Error delivering to CLAPTON/IRIS mail\CKaufman; Insufficient disk space
-- BEGIN included message
- To: www-security <www-security@ns2.rutgers.edu>
- Subject: RE: Re[2]: SECURITY ALERT: Password protection bug in Netscape 2 (fwd)
- From: Steve Dabbs <sdabbs@netcom.com>
- Date: 21 Dec 95 5:31:34 EDT
- bcc: kaufman <kaufman.iris@iris.com>
---------- Forwarded message ----------
Date: Wed, 20 Dec 95 17:39:41 PST
From: Paul Leach <paulle@microsoft.com>
To: owner-www-security@ns2.rutgers.edu
Cc: www-security@ns2.rutgers.edu
Subject: RE: Re[2]: SECURITY ALERT: Password protection bug in Netscape 2
Message-ID: red-16-msg951221013656MTP[01.51.00]000000c4-67012

Your description of Win 3.x is correct. Protection against reboot (in the extreme case, with a floppy containing an alternate OS) depends on protection that an OS can't provide. For this reason, many, if not most, PCs have a reboot password protection built in the BIOS ROM that can be enabled via CMOS setup, as well as a way to disable booting from the floppy. In order to adequately secure a PC, these need to be used, as well as some protection from opening the case and clearing the CMOS memory that retains these options if you're really serious. I think that the usual criterion is to make breaking in take too long for a casual office-snooper to do without risking being caught -- nothing will stop someone with unlimited physical access from being able to break into any commonly used office machine.

Win95 is a little better -- CTL-ALT-DEL doesn't reboot when in the password protected screen saver, and it can be configured to force you to enter a password before using the machine at all after reboot. This eliminates the need to use the BIOS password protection, but you still need to use the BIOS to configure the system to not boot from floppy in order to be safe.

Paul

(All the PCs I looked at (8) had such a feature...)

----------
] From: Michael Brennen <mbrennen@fni.com>
] To: Paul Leach
] Cc: <www-security@ns2.rutgers.edu>
] Subject: RE: Re[2]: SECURITY ALERT: Password protection bug in Netscape 2
] Date: Wednesday, December 20, 1995 9:10AM
]
] On Tue, 19 Dec 1995, Paul Leach wrote:
]
] > to other users. In addition, Windows can be configured to require a
] > password to unlock the machine if it is ever left idle for more than a
] > few minutes, thus protecting the user even while logged in.
]
] Which Windows? 3.1[1]* had a password protected screensaver -- and all it
] took to get around it was Ctrl/Alt/Del, Reset or Off/On.
]
] Does Win95 have a startup level password (and I don't know because I don't
] run Win95) to prevent access at all unless a valid password is entered?
]
] Michael
] ---------------------------------------------------------------------
] Michael Brennen, President / / mbrennen@fni.com
] FishNet, Inc. / Internet / http://www.fni.com/
] P.O. Box 940451 / Services / (214) 783-2553 (vox/fax)
] Plano, TX 75094-0451 / / finger me for PGP public key
]
-- END included message