
HP admits to backdoors in storage products - iProject
http://www.theregister.co.uk/2013/07/11/hp_prepping_fix_for_latest_storage_vuln/
======
kryten
1. SSH to the box

2. Username: hpsupport

3. Password (from SHA1 lookup): badg3r5

Yes that shit.

We have some of this kit in and I've tested it and it works absolutely spot
on. Fortunately it's all firewalled off but it's not the sort of crap you want
on your doorstep.

Nothing to do with the NSA this - just a crappy decision somewhere which is
designed to make HP support's life easier. As someone else said: this bug is
as old as time.

~~~
wslh
Welcome to the 80s. Seems like software development is moving in circles.

------
RexRollman
I just don't understand why companies are still pulling this crap. It puts
their customers at risk.

~~~
bigiain
Because their customers are the pointy-haired-bosses who're asking "Why the
hell do we need to wait for them to send a service tech out? Why can't they
fix this online?" when shit is actually going down - rather than the
network/storage/security guys who point out the risks of things that haven't
happened yet.

~~~
drdaeman
Yea, but techies should at least use PKI with HSM guarding the private key,
not a 7-char almost-dictionary-based password.

~~~
DavidBradbury
But it has numbers replacing the letters! That makes it hard for computers to
guess!!!

~~~
drdaeman
Oh, right. Sounds like the pointy-haired boss decided upon the password
himself.

------
blinkingled
Misleading article title. (What better to expect from The Register?) HP
admitted there's a vulnerability that with customer-provided access and
permission can allow HP support to access underlying OS of the storage device.
At most a reboot is possible not data access. So this is just another stupid
vulnerability that'll be fixed soon - not a backdoor.

~~~
nness
I would say otherwise, seeing as that it was a known vulnerability, and left
in intentionally. Very much a backdoor.

~~~
ikurei
Why "intentionally"? Maybe it was put there intentionally but leaving it that
way was a mistake. I don't think that's a backdoor, just from the article.

~~~
venomsnake
I would say that both malice and stupidity of HP are well balanced in this
case.

------
coldcode
Sadly our parent company uses HP to handle all security and computer
support/installation. Around here they are known as Helpless People.

------
Fuxy
HP nicely covering their ass to not get associated with the NSA scandal
happening at the moment. I don't know if the fact that they are trying so hard
is an indication that they actually are but this is suspicious.

------
exgeocitiesuser
this keeps getting better and better

------
sgloutnikov
Looks more like name/brand smearing to me (from the competition?). Especially
convenient in the midst of the NSA scandal.

~~~
mtgx
It's not smearing when it's true. Just plain old exposing.

