>“The password is just seven characters long and draws on a ten-year old meme”
Rick Astley strikes again. The password is obviously "rikroll".
Paris - because I'm never gonna give her up, never gonna let her down...
HP is being accused of leaving a serious security vulnerability in its StoreOnce SAN system: a hard-coded administrator account in its management software. According to this blog post published under the handle Technion, weeks of contact with HP's Software Security Response Team have failed to elicit a response, so the poster …
The MSA claim was male dog genitalia so, not having a Storeonce unit to look at, I went to have a look at the manuals on the hp public website. Took me five minutes of browsing to find out that the hpsupport account is discussed in the Storeonce B6000 user manuals (HP StoreOnce B6000 Series Backup System Maintenance & Service Guide, August 2012). It also has an hp internal link (page 13) to the website hp field engineers have to go to for the time-limited password generation tool for use after the password has been reset from the factory default at installation, which suggests to me that Technion has a unit where the install engineer did not reset the factory default password upon installation. Just like the MSA admin account non-story he goes on about. No wonder hp have been ignoring him.
The first moral of the story is only let accredited people that know what they are doing install your stuff. The second moral is don't rush to declare a "built-in back door" without doing at least five minutes of browsing.
"The first moral of the story is only let accredited people that know what they are doing install your stuff. The second moral is don't rush to declare a "built-in back door" without doing at least five minutes of browsing."
Wrong.
The first moral of this story is don't develop an installation process that requires such an account in the first place. If it's a brand new fresh-out-the-box product it should have no fixed accounts and part of the config should be to set up the first account (probably through the mfg's website).
That might make theft a bit easier to track as well.
"....The first moral of this story is don't develop an installation process that requires such an account ...." Like Technion, you need to RTFM, it's not an installation account it's a general servicing account for use by field engineers for doing stuff under the bonnet.
"......If it's a brand new fresh-out-the-box product it should have no fixed accounts....." Really? So Windows Server shouldn't come with any default accounts like Administrator? Just looking around my office I have Brocade and CISCO switches, all which come with default installation accounts, several storage devices ditto. Do you actually touch hardware?
My advice is, if you have a Storeonce unit (or any appliance) that you don't know if the defaults have been reset then check it. If you're unsure how to do it for a Storeonce (and it may be an hp engineer only task, I don't know), then call the support line.
This post has been deleted by its author
You neither replied to any of my points in my other post, because you cannot do so without looking stupid, nor the above point about you not understanding the basics of windows server security. Perhaps technical threads aren't your strength either?
Instead, more matt bryant zero content condescension. MBZCC for short, henceforth.
"You neither replied to any of my points in my other post...." Your post has been answered and your errors exposed, please go back and learn your mistakes like a good little sheep.
".....because you are cannot do so without looking stupid....." LOL! You are actually stalking and frothing in a completely unrelated thread and want to say I look stupid! Have you dropped more acid?!?!?!? Seriously, you need to go seek professional help.
"....Cisco switches and routers have no default installation account...." They do, it just comes with NO PASSWORD by default! When you do the initial setup on something like a 3750 you just put in the IP 10.0.0.1 and go straight into the settings where you put in the management port IP address, gateway, etc. I have known users that did not then go to the "Advanced" and put a password in for telnet access, which effectively leaves you with an admin login via http with no password protection at all!
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/hardware/quick/guide/3750GSG3.html#wp43320
IIRC, the bigger CISCO switches like the 7000 series do have a default login account on the CP which you have to set a password on at installation, but this is kinda pointless considering the fall-back CMP (which can grab console control from the CP) has no password on its default login!
So, yes, you are right, CISCO devices actually have WORSE security.
"I heard the userid was admin...." Alli, you do nothing to help yourself convince others that you should be listened to when your information sources are so frequently plain wrong. Maybe you should stop using rumours to base your technical arguments on? The userid is hpsupport, as pointed out in the blog and this thread. Do please try and keep up!
it was a joke..... funny ha ha......btw..and i know you know this I really hate being called anything but Allison. Maty
sad but true HP killing HP3000 and now VMS is no joke....if you want to be serious :-D
as someone recently said....
"As I said last week when reporting that Hewlett-Packard has decided not to port the latest OpenVMS 8.4 release to the current "Poulson" Itanium 9500 processors from Intel and has basically sunsetted the hardware platform on the older Itanium 9300-based Integrity servers that are several years long in the tooth, it is important not to gloat. But, having said that, it is Silverlake's 25th birthday, and it seems appropriate to keep score."
"it was a joke..... funny ha ha......btw..and i know you know this I really hate being called anything but Allison. Maty"
He does come across as a bit humour impaired at the best of times. I also thought of that old Blackadder line about "Still worshipping God, eh Melchett? Last time I heard he was worshipping me, woof"
Probably best to include the Joke icon.
Seriously, and you accuse me of no sense of humour?
"..... it is Silverlake's 25th birthday, and it seems appropriate to keep score." AS/400? LOL, that's like a terminal cancer victim laughing at the misfortune of others. BTW, you did notice how Linux and UNIX are eating into that AS/400 base?