Interview With A Convicted Hacker: Robert Moore Tells How He Broke Into Routers And Stole VoIP Services


From Flaw To Business Plan



(Page 2 of 3)

Keith Rhodes, chief technologist at the U.S. Government Accountability Office, said he's not surprised at all by what Moore says he found.

"Default passwords are a silly problem," said Rhodes, who is widely considered to be the federal government's top hacker. "But they were able to take a silly flaw and turn it into a business. ... It disappoints me, but I'm not surprised."

Kenneth van Wyk, principal consultant with KRvW Associates, said leaving default passwords up is a widespread and dangerous problem.

"It's a huge problem, but it's a problem the IT industry has known about for at least two decades and we haven't made much progress in fixing it," said van Wyk. "People focus on functionality when they're setting up a system. Does the thing work? Yes. Fine, move on. They don't spend the time doing the housework and cleaning things up."

It's also a problem for which the companies themselves are liable, Moore said.

"I think it's all their fault," he added. "They're using default passwords and their administrators don't even care. ... Anybody who has bad security, it's their fault. There are so many people out there who are malicious hackers who look for these vulnerable boxes. All this information is right on the Web and it's easy to find. They need to get more education and security in the VoIP industry. There were thousands of routers that were compromised in this, just from my scans alone."

Alan Paller, director of research at the SANS Institute, says it's not the companies' fault. He even says it's not IT's fault. The problem, he says, lies with the vendors.

"Products should be sold so the default password has to be changed first time they use it," said Paller. "It's all on the vendors. It's not about the user being careless. It's a silly thing for them to have to know to do."

Rhodes, however, says until vendors make it necessary to change the default password before a system or product will work, IT departments need to be given the time and resources to get it done.

"I have nothing but empathy for all the security personnel I've ever worked with," he said. "I've never met one yet who had enough people, enough time, enough support. ... It would take nothing to change a default password, but you need to actually have people who have the job to do that."
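The vendor-side fix Paller and Rhodes argue over above (a product that refuses to do anything until its shipped default password is replaced) is straightforward to model. The following is an added illustration, not code from the article or from any vendor named in it: a device that accepts the factory credential only long enough to change it, rejects replacements drawn from a short list of well-known defaults, and an inventory check that lists devices still in the factory-default state. The product name, the `admin`/`admin` default, the denylist and the sample fleet are all constructed.

```python
"""Forced credential change on first use, with a fleet audit.

Added illustration (not from the article): a device that can log in with
its factory default credential only to replace it, and an audit that
flags devices that have never left the factory-default state. The
account name, default password, denylist and device names are
constructed sample data.
"""
import hashlib
import hmac
import os

# Constructed: the single administrative account and the password the
# product ships with.
FACTORY_USER = "admin"
FACTORY_PASSWORD = "admin"

# Constructed: a small denylist of strings commonly seen as shipped
# defaults; a real product would carry a much longer list plus a policy.
KNOWN_DEFAULTS = {"admin", "password", "cisco", "1234", "default", "root"}
MIN_PASSWORD_LEN = 12


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored value cannot be compared across devices.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Device:
    """A device that is unusable until its factory password is replaced."""

    def __init__(self, name: str):
        self.name = name
        self._salt = os.urandom(16)
        self._pw_hash = _hash(FACTORY_PASSWORD, self._salt)
        # Cleared only by a successful password change; audited below.
        self.factory_default = True

    def _check(self, username: str, password: str) -> bool:
        # One admin account in this model; constant-time hash comparison.
        if username != FACTORY_USER:
            return False
        return hmac.compare_digest(_hash(password, self._salt), self._pw_hash)

    def login(self, username: str, password: str) -> str:
        """'denied' on a bad credential, 'change-password' while still on
        the factory credential, 'ok' once it has been replaced."""
        if not self._check(username, password):
            return "denied"
        return "change-password" if self.factory_default else "ok"

    def set_password(self, username: str, old: str, new: str) -> bool:
        """The only operation permitted in the factory-default state."""
        if not self._check(username, old):
            return False
        if new.lower() in KNOWN_DEFAULTS or new == old or len(new) < MIN_PASSWORD_LEN:
            return False
        self._salt = os.urandom(16)
        self._pw_hash = _hash(new, self._salt)
        self.factory_default = False
        return True

    def run_command(self, username: str, password: str, cmd: str) -> str:
        """Every other operation is refused until the default is gone."""
        state = self.login(username, password)
        if state != "ok":
            return f"refused: {state}"
        return f"ran {cmd}"


def audit_fleet(devices) -> list:
    """Names of devices that are still running on the factory credential."""
    return sorted(d.name for d in devices if d.factory_default)


if __name__ == "__main__":
    gw = Device("voip-gw-01")
    print(gw.run_command("admin", "admin", "show version"))   # refused
    print(gw.set_password("admin", "admin", "a-long-new-secret-1"))
    print(gw.run_command("admin", "a-long-new-secret-1", "show version"))
    print(audit_fleet([gw, Device("voip-gw-02")]))            # ['voip-gw-02']
```

The audit function is the part an IT department can act on without waiting for vendors: the `factory_default` flag is the same signal a configuration-management system can track per device, which is what Rhodes means by needing people whose job it is to clear that list.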

The Break In

Moore, who describes himself as a "mega geek" more upset about being banned from using a computer than actually going to prison, said his job in the operation largely was to write software that ran scans and brute-force attacks against Cisco XM routers and Quintum Tenor VoIP gateways. To do it, he said he used 2 gigs of information on corporate IP ranges that they bought for $800.
