EEVblog #458 - Industrial Computer

[EEVblog]

[rain]

FYI, CF cards are pin-compatible with the ATA interface, so you don't need any special software to use them in place of a hard disk.  http://en.wikipedia.org/wiki/CompactFlash#Technical_details

I've got a passive IDE<->CF adapter adapter laying around somewhere from an older industrial computer board we used at a wireless internet provider.

[Psi]

yep, CF is pin compatible with IDE.

Some even support DMA mode.

[gxti]

That linux install is ancient. kernel 2.4.21 came out in 2003 or 2004. Hope it didn't leave too bad a taste in your mouth, hardly representative of what it can do today.

[Bored@Work]

That linux install is ancient. kernel 2.4.21 came out in 2003 or 2004. Hope it didn't leave too bad a taste in your mouth, hardly representative of what it can do today.

Dave is a card carrying Linux hater. You could give him the most modern, most refined Linux and he will still complain that even Windows 3.11 is better. By all means, Windows 3.11, a heap of constantly crashing, unusable, unsafe, unreliable, unergonomic, stinking pile of shit.

[EEVblog]

Dave is a card carrying Linux hater.

Bullshit.
I simply don't use it, and consequently know very little about it.
As far as I'm concerned an O/S is a tool to get a job done. Linux is a tool I have never used.

You could give him the most modern, most refined Linux and he will still complain that even Windows 3.11 is better. By all means, Windows 3.11, a heap of constantly crashing, unusable, unsafe, unreliable, unergonomic, stinking pile of shit.

Funny how Win 3.11 never ever crashed on dozens of production machines that were either constantly plug and unplugged and abused by production operators, or left running 24/7 for many years.

[firewalker]

Cyclades.

Alexander.

[bxs]

Haha, a P4 @ 3GHz, how many KW does it need? 

About that Linux, it's simple too outdated, it have changed a lot, but it don't make it less capable, you simple need to know a bit about unix systems and a few particular things about Linux to make good use of it 

About your complains about keyboard/mouse in graphical interface (X-server), note it is normal especially in older systems, the config of those things in X-server are independent from the console stuff. In modern systems X-server config have changed a lot.

Also note, that many of those systems even if they start X-server, they are not made to use it, many are simple accessed remotely  , or even locally by serial port 

[peter.mitchell]

This forum topic so far makes me see just this:

[max-bit]

so it seems to me that this computer is used to manage devices via RS232 (terminal) including APC-UPS

[cyteen]

If you press E when at the grub prompt before it boots and add 1 at the end  of the kernel line it will boot to a commandline. Then you can use 'passwd root' to change the root password. Might be a idea to add a new user with 'adduser dave' just in case root logins to X are not allowed. Then just 'reboot' and when it comes back up use your new login. But if the mouse and keyboard aren't working it might slow you down.

[smashedProton]

Dave should use it to control his pick and place machine.  When he gets one...

[grumpydoc]

If you press E when at the grub prompt before it boots and add 1 at the end  of the kernel line it will boot to a commandline.

Usually you have to enter the current root password before you get the single user mode command prompt. RedHat has been that way for years.

It's fairly trivial to bypass that, though.

[c4757p]

If you press E when at the grub prompt before it boots and add 1 at the end  of the kernel line it will boot to a commandline.

Usually you have to enter the current root password before you get the single user mode command prompt. RedHat has been that way for years.

It's fairly trivial to bypass that, though.

Yep. Add "init=/bin/sh rw" to the prompt (removing "ro" if it's there) and you're in. You won't be able to shut down normally, so just do "sync" and then shut down with the power button when you're done changing the password.

[free_electron]

If you press E when at the grub prompt before it boots and add 1 at the end  of the kernel line it will boot to a commandline. The you can use 'passwd root' to change the root password. Might be a idea to add a new user with 'adduser dave' just in case root logins to X are not allowed. Then just 'reboot' and when it comes back up use your new login. But if the mouse and keyboard aren't working it might slow you down.

wow. really ? and here i thought linux was secure .. if it's that easy to take charge of a box...

is there a way to turn that off ?

[firewalker]

If you press E when at the grub prompt before it boots and add 1 at the end  of the kernel line it will boot to a commandline. The you can use 'passwd root' to change the root password. Might be a idea to add a new user with 'adduser dave' just in case root logins to X are not allowed. Then just 'reboot' and when it comes back up use your new login. But if the mouse and keyboard aren't working it might slow you down.

wow. really ? and here i thought linux was secure .. if it's that easy to take charge of a box...

is there a way to turn that off ?

In the vast majority of setups you will have to provide the root password to be able to login in "Single user mode". Also anyone serious about his system will have GRUB locked for editing.



Alexander.

[PA0PBZ]

Besides that, you need physical access to the computer. Once you have that there are lots of other ways to get in.

[grumpydoc]

wow. really ? and here i thought linux was secure .. if it's that easy to take charge of a box...

is there a way to turn that off ?

Yes and no.

If you have physical access to a computer then it's difficult to prevent someone hacking their way in - using encrypted filesystems is the only way.

To be fair the same is largely true of Windows - just stick a Linux crack disk in and edit the administrator password.

[firewalker]

Forgot to mention that it's trivial to enable the password login when in single user mode.

But once someone has physical access to an unencrypted machine, will almost sure crack it open. E.g. booting with a live cd. Something similar to Winternals ERD commander for Windows.

Alexander.

[SeanB]

Easiest fix is to lock it, though for most server cases the locks are so complex that I normally just use 2 paper clips and 30 seconds to open them, often a lot faster than finding the key in the first place. Some use a cylinder lock like PC's used to have, and all of those I have met use the same key, which coincidentally is on my set of keys as well. I use the locks as nice non user fiddleable switches, not for anything high security but to deter the casual random switch flipper.

[free_electron]

There should be a mode where , no matter how you boot, you need a password (whether user or root) before the machine lets you do anything. ( config change, hardware install whatever. )

the file system should be encrypted so that booting from a startup disk yields you nothing. no access to anything stored on the machine.
keys should be stored in the TPM.

yous should not be able to bypass that. the machine should basically tell you 'i don't know who you are . get lost'

[c4757p]

There should be a mode where , no matter how you boot, you need a password (whether user or root) before the machine lets you do anything. ( config change, hardware install whatever. )

There is, it's just almost never used. GRUB can be password-protected so you can't edit the boot line. Throw a password lock on the BIOS as well and you're good. Still, I don't think that's going about it the right way. Software protection for software access and physical protection for hardware access. Even if you can't unlock the system because there's an encrypted file system, you can still install hardware keyloggers and whatnot with hardware access. Use the software to keep intruders out over the network and the locks on the building to keep intruders out of the electronics.

[free_electron]

oh, but that wasn't the point.

the point is to keep (l)users off my machine.

let's say i configure this computer for industrial purposes( machine automation)
i do NOt want any operator in the night shift installing solitaire .. or booting it from his own usb or cd ( that's bios config pwd locking and or not installing external drives)

furthermore , i may have proprietary software on there. i don't want anyone going into places on the drive he has no busines sbeing , let alone being able to copy a file of the machine. this is all perfectly possible in a unix environment , except if , on power on you can bypass the boot and change the root password that easily ...

[c4757p]

Ah. Still, just use the GRUB password lock. Almost always forgotten, but it's still there.

[grumpydoc]

A GRUB password can be set but with access to the BIOS I can change the boot device.

A BIOS password can be set but with physical access I can clear the CMOS and the password is gone.

It would be possible, if you really needed it to make a PC pretty secure - make the BIOS require a password and not have an override. If you're really paranoid perhaps even encrypt the BIOS in the EEPROM then decrypt on the fly. Using public key encryption would mean the PC could have the decrypt key but only the holder of the private key could write a BIOS so you couldn't swap it out or re-flash the EEPROM even with access and, of course, fully encrypted hard disks would be mandatory. Probably keyed to the hardware so you can't read them on another machine even if you do know the key.

Its even possible such a computer exists in certain niches.

However using it would be a royal pain in the arse and if the boot password ever gets forgotten** you have a very secure paperweight on your hands.

** In environments where such precautions might be considered the passwords are usually written down and then held in a very safe safe somewhere. Oh and you'll be lucky to get physical access to the hardware.