atcomsystems.ca/forum Forums TDM Business Telephone Systems Avaya - Lucent Telephones & Systems Partner Mail VS security / hacking - how to prevent?!

Quoting Hal:
>People who own Avaya systems are supposed to have >a relationship with a dealer who would handle >such things a lost admin password and remote >administration. There would be no reason for the >customer to need the backdoor or even know one >existed. Dealers do not divulge such information >anyway.

Hmm, that's interesting, is there actually a legal clause in the sales contract that says, "In order to own or use this physical hardware & software, you MUST have a contract with a dealer for support and service"? Are there enforceable legal penalties against private acquistion and use of Avaya/Lucent phone systems? If not, your remarks are just wishful thinking.

----

>Enter the internet. Buyers think they are getting >a slick deal but there is no dealer that they can >turn to and tech support is almost non existant >or incompetant from gray market sellers. So not >only is there a desire to know by the end user >but now the information gets freely distributed >when it is learned.

-----
This is a fact of life called "change" (i.e. the Internet and its availability of all types of easily searchable information) and is no excuse for piss-poor security. Lucent/Avaya ought to have anticipated this a decade or more ago -- the Internet was sufficiently widespread even in 1995 for this development (distribution of backdoors) to have been expected.

>>So basically by buying off the internet you have >>screwed yourselves on the security issue.

That's not a fair remark. You're saying because *I* personally got a donated system from another end-user that I am responsible for the system's security problems? Silly. Think about it. How many people does it take to spoil the secret of the Partner VS backdoor? How many, Hal? One person.

Don't lump together the hundreds, probably thousands of other non-dealer system installers and end-user admins with the one (or few) people in YOUR industry who decided to divulge the passwords.

Again, the entire problem could have been avoided with even the slightest forethought by Avaya.

What stinks, generally, about Telecom providers is not your prices, per se, but the general attitude of condescension toward your end-users. The fact that your business depends on a small amount of private and arbitrary information (such as back door passwords) makes it understandable that you would resort to "Well it shouldn't be that way!" as an excuse for covering over poor security.

Again, the entire problem could have been avoided with even the slightest forethought by Avaya.

Actually I'm sure it was given forethought. Avaya is in the business of selling product and making it easy to support the customers who buy it. What happens to old equipment after it has left the original owner is of little concern.

If this is such a big issue to you get a Partner Messaging r7.0. That password is not in general circulation.

Why is it that the people who pay little or nothing are always the ones to complain the loudest?

-Hal

sound like a computer guy. hey anachron rj11's fit in rj45's

As I said, this system is installed at a non-profit organization that can't afford to upgrade to Partner Messaging 7, period. And "the password is not in general circulation?" HELLO? How long would you guess before it will be?

There is simply no reason for all the dumb "oh don't post the password on the internet!" Please realize what an awfully stupid situation that is. There is no reason, at all, that the backdoor password for each unit cannot be easily tied to the SERIAL NUMBER of the unit (or the software license key, if it's software-only.)

As for "what happens when the equipment leaves the original owner," again, that's just another jab at organizations who don't happen to be able to afford brand-new Avaya equipment and support.
If I had purchased this system brand new for $5,000 from you, plus a support contract from here to infinity including afternoon tea served daily, I would still be pissed about this stupid backdoor.

I'll increase my offer to $250.00 for anyone who can give me instructions for securing my stock Partner Mail VS 4.1 in such a way that the standard backdoor is disabled, permanently. (No additional hardware allowed, and no dangerous flashing with custom non-factory firmware or anything of that type.)

As for RJ11's fitting in RJ45's, yeah, they do, but they also will damage the RJ45 very quickly if that's done more than a few times. Don't do it.

Three county fairs and a goat rope and I ain't heard nothin like that!!!!!!!!!!!!! :rofl:

anachron I feel for you and wish I could offer advise. I agree with your comments on the security, and you are correct with the RJ45-RJ11, they will damage the pins. Not sure at what point this board decided to stop posting passwords, but it has not been very long. So don't let the high and mighty attitudes some have here turn you off. On the other hand, you need to realize that by getting old equipment, you are subject to bugs and other issues that newer equipment resolves.

Ya know what? Except for the arrogance, anachron's right! The older Partner Mails could have their password reset, but you needed the serial number and you had to cycle the power to do it. You run into problems when the hard drive is replaced, but the serial number is not. Not likely that a "hacker" (and I prefer the old school definition of hacker, it's where I started) is going to pull that one off anomyously.

Now, I love being able to dial into a customer site, get into programming, find and fix a problem for them. But I would be willing to not have backdoor passwords if I could go on site and reset it there.

However, rocks are hard and water is wet. The p/w's are out there, so if you find it an unacceptable security risk, just don't use it.

The practice of not posting passwords on this board have been in place forever, as for the high and mighty we have always offered to dial in and reset VM's so I don't know where you got that from. I grant you passwords have been posted on the board but we try to catch and delete off the open board.

That non-profit happens not to be able to afford what are I'm sure your quite expensive service rates.

You are arguing against yourself there. If there were no backdoor passwords we would have to pay a visit to the site and charge for a service call.

The reason we charge what we do is because WE don't want to become a non-profit. Geeze, then we couldn't afford a new voice messaging system. :toothy:

-Hal