    Unsecure routers, webcams prompt feds to sue D-Link

    • lanceL
      lance
      last edited by

      http://arstechnica.com/tech-policy/2017/01/unsecure-routers-webcams-prompt-feds-to-sue-d-link/

      • travisdh1T
        travisdh1
        last edited by

        That entire article is one failure after another, but the last one takes the cake:

        "Defendants have failed to use free software, available since at least 2008, to secure users’ mobile app login credentials, and instead have stored those credentials in clear, readable text on a user’s mobile device."

        • lanceL
          lance @travisdh1
          last edited by

          @travisdh1 I got a kick out of it.

          • travisdh1T
            travisdh1 @lance
            last edited by

            @lance said in Unsecure routers, webcams prompt feds to sue D-Link:

            @travisdh1 I got a kick out of it.

            Even that doesn't get the amount of fail right. Passwords haven't been stored in the clear since the very early days of computing, very, very early days!

            • stacksofplatesS
              stacksofplates
              last edited by stacksofplates

              This is why the one D-Link camera I have is on its own VLAN with no outbound access and is only accessible from the outside through an SSH tunnel.

              • scottalanmillerS
                scottalanmiller @travisdh1
                last edited by

                @travisdh1 said in Unsecure routers, webcams prompt feds to sue D-Link:

                @lance said in Unsecure routers, webcams prompt feds to sue D-Link:

                @travisdh1 I got a kick out of it.

                Even that doesn't get the amount of fail right. Passwords haven't been stored in the clear since the very early days of computing, very, very early days!

                They were still standardly open in the early 1990s.

                • DustinB3403D
                  DustinB3403
                  last edited by

                  Without reading the article: on Windows 2000, with a password for your user account enabled, you could just tap Enter with a blank password field and get access.

                  • travisdh1T
                    travisdh1 @scottalanmiller
                    last edited by

                    @scottalanmiller said in Unsecure routers, webcams prompt feds to sue D-Link:

                    @travisdh1 said in Unsecure routers, webcams prompt feds to sue D-Link:

                    @lance said in Unsecure routers, webcams prompt feds to sue D-Link:

                    @travisdh1 I got a kick out of it.

                    Even that doesn't get the amount of fail right. Passwords haven't been stored in the clear since the very early days of computing, very, very early days!

                    They were still standardly open in the early 1990s.

                    Really? I remember my UNIX training around the 1995/1996 era and learning about shadow files. I don't go back to the early 90s with any training/experience, so that's just how it's always been for me. I would've thought that would be a lot older than that as a standard practice. When you can

                    cat /etc/passwd
                    

                    and log in as anyone you want, that's really not so great!

                    • scottalanmillerS
                      scottalanmiller
                      last edited by

                      From Wikipedia:

                      Prior to password shadowing, a Unix user's hashed password was stored in the second field of his/her record in the /etc/passwd file (within the seven-field format as outlined above).

                      Password shadowing first appeared in Unix systems with the development of SunOS in the mid-1980s,[10] System V Release 3.2 in 1988 and BSD4.3 Reno in 1990. But, vendors who had performed ports from earlier UNIX releases did not always include the new password shadowing features in their releases, leaving users of those systems exposed to password file attacks.

                      System administrators may also arrange for the storage of passwords in distributed databases such as NIS and LDAP, rather than in files on each connected system. In the case of NIS, the shadow password mechanism is often still used on the NIS servers; in other distributed mechanisms the problem of access to the various user authentication components is handled by the security mechanisms of the underlying data repository.

                      In 1987 the author of the original Shadow Password Suite, Julie Haugh, experienced a computer break-in and wrote the initial release of the Shadow Suite containing the login, passwd and su commands. The original release, written for the SCO Xenix operating system, quickly got ported to other platforms. The Shadow Suite was ported to Linux in 1992 one year after the original announcement of the Linux project, and was included in many early distributions, and continues to be included in many current Linux distributions.

                      • scottalanmillerS
                        scottalanmiller
                        last edited by

                        So while the technology existed by the mid-1980s, it was really only on one or two platforms, and just because it was released by 1990 - 1992 for most systems, that only impacted new installations of up-to-date systems. Servers running for a while, which is the bulk of the market, or systems that didn't deploy the latest technology, or sites that didn't want to break compatibility, or products built on older releases continued to not have shadow functionality for many years, and even in the 2000s you could find a lack of shadow and/or the use of telnet instead of SSH still lingering, even at large companies. By the mid-1990s we were all learning about shadow, but in a "sometimes you have it" sort of way.

                        1 Reply Last reply Reply Quote 1
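
As an added example (not part of any post in this thread): an audit of a passwd-format file for records whose second field still holds something other than a shadow marker, the pre-shadow layout described in the Wikipedia excerpt and the lingering legacy setups mentioned above. The function names and the sample records are constructed for illustration; the hash strings are placeholders, not real hashes.

```python
import re

# Traditional DES crypt(3): 2-char salt + 11-char hash from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Modular crypt format prefixes ($id$...) that can appear in a password field.
MCF_SCHEMES = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
               "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}


def classify_password_field(field):
    """Describe what the second field of a passwd record holds."""
    if field == "x":
        return "shadowed"            # real hash lives in the shadow file
    if field == "":
        return "empty"               # account has no password at all
    if field in ("*", "!", "!!"):
        return "locked"              # bare lock marker, no hash present
    if field.startswith("$"):
        return "hash:" + MCF_SCHEMES.get(field.split("$")[1], "unknown-mcf")
    if DES_CRYPT.match(field):
        return "hash:des-crypt"
    return "unrecognized"            # e.g. a lock prefix followed by a hash


def audit_passwd(text):
    """Return (line_no, user, finding) for records not shadowed or locked."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:         # the seven-field format is mandatory
            findings.append((line_no, fields[0], "malformed"))
            continue
        status = classify_password_field(fields[1])
        if status not in ("shadowed", "locked"):
            findings.append((line_no, fields[0], status))
    return findings


# Constructed sample input; hash values are made-up placeholders.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
olduser:abJnggxhB0yWs:1001:1001:Legacy:/home/olduser:/bin/sh
svc:$6$examplesalt$placeholderhashvalue:1002:1002::/home/svc:/bin/sh
guest::1003:1003::/home/guest:/bin/sh
broken:x:1004:1004
"""
```

Calling `audit_passwd(SAMPLE)` flags the DES-crypt record, the SHA-512 record, the empty password field and the malformed line; on a real system the input would be the contents of the world-readable passwd file.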
                        • DashrenderD
                          Dashrender
                          last edited by

                          The same thing still exists in the Windows environment - so many programs don't work in Windows XP-10 because they were written with no security in mind like the Windows 9x days.

                          • travisdh1T
                            travisdh1 @scottalanmiller
                            last edited by

                            @scottalanmiller said in Unsecure routers, webcams prompt feds to sue D-Link:

                            From Wikipedia:

                            Prior to password shadowing, a Unix user's hashed password was stored in the second field of his/her record in the /etc/passwd file (within the seven-field format as outlined above).

                            Password shadowing first appeared in Unix systems with the development of SunOS in the mid-1980s,[10] System V Release 3.2 in 1988 and BSD4.3 Reno in 1990. But, vendors who had performed ports from earlier UNIX releases did not always include the new password shadowing features in their releases, leaving users of those systems exposed to password file attacks.

                            System administrators may also arrange for the storage of passwords in distributed databases such as NIS and LDAP, rather than in files on each connected system. In the case of NIS, the shadow password mechanism is often still used on the NIS servers; in other distributed mechanisms the problem of access to the various user authentication components is handled by the security mechanisms of the underlying data repository.

                            In 1987 the author of the original Shadow Password Suite, Julie Haugh, experienced a computer break-in and wrote the initial release of the Shadow Suite containing the login, passwd and su commands. The original release, written for the SCO Xenix operating system, quickly got ported to other platforms. The Shadow Suite was ported to Linux in 1992 one year after the original announcement of the Linux project, and was included in many early distributions, and continues to be included in many current Linux distributions.

                            That's worth its own article somewhere. Don't know if it would fit best in your Learning Linux guides or somewhere else, or a couple places.

                            • scottalanmillerS
                              scottalanmiller
                              last edited by

                              There has been a placeholder for it for a while.
