Founding Document

Default is a FAULT – Founding Document

Version: 0.1 (Draft)
Date: August 2017

This project is currently at a starting point. We wish to learn from the public what each and every one of you thinks about this project and how it can be done better, so please share your thoughts with us in any way you can: in the comments below, via the “Contact Us” form at our web site (the site is really basic now; we hope to make it better soon) or by sending us an email to [email protected]

  1. Project name
    • Default is a FAULT
      • DIAF for short
    • The name aims to describe the project’s vision: that default passwords are a stupid and bad thing for information security
  2. Vision
    • Eliminating the use of default passwords
  3. Mission
    • Eliminate the concept of default passwords, especially in hardware-based products, thereby encouraging the use of unique passwords by vendors and product owners, with the aim of minimizing the risk of their hardware being breached
  4. The need
    • Imagine you are interested in buying a front door for your home. At the store of the first vendor you try, the salesman tells you that the key of the specific door you will get is the same for all the doors this vendor sells, and that anyone in the world can easily find and use this key, so anyone in the world can open your home door.
      Yes, it is possible, for free, to change the key pattern, but non-technical customers cannot easily do so.
      Will you buy a door from this vendor? Or will you reject the vendor as not serious about security and move on to find a more security-conscious vendor? I believe the answer is clear…
    • The door story above is simply a metaphor for what is happening today with almost all computerized hardware products, with emphasis on networking devices like home routers, Wi-Fi access points and so on. For these devices the risk is multiplied many times over, because they are connected to the Internet while acting as the digital “door” to your home network, which increases the risk of someone breaking into your network by using these products’ default passwords
    • In almost all cases the default user and default password grant whoever uses them the highest possible permissions on the target device, through an account known as either “Administrator” (or “Admin” for short) or “Root”, meaning that this account can do whatever is possible to be done to and by the device
    • In addition, the information about these default passwords is easily accessible to anyone on the Internet. Here are some Internet sites that hold an index of many default passwords, by many vendors and for many models:
      • https://www.defaultpassword.com/
      • https://cirt.net/passwords
      • Try searching an Internet search engine for the model of your own home Internet connection device plus the term “default password” and see how easily you find this data, which means anyone on the Internet can find it too
    • Next, some examples of how many devices are accessible from the Internet to be logged into:
      • We will use a web site called censys.io, which scans the Internet for networked devices and indexes the results
        • For example, Cisco is a well-known networking devices vendor. Let’s search for devices that are marked as being from Cisco plus the word “Wi-Fi”, on the assumption that we will find Cisco devices that have wireless Wi-Fi capabilities
        • We do not claim that eliminating default passwords will prevent every possible way of hacking a device, but it will surely prevent easy breaches of devices owned by the non-technical users of many products
  5. Target audiences
    • Vendors
      • Vendors are the primary target audience of this project, as they are the source of the default passwords embedded inside the hardware they manufacture
      • Vendors will be encouraged to cease the use of default passwords for their products and instead use a different, unique and random password for each individual product they manufacture (e.g. per serial number)
    • Customers
      • Customers influence the vendors, since they are the ones who decide which products to buy, and they are the ones affected by the products’ default security level, which puts many of them, mostly the non-experts, at risk of being hacked because of default passwords
      • Customers who prefer to buy products that are more secure because they do not use default passwords will steer vendors to do the right thing and eliminate the use of default passwords
    • Governments and regulation bodies
      • These entities also have a great effect on vendors, and they can force vendors to make sure their products demonstrate a minimal level of information security, such as not using default passwords, in the same way that, for example, baby toys must comply with many safety regulations and standards
      • Governments and regulation bodies will be encouraged to establish, preferably through country/state/federal laws, that it is illegal to sell digital products whose authentication mechanism uses default passwords
  6. Principles
    • This project is based on good will, positive attitude and plenty of supporting information to drive the change
    • Vendors
      • The project will maintain a public index of as many relevant vendors as possible, focusing at the start on the most popular ones, recording how many of the products they sell use or do not use default passwords
      • Each vendor will receive a grade that represents how well the vendor complies with eliminating default passwords
      • The source of the data for calculating the grade will be official, digitally signed declarations by the vendors themselves, based on forms created by this project
      • This project does not have the resources to verify the credibility of these reports, and they will be published to all on the project’s web site. We are certain that the vendors’ customers and competitors will be the ones to test these declarations and inform us of any issues
    • Customers
      • Customers will be heavily informed about the risk of default passwords and encouraged to choose products that have been declared, by the vendors, to avoid the use of default passwords
    • Governments and regulation bodies
      • These entities will be heavily informed about the risk of default passwords to their citizens and encouraged to legislate relevant laws that officially prohibit the sale of products with a low level of information security, thereby preventing the sale of products with default passwords
  7. Resources
    • This project is based purely on the volunteer work of its operators
    • Contributors will not be paid with money, money equivalents or any other benefits
    • Contributions, whether of money, services or products, will be considered based on the needs of the project and the identity of the donor
      • Contributions by vendors affected by this project are strictly prohibited
      • Every contribution will be publicly presented on the project’s site – including the financial amount (or other essence of the benefit) and the name of the donor
  8. Who are we
    • The founder of this project is Eitan Caspi, from Israel
    • I would be very happy if others join the ride, provided they agree with the project’s goals as detailed above and are willing to contribute some of their time and skills to promote them

If you are willing to help, please use the “Contact Us” form and state who you are, how you can contribute to the project and how much time you can dedicate to it. Thank you!

Again: this project is currently at a starting point. We wish to learn from the public what each and every one of you thinks about this project and how it can be done better, so please share your thoughts with us in any way you can: in the comments below, via the “Contact Us” form at our web site (the site is really basic now; we hope to make it better soon) or by sending us an email to [email protected]