Mountains Out of Security

By Larry Seltzer  |  Posted 2003-03-13 Print this article Print

Molehills"> Mountains Out of Security Molehills This particular alleged vulnerability was always less than it seemed: The Recovery Console is a very restrictive environment. You cant access the network; you cant run programs; contrary to what the original report asserted, you cant copy files to or from the hard disk. The only real news was that the exploit did uncover some behavior that was unexpected; if you run the Windows 2000 Recovery Console on Windows 2000 or the Windows XP Recovery Console on Windows XP, it will ask you for a password. Perhaps the Windows 2000 Recovery Console cant read the local Windows XP SAM (the user information database) and, as the point of the Recovery Console is to let you repair damaged systems, it lets you in.

But any operating system is just as vulnerable. With any version of Linux or *BSD, I could boot off a floppy or CD and gain access to the contents of the hard disk. Solaris at least used to include a "single user mode" into which one could boot the system and access anything on the hard disk, including changing the passwords for normal boots.

There are other things you can do to add some extra measure of protection to a machine to which an attacker may get physical access. If you set the BIOS password, the user will have to enter it before any operating system is booted. This method isnt foolproof; some BIOS have hard-coded backdoor passwords (see this page for a list and further discussion of BIOS passwords), and the password doesnt prevent someone from pulling the hard disk from the system. There are physical locks you can buy that make it harder to open the case, but I think we all know that the right tools can dispense with any lock in short order.

So when considering the seriousness of an attack, its important to put it into perspective: What does this attack presume about access to the system? If it requires that the user have physical access, then the barn doors already open, and the horse is in the glue factory.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel