Author Topic: EEVblog #458 - Industrial Computer  (Read 45670 times)


Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37730
  • Country: au
    • EEVblog
EEVblog #458 - Industrial Computer
« on: April 21, 2013, 01:21:52 am »
 

Offline rain

  • Newbie
  • Posts: 5
Re: EEVblog #458 - Industrial Computer
« Reply #1 on: April 21, 2013, 02:17:29 am »
FYI, CF cards are pin-compatible with the ATA interface, so you don't need any special software to use them in place of a hard disk.  http://en.wikipedia.org/wiki/CompactFlash#Technical_details

I've got a passive IDE<->CF adapter laying around somewhere from an older industrial computer board we used at a wireless internet provider.
 

Offline Psi

  • Super Contributor
  • ***
  • Posts: 9930
  • Country: nz
Re: EEVblog #458 - Industrial Computer
« Reply #2 on: April 21, 2013, 02:20:48 am »
yep, CF is pin compatible with IDE.

Some even support DMA mode.
Greek letter 'Psi' (not Pounds per Square Inch)
 

Offline gxti

  • Frequent Contributor
  • **
  • Posts: 507
  • Country: us
Re: EEVblog #458 - Industrial Computer
« Reply #3 on: April 21, 2013, 04:46:25 am »
That linux install is ancient. kernel 2.4.21 came out in 2003 or 2004. Hope it didn't leave too bad a taste in your mouth, hardly representative of what it can do today.
 

Offline Bored@Work

  • Super Contributor
  • ***
  • Posts: 3932
  • Country: 00
Re: EEVblog #458 - Industrial Computer
« Reply #4 on: April 21, 2013, 05:01:46 am »
Quote
That linux install is ancient. kernel 2.4.21 came out in 2003 or 2004. Hope it didn't leave too bad a taste in your mouth, hardly representative of what it can do today.

Dave is a card carrying Linux hater. You could give him the most modern, most refined Linux and he will still complain that even Windows 3.11 is better. By all means, Windows 3.11, a heap of constantly crashing, unusable, unsafe, unreliable, unergonomic, stinking pile of shit.
I delete PMs unread. If you have something to say, say it in public.
For all else: Profile->[Modify Profile]Buddies/Ignore List->Edit Ignore List
 

Offline EEVblogTopic starter

  • Administrator
  • *****
  • Posts: 37730
  • Country: au
    • EEVblog
Re: EEVblog #458 - Industrial Computer
« Reply #5 on: April 21, 2013, 05:12:29 am »
Quote
Dave is a card carrying Linux hater.

Bullshit.
I simply don't use it, and consequently know very little about it.
As far as I'm concerned an O/S is a tool to get a job done. Linux is a tool I have never used.

Quote
You could give him the most modern, most refined Linux and he will still complain that even Windows 3.11 is better. By all means, Windows 3.11, a heap of constantly crashing, unusable, unsafe, unreliable, unergonomic, stinking pile of shit.

Funny how Win 3.11 never ever crashed on dozens of production machines that were either constantly plugged and unplugged and abused by production operators, or left running 24/7 for many years.
 

Offline firewalker

  • Super Contributor
  • ***
  • Posts: 2450
  • Country: gr
Re: EEVblog #458 - Industrial Computer
« Reply #6 on: April 21, 2013, 05:51:08 am »
Cyclades.

Alexander.
Become a realist, stay a dreamer.

 

Offline bxs

  • Regular Contributor
  • *
  • Posts: 89
  • Country: 00
Re: EEVblog #458 - Industrial Computer
« Reply #7 on: April 21, 2013, 06:19:47 am »
Haha, a P4 @ 3GHz, how many KW does it need?  :-DD

About that Linux, it's simply too outdated; it has changed a lot, but that doesn't make it less capable. You simply need to know a bit about unix systems and a few particular things about Linux to make good use of it  ;)

About your complaints about keyboard/mouse in the graphical interface (X-server): note it is normal, especially in older systems; the config of those things in X-server is independent from the console stuff. In modern systems X-server config has changed a lot.

Also note that many of those systems, even if they start X-server, are not made to use it; many are simply accessed remotely  :D , or even locally by serial port  :-DD
 

Offline peter.mitchell

  • Super Contributor
  • ***
  • Posts: 1567
  • Country: au
Re: EEVblog #458 - Industrial Computer
« Reply #8 on: April 21, 2013, 06:33:10 am »
This forum topic so far makes me see just this:

 

Offline max-bit

  • Frequent Contributor
  • **
  • Posts: 672
  • Country: pl
Re: EEVblog #458 - Industrial Computer
« Reply #9 on: April 21, 2013, 08:44:26 am »
so it seems to me that this computer is used to manage devices via RS232 (terminal) including APC-UPS
 

Offline cyteen

  • Newbie
  • Posts: 6
Re: EEVblog #458 - Industrial Computer
« Reply #10 on: April 21, 2013, 01:02:44 pm »
If you press E when at the grub prompt before it boots and add 1 at the end of the kernel line it will boot to a commandline. Then you can use 'passwd root' to change the root password. Might be an idea to add a new user with 'adduser dave' just in case root logins to X are not allowed. Then just 'reboot' and when it comes back up use your new login. But if the mouse and keyboard aren't working it might slow you down.
« Last Edit: April 21, 2013, 08:38:02 pm by cyteen »
 

Offline smashedProton

  • Frequent Contributor
  • **
  • Posts: 641
  • Country: us
Re: EEVblog #458 - Industrial Computer
« Reply #11 on: April 21, 2013, 04:46:12 pm »
Dave should use it to control his pick and place machine.  When he gets one...
http://www.garrettbaldwin.com/

Invention, my dear friends, is 93% perspiration, 6% electricity, 4% evaporation, and 2% butterscotch ripple.
 

Offline grumpydoc

  • Super Contributor
  • ***
  • Posts: 2905
  • Country: gb
Re: EEVblog #458 - Industrial Computer
« Reply #12 on: April 21, 2013, 04:50:39 pm »
Quote
If you press E when at the grub prompt before it boots and add 1 at the end  of the kernel line it will boot to a commandline.

Usually you have to enter the current root password before you get the single user mode command prompt. RedHat has been that way for years.

It's fairly trivial to bypass that, though.
 

Offline c4757p

  • Super Contributor
  • ***
  • Posts: 7799
  • Country: us
  • adieu
Re: EEVblog #458 - Industrial Computer
« Reply #13 on: April 21, 2013, 04:54:18 pm »
Quote
If you press E when at the grub prompt before it boots and add 1 at the end  of the kernel line it will boot to a commandline.

Usually you have to enter the current root password before you get the single user mode command prompt. RedHat has been that way for years.

It's fairly trivial to bypass that, though.

Yep. Add "init=/bin/sh rw" to the prompt (removing "ro" if it's there) and you're in. You won't be able to shut down normally, so just do "sync" and then shut down with the power button when you're done changing the password.
No longer active here - try the IRC channel if you just can't be without me :)
 

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 8517
  • Country: us
    • SiliconValleyGarage
Re: EEVblog #458 - Industrial Computer
« Reply #14 on: April 21, 2013, 06:11:48 pm »
Quote
If you press E when at the grub prompt before it boots and add 1 at the end of the kernel line it will boot to a commandline. Then you can use 'passwd root' to change the root password. Might be an idea to add a new user with 'adduser dave' just in case root logins to X are not allowed. Then just 'reboot' and when it comes back up use your new login. But if the mouse and keyboard aren't working it might slow you down.

wow. really ? and here i thought linux was secure .. if it's that easy to take charge of a box...

is there a way to turn that off ?
Professional Electron Wrangler.
Any comments, or points of view expressed, are my own and not endorsed , induced or compensated by my employer(s).
 

Offline firewalker

  • Super Contributor
  • ***
  • Posts: 2450
  • Country: gr
Re: EEVblog #458 - Industrial Computer
« Reply #15 on: April 21, 2013, 06:21:17 pm »
Quote
If you press E when at the grub prompt before it boots and add 1 at the end of the kernel line it will boot to a commandline. Then you can use 'passwd root' to change the root password. Might be an idea to add a new user with 'adduser dave' just in case root logins to X are not allowed. Then just 'reboot' and when it comes back up use your new login. But if the mouse and keyboard aren't working it might slow you down.
wow. really ? and here i thought linux was secure .. if it's that easy to take charge of a box...

is there a way to turn that off ?

In the vast majority of setups you will have to provide the root password to be able to login in "Single user mode". Also anyone serious about his system will have GRUB locked for editing.



Alexander.
« Last Edit: April 21, 2013, 06:22:50 pm by firewalker »
Become a realist, stay a dreamer.

 

Offline PA0PBZ

  • Super Contributor
  • ***
  • Posts: 5126
  • Country: nl
Re: EEVblog #458 - Industrial Computer
« Reply #16 on: April 21, 2013, 06:22:55 pm »
Besides that, you need physical access to the computer. Once you have that there are lots of other ways to get in.
Keyboard error: Press F1 to continue.
 

Offline grumpydoc

  • Super Contributor
  • ***
  • Posts: 2905
  • Country: gb
Re: EEVblog #458 - Industrial Computer
« Reply #17 on: April 21, 2013, 06:30:03 pm »
Quote
wow. really ? and here i thought linux was secure .. if it's that easy to take charge of a box...

is there a way to turn that off ?

Yes and no.

If you have physical access to a computer then it's difficult to prevent someone hacking their way in - using encrypted filesystems is the only way.

To be fair the same is largely true of Windows - just stick a Linux crack disk in and edit the administrator password.
 

Offline firewalker

  • Super Contributor
  • ***
  • Posts: 2450
  • Country: gr
Re: EEVblog #458 - Industrial Computer
« Reply #18 on: April 21, 2013, 06:31:07 pm »
Forgot to mention that it's trivial to enable the password login when in single user mode.

But once someone has physical access to an unencrypted machine, they will almost surely crack it open. E.g. booting with a live cd. Something similar to Winternals ERD commander for Windows.

Alexander.
Become a realist, stay a dreamer.

 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16276
  • Country: za
Re: EEVblog #458 - Industrial Computer
« Reply #19 on: April 21, 2013, 07:08:22 pm »
Easiest fix is to lock it, though for most server cases the locks are so complex that I normally just use 2 paper clips and 30 seconds to open them, often a lot faster than finding the key in the first place. Some use a cylinder lock like PC's used to have, and all of those I have met use the same key, which coincidentally is on my set of keys as well. I use the locks as nice non user fiddleable switches, not for anything high security but to deter the casual random switch flipper.
 

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 8517
  • Country: us
    • SiliconValleyGarage
Re: EEVblog #458 - Industrial Computer
« Reply #20 on: April 21, 2013, 07:21:15 pm »
There should be a mode where , no matter how you boot, you need a password (whether user or root) before the machine lets you do anything. ( config change, hardware install whatever. )

the file system should be encrypted so that booting from a startup disk yields you nothing. no access to anything stored on the machine.
keys should be stored in the TPM.

you should not be able to bypass that. the machine should basically tell you 'i don't know who you are . get lost'
Professional Electron Wrangler.
Any comments, or points of view expressed, are my own and not endorsed , induced or compensated by my employer(s).
 

Offline c4757p

  • Super Contributor
  • ***
  • Posts: 7799
  • Country: us
  • adieu
Re: EEVblog #458 - Industrial Computer
« Reply #21 on: April 21, 2013, 07:25:06 pm »
Quote
There should be a mode where , no matter how you boot, you need a password (whether user or root) before the machine lets you do anything. ( config change, hardware install whatever. )

There is, it's just almost never used. GRUB can be password-protected so you can't edit the boot line. Throw a password lock on the BIOS as well and you're good. Still, I don't think that's going about it the right way. Software protection for software access and physical protection for hardware access. Even if you can't unlock the system because there's an encrypted file system, you can still install hardware keyloggers and whatnot with hardware access. Use the software to keep intruders out over the network and the locks on the building to keep intruders out of the electronics.
No longer active here - try the IRC channel if you just can't be without me :)
 

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 8517
  • Country: us
    • SiliconValleyGarage
Re: EEVblog #458 - Industrial Computer
« Reply #22 on: April 21, 2013, 07:39:25 pm »
oh, but that wasn't the point.

the point is to keep (l)users off my machine.

let's say i configure this computer for industrial purposes( machine automation)
i do NOT want any operator in the night shift installing solitaire .. or booting it from his own usb or cd ( that's bios config pwd locking and or not installing external drives)

furthermore , i may have proprietary software on there. i don't want anyone going into places on the drive he has no business being , let alone being able to copy a file off the machine. this is all perfectly possible in a unix environment , except if , on power on you can bypass the boot and change the root password that easily ...
Professional Electron Wrangler.
Any comments, or points of view expressed, are my own and not endorsed , induced or compensated by my employer(s).
 

Offline c4757p

  • Super Contributor
  • ***
  • Posts: 7799
  • Country: us
  • adieu
Re: EEVblog #458 - Industrial Computer
« Reply #23 on: April 21, 2013, 08:06:54 pm »
Ah. Still, just use the GRUB password lock. Almost always forgotten, but it's still there.
No longer active here - try the IRC channel if you just can't be without me :)
 

Offline grumpydoc

  • Super Contributor
  • ***
  • Posts: 2905
  • Country: gb
Re: EEVblog #458 - Industrial Computer
« Reply #24 on: April 21, 2013, 08:20:24 pm »
A GRUB password can be set but with access to the BIOS I can change the boot device.

A BIOS password can be set but with physical access I can clear the CMOS and the password is gone.

It would be possible, if you really needed it to make a PC pretty secure - make the BIOS require a password and not have an override. If you're really paranoid perhaps even encrypt the BIOS in the EEPROM then decrypt on the fly. Using public key encryption would mean the PC could have the decrypt key but only the holder of the private key could write a BIOS so you couldn't swap it out or re-flash the EEPROM even with access and, of course, fully encrypted hard disks would be mandatory. Probably keyed to the hardware so you can't read them on another machine even if you do know the key.

It's even possible such a computer exists in certain niches.

However using it would be a royal pain in the arse and if the boot password ever gets forgotten** you have a very secure paperweight on your hands.

** In environments where such precautions might be considered the passwords are usually written down and then held in a very safe safe somewhere. Oh and you'll be lucky to get physical access to the hardware.

 

Offline firewalker

  • Super Contributor
  • ***
  • Posts: 2450
  • Country: gr
Re: EEVblog #458 - Industrial Computer
« Reply #25 on: April 21, 2013, 08:34:40 pm »
Every time I tested "Single user mode" on a system, never found a non password protected login.

Haven't Ubuntu system though.  >:D >:D >:D >:D

The important thing is to protect GRUB as you would protect the user account. It's really really trivial.

Code:
password --md5 md5_hash_of_my_password
Alexander.
Become a realist, stay a dreamer.
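
The GRUB password lock and the single-user-mode password prompt discussed in the posts above can be checked on a box before it goes into service. The following audit is an added example, not code from any poster in this thread; it assumes GRUB legacy `grub.conf`/`menu.lst` syntax (the `password --md5` directive quoted above) and a sysvinit `/etc/inittab`, and the sample configs and finding names are constructed for illustration.

```python
import re

# Constructed sample configs in GRUB legacy syntax; not taken from the thread.
HARDENED_CONF = """\
default=0
timeout=5
password --md5 $1$CONSTRUCTED$placeholderhash0000000
title Production
    root (hd0,0)
    kernel /vmlinuz ro root=/dev/sda2
title Maintenance
    lock
    root (hd0,0)
    kernel /vmlinuz ro root=/dev/sda2 single
"""
WEAK_CONF = """\
default=0
timeout=5
title Production
    kernel /vmlinuz ro root=/dev/sda2
title Maintenance
    kernel /vmlinuz ro root=/dev/sda2 single
"""
# Constructed sysvinit inittab fragments.
INITTAB_WITH_SULOGIN = "id:3:initdefault:\n~~:S:wait:/sbin/sulogin\n"
INITTAB_WITHOUT_SULOGIN = "id:3:initdefault:\nsi::sysinit:/etc/rc.d/rc.sysinit\n"

# Kernel arguments that request single-user mode or replace init.
SINGLE_USER_ARGS = {"single", "1", "s", "S"}


def audit_grub_legacy(text):
    """Return a list of finding strings for a GRUB legacy config."""
    global_pw = None      # None, "md5" or "plain"
    plaintext = False     # any password stored without --md5
    entries = []          # one dict per 'title' stanza
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        cmd = parts[0].lower()
        arg = parts[1] if len(parts) > 1 else ""
        if cmd == "title":
            current = {"title": arg, "locked": False, "own_pw": False,
                       "single": False}
            entries.append(current)
        elif cmd == "password":
            kind = "md5" if arg.split()[:1] == ["--md5"] else "plain"
            plaintext = plaintext or kind == "plain"
            if current is None:
                global_pw = kind          # applies to menu editing
            else:
                current["own_pw"] = True  # per-entry password
        elif cmd == "lock" and current is not None:
            current["locked"] = True
        elif cmd == "kernel" and current is not None:
            tokens = arg.split()
            current["single"] = any(
                t in SINGLE_USER_ARGS or t.startswith("init=") for t in tokens
            )

    findings = []
    if global_pw is None:
        # Without a global password the boot line can be edited at the menu.
        findings.append("no-global-password")
    if plaintext:
        findings.append("plaintext-password")
    for e in entries:
        if e["locked"] and global_pw is None and not e["own_pw"]:
            findings.append("lock-without-password:" + e["title"])
        protected = e["own_pw"] or (e["locked"] and global_pw is not None)
        if e["single"] and not protected:
            findings.append("single-user-entry-unlocked:" + e["title"])
    return findings


def single_user_requires_password(inittab_text):
    """True if inittab runs sulogin for runlevel S (root password prompt)."""
    for raw in inittab_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 3)  # id:runlevels:action:process
        if len(fields) == 4 and "S" in fields[1].upper() \
                and "sulogin" in fields[3]:
            return True
    return False


if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED_CONF), ("weak", WEAK_CONF)):
        print(name, audit_grub_legacy(conf) or "no findings")
    print("sulogin:", single_user_requires_password(INITTAB_WITH_SULOGIN))
```

As several replies in this thread note, a clean result only covers the boot menu and single-user prompt; it says nothing about BIOS boot order or an unencrypted disk.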

 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 7992
  • Country: gb
Re: EEVblog #458 - Industrial Computer
« Reply #26 on: April 21, 2013, 09:57:05 pm »
A Realtek NIC in a high reliability system. Somebody needs a new, lower paid job.
 

Offline NickS

  • Supporter
  • ****
  • Posts: 55
  • Country: au
Re: EEVblog #458 - Industrial Computer
« Reply #27 on: April 21, 2013, 10:02:23 pm »
Quote
There should be a mode where , no matter how you boot, you need a password (whether user or root) before the machine lets you do anything. ( config change, hardware install whatever. )

Why? It's in a restricted zone bolted in to a rack and all it does is control a bunch of RS232 ports.

Yes you can make Linux do what you describe. No this computer doesn't need anything like that.
Full disk encryption (which Linux will happily do quite easily during installation) prevents anything from touching the hard drive without the password.

By the way the reason the kernel is so old is because it is Red Hat Enterprise Linux.
They don't care about new, they care about rock solid.
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 7992
  • Country: gb
Re: EEVblog #458 - Industrial Computer
« Reply #28 on: April 21, 2013, 10:05:36 pm »
Quote
By the way the reason the kernel is so old is because it is Red Hat Enterprise Linux.
They don't care about new, they care about rock solid.

The kernel is so old because it's RHEL 3, which really is from 2003, and the last time they bothered to update it was in 2006. So they never maintained it anyway.
 

alm

  • Guest
Re: EEVblog #458 - Industrial Computer
« Reply #29 on: April 21, 2013, 10:13:53 pm »
Quote
A BIOS password can be set but with physical access I can clear the CMOS and the password is gone.

It would be possible, if you really needed it to make a PC pretty secure - make the BIOS require a password and not have an override.

I believe at least in the past IBM/Lenovo Thinkpads stored the password encrypted in EEPROM. It could not be reset by disconnecting a battery. Disk encryption was also connected to this. I'm not sure how hard it was to circumvent, but it was not a trivial exercise.

I see more reason for this kind of security for laptops than for industrial servers, however. A laptop might be exposed to all kinds of hostile environment. This server connects to RS-232 lines. If anything important was connected to the RS-232 cables (eg. an ultra-centrifuge), anyone with physical access could easily plug the cable in their laptop and take over the equipment. Someone opening a locked server cabinet and shorting a battery seems like a minor problem compared to the other havoc someone with physical access could wreak.
 

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 8517
  • Country: us
    • SiliconValleyGarage
Re: EEVblog #458 - Industrial Computer
« Reply #30 on: April 21, 2013, 10:15:19 pm »
Quote
There should be a mode where , no matter how you boot, you need a password (whether user or root) before the machine lets you do anything. ( config change, hardware install whatever. )
Why? It's in a restricted zone bolted in to a rack and all it does is control a bunch of RS232 ports.

You fail to see the bigger picture.

This machine now no longer sits in a restricted zone , it's on dave's bench , and whatever twiddledum that released it from the government failed to sanitize it properly !
2 minutes work and there is a new root password ...

Here is personal experience : early 2000's some guys used a truck to ram the wall and window of a room adjacent to our computer room, they used a crowbar and/or pneumatic jack to force the door to the computer room and ran off with two very expensive Sun servers including the attached disk array... took less than 5 minutes. ( we have video footage )

the machines held the (partial) data to some ASIC's we were working on ...

We notified Sun. a few weeks later they popped up with an IP address originating somewhere in a former USSR territory ...
These Sun machines 'call home'.  They were dismantled . the Motherboards were thrown away , the CPU's and memory unplugged and installed in other machines. for some reason these cpu's have a serial number . so did the memory boards. the inventory program 'notified home' what was installed. lo and behold : there are our cpu's and memory boards ....

they nailed the guys eventually. we got burgled, as well as 3 or 4 other businesses that had the same machines.
turned out the delivery truck driver tipped the crooks off with lists of what he delivered where.

the hi end cpu and memory boards were not for export ... couldn't get them in pisspooristan. so they broke in , stole european machines, stripped them and smuggled parts .

that's why i was amazed that it is so easy to bypass root.

this is an industrial computer that came from the government. for all i care it controlled the timecard of the janitor and the access to his broom closet.

problem is  it was government property and has not been properly sanitized ( drives nuked ) and that is a catastrophic failure...

Where i work machines are really 'sanitized' before discarded. Harddisks are going in a shredder... the TPM chips on the motherboards get a 'treatment' with a 10mm drill. Any workstation that has access to the designs has lockdown on USB. you can't connect external drives , usb sticks or whatever : the computer will not access them. the optical drives are removed. you cannot bring anything on these machines or take off these machines except through the network.
The only machine with tape drive and or disc burner sits in the computer room and only a few people have access to that thing
« Last Edit: April 21, 2013, 10:22:23 pm by free_electron »
Professional Electron Wrangler.
Any comments, or points of view expressed, are my own and not endorsed , induced or compensated by my employer(s).
 

alm

  • Guest
Re: EEVblog #458 - Industrial Computer
« Reply #31 on: April 21, 2013, 10:19:29 pm »
The root password is irrelevant in this case. Only disk encryption (with the keys not stored on the same server, obviously) would help. Otherwise it takes about two minutes to access the filesystem from another system, regardless of the OS.
 

Offline Rufus

  • Super Contributor
  • ***
  • Posts: 2095
Re: EEVblog #458 - Industrial Computer
« Reply #32 on: April 21, 2013, 10:54:11 pm »
Quote
The root password is irrelevant in this case. Only disk encryption (with the keys not stored on the same server, obviously) would help. Otherwise it takes about two minutes to access the filesystem from another system, regardless of the OS.

And what exactly does a national standards institute (or whatever the place it came from) have to hide? Especially on a computer which was probably just monitoring the operation of their time and frequency standards - if there was any 'information' in that system they are probably required to publish it anyway.
 

Offline c4757p

  • Super Contributor
  • ***
  • Posts: 7799
  • Country: us
  • adieu
Re: EEVblog #458 - Industrial Computer
« Reply #33 on: April 21, 2013, 11:12:18 pm »
Quote
And what exactly does a national standards institute (or whatever the place it came from) have to hide?

Lots of information that could be relevant to a hacker trying to infiltrate the rest of the system? I don't imagine standards institutes are that tempting as targets, but still, you could do some damage...
No longer active here - try the IRC channel if you just can't be without me :)
 

Offline NiHaoMike

  • Super Contributor
  • ***
  • Posts: 9008
  • Country: us
  • "Don't turn it on - Take it apart!"
    • Facebook Page
Re: EEVblog #458 - Industrial Computer
« Reply #34 on: April 22, 2013, 03:02:18 am »
Quote
A Realtek NIC in a high reliability system. Somebody needs a new, lower paid job.

I have used RTL8139 cards in a homemade pfSense router, it has operated for many years practically 24/7 and never had any issues with the network. (The RTL8111, however, doesn't like unusually short cables.)
Cryptocurrency has taught me to love math and at the same time be baffled by it.

Cryptocurrency lesson 0: Altcoins and Bitcoin are not the same thing.
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 7992
  • Country: gb
Re: EEVblog #458 - Industrial Computer
« Reply #35 on: April 22, 2013, 03:10:42 am »
Quote
A Realtek NIC in a high reliability system. Somebody needs a new, lower paid job.
I have used RTL8139 cards in a homemade pfSense router, it has operated for many years practically 24/7 and never had any issues with the network. (The RTL8111, however, doesn't like unusually short cables.)

I've killed a few over the years. They've got a poor reputation for reliability, and are nasty little devices anyway. They're only common because they're dirt cheap. I suppose the common driver is an upside for this type of system, but I'd much rather they just lay in stock of decent Intel parts..
 

Offline Bored@Work

  • Super Contributor
  • ***
  • Posts: 3932
  • Country: 00
Re: EEVblog #458 - Industrial Computer
« Reply #36 on: April 22, 2013, 05:22:59 am »
Quote
There should be a mode where , no matter how you boot, you need a password (whether user or root) before the machine lets you do anything. ( config change, hardware install whatever. )
Why? It's in a restricted zone bolted in to a rack and all it does is control a bunch of RS232 ports.

You fail to see the bigger picture.

The bigger picture? I think we have all seen that your bigger picture is to try to make a case against Linux. Well ...


BIOS not secure, because it can be overridden and/or reset?

Independent of the OS, most BIOS versions have that loophole.


Boot loader can be re-configured?

(a) the Linux loader can be locked
(b) surprise, surprise, the Windows loader accepts parameters, too.


Boot from a separate drive possible?

Sure, if you don't lock the boot interface down and/or block the physical interface. Windows suffers from the same loophole.


No encrypted drive in use?

Because the user didn't select that option during install on Linux. And for Windows? Only if you have an ultimate/pro version and select Bitlocker on install. Other Windows versions? Pay extra for third-party software.

Or, get a secure BIOS and hard drives with on-board encryption. And then scratch your head if your secure BIOS is really that secure, and the hard drive encryption does work at all.


The above issues are either issues of the PC platform as such, it was never made to be secure, or of the user/admin, who didn't plan for a secure setup. You can get more secure PCs. Ask a military contractor near you. Pay a premium. Or be clever. Do a risk assessment. Likelihood of the thing going missing vs. business impact if it does. CAPEX and OPEX.

That the drive was not wiped is also an error that has nothing to do with the OS. That part of the Australian government either doesn't have disk-wipe or disk-disposal procedures, only weak ones, or the procedures weren't followed. They are far from being the only ones. There are companies out there having fun buying used drives on eBay and then generating statistics about the goodies they found. Same with buying used cell phones.
I delete PMs unread. If you have something to say, say it in public.
For all else: Profile->[Modify Profile]Buddies/Ignore List->Edit Ignore List
 

Offline Hypernova

  • Supporter
  • ****
  • Posts: 655
  • Country: tw
Re: EEVblog #458 - Industrial Computer
« Reply #37 on: April 22, 2013, 05:40:05 am »
Quote
** In environments where such precautions might be considered the passwords are usually written down and then held in a very safe safe somewhere.

Otherwise known as that PostIt note stuck next to the monitor.  ;D
 

Offline grumpydoc

  • Super Contributor
  • ***
  • Posts: 2905
  • Country: gb
Re: EEVblog #458 - Industrial Computer
« Reply #38 on: April 22, 2013, 07:04:37 am »
Quote
Otherwise known as that PostIt note stuck next to the monitor

Has to be a Post-It note to military standards, of course  ;)
 

Offline Alana

  • Frequent Contributor
  • **
  • Posts: 297
  • Country: pl
Re: EEVblog #458 - Industrial Computer
« Reply #39 on: April 22, 2013, 09:34:09 am »
Most secure PC network I have seen as a techie was in an express freight company. Boot only from main hdd locked by bios password and employees using limited/guest accounts in winXP.
And from what I remember it was more because the company employed people from the street and wanted to avoid mess on their computers done by computer-illiterate users than for true security reasons.
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 8264
Re: EEVblog #458 - Industrial Computer
« Reply #40 on: April 22, 2013, 10:44:35 am »
Quote
I believe at least in the past IBM/Lenovo Thinkpads stored the password encrypted in EEPROM. It could not be reset by disconnecting a battery. Disk encryption was also connected to this. I'm not sure how hard it was to circumvent, but it was not a trivial exercise.

If you have physical access, not hard.

"Anything humans make, humans can break."
 

Offline Psi

  • Super Contributor
  • ***
  • Posts: 9930
  • Country: nz
Re: EEVblog #458 - Industrial Computer
« Reply #41 on: April 22, 2013, 10:50:05 am »
Once you have physical access to the machine the security is broken
Greek letter 'Psi' (not Pounds per Square Inch)
 

Offline MacAttak

  • Supporter
  • ****
  • Posts: 683
  • Country: us
Re: EEVblog #458 - Industrial Computer
« Reply #42 on: April 22, 2013, 11:45:19 pm »
Sorry to be discussing the actual video :)

I recognize the rack case that was used in this machine - I owned two of them a few years back. My old house had a spare room that I converted into a server room (dedicated power and cooling). These were in one of my racks along with a huge APC UPS and external SCSI RAID cage.

I forget the brand, but it was pretty widely used (and many other companies OEM'd the same hardware and slapped their name on it). Roughly $500 each, for the case and all of the drive/card mounting hardware. If I recall, they were not very easy to get if you weren't a system builder.

HEAVY AS HELL. Once filled up with drives / PSU / cards, it was too heavy to install into a rack without help.
 

Offline westfw

  • Super Contributor
  • ***
  • Posts: 4199
  • Country: us
Re: EEVblog #458 - Industrial Computer
« Reply #43 on: April 23, 2013, 01:19:14 am »
About the Serial Cards:

BASIS is a company that acquired the communications products from Cirrus Logic, quite a ways back.  I think they were later acquired by Intel (~2001.)

They have/had some really nice serial chips.  The CD180 was one of the earlier octal uart chips, and it included a number of features that actually made it relatively usable even on systems with limited processing power (it turns out that 8 async ports communicating full duplex at 38400bps presents quite a high interrupt load, if you're using conventional uart interrupts.)  Back in the day, the chips were heavily used in (for example) dialin terminal servers, including The cisco-500 and the Livingston Portmaster (IIRC.)  The CD1400 used on the cards in this box are slightly newer 4-port uarts; IO-mapped, significant FIFOs, special character recognition, HW support for both HW and SW flow control, etc.

The cream of the crop were the CD24xx 4-port uarts.  These were lovely little microcoded things that did both sync and async, DMA, and assorted high-level protocols (Async PPP and HDLC especially.)   They were heavily used on cisco 25xx, terminal servers, multiport async cards for 2600 and 3600 series routers, and the multi-personality async/sync cards for various routers.  Later versions of the chip had the microcode in RAM, so that it was downloadable from the host cpu.  I like to claim some personal responsibility for that particular feature; when Cirrus came to cisco, way back when, to get our help with (and sell us) the new chip, they offered us a "debug version" that used external ram for microcode, and my eyes lit up and I said "can we get those in production quantities?  Having "fixable" microcode has saved our butts SO many times..."  (and they could, and we did use them, and it did save our buts...) (and we were already using about the same fast static ram chips for our own downloadable microcode, so they weren't "expensive" to us.)

Later (cisco) products used in-house designed ASICs.  But you know, it can be harder to get your in-house ASIC teams to listen well to product requirements than it is to get an external vendor to listen.  Sigh.
« Last Edit: April 23, 2013, 07:46:54 am by westfw »
 

Offline ejeffrey

  • Super Contributor
  • ***
  • Posts: 3713
  • Country: us
Re: EEVblog #458 - Industrial Computer
« Reply #44 on: April 23, 2013, 02:51:08 am »
blah, blah, blah.

Yes, Linux supports full disk encryption.  It also supports a relatively secure partial disk encryption (something windows basically doesn't do in a useful way).

The point is, the existence of a default way to boot the computer from the console without a password is not evidence for or against any kind of security, and your seizing on the existence of recovery mode as evidence of insecurity is a sign of ignorance.
 

