Bugtraq mailing list archives
Re: 3COM: Security Advisory (fwd)
From: strange () TEZCAT COM (Mike Scher)
Date: Fri, 15 May 1998 12:58:31 -0500
The below is more a security policy comment than a technical comment, in response to 3Com's release, a release which I, frankly, found astounding.

On Thu, 14 May 1998, Eric Monti wrote:

[quoting the 3COM advisory]
> http://www.3com.com/news/advisory51498.html
> Due to this disclosure some 3Com switching products may be vulnerable to security breaches caused by unauthorized access via special logins.
If 3COM is implying that *disclosure* of the backdoor to the public *made* the products vulnerable to back-door logins, which IMHO they seem to be doing, they are demonstrating a fundamental misunderstanding about the nature of the hole they created. Further, it indicates that they consider security through obscurity to be a satisfactory access control device. Finally, it implies a complete state of denial -- before the public disclosure, 3Com really cannot say whether some other person or people independently discovered the backdoors (using such powerful tools as 'strings' and 'more') and whether such people may have used them with dubious intent.

A remotely-accessible "emergency backdoor" that is given to customers in password "emergencies" effectively makes the security of all customers (of these products) subject to the honesty of the customers to whom the backdoor is given, or who independently find the passwords, i.e., it makes them subject to the honesty of total strangers, chosen at 3Com's discretion, as a matter of corporate policy.

I am truly astounded that a company producing core network products could still have that attitude in 1998.

-M

--
Michael Brian Scher (MS683) | Anthropologist, Attorney, Part-Time Guru
strange () cultural com | http://www.tezcat.com/~strange/
strange () uchicago edu | strange () tezcat com
Give me a compiler and a box to run it, and I can move the mail.