals"..."

          Reductio ad absurdum rarely works in this forum.

          "a backdoor for some ITs pook that died of old age in 1997."

          ken's not dead. He works for the gootards.

          1. Mephistro Silver badge

            Re: @Eadon (was:ANY closed source software might have secret back doors) (@ jake)++

            Jake wrote:

            "You don't actually understand the issue, do you? Did you read & understand ken's article?"

            It's not rocket science. The 'Trusting trust' article says that you can't trust any system that you haven't created yourself from the ground up, and I wholeheartedly agree with that. I think my comment makes this clear enough.

            "My comment is arguing that if you don't actually understand what you are talking about, it's probably better to keep your mouth shut and be assumed ignorant, than open it and prove your ignorance to all and sundry."

            Would you be so kind as to point out exactly what parts of my comment make you think I "don't actually understand" what I'm talking about? If you don't, I'll consider your answer just as a nursery-level ad hominem.

            "Reductio ad absurdum rarely works in this forum."

            Or so you say. It would help if you were able to explain why exactly this particular 'reductio' is wrong. Otherwise, other readers might come to the conclusion that you're FOS.

            "ken's not dead. He works for the gootards."

            If you think that when I wrote "some ITs pook that died of old age in 1997." (sorry for the misplaced whitespace :-) I was making a reference to Ken Thompson, then you're seriously lacking reading comprehension.

            To clarify my point:

            - Security can be greatly improved by taking partial measures, without the costs jumping to infinity. That's why I used the reductio ad absurdum argument. IT professionals usually try to get to a compromise between costs and results. Just like everybody else. Using FOSS can give you a big advantage security-wise for a relatively low cost, but there is no such thing as '100% safe', at least in IT.

            - I can't totally subscribe to what Eadon said, but he is at least partially right, and IMHO some of the arguments you made against his comment are quite wrong, and I was just pointing that out.

            PD: Seriously, jake, why all the hate?

    4. mickey mouse the fith

      Re: ANY closed source software might have secret back doors

      " But even if you do not personally inspect it, you have more reassurance anyway - for, way with Linux, you can be sure that back doors are less likely to be inserted - they do not get past Torvalds easily"

      I'm pretty sure I read a news report a few years ago on this very site that the NSA inserted a backdoor in a Linux irq client included on some distributions that went unnoticed for a number of years even though it was open source. Old Linus missed that one eh?

      That's the trouble, who the fuck wants to trawl through source code and compile the bugger themselves when they can just use the binaries that come with the distro?

      Linux is more secure than say Windows (which also had/has? MS sanctioned NSA backdoors, to keep the rest of the malware company) but it's not bulletproof by any means.

      1. Tom 13

        Re: Old Linus missed that one eh?

        IRQ =/= Linux Kernel. Linus reviews the kernel, not all the software in any distributions which might be made.

        Yes, if you compare the Windows kernel to the Linux kernel and ignore the add ons, the two are roughly equal in terms of security vulnerabilities. The difference is, Windows sells what ought to be the add ons as an inherent part of the kernel, and further used that position as part of their legal defense for incorporating IE (which is clearly an app) into the OS way back in the dark ages of computing.

      2. hayseed

        Re: ANY closed source software might have secret back doors

        A backdoor might masquerade as a bug - and don't tell me there are not plenty of those in linux.

  5. This post has been deleted by a moderator

  6. SirWired 1

    2 Class C's = "large range"?

    I'm a little confused: how is a single pair of Class C's a "large range" of public internet addresses? And Barracuda doesn't control them both? Really? I find that hard to believe. I know public IP's are harder to come by than they used to be, but you'd think Barracuda could manage it.

    I'm not saying this is a case of major fail (any RAS architect worth his title knows how to set up remote tech support access without such stupidly large backdoors), but I don't think it is as bad as advertised.

    1. Henry 8
      FAIL

      Re: 2 Class C's = "large range"?

      CIDR has been around for 20 years now. Why do so many people who allegedly know about IT still think that class a/b/c networks exist?

      1. SirWired 1

        Re: 2 Class C's = "large range"?

        Yes I know about CIDR. But saying "Class C" is a lot shorter than "network with a 24-bit netmask".

        1. Henry 8

          Re: 2 Class C's = "large range"?

          "A /24" is a) shorter than "class C", and b) factually correct. Both are virtues, no?

          1. This post has been deleted by its author

  7. Anonymous Coward
    Anonymous Coward

    Did you mean to use the troll icon?

    Barracuda Networks is an American owned and run company in Campbell, CA. Unlike Cisco, they don't have any development activities in China.

    1. Anonymous Coward
      Anonymous Coward

      Re: Did you mean to use the troll icon?

      Of course not. It's not "trolling". It's something called sarcasm - in this case triggered by subjection to an overwhelming inundation of hypocrisy, irony and schadenfreude.

  8. Anonymous Coward
    Anonymous Coward

    Shucks, those pesky commies...

    ...and so soon after the US gov kindly took the trouble to orchestrate a public display to the world that we shouldn't be using networking kit from these Chinese companies... for this very reason! We obviously can't trust those stinking commies. I bet all the fools who bought this cheap Chinese crap are wishing they'd stuck with good ol' trustworthy uncle sam now! It'd have been worth paying the extra for a good ol' US name like Barracuda Networks Inc. which you know you can trust. The morons got what they deserved if you ask me.

  9. Khaptain Silver badge

    Service Entrance

    See title for more appropriate term than backdoor.

    1. Anonymous Coward
      Anonymous Coward

      Re: Service Entrance

      Undocumented/undisclosed/hidden "Service Entrance" = "backdoor"

      1. Khaptain Silver badge

        Re: Service Entrance

        And just how else is the provider supposed to offer his support .....

        I don't know how BMW perform those detailed diagnostics on my car, it's not written in the manual, should I also consider this as the backdoor approach. As long as it presents no danger to me then I accept the fact that a "service port" exists even though it is undocumented.

        By signing a service contract with over-the-wire support, it is quite clear that the client accepts some kind of risk.

        My data is supposed to be safe within a data centre but at the same time the service provider has access to my servers be it documented or not, that is the price I have to pay for requiring his services..

        It is almost impossible for 99.9% of clients to verify whether or not there are backdoors hidden away within code/hardware. It is far safer to simply think that there are and that there always will be backdoors and to arrange your security around that fact. Anything connected to the web is inherently "unsafe"....

        1. Galidron
          FAIL

          Re: Service Entrance

          I don't know how BMW perform those detailed diagnostics on my car, it's not written in the manual, should I also consider this as the backdoor approach. As long as it presents no danger to me then I accept the fact that a "service port" exists even though it is undocumented.

          It is written in the maintenance manuals. I've also never relied on the BMW computer systems to protect my sensitive data. If they need to maintain the device there is no reason to hide the account they use to do it.

          1. Khaptain Silver badge

            Re: Service Entrance

            If your data is so sensitive then why is it on a public network......

        2. Anonymous Coward
          Anonymous Coward

          Re: Service Entrance on BMWs and others

          There was extensive reportage (check out The Register and nakedsecurity.sophos.com) on the stealing of BMWs and other high-end wheelers by spoofing the OBD ports.

          Lovely little wrap was "Ultimately, it's worth remembering - as BMW admits - that there's "no such thing as an unstealable car"."

          Repositioning, there seems to be no such thing as an unstealable Barracuda protected enterprise.

        3. Vic

          Re: Service Entrance

          > And just how else is the provider supposed to offer his support .....

          Key-based login.

          Vic.

    2. Anonymous Coward 15
      Paris Hilton

      Re: Service Entrance

      That's what she said.

  10. Pirate Dave
    Pirate

    Wow

    Amazing that the iptables rules they use were generated in 2003... At least that's what it shows in the dump output if you follow the first link in the article.

    And more curious-er - a quick whois shows the two external IP ranges aren't even directly registered to Barracuda. One is out of Layer42's block, the other from XO.

    So after 9 years, Barracuda hasn't changed or dropped ISPs nor network ranges. Hopefully...

  11. This post has been deleted by its author

  12. Herby

    SSH scans?

    From my recent experience, there are people who do SSH scans looking for open SSH ports and throwing LOTS of account names up to see if anything sticks. I have a home network with a "public" SSH port and it gets scanned all the time (about 1/day). Yes, they fail (but fill up my logs) but they are out there.

    Be afraid, be very afraid!

    1. Khaptain Silver badge

      Re: SSH scans?

      I reckon you are lucky if you are sniffed only once a day. One of my colleagues opened up SSH on his home NAS and is being hit anywhere between 10 and 30 times per day... I didn't believe him till he showed me the logs... We verified some of the IPs, no one constant location and scattered all over the world.... (Could have been spoofed IPs but no way to know)

      If SSH is available, the Password Authentication should at least be set to off and authentication by certificate should be the only method publicly available, and no ROOT on SSH.

      1. xerocred

        Re: SSH scans?

        My rackspace server has no firewall for technical reasons and got > 5000 hits/day until I put iptables to block wrong attempts for an hour. Now it's only 30 a day. Root is blocked too. But rackspace has acres of ip ranges that are allowed through.

      2. Suricou Raven

        Re: SSH scans?

        Move SSH off of port 22. That way the people running scans won't find it. Any determined attacker focusing on you specifically is going to scan the whole range, but at least opportunistic script kiddies won't waste your bandwidth and clutter your logs.

        1. Justicesays

          Re: SSH scans?

          Moved my ssh to a different port, plus I put an ipchains wrapper around that port to block incoming ips for 5 mins on three consecutive failed ssh logins, which nicely honeypots anyone trying a brute force attack that finds the port in the first place. Haven't seen anything in the logs since I moved the port, so your average random attack doesn't bother with a port scan, just looking for low hanging fruit.

          You could also use a port knock sequence if you felt inclined, or only use shared keys for access.

          Leaving it unprotected on the standard port does expose you to spammy attacks.

          1. Vic

            Re: SSH scans?

            > block incoming ips for 5 mins on three consecutive failed ssh logins,

            Don't block - DROP.

            This leaves the attacker with dangling TCP connections. It consumes more of his resources and slows down his progress...

            Vic.
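The two posts above (Justicesays' "block an IP for 5 minutes after three consecutive failed logins" and Vic's "DROP rather than block") describe a detection rule and a response. The following is an added example, not code from the page or from any commenter: it runs that rule over a few constructed auth.log lines (the hosts, addresses and times are made up, and the year that syslog timestamps omit is whatever strptime fills in, since only time differences matter) and renders the response as an iptables DROP rule on an assumed non-standard port 2222.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not taken from the page or any real host).
SAMPLE_AUTH_LOG = """\
Jan 24 10:00:01 gw sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jan 24 10:00:03 gw sshd[2002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jan 24 10:00:04 gw sshd[2003]: Failed password for invalid user oracle from 203.0.113.5 port 40003 ssh2
Jan 24 10:00:05 gw sshd[2004]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Jan 24 10:01:00 gw sshd[2010]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Jan 24 10:01:20 gw sshd[2011]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2: ED25519 SHA256:constructedfingerprint
Jan 24 10:01:30 gw sshd[2012]: Failed password for alice from 198.51.100.7 port 50003 ssh2
Jan 24 10:01:40 gw sshd[2013]: Failed password for alice from 198.51.100.7 port 50004 ssh2
Jan 24 10:06:00 gw sshd[2020]: Failed password for invalid user admin from 203.0.113.5 port 40005 ssh2
"""

# Matches the "Failed <method> for [invalid user] <name> from <ip> port <n>" and
# "Accepted <method> for <name> from <ip> port <n>" lines sshd writes.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line):
    """(timestamp, failed?, source ip, user) for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; strptime fills one in, and only differences matter here
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("result") == "Failed", m.group("ip"), m.group("user")


def find_blocks(log_text, threshold=3, block_for=timedelta(minutes=5)):
    """Replay the log and return (ip, block_start) for every block the rule would impose.

    A success resets the per-IP streak (the rule is about *consecutive* failures),
    events arriving while an IP is blocked are ignored because the firewall would
    have dropped them, and the block lapses once block_for has elapsed."""
    streak = defaultdict(int)        # consecutive failures seen per source IP
    blocked_until = {}               # ip -> time the current block expires
    decisions = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, failed, ip, _user = parsed
        if ip in blocked_until:
            if ts < blocked_until[ip]:
                continue             # still blocked: this packet never reached sshd
            del blocked_until[ip]    # block expired, start counting afresh
        if not failed:
            streak[ip] = 0
            continue
        streak[ip] += 1
        if streak[ip] >= threshold:
            blocked_until[ip] = ts + block_for
            streak[ip] = 0
            decisions.append((ip, ts))
    return decisions


def iptables_rule(ip, port=2222):
    """Vic's point: DROP instead of REJECT, so the scanner's connection attempts hang
    until they time out rather than failing fast. Port 2222 is an assumed moved port."""
    return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP"


if __name__ == "__main__":
    for ip, started in find_blocks(SAMPLE_AUTH_LOG):
        print(f"{started:%H:%M:%S} block {ip}: {iptables_rule(ip)}")
```

On the sample, only 203.0.113.5 is blocked (at 10:00:04); 198.51.100.7 never reaches three consecutive failures because the key-based success in between resets its count, and the 10:06:00 attempt from 203.0.113.5 lands after the five-minute block has lapsed, so it starts a new streak rather than being dropped.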

  13. Michael Xion
    Happy

    ...firewall off port 22 completely.

    I don't know much about networking, but I can't see that helping as the paragraph before that mentioned IP ranges with port 24.

    1. Henry 8

      Re: ...firewall off port 22 completely.

      Nope, sorry, no mention of port 24 anywhere. The paragraph you're referring to did mention some /24 subnets. 192.168.200.0/24 means the addresses from 192.168.200.0 to 192.168.200.255. Go and read about subnets and netmasks
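Henry's explanation of what a /24 covers, and the earlier "2 Class C's = a large range?" exchange, come down to the same netmask arithmetic. The following is an added example (not code from the page or any commenter) that does that arithmetic by hand, cross-checks it against Python's ipaddress module, and uses it the way a firewall rule would: deciding whether a source address falls inside an allow-list of prefixes. The two /24s in ALLOWED_SOURCES are constructed documentation ranges, not the ranges from the article.

```python
import ipaddress


def ip_to_int(addr: str) -> int:
    """Dotted quad -> 32-bit integer, validating each octet."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {addr!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_cidr(cidr: str):
    """'a.b.c.d/n' -> (network, mask) as integers; a bare address is treated as /32."""
    addr, _, prefix_text = cidr.partition("/")
    prefix = int(prefix_text) if prefix_text else 32
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {cidr!r}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # top `prefix` bits set
    return ip_to_int(addr) & mask, mask


def cidr_range(cidr: str):
    """(first address, last address, number of addresses) covered by the prefix."""
    network, mask = parse_cidr(cidr)
    last = network | (~mask & 0xFFFFFFFF)                # host bits all ones
    return int_to_ip(network), int_to_ip(last), last - network + 1


def in_cidr(ip: str, cidr: str) -> bool:
    """True when ip shares the prefix's network bits."""
    network, mask = parse_cidr(cidr)
    return (ip_to_int(ip) & mask) == network


# Constructed allow-list standing in for "management logins only from these /24s".
ALLOWED_SOURCES = ["192.168.200.0/24", "203.0.113.0/24"]


def source_allowed(ip: str, allowed=ALLOWED_SOURCES) -> bool:
    """The check a firewall rule makes: does the source fall inside any allowed prefix?"""
    return any(in_cidr(ip, cidr) for cidr in allowed)


def addresses_exposed(allowed=ALLOWED_SOURCES) -> int:
    """Total source addresses the allow-list admits (the 'two /24s' question)."""
    return sum(cidr_range(cidr)[2] for cidr in allowed)


def matches_stdlib(ip: str, cidr: str) -> bool:
    """Cross-check of the hand-rolled arithmetic against the standard library."""
    stdlib = ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    return in_cidr(ip, cidr) == stdlib


if __name__ == "__main__":
    print(cidr_range("192.168.200.0/24"))
    print("addresses admitted by the allow-list:", addresses_exposed())
    for ip in ("192.168.200.17", "192.168.201.17", "203.0.113.250"):
        print(ip, "allowed" if source_allowed(ip) else "denied")
```

Two /24s admit 512 source addresses; whether that is "large" depends on who can send packets with those source addresses, which is the point the later posts about upstream routers and spoofing pick up.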

      1. Allan George Dyer Silver badge
        Boffin

        Re: ...firewall off port 22 completely.

        Henry, Michael's remark is a good example of why, although /24 is "factually correct" and "shorter than Class C", it is less informative to people who are unfamiliar with networking jargon.

        You are correct, but failing to communicate.

        1. Anonymous Coward
          Anonymous Coward

          Re: ...firewall off port 22 completely.

          "Henry, Michael's remark is a good example of why, although /24 is "factually correct" and "shorter than Class C", it is less informative to people who are unfamiliar with networking jargon."

          Seems to me that "Class C" would also come under networking jargon ...

  14. JaitcH
    WTF?

    Backdoors are OK for US products but Chinese products watch out

    Huawei and ZTE get accused of having back doors but none have been found but they get barred from contracts.

    Yet this US supplier proudly confirms back doors.

    Why don't the US Congress and those Australian numb-nuts get real?

  15. Mephistro Silver badge
    Black Helicopters

    One question or two...

    ...for those who say that the fact that the backdoor can only be accessed from certain IP ranges controlled by Barracuda makes the systems affected safe:

    Can't these ranges be 'spoofed'?

    Wouldn't it be trivial for intelligence agencies worldwide to use those infamous 'closed rooms' at ISPs to spoof said ranges?

    IMHO the black copters fit perfectly into this discussion.

    1. Anonymous Coward
      Anonymous Coward

      Re: One question or two...

      Without hacking an upstream router, or ARP spoofing a LAN IP, etc, it's kind of hard to spoof IPs in TCP sessions, since you don't get the return packets to answer the random number challenge. UDP on the other hand...
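The reply above rests on one property of TCP: the third packet of the handshake must acknowledge a sequence number the server chose and sent only to the claimed source address, so a sender forging that address never sees it. The following is an added example, not code from the page or any commenter: a toy model of the handshake (no real sockets, just the sequence-number check) that contrasts a server choosing its initial sequence number at random with the constructed "sequential" policy of early stacks, where the next ISN follows from the previous one. The step of 64000 and the starting value are invented for the model.

```python
import random


class TcpServer:
    """Minimal model of the server side of a TCP three-way handshake.
    Only the sequence-number check is modelled; everything else is left out."""

    def __init__(self, isn_policy="random", seed=None):
        self._rng = random.Random(seed)     # seedable so runs are repeatable
        self._policy = isn_policy
        self._next_sequential = 0x1000      # constructed start value for the predictable policy
        self._pending = {}                  # client address -> ISN sent in the SYN-ACK

    def _pick_isn(self):
        if self._policy == "random":
            return self._rng.getrandbits(32)   # modern stacks: unpredictable per connection
        # "sequential": the old behaviour, each new connection gets previous ISN + fixed step
        isn = self._next_sequential
        self._next_sequential = (isn + 64000) & 0xFFFFFFFF
        return isn

    def receive_syn(self, client_addr):
        """Returns the SYN-ACK's sequence number. It is delivered to client_addr,
        so only a host that really receives that address's traffic learns it."""
        isn = self._pick_isn()
        self._pending[client_addr] = isn
        return isn

    def receive_ack(self, client_addr, ack_number):
        """Third packet: accepted only if it acknowledges ISN + 1."""
        isn = self._pending.pop(client_addr, None)
        return isn is not None and ack_number == (isn + 1) & 0xFFFFFFFF


def legitimate_handshake(server, client_addr):
    """A host that owns client_addr receives the SYN-ACK and can answer it."""
    server_isn = server.receive_syn(client_addr)
    return server.receive_ack(client_addr, (server_isn + 1) & 0xFFFFFFFF)


def blind_spoof_attempt(server, victim_addr, guessed_isn):
    """A sender forging victim_addr never sees the SYN-ACK (it goes to the victim),
    so all it can do is guess. Returns True only if the guess was right."""
    server.receive_syn(victim_addr)          # SYN-ACK leaves for victim_addr, not the forger
    return server.receive_ack(victim_addr, (guessed_isn + 1) & 0xFFFFFFFF)


def predict_next_isn(server, probe_addr):
    """Why the sequential policy was abandoned: one ordinary connection reveals an ISN,
    and with a fixed step the next one follows from it. Against a random policy the
    observed value tells you nothing."""
    observed = server.receive_syn(probe_addr)
    server.receive_ack(probe_addr, (observed + 1) & 0xFFFFFFFF)   # finish the probe cleanly
    return (observed + 64000) & 0xFFFFFFFF


def blind_success_probability():
    """Chance that one blind guess against a random 32-bit ISN is right."""
    return 1 / 2 ** 32


if __name__ == "__main__":
    print("legitimate client:", legitimate_handshake(TcpServer(seed=1), "198.51.100.7"))
    print("blind guess vs random ISN:", blind_spoof_attempt(TcpServer(seed=1), "198.51.100.7", 0))
    old = TcpServer("sequential")
    print("prediction vs sequential ISN:",
          blind_spoof_attempt(old, "198.51.100.7", predict_next_isn(old, "203.0.113.9")))
```

Hijacking an upstream router, as the reply says, changes the picture because the forger then does receive the SYN-ACK; the model shows only why address-based allow-lists hold up against a sender with no such vantage point.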

  16. Suricou Raven

    Why is there even a password?

    Public key auth, Barracuda. USE IT! If you must have remote access - and they sell managed solutions, so the need is understandable - you don't use passwords. You use public key. You then have exactly one online computer that holds the private key (Plus offline backup for disaster recovery) and make it act as an authenticating SSH proxy, like a MITM attacker would. That's the way to do it right.
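Khaptain's advice in the SSH scans thread (password authentication off, key-only, no root) and this post say the same thing about sshd_config. The following is an added example, not code from the page or from any commenter or vendor: a small auditor that reads the global section of an sshd_config the way sshd does (first occurrence of a keyword wins, Match blocks are conditional) and reports the settings that differ from that advice. The two config fragments are constructed, and the DEFAULTS table is an assumption about current OpenSSH defaults for keywords that are absent.

```python
# Constructed sshd_config fragments (not from any Barracuda appliance or from the page).
WEAK_CONFIG = """\
# Typical out-of-the-box state: passwords accepted, root may log in with one
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# What the thread recommends: keys only, no root, no password prompts of any kind
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
"""

# Values sshd applies when the keyword is absent (assumed: current OpenSSH defaults).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}


def parse_sshd_config(text: str) -> dict:
    """Global section of an sshd_config as keyword -> value (both lower-cased).

    sshd uses the FIRST value it reads for a keyword, so a hardening line appended
    below an earlier 'PasswordAuthentication yes' changes nothing; setdefault models
    that. Parsing stops at the first Match block, whose settings are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # 'Key value' or 'Key=value'
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return settings


def effective(settings: dict, key: str) -> str:
    """Value in force for a keyword, honouring the older alias and the daemon default."""
    if key in settings:
        return settings[key]
    if key == "kbdinteractiveauthentication" and "challengeresponseauthentication" in settings:
        return settings["challengeresponseauthentication"]   # pre-8.7 name for the same switch
    return DEFAULTS.get(key, "")


def audit_sshd_config(text: str):
    """(keyword, problem) pairs; an empty list means the config follows the advice."""
    s = parse_sshd_config(text)
    findings = []
    if effective(s, "passwordauthentication") != "no":
        findings.append(("passwordauthentication",
                         "passwords accepted: the scanners described in the thread keep guessing them"))
    if effective(s, "kbdinteractiveauthentication") != "no":
        findings.append(("kbdinteractiveauthentication",
                         "keyboard-interactive still lets PAM prompt for a password"))
    if effective(s, "pubkeyauthentication") != "yes":
        findings.append(("pubkeyauthentication",
                         "key login is off, so nobody can log in once passwords are disabled"))
    if effective(s, "permitrootlogin") != "no":
        findings.append(("permitrootlogin",
                         "root can log in directly; use an unprivileged account plus sudo"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

The "first occurrence wins" rule is the one that bites in practice: an appliance that ships a `PasswordAuthentication yes` near the top of the file silently ignores a `no` added at the bottom, which is exactly the case the parser reproduces.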

    1. Destroy All Monsters Silver badge
      Holmes

      Re: Why is there even a password?

      I don't know what kind of asinine jerk downvotes this.

      The sad truth is that if companies do use certificates, they use self-signed certificates ... it's abysmal.

  17. Crisp

    Time to redirect Port 22 to a terminal that only plays Zork

    You are standing in a field west of a white house.

    There is a mail box here.

    >_

    1. Anonymous Coward
      Anonymous Coward

      Re: Time to redirect Port 22 to a terminal that only plays Zork

      > n

      You are facing the north side of a white house. There is no door here,

      and all the windows are barred.

      > n$£(*$&£*($&"£*($&"(£*%&$*(!!"!"£$"$"$"$000000000000000000000000000000000000000000000000

      root@pxeserver:~#

      1. Anonymous Coward
        Anonymous Coward

        Re: Compass

        If you went north, surely you would be facing the south side of whatever you encountered?

        Unless you had traversed the North Pole in the process.

        1. Anonymous Coward 15

          Re: Compass

          Try it. You can play Zork online. (Be careful of the grues.)

  18. Anonymous Coward
    Anonymous Coward

    Open Source

    I've seen one switch that a company is trying to sell to the military where you have to log in as Linux root to make configuration changes, and make changes directly to OS files at that!

    This, and others mentioned earlier, are exactly the reason why all defense and aerospace conformance criteria state "no open source code" within their first few requirements.

    'Proper', secure network devices have closed source embedded OS's, no backdoors (ever) and most run off hardware locked read-only memory (provable Information Assurance means no on-the-fly configuration changes, or network information survives a power cycle).

    Having to gain physical access to the device PCB to add a write-enable jumper, logging in using the customers' correct secure authentication, and knowing how to navigate the strictly controlled U/I is sure to put off your average script kiddie, (unlike the average switch from the big corps. who claim to know better!)

    FWIW one of my 24x1G + 2 x10G managed switches that will turn on after a night in Siberia (-46C) without heating, or work happily in a helicopter in the Saudi Desert (+85C) without cooling, and survive ballistic shock (firing from a gun) and happily goes into space, does cost nearly as much as a small car.

  19. JimmyPage
    Boffin

    Trusting trust

    Fascinated to read this, and it goes much deeper.

    How can you know the actual CPU you are running on can be trusted ? How do you know there isn't some sneaky opcode which can be used to leverage an attack ?

    To all those smug commentards who boasted about having the source code to a system: did you get a schematic of the CPU, and logic arrays ?

    1. This post has been deleted by its author


Biting the hand that feeds IT © 1998–2020