In a message written on Sat, Oct 22, 2016 at 07:34:55AM -0500, Mike Hammett wrote:
"taken all necessary steps to insure that none of the numerous specific types of CCVT thingies that Krebs and others identified"
From https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massi...

The part that should outrage everyone on this list:

    That's because while many of these devices allow users to change the default usernames and passwords on a Web-based administration panel that ships with the products, those machines can still be reached via more obscure, less user-friendly communications services called "Telnet" and "SSH."

    "The issue with these particular devices is that a user cannot feasibly change this password," Flashpoint's Zach Wikholm told KrebsOnSecurity. "The password is hardcoded into the firmware, and the tools necessary to disable it are not present. Even worse, the web interface is not aware that these credentials even exist."

As much as I hate to say it, what is needed is regulation. It could be some form of self regulation, with retailers refusing to sell products that aren't "certified" by some group. It could be full blown government regulation. Perhaps a mix.

It's not a problem for a network operator to "solve", any more than someone who builds roads can make an unsafe car safe. Yes, both the network operator and road operator play a role in building safe infrastructure (BCP38, deformable barriers), but neither can do anything for a manufacturer who builds a device that is wholly deficient in the first place.

--
Leo Bicknell - bicknell@ufp.org
PGP keys at http://www.ufp.org/~bicknell/