Re: F5 Networks Security Advisory (fwd)

[pedward () WEBCOM COM (pedward () WEBCOM COM)]

I am upset about the recent thread about the Big/ip support account on Bugtraq.

First of all, it's just stupid to sit here and say "They ship a product with
a security hole, because it has a support password that is root priv'd".

I have known about this for nearly 2 years, questioned them initially, but wrote
it off as non-consequential.

First of all, the default config is very restrictive, and they don't recommend
the contrary.

The Big/ip products ship with the F5 labs firewall IP COMMENTED OUT of the sshd
config.

They assured me that they rotate the passwords on a regular basis to ensure that
accountability is retained internally.

If the device shipped with a password that was obtained via a hex dump of a ROM,
I could understand, but we're talking about a password that requires many hours
of CPU time, or hundreds of thousands of dollars of hardware.

I don't like good people like F5 getting grilled, and sending me a stupid advisory,
because someone cried the equivelent of 'Y2K bug'.

When will the discussion of real security threats, return to Bugtraq?

Hey everybody, <insert fav dist> ships with a UID 0 account, it's password is probably
guessable.

Grr, this just makes me mad that we're discussing this.

--Perry

--
Perry Harrington                 Director of                   zelur xuniL  ()
perry () webcom com             System Architecture               Think Blue.  /\