| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 9 Dec 2003 16:11:18 -0500 (EST) From: der Mouse <mouse@...ents.Montreal.QC.CA> To: bugtraq@...urityfocus.com Subject: Re: Dell BIOS DoS >> Or, as a last resort, Dell can be phoned to provide a master >> backdoor password, [...] Actually, that there even _is_ a backdoor password sounds like a fairly serious security problem. That Dell would tell it to _anyone_ (as opposed to "ship it back to us and we'll fix it") is another, especially in the presence of all the ways you point out of working around the BIOS password. To me, this clearly says "don't trust the BIOS password for anything on a Dell", since anyone who cares to bother can learn the backdoor password (at most, it takes buying a machine). > seriously, bios passwords are worthless. Well, if implemented right (which it appears Dell didn't), they can be useful - but you have to be careful; they're useful for a lot less than many people seem to think they are. In particular, as you point out, if you have full physical access there are various of ways to get around them. But this doesn't make them worthless; it just means that they're worthless against a threat model which includes attackers with physical access to inside the case. But that's not always the case; I've seen, for example, university labs where the machines are inside locked metal cages but the human interface components (screen, keyboard, mouse) are accessible. /~\ The ASCII der Mouse \ / Ribbon Campaign X Against HTML mouse@...ents.montreal.qc.ca / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Powered by blists - more mailing lists