Xref: utzoo comp.dcom.modems:9190 sci.crypt:4465 alt.security:2158
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!mips!pacbell.com!tandem!netcom!gandrews
From: gandrews@netcom.COM (Greg Andrews)
Newsgroups: comp.dcom.modems,sci.crypt,alt.security
Subject: Re: Modem backdoor passwords (was re: security functions)
Summary: Password security is for devices that don't have it already.
Message-ID: <1991Apr12.073253.9334@netcom.COM>
Date: 12 Apr 91 07:32:53 GMT
References: <1991Apr5.170644.3076@sctc.com> <1991Apr5.215301.13807@netcom.COM> <1991Apr10.150745.4628@sctc.com>
Distribution: usa
Organization: Netcom - Online Communication Services UNIX System {408 241-9760 guest}
Lines: 39

In article <1991Apr10.150745.4628@sctc.com> smith@sctc.com (Rick Smith) writes:
>
>The basic question is *WHY* would someone buy a dialback modem in the
>first place? Yes, computer systems are password protected. For many
>users (academic classwork and research machines, for example) this is
>sufficient. However, if you are protecting something serious or pricey,
>you often want something more than generic authentication techniques.
>As we all know, *nobody* has ever had their password compromised ;->
>

I don't see modem password security (whether dialback or pass-through)
as a big benefit for most computers, since they would already have
security measures built in. It can be useful for other types of devices
that wouldn't otherwise have security measures.

One example that was pointed out to me is computer controlled radio
transmitter gear located next to the antenna on a remote hilltop. The
engineers at the radio station want to dial in and tweak the transmitter,
but it was designed for a dumb terminal in a locked room so there's no
password security built in. Modem security would let the engineers sleep
without nightmares about 14-year-old modem jockeys finding the number
and pulling the plug...

>
>BTW, does anyone have a list of dialback modem manufacturers who do
>and don't have backdoor passwords?
>

Telebit doesn't use a password scheme for remote access. Set S45=0 and
it is disabled. I haven't double checked myself yet, but I believe that
the security register (S46) can't be changed through remote access even
if remote access were enabled.

-- 
.------------------------------------------------------------------------.
|  Greg Andrews   |       UUCP: {apple,amdahl,claris}!netcom!gandrews    |
|                 |   Internet: gandrews@netcom.COM                      |
`------------------------------------------------------------------------'