[olliej]

I know right? If you ship horrible security flaws so often, eventually no one will think they're intentional :D

Honestly you could probably do it without engineers knowing about it simply by cutting QA and red team budgets.

I'm not saying I think that's what happens at Cisco. Having worked at large companies that actively try to ship secure products, and having observed (as a paying end user) the general terrible-ness of networking hardware, that it is more plausible that they're just not being careful - I want to say incompetent by that is likely unfair to the majority of engineers there.

Of course nothing says that various gov. agencies in many countries aren't auditing the equipment themselves and making use of flaws without publicizing them.

[monocasa]

There's screwing up and having bugs.

And then there's leaving in five separate root logins in just in the first half of 2018. Like, come on.

[olliej]

the problem with that statement though is that's also what happens with every internet attached device people buy. At this point I would be surprised if an off the shelf IoT/IoS device didn't have at least one root login and RCE via a command line passed in a url.

[monocasa]

I'm talking about the big iron that provides core infrastructure to corporate intranets, and the Internet at large. Comparing that to fly by night IoT shovelware is a bit disingenuous, IMO.

[olliej]

But look at the industry - "Big iron" (Cisco, network solutions?, juniper, dynalink ...) have all had these issues, over and over and over again.

Given the lack of subtlety and the wide spread existence of these same exploits/backdoors/bugs indicates there's a level of care that is missing in engineering of these devices that makes it plausible that this is by ignorance rather than malice.

[monocasa]

You know who's big iron routers haven't had the issue of continuously appearing explicit backdoors? Huawei.