Re: 3COM: Security Advisory (fwd)

[strange () TEZCAT COM (Mike Scher)]

The below is more a security policy comment than a technical comment, in
response to 3Com's release, a release which I, frankly, found astounding.

On Thu, 14 May 1998, Eric Monti wrote:
[quoting the 3COM advisory]

> http://www.3com.com/news/advisory51498.html

> Due to this disclosure some 3Com switching products may be vulnerable to
> security breaches caused by unauthorized access via special logins.

If 3COM is implying that *disclosure* of the backdoor to the public *made*
the products vulnerable to back-door logins, which IMHO they seem to be
doing, they are demonstrating a fundamental misunderstanding about the
nature of the hole they created.  Further, it indicates that they consider
security though obscurity to be a satisfactory access control device.
Finally, it implies a complete state of denial -- before the public
disclosure, 3Com really cannot say whether some other person or people
independently discovered the backdoors (using such powerful tools as
'strings' and 'more') and whether such people may have used them with
dubious intent.

A remotely-accessible "emergency backdoor" that is given to customers in
password "emergencies" effectively makes the security of all customers (of
these products) subject to the honesty of the customers to whom the
backdoor is given, or who independently find the passwords, i.e., it makes
them subject to the honesty of total strangers, chosen at 3Com's
discretion, as a matter of corporate policy.

I am truly astounded that a company producing core network products could
still have that attitude in 1998.

      -M

--
Michael Brian Scher   (MS683)  | Anthropologist, Attorney, Part-Time Guru
     strange () cultural com      |     http://www.tezcat.com/~strange/
     strange () uchicago edu      |           strange () tezcat com
   Give me a compiler and a box to run it, and I can move the mail.