BugTraq
Dell BIOS DoS Dec 08 2003 08:04PM
James Evans (jae7 lehigh edu) (1 replies)
Re: Dell BIOS DoS Dec 09 2003 07:37AM
jon schatz (jon divisionbyzero com) (2 replies)
Re: Dell BIOS DoS Dec 09 2003 09:11PM
der Mouse (mouse Rodents Montreal QC CA)
>> Or, as a last resort, Dell can be phoned to provide a master
>> backdoor password, [...]

Actually, that there even _is_ a backdoor password sounds like a fairly
serious security problem. That Dell would tell it to _anyone_ (as
opposed to "ship it back to us and we'll fix it") is another,
especially in the presence of all the ways you point out of working
around the BIOS password. To me, this clearly says "don't trust the
BIOS password for anything on a Dell", since anyone who cares to bother
can learn the backdoor password (at most, it takes buying a machine).

> seriously, bios passwords are worthless.

Well, if implemented right (which it appears Dell didn't), they can be
useful - but you have to be careful; they're useful for a lot less than
many people seem to think they are.

In particular, as you point out, if you have full physical access there
are various ways to get around them. But this doesn't make them
worthless; it just means that they're worthless against a threat model
which includes attackers with physical access to inside the case. But
that's not always the case; I've seen, for example, university labs
where the machines are inside locked metal cages but the human
interface components (screen, keyboard, mouse) are accessible.

/~\ The ASCII der Mouse
\ / Ribbon Campaign
 X  Against HTML mouse (at) rodents.montreal.qc (dot) ca
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

Re: Dell BIOS DoS Dec 09 2003 05:53PM
Steve Shockley (steve shockley shockley net)