Bugtraq mailing list archives

Re: BoS: Magic password of some linux-box(Hardware..)


From: ebradley () andromeda rutgers edu (Eugene Bradley)
Date: Wed, 20 Nov 1996 16:17:01 -0500


on Nov 20, moost () xs4all nl writes:
# On Mon, 18 Nov 1996, Seo Euiseong wrote:
# [deletia]
# > But, It's not true. Unfortunately almost versions of award bios has the
# > magic password "condo,"
#
# Some manuals of mainboards describe this 'feature'. Most Award bioses
# I've come across respond to the password AWARD_SW (mind the case) and will
# allow altering of the bios or just regular booting.
#
# Of course this is meant as a sort of 'last' recover option, but for me it
# seems a little foolish to make this default to all Award Bioses..
#
# M. Oosterink

I tested the [magic,universal] passwords on some of the new P120's we
recently received that come with the Award BIOS.  Surely enough the
[magic,universal] passwords work and I've instructed all of my
co-workers who repair computers on campus not to disclose these
passwords to anyone, in addition to the BIOS passwords that are
already set.

I know that newer versions of the American Megatrends (AMI) BIOS
require that you call an 800 number (1-800-U-BUY-AMI) in order
to receive a disk that will recover a lost BIOS password.

My idea for handling lost BIOS passwords (if this hasn't been
implemented already by some company); forgive me if some portions
of this seem wrong, but note that this is just an idea:

1) install a random, 16-bit universal password onto each BIOS made before
inserting into the motherboard.

2) have computer buyer sign and register computer with the BIOS
manufacturer.  Then the BIOS manufacturer can give the user
(or in some cases a network admin) a confirmation password that
MUST be given to the BIOS support (as well as the name, address,
company [if applicable], and job title) people before the random
secret system password can be given out.   Naturally, this
applies when the user forgets any chosen and set password.

3) the secret system password can only be used _once_.  If the user
forgets the password that was personally set, the user must
go through 2) but will also be sent a new BIOS chip for a $5
fee.

My hope with this idea is that it will prevent the problems that I'm
seeing where people use the set universal passwords found on the Award
BIOS to change system settings.  Afterwards, such doctored BIOS systems
can be used for any (illegitimate) activity possible...

--
Eugene Bradley | finger for PGP public key | Unsolicited commercial email
    webmaster of http://www.winter.org/    | will be deleted at $100/msg
    PGP Fingerprint = 55 70 DE 84 FE E1 3D 50  7F C2 88 22 30 8C 81 9E
   <a href="http://www.armory.com/~ebradley"> Eugene's W^3 Duckpond </a>
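
The three-step recovery idea in the message above, sketched as an added example; it is not part of the original post or of any vendor's scheme. `RecoveryRegistry`, `Bios` and the serial numbers are hypothetical, and the sketch assumes a 128-bit random code rather than the 16-bit one proposed (16 bits allow only 65,536 guesses) and a board that refuses a used code rather than being sent a new chip.

```python
import hashlib, hmac, secrets

def _h(value):
    return hashlib.sha256(value.encode()).digest()

class RecoveryRegistry:
    """Manufacturer side (hypothetical): one random recovery code per board."""
    def __init__(self):
        self._boards = {}

    def provision(self, serial):
        # Step 1: per-board random code; the board itself stores only its hash.
        code = secrets.token_hex(16)
        self._boards[serial] = {"code": code, "confirm": None, "released": False}
        return _h(code)

    def register(self, serial):
        # Step 2: the registered owner receives a confirmation password.
        confirm = secrets.token_hex(8)
        self._boards[serial]["confirm"] = _h(confirm)
        return confirm

    def release(self, serial, confirm):
        # Steps 2-3: hand the code out once, only against the confirmation password.
        rec = self._boards.get(serial)
        if rec is None or rec["confirm"] is None or rec["released"]:
            return None
        if not hmac.compare_digest(_h(confirm), rec["confirm"]):
            return None
        rec["released"] = True
        return rec["code"]

class Bios:
    """Board side (hypothetical): accepts its own code once, then refuses it."""
    def __init__(self, code_hash):
        self._code_hash, self._used = code_hash, False
    def recover(self, attempt):
        if self._used or not hmac.compare_digest(_h(attempt), self._code_hash):
            return False
        self._used = True  # assumption: burn the code instead of swapping the chip
        return True

def demo():  # serial numbers below are constructed
    reg = RecoveryRegistry()
    a, b = Bios(reg.provision("SN-A")), Bios(reg.provision("SN-B"))
    code = reg.release("SN-A", reg.register("SN-A"))
    # Board A's code: rejected by board B, accepted by A once, rejected on replay.
    return [b.recover(code), a.recover(code), a.recover(code)]

if __name__ == "__main__":
    print(demo())
```

Because each board holds the hash of a different code, a code learned from one machine opens no other, which is the property a shared default password lacks.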


