[Previous] [Next] [Index]
[Thread]
FW: Returned mail
Message-ID: red-25-msg951221180337MTP[01.51.00]000000bf-7886
Another example of mail I received that should have gone to you, I belive.
----------
From: <Mailer-Daemon@moe.iris.com>
To: Steve Dabbs <sdabbs@netcom.com>
Subject: Returned mail
Date: Thursday, December 21, 1995 9:18AM
---- message ----
Error delivering to CLAPTON/IRIS mail\CKaufman; Insufficient disk space
---- message ----
Content-Type: Message/rfc822
Content-Description: RFC822
To: www-security <www-security@ns2.rutgers.edu>
bcc: kaufman <kaufman.iris@iris.com>
From: Steve Dabbs <sdabbs@netcom.com>
Date: 21 Dec 95 5:31:34 EDT
Subject: RE: Re[2]: SECURITY ALERT: Password protection bug in Netscape 2
(fwd)
MIME-Version: 1.0
Content-Type: Text/Plain
---------- Forwarded message ----------
Date: Wed, 20 Dec 95 17:39:41 PST
From: Paul Leach <paulle@microsoft.com>
To: owner-www-security@ns2.rutgers.edu
Cc: www-security@ns2.rutgers.edu
Subject: RE: Re[2]: SECURITY ALERT: Password protection bug in Netscape 2
Message-ID: red-16-msg951221013656MTP[01.51.00]000000c4-67012
Your description of Win 3.x is correct. Protection against reboot (in
the extreme case, with a floppy containing an alternate OS) depends on
protection that an OS can't provide. For this reason, many, if not
most, PCs have a reboot password protection built in the BIOS ROM that
can be enabled via CMOS setup, as well as a way to disable booting from
the floppy. In order to adequately secure a PC, these need to be used,
as well as some protection from opening the case and clearing the CMOS
memory that retains these options if you're really serious. I think
that the ususal criterion is to make breaking in take too long for a
causal office-snooper to do without risking being caught -- nothing
will stop someone with unlimited physical access from being able to
break into any commonly used office machine.
Win95 is a little bettter -- CTL-ALT-DEL doesn't reboot when in the
password protected screen saver, and it can be configured to force you
to enter a password before using the machine at all after reboot. This
eliminates the need to use the BIOS password protection, but you still
need to use the BIOS to configure the system to not boot from floppy in
order to be safe.
Paul
(All the PCs I looked at (8) had such a feature...)
----------
] From: Michael Brennen <mbrennen@fni.com>
] To: Paul Leach
] Cc: <www-security@ns2.rutgers.edu>
] Subject: RE: Re[2]: SECURITY ALERT: Password protection bug in Netscape 2
] Date: Wednesday, December 20, 1995 9:10AM
]
] On Tue, 19 Dec 1995, Paul Leach wrote:
]
] > to other users. In addition, Windows can be configured to require a
] > password to unlock the machine if it is ever left idle for more than a
] > few minutes, thus protecting the user even while logged in.
]
] Which Windows? 3.1[1]* had a password protected screensaver -- and all it
] took to get around it was Ctrl/Alt/Del, Reset or Off/On.
]
] Does Win95 have a startup level password (and I don't know because I don't
] run Win95) to prevent access at all unless a valid password is entered?
]
] Michael
] ---------------------------------------------------------------------
] Michael Brennen, President / / mbrennen@fni.com
] FishNet, Inc. / Internet / http://www.fni.com/
] P.O. Box 940451 / Services / (214) 783-2553 (vox/fax)
] Plano, TX 75094-0451 / / finger me for PGP public key
]
---- message ------