vendor incompetence
If anyone thinks the current opsec draft is too harsh, I would argue it's
not harsh enough.
http://www.cs.wisc.edu/~plonka/netgear-sntp/
We need to make sure the opsec rfc prevents vendors from 'pulling a
netgear'.
I also did some thinking on the issue of embedded default passwords and
came upon a solution: if a vendor chooses to use an embedded default
password in their product, the password MUST be no less than 24 characters
long, consisting of at least 25% numeric characters, and no more than 3
consecutive alpha characters.
The idea is to make the embedded default password annoying enough that the
user will be compelled to change it from the default. (Rationale: a poorly
chosen custom password is at least more secure than a globally known
default password.)
We could provide a reference algorithm in C to generate random default
passwords.
-Dan
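As an added illustration of the proposed rule (not code from the post or from any vendor), here is a small C reference implementation of the three constraints as written above: at least 24 characters, at least 25% numeric, and no more than 3 consecutive alpha characters. `policy_ok` checks a candidate against the rule, and `generate_default_password` draws characters from /dev/urandom, forces a digit whenever three letters have been emitted in a row, and re-draws the whole string if the 25% digit share is not met. Reading /dev/urandom, the rejection-sampling loop, the 64-attempt cap, and the function names are all assumptions of this example, not anything the post specifies.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constraints as stated in the post. */
#define MIN_LEN        24
#define MAX_ALPHA_RUN  3

/* Return 1 if pw satisfies the proposed default-password rule, else 0. */
int policy_ok(const char *pw)
{
    size_t len = strlen(pw), digits = 0, run = 0;
    if (len < MIN_LEN)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isdigit(c)) {
            digits++;
            run = 0;
        } else if (isalpha(c)) {
            if (++run > MAX_ALPHA_RUN)
                return 0;          /* fourth letter in a row */
        } else {
            run = 0;               /* punctuation breaks a run, counts as neither */
        }
    }
    return digits * 4 >= len;      /* digits/len >= 0.25, no floating point */
}

/* Small buffered source of OS randomness (assumption: /dev/urandom exists). */
typedef struct { unsigned char buf[256]; size_t pos, have; } rand_pool;

static int pool_byte(rand_pool *p, unsigned char *out)
{
    if (p->pos >= p->have) {
        FILE *f = fopen("/dev/urandom", "rb");
        if (!f)
            return 0;
        p->have = fread(p->buf, 1, sizeof p->buf, f);
        fclose(f);
        p->pos = 0;
        if (p->have == 0)
            return 0;
    }
    *out = p->buf[p->pos++];
    return 1;
}

/* Pick a character from set uniformly, rejecting bytes that would bias the modulo. */
static int pick(rand_pool *p, const char *set, char *out)
{
    size_t n = strlen(set);
    unsigned limit = 256u - (256u % (unsigned)n);
    unsigned char b;
    do {
        if (!pool_byte(p, &b))
            return 0;
    } while (b >= limit);
    *out = set[b % n];
    return 1;
}

/* Fill out[0..len) with a policy-conforming password; returns 0 on success, -1 on failure. */
int generate_default_password(char *out, size_t len)
{
    static const char ALNUM[]  = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
    static const char DIGITS[] = "0123456789";
    rand_pool pool = { {0}, 0, 0 };

    if (len < MIN_LEN)
        return -1;
    for (int attempt = 0; attempt < 64; attempt++) {   /* retry cap is an assumption */
        size_t run = 0;
        for (size_t i = 0; i < len; i++) {
            /* After three letters in a row the next character must be a digit. */
            if (!pick(&pool, run == MAX_ALPHA_RUN ? DIGITS : ALNUM, &out[i]))
                return -1;
            run = isalpha((unsigned char)out[i]) ? run + 1 : 0;
        }
        out[len] = '\0';
        if (policy_ok(out))        /* the 25% digit share is enforced by re-drawing */
            return 0;
    }
    return -1;
}

/* Convenience: generate a password of the given length and report policy_ok() on it. */
int generate_and_check(size_t len)
{
    char pw[128];
    if (len >= sizeof pw || generate_default_password(pw, len) != 0)
        return -1;
    return policy_ok(pw);
}

int main(void)
{
    char pw[MIN_LEN + 1];
    if (generate_default_password(pw, MIN_LEN) == 0)
        printf("%s\n", pw);
    return 0;
}
```

The generator only enforces the run limit constructively; the digit share is left to rejection because the expected digit fraction from this alphabet is already well above 25%, so few draws are discarded. The same `policy_ok` check can be run against a vendor's existing factory defaults to see which would fail the rule.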