
I ran across a blog noting that Cisco has a vulnerability in a new product. The blog also lists two (one, two) articles showing that Cisco has had hard-coded credentials in the past. I understand that many times a known process is repeated, essentially copy-pasted between people, and we have similar issues as we have had in the past. However, in 2022 or 2023, it's unacceptable to hard-code credentials in digital systems that will be used in today's world.
What's worse than having this issue is stating that the fix is "an upgrade". Their verbiage for those without a service contract is: "Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade." Which, to me, is not only bad for the world, but it's equivalent to the stuff that bulls leave behind in the fields.
Read the rest of Bad Culture Bad Security