[clug] Drive-By Pharming Attack Could Hit Home Networks

Kim Holburn kim.holburn at gmail.com
Thu Feb 22 08:10:13 GMT 2007


I like the idea of a password based on MAC address or serial number.
It has some inherent security compared with a default password.

Surely it could be done as a script?  The system wakes up after a  
reset to default and says to itself - "No password - create a new one  
from the serial number with this script. There, that's better.  Now  
I'll allow wireless to be activated."  Then all copies of the OS  
could be the same.

On 2007/Feb/22, at 4:32 AM, Alex Satrapa wrote:

> On 22/02/2007, at 13:39 , Andrew Boyd wrote:
>
>> On 2/22/07, Sunnz <sunnzy at gmail.com> wrote:
>>> Well Windows Adobe whatever etc. make people type in serial numbers
>>> for a long long time so it should be no way "customer unfriendly".
>
>> I think that, as a species, we could probably do better.
>
> I think the appeal of the default password is simply that the  
> manufacturer can mass produce the hardware, burn a single image  
> onto each and every ROM, and ship it to the customer.
>
> For a system such as "initial password is the serial number",  
> they'd have to modify the memory of each piece of hardware  
> separately. Of course, the fact that each piece of hardware goes  
> through some form of QA testing would imply that there is a point  
> in the process at which it becomes trivial to generate a random  
> password, burn that into the device's ROM, and print out a label  
> with the password, then attach the label to the device (this could  
> even be the "tested by …" label).
>
> Alternately, the mass-produced anonymous device could ship with  
> wireless deactivated by default, with the initial administrative  
> connection being made by cable connected to the device. Turning on  
> the wireless would then require a password to be entered (or  
> modified). This preserves the economy of mass-produced anonymous  
> devices, while providing some means of preventing "default  
> password" attacks on such devices as installed at users' premises.
>
> But then, as the saying goes, the world will build a better fool.  
> The people at home — now required by the setup procedure to invent  
> a password — will simply copy the password from the example in the  
> manual, and we'll be back to square 1.
>
> Alex
>
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux

--
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3342707610
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request

Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961
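
The first-boot script described in the message above, sketched as an added example that is not part of the original post or of any vendor's firmware; the state directory, file names and function names are all hypothetical. It derives the password from the serial number rather than the MAC address, because the MAC is visible to any nearby radio once wireless is on.

```shell
#!/bin/sh
# Added example: first-boot provisioning sketch. All names and paths
# (STATE_DIR, serial, admin.hash, derive_password, ...) are hypothetical.

STATE_DIR="${STATE_DIR:-./router-state}"   # stands in for per-device storage

# Derive a 12-character password from the serial number.
# Assumption: the firmware can read the serial, and the same value is
# printed on the device label so the owner can reproduce the password.
derive_password() {
    printf 'admin-pw-v1:%s' "$1" | sha256sum | cut -c1-12
}

# Keep only a hash on the device. Simplified: a real device would use
# its normal salted password store instead of a bare SHA-256.
store_password() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1 > "$STATE_DIR/admin.hash"
}

# Run at every boot. After a reset to defaults there is no stored
# password, so create one from the serial; otherwise leave it alone,
# so a password the owner has changed is never overwritten.
first_boot() {
    [ -s "$STATE_DIR/admin.hash" ] && return 0
    serial=$(cat "$STATE_DIR/serial") || return 1
    [ -n "$serial" ] || return 1      # never derive from an empty serial
    store_password "$(derive_password "$serial")"
}

# Wireless may only be activated once an admin password exists.
wireless_allowed() {
    [ -s "$STATE_DIR/admin.hash" ]
}

# Check a login attempt against the stored hash.
check_password() {
    wireless_allowed || return 1
    attempt=$(printf '%s' "$1" | sha256sum | cut -d' ' -f1)
    [ "$attempt" = "$(cat "$STATE_DIR/admin.hash")" ]
}
```

Because every unit runs the same image, anyone who extracts the firmware and learns a unit's serial can recompute its password, so the serial has to be treated as a secret printed only on the device.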




