<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=Windows-1252">
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
</head>
<body dir="ltr">
<div id="divtagdefaultwrapper" style="font-size: 12pt; color: rgb(0, 0, 0); font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols;" dir="ltr">
<p>Chris,</p>
<p><br>
</p>
<p>I understand and respect your position on this. I agree that allowing root access to any machine is akin to giving someone a loaded gun to kill their system. Obtaining root access not blessed by TAC would invalidate any support agreements for a host.</p>
<p><span style="font-size: 12pt;"></span></p>
<p><span style="font-size: 12pt;"><br>
</span></p>
<p><span style="font-size: 12pt;">That being said, it's very frustrating when you know TAC has the ability to assist in a situation but policy prevents it. A perfect example is UC admins who work in an environment where the cluster security password has been
lost over time. Yes, you're an admin and yes, it's technically possible to actually retrieve the cluster security password. But the official position is no; you have to reset it and take an outage on every host in your cluster. With root access, it takes
less than 5 minutes to SSH into a UCOS host, download the platformConfig.xml and decode the cluster security password.</span></p>
<p><span style="font-size: 12pt;"><br>
</span></p>
<p><span style="font-size: 12pt;">It gets worse in DR situations. In the last two months I've received requests for help from a couple UC admins affected by recent hurricanes. One of them was running CUCM 8.6 and it was technically possible to modify the
XML and do a DRS restore without knowing the previous cluster security password. TAC's response? Sorry, can't help. Even though Cisco had a backdoor in the backups for years and could have helped restore, they would not use it to assist a customer whose
primary datacenter was knocked offline.</span></p>
<p><span style="font-size: 12pt;"><br>
</span></p>
<p><span style="font-size: 12pt;"><span style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">Besides, anyone with admin level
rights to a host (or the hypervisor) has de facto root access. As we've all seen, a quick </span><span style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 12pt;">Google
search shows that rooting a UCOS host is a trivial matter if you have access to the hypervisor. The only real difference here is that this method requires rights within the application to enable the root access.</span><br>
</span></p>
<p><span style="font-size: 12pt;"><br>
</span></p>
<p><span style="font-size: 12pt;"><span style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">Aside from being useful in lab
environments, this route provides a last ditch resort where the cluster is out of support or TAC cannot assist due to policy constraints. And I say policy constraints because I know for a fact they have capabilities they don't employ for customers. At one
time, nearly</span></span><span style="font-size: 12pt;"> 10% my tool </span><span style="font-size: 12pt;">downloads (DRS Backup Decrypter, PlatformConfig Decrypter, etc.</span><span style="font-size: 12pt;">) </span><span style="font-size: 12pt;">came from
Cisco's own IP addresses.</span></p>
<p><span style="font-size: 12pt;"><br>
</span></p>
<p><span style="font-size: 12pt;"><span style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">So while I do agree with you when
it comes to the potential harm this could cause, I would respectfully disagree on whether or not the benefit outweighs the risk.</span><br>
</span></p>
<p><span style="font-size: 12pt;"><span style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;"><br>
</span></span></p>
<p><span style="font-size: 12pt;"><span style="font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols; font-size: 16px;">-Pete</span></span></p>
<br>
<br>
<div style="color: rgb(0, 0, 0);">
<hr style="display:inline-block; width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Chris Ward (chrward) <chrward@cisco.com><br>
<b>Sent:</b> Wednesday, October 11, 2017 1:02 PM<br>
<b>To:</b> Pete Brown; cisco-voip@puck.nether.net<br>
<b>Subject:</b> RE: Root Access via UCOS Remote Support</font>
<div> </div>
</div>
<div>
<div style="">
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
Pete,</p>
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
As a Cisco employee, I would ask that you not publish such a tool. It’s dangerous and will probably create more problems than you are trying to solve. Obviously, I have no authority to stop you but I have forwarded the message to the product team to ask them
to re-evaluate the algorithm they are using to make sure this account password process remains a Cisco-only process.</p>
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="543" style="width:407.25pt">
<tbody>
<tr>
<td colspan="3" style="padding:0in 0in 0in 0in">
