[EAS] Cybersecurity for broadcast stations

Sean Donelan sean at donelan.com
Fri Apr 8 16:04:57 CDT 2016


On Fri, 8 Apr 2016, Phil Johnson wrote:
> There's no such thing as a "secure" default password.  They become
> well-known not long after the first units are shipped.  And try Googling
> "default password Comcast router."

Other parts of the IT industry figured that out.  You never ship 
everything with the same default password.

Instead as part of the out-of-the-box configuration you prompt the 
installer for a new password to complete the set up (before allowing
any remote access).  Or you ship every box with different randomly 
generated setup (i.e. default) passwords, and put the unique randomly 
generated password on the label next to the serial number like almost 
every new WiFi vendor does now.

It took many clue by fours to the head like your Comcast example for 
some router vendors to realize that. Yep, I'm on a first name basis with 
several Comcast (and other cable companies) security folks and executives.

It would be better if equipment didn't rely on static passwords, and used 
more secure authentication.  But I'm realistic that the initial 
out-of-the-box setup process is always limited.  Do you read the owner's 
instruction manual cover to cover every time you get in a new rental car
at the airport for all safety features? Vendors should realize
pre-configured defaults are important.

It's amazing how often configured boxes "forget" their configuration,
and reset to their original settings.  Even if you did configure a box
securely once upon a time, unless you are checking it constantly, 
you may not realize the defaults are back after an update or CMOS battery 
change.

Defaults matter.  And the vendor always decides what the first default is.
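The out-of-the-box flow described in this post (a per-unit random password printed on the label, a forced password change before any remote access is enabled, and a check that catches a box that has quietly reverted to its factory settings), as an added Python example that is not part of the original message or of any vendor's firmware. The `Device` class, the label alphabet and the 12-character length are constructed assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Label alphabet without visually ambiguous characters (0/O, 1/l/I) so the
# installer can read the printed password back reliably. Constructed choice.
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789"
LABEL_LENGTH = 12          # ~69 bits of entropy with this 55-symbol alphabet
PBKDF2_ITERATIONS = 100_000


def generate_label_password(length=LABEL_LENGTH):
    """Per-unit setup password, drawn from the OS CSPRNG at manufacturing time.

    Every box gets a different value, which is what puts it next to the
    serial number on the label instead of in a shared 'default password' list.
    """
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 so the stored verifier is never the password."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against a stored verifier."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class Device:
    """Minimal model of a box that gates remote access on completed setup."""

    def __init__(self, label_password):
        # The factory verifier is kept so a later reset to defaults is detectable.
        self.factory_salt, self.factory_digest = hash_password(label_password)
        self.salt, self.digest = self.factory_salt, self.factory_digest
        self.setup_complete = False

    def remote_access_allowed(self):
        # Remote management stays off until the label password has been replaced.
        return self.setup_complete

    def complete_setup(self, label_password, new_password):
        """Local-console step: prove possession of the label password, set a new one."""
        if not verify_password(label_password, self.salt, self.digest):
            return False
        if verify_password(new_password, self.factory_salt, self.factory_digest):
            return False          # refuse a "change" back to the label password
        if len(new_password) < 12:
            return False          # constructed minimum length
        self.salt, self.digest = hash_password(new_password)
        self.setup_complete = True
        return True

    def factory_reset(self):
        """Models the configuration loss the post describes (update, CMOS battery...)."""
        self.salt, self.digest = self.factory_salt, self.factory_digest
        self.setup_complete = False

    def still_using_factory_password(self):
        """Health check an operator can poll: True means the defaults are back."""
        return hmac.compare_digest(self.digest, self.factory_digest)


if __name__ == "__main__":
    label = generate_label_password()              # what gets printed on the sticker
    box = Device(label)
    print("label password:", label, "remote access:", box.remote_access_allowed())
    box.complete_setup(label, "installer-chosen-passphrase-2016")
    print("after setup, remote access:", box.remote_access_allowed())
    box.factory_reset()
    print("defaults back?", box.still_using_factory_password())
```

Polling `still_using_factory_password()` from a monitoring job is the piece most shops skip: it turns "we configured it once" into a check that fires the day an update or a dead CMOS battery puts the label password back in service.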
