This message is from the T13 list server.
That's an implementation decision. If I'm building for an embedded environment or whatever, why do I HAVE to set SECURITY FREEZE LOCK. The answer - I don't. In order to maintain backwards compatibility, you can't force someone to issue the command first in order to have the drive work. That would prevent me from buying a new drive for an older system. T13 and ATA strongly, strongly maintains backwards compatibility as a design feature. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thomas Jansen Sent: Monday, May 16, 2005 9:32 AM To: [email protected] Subject: Re: [t13] Security problems This message is from the T13 list server. [EMAIL PROTECTED] wrote: >The problem is NOT that ATA security is broken. > > That depends on what side you look at it. The ata standard designs a feature and expects the BIOS guys to add it to their latest BIOSs. If they do not there is a large security risk ... >The problem is that most/many BIOSes and OS's do not issue the SECURITY >FREEZE LOCK > > Which is not backwards compatible with the existing implementations. As said earlier this problem must have been discussed. I personally discussed it long time ago with some one well known on the t13 reflector and also a T13 member. To protect him I'll not give you his name though. Leaving these things to an OS is insecure since by nature they will allow low level access at some level. The BIOS would have been nice in reverse. Some thing like the BIOS must issue a command before the first read command for the drive not to be frozen perhaps. >command to ANY/ALL devices (not just the boot device). > >This is NOT a device failure. >This is NOT a 'broken standard'. > > No it's a badly designed feature. When it at least would ask for the old password (when one is set) one would have the chance to protect himself. What you do have now is a feature which can an possible will create great havoc against users but to weak to protect against real data theft. With the rate mainboard manufacturers spit out new boards a new BIOS is hard to find even for two year old systems. >This <IS> about major host software vendors NOT using the tools it has had ><<SINCE 1997>> to protect >itself and the host system. > > Again for a standard which very clearly written and is very good in maintaining backwards compatibility this strange. Features are usually implemented when needed. For a desktop PC there is not much need for password security. If there is users will use encrypted data which is an OS related feature. Are there any solutions to fix the problem ?. I hope you agree there is a problem leaving in between who is responsible for this mess. Sincerely, Thomas
