
Bug or Backdoor?
The login creds aren't cisco + c1sc0 by any chance?
Cisco on Tuesday issued a critical security advisory for its Wireless LAN Controller (WLC), used in various Cisco products to manage wireless networks. A vulnerability in the software's authentication code (bug type CWE-303) could allow an unauthenticated remote attacker to bypass authentication controls and login to the …
I used to systems test Cisco kit on a Sun sparc named Sisko in the '90s, and I didn't even know who Sisko was. This never happened on my watch, couldn't have as I was so clever and competent.
I forget now, was Dunning the smart one and Kruger the idiot, or vice versa?
Password validation algorithm?
Something no one in the history of programming has ever implemented? Something that should have been implemented once and put into a library and used everywhere?
Has Cisco lost all its competent software people and are the PFYs now running the show?
It's two birds with one stone: 1, Huawei kit is not embuggered with NSA backdoors. That makes it a 'threat' to the USA's national security. 2, Banning Huawei effectively removes competition from the market (in this case Cisco).
If you look at the history of what the USA has stolen using nefarious means like this you will see it is a pattern.
Why does everyone feel the need to roll their own, and then get surprised it's shit?
See also: phone number, postcode, name validation routines.
And for an industry that chokes on standards and TLAs, WTF isn't there an RFC or IEEE or ISO standard on password generation (i.e. complexity rules), storage (i.e. as a hash) and recovery procedures (only via an already verified channel)?
Like what I wanted 20 years ago.
Not entirely sure a 20 year old standard on password complexity would be much use today to be honest. ;)
Everything you described though does have pretty solid standards that every developer should at least know - and that get repeated on every StackOverflow post where amateurs are likely to be ripping their code from.
The problem is that there's still no accounting for human error:
try {
    // SuperSecureStandardPasswordVerifier.verify(password);
    // TODO commented this out for testing, remember to put back!!!
}
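The "implement it once, put it in a library" verifier that the earlier comment asks for, placed beside the fail-open pattern from the snippet just above. This is an added example, not code from any commenter, from Cisco, or from the advisory; it uses only Python's standard library (scrypt for storage, a constant-time compare for checking) and the function names, parameters and sample password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed example (not from the thread): a small, reusable password
# verifier, plus the two ways a login routine can consume it.

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1   # memory-hard KDF parameters
SALT_LEN = 16                                # random per-record salt
HASH_LEN = 32                                # derived key length


def _derive(password: str, salt: bytes) -> bytes:
    """scrypt(password, salt) with the fixed parameters above."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_LEN)


def hash_password(password: str) -> bytes:
    """Return salt || scrypt(password, salt) for storage (never the plaintext)."""
    salt = os.urandom(SALT_LEN)
    return salt + _derive(password, salt)


def verify_password(password: str, stored: bytes) -> bool:
    """Fail closed: a malformed record or a mismatch both return False.
    The comparison is constant-time so timing does not leak the prefix."""
    if len(stored) != SALT_LEN + HASH_LEN:
        return False
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_derive(password, salt), expected)


def login_fail_open(password: str, stored: bytes) -> bool:
    """The pattern in the comment above: the check was commented out 'for
    testing'. Nothing raises, the try block completes, and every password
    is accepted. This is the bug, kept here only to show the behaviour."""
    try:
        # verify_password(password, stored)  # TODO commented out for testing
        pass
    except Exception:
        return False
    return True


def login_fail_closed(password: str, stored: bytes) -> bool:
    """Hardened form: the decision IS the verifier's return value. There is
    no default-allow path, so disabling the check cannot silently pass."""
    return verify_password(password, stored)


if __name__ == "__main__":
    record = hash_password("correct horse")          # constructed sample credential
    print("fail-open accepts wrong password:", login_fail_open("wrong", record))
    print("fail-closed accepts wrong password:", login_fail_closed("wrong", record))
```

The design point is the last two functions: when the outcome of a login is "allow unless something threw", a commented-out check, a swallowed exception or a missing record all become a bypass, which is exactly the class of defect (CWE-303, incorrect implementation of an authentication algorithm) the advisory names. Making the verifier's boolean the only thing the caller acts on removes that default-allow path.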