Cutting to the chase (was RE: ABOVE.NET SECURITY TRUTHS?)
OK, I've had just about enough of this. I was subscribed read-only, but this latest brouhaha has motivated me to post the following semi-diatribe:

First of all, there -is- a bug in the Catalyst Supervisor software revision 5.4.1 which basically disables the functionality of the enable password. If someone has the login password to the router, they can use the same password to get to enable mode. Yes, someone has to either a) get his password sniffed internally or b) re-use the password on some external network which allows it to get sniffed or c) use a weak and/or easily-guessable password for this exploit to be used. But your blanket statement about the enable password on Cisco switches is incorrect. And while shared segments are generally a Bad Thing, there are certain instances in which they make sense. See http://www.cisco.com/warp/public/707/catos-enable-bypass-pub.shtml for more details.

Secondly, there's also a bug in the Cisco telnet daemon for IOS 11.3AA, 12.0(2)-12.0(6) and 12.0(7), excluding 12.0(7)S, 12.0(7)T, and 12.0(7)XE, which allows very easy DoS attacks against routers and switches running those revs. The bug ID is CSCdm70743, and more information can be found at http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml .

Thirdly, 12-series IOSes can make use of ssh, but there are a lot of other issues with the 12.x revs (see the above paragraph for an example) which have prevented their wide-scale adoption. Kerberos is certainly an option, and a good one, but Monday-morning quarterbacking is really easy, especially when one doesn't have direct knowledge of all the various factors involved, nor any responsibility for maintaining the network in question.

Fourthly, being abrasive and condescending certainly isn't a way to get your point across.
There is a huge amount of collective talent on this list; Paul Vixie, in particular, has made enormous contributions to the Net community as a whole, and therefore is someone who is, I think, deserving of a more respectful tone than your previous posts on this subject. He's a really smart guy, and he's donated a lot of time and effort and sheer technical know-how towards making the entire Internet more usable and useful for -everyone-. Whilst I'm not privy to Mr. Vixie's schedule, I doubt very seriously that he configures every single router and switch in his network himself, by hand. Most of the real operators here have, at one time or another, had an employee or a group of employees who violated security policy in the name of expediency, and thereby caused a security breach, potential or otherwise. I have no knowledge of the incident at above.net other than the rumors which have been bandied about in the public domain, but I wouldn't be surprised if something of this latter sort played a role in their problems, which have long since been resolved.

If you have views to contribute, you're going to get far more attention and thought paid to them by refraining from condescension and patronizing rhetoric. You're not going to educate or enlighten anyone by implying that they're stupid or incompetent; and, if you'll think about it, you're probably not perfect, yourself. I think Garry Kasparov summed it up best when he said that he's never learned anything from a chess game he -won-.

-----------------------------------------------------------
Roland Dobbins <rdobbins@netmore.net> // 818.535.5024 voice

-----Original Message-----
From: Exiled Dave [mailto:exiled_dave@yahoo.com]
Sent: Friday, April 28, 2000 1:10 PM
To: nanog@merit.edu
Subject: Re: ABOVE.NET SECURITY TRUTHS?

I've had some private messages asking if I was involved in this. I wasn't.
I was asked to write this initial email by someone who KNOWS the real truth of what happened at above, and why they are being so tight-lipped. Let's think about this, cisco in no way has such a flaw that would allow someone to 'root' and erase all the info on switches. The password was sniffed. Unless above has some employee who felt the need to do this. But, my Above rep laughing CONFIRMED that this was the problem. COMMON PASSWORDS. Can't we make it a LITTLE tougher on the script kiddies? And not make EVERY MAJOR switch the same password? This is safe to post, because my above sales rep told me what the old password was. God. THAT'S SECURITY. Sales reps telling Clients OLD PASSWORDS. So, if we wanna verify my authenticity, Here's what she told me: whY2Ghay/1Pee-Fr331y Sound familiar Above? I'm surprised by lack of comment from you. I'm out to HELP. Not to hurt.
Well, yes, we have been trying to do "due diligence" to ensure that we publicly notify our customers, and the public at-large, of any known security problems with our products. These are not dirty little secrets -- we believe that our customers deserve to know, as soon as possible, when we have found vulnerabilities in our products. As stated in most of the advisories, we post these security advisories to:

cust-security-announce@cisco.com
bugtraq@securityfocus.com
first-teams@first.org (includes CERT/CC)
cisco@spot.colorado.edu
comp.dcom.sys.cisco
Various internal Cisco mailing lists

Secondly, and to the best of my knowledge, I know of no instance where the Catalyst enable password vulnerability has been used by an attacker to exploit a customer's network.

For further information, see:
http://www.cisco.com/warp/public/707/advisory.html
and
http://www.cisco.com/warp/public/707/sec_incident_response.shtml

Cheers,
- paul

At 02:16 PM 04/28/2000 -0700, Roland Dobbins wrote:
First of all, there -is- a bug in the Catalyst Supervisor software revision 5.4.1 which basically disables the functionality of the enable password. If someone has the login password to the router, they can use the same password to get to enable mode. Yes, someone has to either a) get his password sniffed internally or b) re-use the password on some external network which allows it to get sniffed or c) use a weak and/or easily-guessable password for this exploit to be used. But your blanket statement about the enable password on Cisco switches is incorrect. And while shared segments are generally a Bad Thing, there are certain instances in which they make sense.
See http://www.cisco.com/warp/public/707/catos-enable-bypass-pub.shtml for more details.
Secondly, there's also a bug in the Cisco telnet daemon for IOS 11.3AA, 12.0(2)-12.0(6) and 12.0(7), excluding 12.0(7)S, 12.0(7)T, and 12.0(7)XE, which allows very easy DoS attacks against routers and switches running those revs. The bug ID is CSCdm70743, and more information can be found at http://www.cisco.com/warp/public/707/iostelnetopt-pub.shtml .
Thirdly, 12-series IOSes can make use of ssh, but there are a lot of other issues with the 12.x revs (see the above paragraph for an example) which have prevented their wide-scale adoption. Kerberos is certainly an option, and a good one, but Monday-morning quarterbacking is really easy, especially when one doesn't have direct knowledge of all the various factors involved, nor any responsibility for maintaining the network in question.
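The two affected-release lists Roland gives above (Catalyst Supervisor software 5.4.1 for the enable-password bypass, and IOS 11.3AA, 12.0(2)-12.0(6) and 12.0(7) minus the S, T and XE trains for telnet bug CSCdm70743) are the kind of thing an operator turns into an inventory check. The script below is an added example, not code from the thread or from Cisco: it parses IOS and CatOS version strings and flags which devices in a constructed inventory fall in those ranges. The version ranges are taken as written in the post rather than re-read from the advisories, the treatment of train suffixes inside 12.0(2)-12.0(6) is an assumption (the post does not qualify that range, so every train in it is flagged), and the hostnames, version-string formats and inventory rows are all made up for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Affected releases exactly as stated in the post above. They have not been
# re-checked here against the advisory pages it links, so confirm them against
# the advisory text before acting on this script's output.
TELNET_DOS_BUG_ID = "CSCdm70743"
CATOS_ENABLE_BYPASS_VERSION = (5, 4, 1)

# '12.0(7)T', '12.0(5)', '11.3AA': major.minor, optional (maintenance), optional train.
IOS_RE = re.compile(r"^(\d+)\.(\d+)(?:\((\d+)\))?([A-Za-z]*)$")
# CatOS written either as '5.4.1' (as in the post) or as '5.4(1)'.
CATOS_RE = re.compile(r"^(\d+)\.(\d+)[.(](\d+)\)?$")


@dataclass(frozen=True)
class IOSVersion:
    major: int
    minor: int
    release: int   # maintenance number in parentheses: 12.0(5) -> 5, none -> 0
    train: str     # trailing train letters ("T", "S", "XE", "AA"); "" = mainline


def parse_ios(version: str) -> IOSVersion:
    m = IOS_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version string: {version!r}")
    major, minor, release, train = m.groups()
    return IOSVersion(int(major), int(minor), int(release or 0), train.upper())


def parse_catos(version: str) -> Tuple[int, int, int]:
    m = CATOS_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised CatOS version string: {version!r}")
    major, minor, release = m.groups()
    return (int(major), int(minor), int(release))


def telnet_dos_affected(version: str) -> bool:
    """True when the release falls in the ranges the post gives for CSCdm70743:
    11.3AA, 12.0(2) through 12.0(6), and 12.0(7) except the S, T and XE trains.
    Assumption: the 12.0(2)-12.0(6) range is flagged for every train, since the
    post does not qualify it; over-reporting is the safer default for triage."""
    v = parse_ios(version)
    if (v.major, v.minor, v.train) == (11, 3, "AA"):
        return True
    if (v.major, v.minor) == (12, 0):
        if 2 <= v.release <= 6:
            return True
        if v.release == 7 and v.train not in ("S", "T", "XE"):
            return True
    return False


def catos_enable_bypass_affected(version: str) -> bool:
    """True for Catalyst Supervisor software 5.4.1, the release the post names as
    letting the login password also reach enable mode."""
    return parse_catos(version) == CATOS_ENABLE_BYPASS_VERSION


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Rows are (hostname, os, version) with os in {'ios', 'catos'}.
    Returns (hostname, finding) pairs, in inventory order, for devices to act on."""
    findings = []
    for host, os_name, version in inventory:
        if os_name == "ios" and telnet_dos_affected(version):
            findings.append((host, f"telnet DoS {TELNET_DOS_BUG_ID}: upgrade, or restrict vty access meanwhile"))
        elif os_name == "catos" and catos_enable_bypass_affected(version):
            findings.append((host, "CatOS enable bypass: upgrade; login password currently grants enable"))
    return findings


# Constructed sample inventory; hostnames and versions are invented for this example.
SAMPLE_INVENTORY = [
    ("core-rtr-1", "ios", "12.0(5)"),
    ("core-rtr-2", "ios", "12.0(7)T"),
    ("edge-rtr-3", "ios", "12.0(7)"),
    ("dist-rtr-4", "ios", "11.3AA"),
    ("dist-rtr-5", "ios", "12.0(9)"),
    ("sw-cat-6", "catos", "5.4.1"),
    ("sw-cat-7", "catos", "5.4(2)"),
]

if __name__ == "__main__":
    for host, finding in triage(SAMPLE_INVENTORY):
        print(f"{host}: {finding}")
```

Run against the sample rows it reports core-rtr-1, edge-rtr-3, dist-rtr-4 and sw-cat-6, and leaves the 12.0(7)T, 12.0(9) and CatOS 5.4(2) devices alone. The parse step raises on anything it does not recognise rather than silently passing it, so an unexpected version format shows up as an error instead of a clean bill of health.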
Participants (2): Paul Ferguson, Roland Dobbins