Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!uunet!seismo!rutgers!ames!ptsfa!ihnp4!laidbak!mdb
From: mdb@laidbak.UUCP (Mark Brukhartz)
Newsgroups: comp.sys.att
Subject: Re: undocumented option in AT&T System V, Version 2.0
Message-ID: <1098@laidbak.UUCP>
Date: Tue, 28-Jul-87 02:21:12 EDT
Article-I.D.: laidbak.1098
Posted: Tue Jul 28 02:21:12 1987
Date-Received: Wed, 29-Jul-87 06:37:05 EDT
References: <476@musky2.UUCP> <13050011@acf4.UUCP>
Organization: Lachman Associates, Inc., Naperville, IL
Lines: 23
Summary: Protection from attackers with physical access to the machine is difficult.

In article <13050011@acf4.UUCP>, leonard@acf4.UUCP (shanna leonard) writes:

> Yep! works with version 3.0 too.  Looks like we should all make sure
> to change that firmware password from the default!  

The 3B2 firmware password may be reset by unplugging the "non-volatile
RAM" battery for a moment while the primary power is off.

The bootable floppy does not itself cause a computer security problem
any more than the #1 Phillips screwdriver which removes the 3B2 cover.
They are both tools of knowledgeable attackers.

Protection from an attacker with physical access to the machine is a
non-trivial problem. The solutions with which I am familiar involve
removable media and encryption. Even they often lack protection against
Trojan horses in the fixed-media-based software.

The 3B2 firmware password is analogous to a lock on a door. They both
hinder entry, and both fail against knowledgeable attacks.

					Mark Brukhartz
					Lachman Associates, Inc.
					..!{ihnp4, sun}!laidbak!mdb