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; font-family:"Times New Roman",serif"><img naturalheight="73" naturalwidth="110" width="110" height="73" id="Picture_x0020_1" alt="logo_Grey" style="width: 1.1458in; height: 0.7569in; user-select: none;" tabindex="0" src="cid:image001.png@01D34299.83C6F500"></span></p>
</td>
</tr>
<tr style="height:7.5pt">
<td style="padding:0in 0in 0in 0in; height:7.5pt">
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:1.0pt; font-family:"Times New Roman",serif"> </span></p>
</td>
<td style="padding:0in 0in 0in 0in; height:7.5pt"></td>
<td style="padding:0in 0in 0in 0in; height:7.5pt"></td>
</tr>
<tr>
<td nowrap="" valign="top" style="padding:0in 0in 0in .25in">
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
<b><span style="font-size:8.5pt; font-family:"Arial",sans-serif; color:#666666">Chris Ward</span></b><span style="font-size:8.5pt; font-family:"Arial",sans-serif; color:#666666"></span></p>
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:8.5pt; font-family:"Arial",sans-serif; color:#666666">ENGINEER.TECHNICAL MARKETING</span></p>
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
<a href="mailto:chrward@cisco.com" style="color: rgb(5, 99, 193); text-decoration: underline;"><span style="font-size:8.5pt; font-family:"Arial",sans-serif; color:#666666; text-decoration:none">chrward@cisco.com</span></a></p>
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:8.5pt; font-family:"Arial",sans-serif; color:#666666">Tel:
<b>+1 408 894 3751</b></span></p>
</td>
<td width="275" valign="top" style="width:206.25pt; padding:0in 0in 0in 15.0pt">
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
<b><span style="font-size:8.5pt; font-family:"Arial",sans-serif; color:#666666">Cisco Systems, Inc.</span></b></p>
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:8.5pt; font-family:"Arial",sans-serif; color:#666666">500 Beaver Brook Road<br>
BOXBOROUGH<br>
01719<br>
United States<br>
cisco.com</span></p>
</td>
<td style="padding:0in 0in 0in 0in"></td>
</tr>
</tbody>
</table>
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
<span lang="EN-GB" style="font-size:12.0pt; font-family:"Times New Roman",serif; display:none"> </span></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="400" style="width:300.0pt">
<tbody>
<tr>
<td style="padding:0in 15.0pt 0in .25in">
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:7.5pt; font-family:"Arial",sans-serif; color:#009900"><img naturalheight="19" naturalwidth="18" border="0" width="18" height="19" id="Picture_x0020_3" alt="http://www.cisco.com/assets/swa/img/thinkbeforeyouprint.gif" style="width: 0.1875in; height: 0.2013in; user-select: none;" tabindex="0" src="cid:image002.gif@01D34299.83C6F500">Think
before you print.</span></p>
</td>
</tr>
<tr>
<td style="padding:0in 15.0pt 0in .25in">
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:7.5pt; font-family:"Arial",sans-serif; color:#999999">This email may contain confidential and privileged material for the sole use of the intended recipient. Any review, use, distribution or disclosure by others is strictly prohibited.
If you are not the intended recipient (or authorized to receive for the recipient), please contact the sender by reply email and delete all copies of this message.</span></p>
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:7.5pt; font-family:"Arial",sans-serif; color:#999999">Please
</span><a href="http://www.cisco.com/web/about/doing_business/legal/cri/index.html" title="Legal Information" style="color: rgb(5, 99, 193); text-decoration: underline;"><span style="font-size:7.5pt; font-family:"Arial",sans-serif; color:#0E58A0">click here</span></a><span style="font-size:7.5pt; font-family:"Arial",sans-serif; color:#999999">
for Company Registration Information.</span></p>
</td>
</tr>
</tbody>
</table>
</div>
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div>
<div style="border:none; border-top:solid #E1E1E1 1.0pt; padding:3.0pt 0in 0in 0in">
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
<b>From:</b> cisco-voip [mailto:cisco-voip-bounces@puck.nether.net] <b>On Behalf Of
</b>Pete Brown<br>
<b>Sent:</b> Wednesday, October 11, 2017 1:54 PM<br>
<b>To:</b> cisco-voip@puck.nether.net<br>
<b>Subject:</b> [cisco-voip] Root Access via UCOS Remote Support</p>
</div>
</div>
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
</p>
<div id="divtagdefaultwrapper">
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">I'm testing a routine that translates remote support passphrases into account passwords. So far it works on 10.5.2, but I'm guessing it will work with any passphrase ending in '03'.
</span></p>
<div>
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black"> </span></p>
</div>
<div>
<p style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif;">
<span style="font-size:12.0pt; color:black">Before I post a web page or utility for this, I'd like to test it out with other versions. If you have lab environment and wouldn't mind helping out, enable remote support and send me the passphrase (along with source
product/version) off list. I'll reply back with the decoded password.</span></p>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>