Imagine buying this expensive equipment as part of your critical infrastructure and then being told "btw it has a huge security vulnerability which we aren't gonna bother fixing".
That would assume that they would bother telling you there is a vulnerability...
That's the sad reality of the modern world. "We fixed it in the new 250,000$ box." (omitting that there are _other_ bugs in the new box.)
Very expensive research, great talk❤
I have a Cisco 19" switch in my room here, I had to replace the fans with near-silent ones, was horrendously noisy (but not any more!)
Say P P P one more time 🤣!! Just kidding great talk much appreciated !👍
This is so incredibly cool! I would love to do similar research. Thanks for the great presentation! 🤗
Aleph Research the author of "Aleph1 smashing the stack for fun and profit"?
This is strong Kung Fu!
'stop using eol equipment' should be 'vendors should issue security patches in perpetuity'
Not so much "for ever", but yes, for a reasonably long period covering the _actual_ useful lifetime of the product. (eg. I still have 25yo Bay/Nortel/Avaya switches in use. They work, why should I replace them. The Cisco 1760... yeah, the internet is a lot faster than 8Mbps, so that's no longer "useful".)
In this case, while it might seem to be a trivial thing to fix -- and should be -- this assumes Ericsson has the people and assets (code, build env, etc.) to actually make a patch for something two decades old.
@jfbeam Been to installations where people are still using Cisco 2950s haha
A great talk and presentation. By the way @DEFCONConference there's a few errors in the transcribed subtitles, is there any way I can suggest some edit improvements? (mostly due to misheard sentences, in some cases they make no sense because of the mistyped words)
Bro really likes Solar Opposites
Great presentation 👌
I'm still curious what research or what techniques you used to determine the ISP equipment Brand/Model to begin research? I know there are many options available but curious what your path was.
Sometimes the ISP will include model numbers as part of the host name for the equipment, so a simple traceroute can give you a lot of information regarding the network between you and outside ASs. If you have L2 connectivity, you could look at ARP to determine equipment OUIs and link that back to a manufacturer. Nmap scans to reveal any services that might help fingerprint, etc.
turn on the closed captions, drink a shot for every letter 'P'
the rick and morty characters were sure necessary
Very cool!
What's the Piupa doing?
Looks like it was designed to have holes in it.
PPP?
PPP!
Very nice
PS4 PPPWNed
at the end I'm sure he said thank you for your come lol
thank you for you TUM (Time)