lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <200312092136.QAA26280@Sparkle.Rodents.Montreal.QC.CA>
Date: Tue, 9 Dec 2003 16:11:18 -0500 (EST)
From: der Mouse <mouse@...ents.Montreal.QC.CA>
To: bugtraq@...urityfocus.com
Subject: Re: Dell BIOS DoS


>> Or, as a last resort, Dell can be phoned to provide a master
>> backdoor password, [...]

Actually, that there even _is_ a backdoor password sounds like a fairly
serious security problem.  That Dell would tell it to _anyone_ (as
opposed to "ship it back to us and we'll fix it") is another,
especially in the presence of all the ways you point out of working
around the BIOS password.  To me, this clearly says "don't trust the
BIOS password for anything on a Dell", since anyone who cares to bother
can learn the backdoor password (at most, it takes buying a machine).

> seriously, bios passwords are worthless.

Well, if implemented right (which it appears Dell didn't), they can be
useful - but you have to be careful; they're useful for a lot less than
many people seem to think they are.

In particular, as you point out, if you have full physical access there
are various of ways to get around them.  But this doesn't make them
worthless; it just means that they're worthless against a threat model
which includes attackers with physical access to inside the case.  But
that's not always the case; I've seen, for example, university labs
where the machines are inside locked metal cages but the human
interface components (screen, keyboard, mouse) are accessible.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse@...ents.montreal.qc.ca
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