Comments on: Your Cisco phone is listening to you: 29C3 talk on breaking Cisco phones

By: bellebouche

bellebouche — Sun, 30 Dec 2012 09:56:00 +0000

Wry smiles all round when the slides that detailed the Cisco TAC responsiveness to their own bugs came up. Fancy that!

Schadenfreude all round and I trust one or two people there will be butthurt after xmas

By: fuzzyfuzzyfungus

fuzzyfuzzyfungus — Sun, 30 Dec 2012 05:40:00 +0000

It was. However, the default user account(which isn’t privileged; but which is enough to launch their privilege escalation exploit) is identical across all phones, so obtaining a password that would work reliably during an automated attack wasn’t terribly difficult.

(And, in an ironic touch, the file checksumming security system prevents tampering with /etc/passwd, so even an alert operator cannot disable the account or change its password, the phone will just detect the tampering and revert the file…)

By: Sean Aubin

Sean Aubin — Sun, 30 Dec 2012 02:11:00 +0000

One thing that I was a little unclear on, why wasn’t the console which gave them access password protected?

By: asuffield

asuffield — Sat, 29 Dec 2012 23:51:00 +0000

If the competition was Polycom then it’s not hard to beat in any evaluation. Sad reality is that standards are low in this market, and this is driven by customers being primarily interested in price – what corporate purchasers want is a cheap, bad phone that covers all the things on their “essential features” list. I know a lot of engineers who would love to build better endpoints. Nobody would buy them.

(My opinions here are my own and not those of my employer, Cisco Systems. I don’t work in a part of the company that does phones.)

By: Brad Ackerman

Brad Ackerman — Sat, 29 Dec 2012 23:36:00 +0000

“Nobody ever got fired for buying Cisco”. Do Cisco phones get bought because they beat the competition in a real evaluation, or because the CxO said “I met with the Cisco sales rep and he had a really swank suit; give them all our money”?

By: fuzzyfuzzyfungus

fuzzyfuzzyfungus — Sat, 29 Dec 2012 21:49:00 +0000

Just remember, this is the expensive, classy, ‘enterprise’, secure product… Odds are good that the goods don’t exactly improve elsewhere in the market.

By: Aaron Swain

Aaron Swain — Sat, 29 Dec 2012 21:15:00 +0000

Equal parts entertaining and disturbing

By: PAPPP

PAPPP — Sat, 29 Dec 2012 20:57:00 +0000

The official mirrors/torrents for videos of all the talks for the 29C3 sessions as they get processed and uploaded are here: https://events.ccc.de/congress/2012/wiki/Documentation#Official_mirrors
They were running a live-stream during the conference, but it was at inconvenient times for the U.S. and some of the things I wanted to watch overlapped, so I just waited for the good copies to go up and am watching now. The Chaos Communication Congress talks tend to be some of the best tech presentations that make it to the ‘net, I’ve never managed to come up with an excuse to end up in Germany for it, but I have ended up watching most of the sessions online after the fact each year.

By: kai rupert

kai rupert — Sat, 29 Dec 2012 20:32:00 +0000

this time the CCC is in Hambug, not in Berlin

By: René Walter

René Walter — Sat, 29 Dec 2012 20:13:00 +0000

Yep, it’s in Hamburg this year. Also: Here’s the YT-Channel for all 29c3-Talks in english Language: http://www.youtube.com/user/CCCen/videos (and here are the german ones: http://www.youtube.com/user/CCCdeVideos/videos)

By: Jan-Bernd Vstn

Jan-Bernd Vstn — Sat, 29 Dec 2012 20:08:00 +0000

29c3 is in Hamburg not Berlin