The below is more a security policy comment than a technical comment, in response to 3Com's release, a release which I, frankly, found astounding.

On Thu, 14 May 1998, Eric Monti wrote:

[quoting the 3COM advisory]

> http://www.3com.com/news/advisory51498.html
> Due to this disclosure some 3Com switching products may be vulnerable to
> security breaches caused by unauthorized access via special logins.

If 3COM is implying that *disclosure* of the backdoor to the public *made* the products vulnerable to back-door logins, which IMHO they seem to be doing, they are demonstrating a fundamental misunderstanding about the nature of the hole they created. Further, it indicates that they consider security through obscurity to be a satisfactory access control device. Finally, it implies a complete state of denial -- before the public disclosure, 3Com really cannot say whether some other person or people independently discovered the backdoors (using such powerful tools as 'strings' and 'more') and whether such people may have used them with dubious intent.

A remotely-accessible "emergency backdoor" that is given to customers in password "emergencies" effectively makes the security of all customers (of these products) subject to the honesty of the customers to whom the backdoor is given, or who independently find the passwords, i.e., it makes them subject to the honesty of total strangers, chosen at 3Com's discretion, as a matter of corporate policy.

I am truly astounded that a company producing core network products could still have that attitude in 1998.

-M

--
Michael Brian Scher (MS683) | Anthropologist, Attorney, Part-Time Guru
strangeat_private | http://www.tezcat.com/~strange/
strangeat_private | strangeat_private
Give me a compiler and a box to run it, and I can move the mail.
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:53:36 PDT