• it's not really a security hole

    From Ogg@VERT/EOTLBBS to All on Tue Jul 28 21:46:00 2020
    Hello Nightfox!

    ** On Tuesday 28.07.20 - 12:01, nightfox wrote to Moondog:

    I've heard stories like that, but I've wondered if some people just
    aren't password-protecting their camera or something (as you said,
    issues people have with not securing their nanny cams). If that's the
    case, it's not really a security hole, but people just not being
    careful enough to secure their camera.

    These types of devices should have the ability to generate an automatic
    random password at the first (after-factory) bootup. Then, let's consider
    a camera, since the user has to use a networked computer to access the
    camera, the device could prompt to enter a first-time setup menu to
    reveal the random password and an opportunity to change it. That can't
    be impossible to implement. It just seems stupid to have the same
    factory-set password for every device - especially when there are many
    more people on the internet who won't play nice compared to 20 years ago.

    ---
    ■ Synchronet ■ End Of The Line BBS - endofthelinebbs.com
  • From Moondog@VERT/CAVEBBS to Ogg on Wed Jul 29 04:31:00 2020
    Re: it's not really a securit
    By: Ogg to All on Tue Jul 28 2020 05:46 pm

    Hello Nightfox!

    ** On Tuesday 28.07.20 - 12:01, nightfox wrote to Moondog:

    I've heard stories like that, but I've wondered if some people just
    aren't password-protecting their camera or something (as you said,
    issues people have with not securing their nanny cams). If that's the
    case, it's not really a security hole, but people just not being
    careful enough to secure their camera.

    These types of devices should have the ability to generate an automatic
    random password at the first (after-factory) bootup. Then, let's consider
    a camera, since the user has to use a networked computer to access the
    camera, the device could prompt to enter a first-time setup menu to
    reveal the random password and an opportunity to change it. That can't
    be impossible to implement. It just seems stupid to have the same
    factory-set password for every device - especially when there are many
    more people on the internet who won't play nice compared to 20 years ago.

    An NVR I set up for a non-profit club had a factory override password in
    its documentation that would work with any of that model of NVR. The only
    caveat was you had to enter that password directly at the console, and it
    couldn't be done through the remote interface. I also set them up with
    user accounts so a "user" could view footage, but not delete or make any
    changes to the system configuration. An admin account was provided, but I
    told them only use it when changes had to be made. For all intents and
    purposes they could do what they needed through the user account.

    Regardless, the documentation that contained that password was locked
    away in a box in the security room, and it was more of an issue of
    "security through obscurity" because the lock box looked like another
    wired security panel.

    ---
    ■ Synchronet ■ The Cave BBS - Since 1992 - cavebbs.homeip.net
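
Ogg's suggestion in this thread (a random password generated at first boot, revealed once in a first-time setup step, with a chance to change it) sketched as an added example. It is not code from any poster or device vendor; the state-file layout, function names, alphabet and 12-character minimum are assumptions.

```python
import hashlib, hmac, json, os, secrets, tempfile

ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # assumed: no look-alike characters

def _digest(password, salt):
    # Salted, slow hash so the stored file does not reveal the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()

def _save(path, password, must_change):
    salt = secrets.token_bytes(16)
    state = {"salt": salt.hex(), "hash": _digest(password, salt), "must_change": must_change}
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(state, f)
    os.replace(tmp, path)  # atomic swap: never a half-written credential file

def first_boot(path):
    """Create a per-device random password once; return it only on that first call."""
    if os.path.exists(path):
        return None  # already provisioned, nothing to reveal
    password = "".join(secrets.choice(ALPHABET) for _ in range(16))
    _save(path, password, must_change=True)
    return password

def login(path, password):
    """Return 'denied', 'change_required' (setup menu) or 'ok'."""
    with open(path) as f:
        state = json.load(f)
    candidate = _digest(password, bytes.fromhex(state["salt"]))
    if not hmac.compare_digest(candidate, state["hash"]):
        return "denied"
    return "change_required" if state["must_change"] else "ok"

def change_password(path, old, new):
    """Replace the password; clears the first-time setup flag."""
    if login(path, old) == "denied" or len(new) < 12 or new == old:
        return False
    _save(path, new, must_change=False)
    return True

if __name__ == "__main__":
    path = os.path.join(tempfile.mkdtemp(), "credentials.json")  # constructed path
    initial = first_boot(path)
    print("shown once in setup menu:", initial)
    print(login(path, initial), login(path, "admin"))
    print(change_password(path, initial, "a much longer passphrase"), first_boot(path))
```

Because each device draws its own password from the OS random source, a password learned from one unit or its manual does not work on another.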