This message is from the T13 list server.
[EMAIL PROTECTED] wrote:
The problem is NOT that ATA security is broken.
That depends on what side you look at it. The ata standard designs a feature and expects the BIOS guys to add it to their latest BIOSs. If they do not there is a large security risk ...
The problem is that most/many BIOSes and OS's do not issue the SECURITY
FREEZE LOCK
Which is not backwards compatible with the existing implementations. As said earlier this problem must have been discussed. I personally discussed it long time ago with some one well known on the t13 reflector and also a T13 member. To protect him I'll not give you his name though. Leaving these things to an OS is insecure since by nature they will allow low level access at some level. The BIOS would have been nice in reverse. Some thing like the BIOS must issue a command before the first read command for the drive not to be frozen perhaps.
command to ANY/ALL devices (not just the boot device).
This is NOT a device failure.
This is NOT a 'broken standard'.
No it's a badly designed feature. When it at least would ask for the old password (when one is set) one would have the chance to protect himself. What you do have now is a feature which can an possible will create great havoc against users but to weak to protect against real data theft. With the rate mainboard manufacturers spit out new boards a new BIOS is hard to find even for two year old systems.
This <IS> about major host software vendors NOT using the tools it has had
<<SINCE 1997>> to protect
itself and the host system.
Again for a standard which very clearly written and is very good in maintaining backwards compatibility this strange. Features are usually implemented when needed. For a desktop PC there is not much need for password security. If there is users will use encrypted data which is an OS related feature.
Are there any solutions to fix the problem ?. I hope you agree there is a problem leaving in between who is responsible for this mess.
Sincerely,
Thomas
