[clug] Drive-By Pharming Attack Could Hit Home Networks
Alex Satrapa
grail at goldweb.com.au
Thu Feb 22 03:32:49 GMT 2007
On 22/02/2007, at 13:39 , Andrew Boyd wrote:
> On 2/22/07, Sunnz <sunnzy at gmail.com> wrote:
>> Well Windows Adobe whatever etc. make people type in serial numbers
>> for a long long time so it should be no way "customer unfriendly".
> I think that, as a species, we could probably do better.
I think the appeal of the default password is simply that the
manufacturer can mass produce the hardware, burn a single image onto
each and every ROM, and ship it to the customer.
For a system such as "initial password is the serial number", they'd
have to modify the memory of each piece of hardware separately. Of
course, the fact that each piece of hardware goes through some form
of QA testing would imply that there is a point in the process at
which it becomes trivial to generate a random password, burn that
into the device's ROM, and print out a label with the password, then
attach the label to the device (this could even be the "tested by …"
label).
Alternately, the mass-produced anonymous device could ship with
wireless deactivated by default, with the initial administrative
connection being made by cable connected to the device. Turning on
the wireless would then require a password to be entered (or
modified). This preserves the economy of mass-produced anonymous
devices, while providing some means of preventing "default password"
attacks on such devices as installed at users' premises.
But then, as the saying goes, the world will build a better fool. The
people at home — now required by the setup procedure to invent a
password — will simply copy the password from the example in the
manual, and we'll be back to square 1.
Alex
More information about the linux
mailing list