Author Topic: EEVblog #458 - Industrial Computer  (Read 45648 times)

Offline firewalker

  • Super Contributor
  • ***
  • Posts: 2450
  • Country: gr
Re: EEVblog #458 - Industrial Computer
« Reply #25 on: April 21, 2013, 08:34:40 pm »
Every time I tested "Single user mode" on a system, I never found a non-password-protected login.

Haven't Ubuntu system though.  >:D >:D >:D >:D

The important thing is to protect GRUB as you would protect the user account. It's really really trivial.

Code:
password --md5 md5_hash_of_my_password
Alexander.
Become a realist, stay a dreamer.
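
An added example (not part of the original post, and not code from any project discussed here): a small audit of a GRUB legacy config for the protection described above, using the `password` directive from the post plus GRUB legacy's per-entry `lock`. The two sample configs are constructed, and `audit_grub_legacy` is a hypothetical helper name.

```python
import re

# Constructed GRUB legacy configs (not taken from the machine in the video).
UNPROTECTED = """\
default=0
timeout=10
title Linux
    root (hd0,0)
    kernel /vmlinuz ro root=LABEL=/
title Linux (single user)
    root (hd0,0)
    kernel /vmlinuz ro root=LABEL=/ single
"""
PROTECTED = """\
default=0
timeout=10
password --md5 md5_hash_of_my_password
title Linux
    root (hd0,0)
    kernel /vmlinuz ro root=LABEL=/
title Linux (single user)
    lock
    root (hd0,0)
    kernel /vmlinuz ro root=LABEL=/ single
"""

def audit_grub_legacy(text):
    """Return a list of findings for a GRUB legacy config (empty list = none)."""
    global_pw, entries = None, []            # entries: (title, [(cmd, arg), ...])
    for raw in text.splitlines():
        m = re.match(r"(\S+?)(?:[ \t=]+(.*))?$", raw.strip())
        if not m or m.group(1).startswith("#"):
            continue                          # blank line or comment
        cmd, arg = m.group(1), (m.group(2) or "").strip()
        if cmd == "title":
            entries.append((arg, []))
        elif entries:
            entries[-1][1].append((cmd, arg))  # command inside a menu entry
        elif cmd == "password":
            global_pw = arg                    # global section, before any title
    findings = []
    if global_pw is None:
        findings.append("no global password: boot entries can be edited at the console")
    elif not global_pw.startswith("--md5"):
        findings.append("global password is stored in clear text (use --md5)")
    for title, cmds in entries:
        gated = any(c in ("lock", "password") for c, _ in cmds)
        risky = any(c == "kernel" and any(t in ("single", "1", "s", "S") or t.startswith("init=")
                                          for t in a.split()[1:]) for c, a in cmds)
        if risky and not gated:
            findings.append(f"entry '{title}' starts single-user/init override with no GRUB password")
    return findings
```

With a global password set, unlocked entries still boot normally; only editing the menu and booting `lock`ed entries require the password.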

 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 7992
  • Country: gb
Re: EEVblog #458 - Industrial Computer
« Reply #26 on: April 21, 2013, 09:57:05 pm »
A Realtek NIC in a high reliability system. Somebody needs a new, lower paid job.
 

Offline NickS

  • Supporter
  • ****
  • Posts: 55
  • Country: au
Re: EEVblog #458 - Industrial Computer
« Reply #27 on: April 21, 2013, 10:02:23 pm »
There should be a mode where, no matter how you boot, you need a password (whether user or root) before the machine lets you do anything (config change, hardware install, whatever).
Why? It's in a restricted zone bolted into a rack and all it does is control a bunch of RS232 ports.

Yes you can make Linux do what you describe. No this computer doesn't need anything like that.
Full disk encryption (which Linux will happily do quite easily during installation) prevents anything from touching the hard drive without the password.

By the way the reason the kernel is so old is because it is Red Hat Enterprise Linux.
They don't care about new, they care about rock solid.
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 7992
  • Country: gb
Re: EEVblog #458 - Industrial Computer
« Reply #28 on: April 21, 2013, 10:05:36 pm »
By the way the reason the kernel is so old is because it is Red Hat Enterprise Linux.
They don't care about new, they care about rock solid.

The kernel is so old because it's RHEL 3, which really is from 2003, and the last time they bothered to update it was in 2006. So they never maintained it anyway.
 

alm

  • Guest
Re: EEVblog #458 - Industrial Computer
« Reply #29 on: April 21, 2013, 10:13:53 pm »
A BIOS password can be set but with physical access I can clear the CMOS and the password is gone.

It would be possible, if you really needed it, to make a PC pretty secure - make the BIOS require a password and not have an override.
I believe at least in the past IBM/Lenovo Thinkpads stored the password encrypted in EEPROM. It could not be reset by disconnecting a battery. Disk encryption was also connected to this. I'm not sure how hard it was to circumvent, but it was not a trivial exercise.

I see more reason for this kind of security for laptops than for industrial servers, however. A laptop might be exposed to all kinds of hostile environments. This server connects to RS-232 lines. If anything important was connected to the RS-232 cables (e.g. an ultra-centrifuge), anyone with physical access could easily plug the cable in their laptop and take over the equipment. Someone opening a locked server cabinet and shorting a battery seems like a minor problem compared to the other havoc someone with physical access could wreak.
 

Offline free_electron

  • Super Contributor
  • ***
  • Posts: 8517
  • Country: us
    • SiliconValleyGarage
Re: EEVblog #458 - Industrial Computer
« Reply #30 on: April 21, 2013, 10:15:19 pm »
There should be a mode where, no matter how you boot, you need a password (whether user or root) before the machine lets you do anything (config change, hardware install, whatever).
Why? It's in a restricted zone bolted into a rack and all it does is control a bunch of RS232 ports.

You fail to see the bigger picture.

This machine now no longer sits in a restricted zone, it's on Dave's bench, and whatever twiddledum that released it from the government failed to sanitize it properly!
2 minutes' work and there is a new root password ...

Here is personal experience: in the early 2000s some guys used a truck to ram the wall and window of a room adjacent to our computer room, they used a crowbar and/or pneumatic jack to force the door to the computer room and ran off with two very expensive Sun servers including the attached disk array... took less than 5 minutes. (We have video footage.)

The machines held the (partial) data to some ASICs we were working on ...

We notified Sun. A few weeks later they popped up with an IP address originating somewhere in a former USSR territory ...
These Sun machines 'call home'. They were dismantled. The motherboards were thrown away, the CPUs and memory unplugged and installed in other machines. For some reason these CPUs have a serial number. So did the memory boards. The inventory program 'notified home' what was installed. Lo and behold: there are our CPUs and memory boards ....

They nailed the guys eventually. We got burgled, as well as 3 or 4 other businesses that had the same machines.
Turned out the delivery truck driver tipped the crooks off with lists of what he delivered where.

The hi-end CPU and memory boards were not for export ... couldn't get them in pisspooristan. So they broke in, stole European machines, stripped them and smuggled parts.

That's why I was amazed that it is so easy to bypass root.

This is an industrial computer that came from the government. For all I care it controlled the timecard of the janitor and the access to his broom closet.

Problem is it was government property and has not been properly sanitized (drives nuked) and that is a catastrophic failure...

Where I work machines are really 'sanitized' before being discarded. Hard disks are going in a shredder... the TPM chips on the motherboards get a 'treatment' with a 10mm drill. Any workstation that has access to the designs has lockdown on USB. You can't connect external drives, USB sticks or whatever: the computer will not access them. The optical drives are removed. You cannot bring anything on these machines or take anything off these machines except through the network.
The only machine with a tape drive and/or disc burner sits in the computer room and only a few people have access to that thing.
« Last Edit: April 21, 2013, 10:22:23 pm by free_electron »
Professional Electron Wrangler.
Any comments, or points of view expressed, are my own and not endorsed , induced or compensated by my employer(s).
 

alm

  • Guest
Re: EEVblog #458 - Industrial Computer
« Reply #31 on: April 21, 2013, 10:19:29 pm »
The root password is irrelevant in this case. Only disk encryption (with the keys not stored on the same server, obviously) would help. Otherwise it takes about two minutes to access the filesystem from another system, regardless of the OS.
 

Offline Rufus

  • Super Contributor
  • ***
  • Posts: 2095
Re: EEVblog #458 - Industrial Computer
« Reply #32 on: April 21, 2013, 10:54:11 pm »
The root password is irrelevant in this case. Only disk encryption (with the keys not stored on the same server, obviously) would help. Otherwise it takes about two minutes to access the filesystem from another system, regardless of the OS.

And what exactly does a national standards institute (or whatever the place it came from) have to hide? Especially on a computer which was probably just monitoring the operation of their time and frequency standards - if there was any 'information' in that system they are probably required to publish it anyway.
 

Offline c4757p

  • Super Contributor
  • ***
  • Posts: 7799
  • Country: us
  • adieu
Re: EEVblog #458 - Industrial Computer
« Reply #33 on: April 21, 2013, 11:12:18 pm »
And what exactly does a national standards institute (or whatever the place it came from) have to hide?

Lots of information that could be relevant to a hacker trying to infiltrate the rest of the system? I don't imagine standards institutes are that tempting as targets, but still, you could do some damage...
No longer active here - try the IRC channel if you just can't be without me :)
 

Online NiHaoMike

  • Super Contributor
  • ***
  • Posts: 9007
  • Country: us
  • "Don't turn it on - Take it apart!"
    • Facebook Page
Re: EEVblog #458 - Industrial Computer
« Reply #34 on: April 22, 2013, 03:02:18 am »
A Realtek NIC in a high reliability system. Somebody needs a new, lower paid job.
I have used RTL8139 cards in a homemade pfSense router, it has operated for many years practically 24/7 and never had any issues with the network. (The RTL8111, however, doesn't like unusually short cables.)
Cryptocurrency has taught me to love math and at the same time be baffled by it.

Cryptocurrency lesson 0: Altcoins and Bitcoin are not the same thing.
 

Offline Monkeh

  • Super Contributor
  • ***
  • Posts: 7992
  • Country: gb
Re: EEVblog #458 - Industrial Computer
« Reply #35 on: April 22, 2013, 03:10:42 am »
A Realtek NIC in a high reliability system. Somebody needs a new, lower paid job.
I have used RTL8139 cards in a homemade pfSense router, it has operated for many years practically 24/7 and never had any issues with the network. (The RTL8111, however, doesn't like unusually short cables.)

I've killed a few over the years. They've got a poor reputation for reliability, and are nasty little devices anyway. They're only common because they're dirt cheap. I suppose the common driver is an upside for this type of system, but I'd much rather they just lay in stock of decent Intel parts..
 

Offline Bored@Work

  • Super Contributor
  • ***
  • Posts: 3932
  • Country: 00
Re: EEVblog #458 - Industrial Computer
« Reply #36 on: April 22, 2013, 05:22:59 am »
There should be a mode where, no matter how you boot, you need a password (whether user or root) before the machine lets you do anything (config change, hardware install, whatever).
Why? It's in a restricted zone bolted into a rack and all it does is control a bunch of RS232 ports.

You fail to see the bigger picture.

The bigger picture? I think we have all seen that your bigger picture is to try to make a case against Linux. Well ...


BIOS not secure, because it can be overridden and/or reset?

Independent of the OS, most BIOS versions have that loophole.


Boot loader can be re-configured?

(a) the Linux loader can be locked
(b) surprise, surprise, the Windows loader accepts parameters, too.


Boot from a separate drive possible?

Sure, if you don't lock the boot interface down and/or block the physical interface. Windows suffers from the same loophole.


No encrypted drive in use?

Because the user didn't select that option during install on Linux. And for Windows? Only if you have an ultimate/pro version and select Bitlocker on install. Other Windows versions? Pay extra for third-party software.

Or, get a secure BIOS and hard drives with on-board encryption. And then scratch your head if your secure BIOS is really that secure, and the hard drive encryption does work at all.


The above issues are either issues of the PC platform as such, it was never made to be secure, or of the user/admin, who didn't plan for a secure setup. You can get more secure PCs. Ask a military contractor near you. Pay a premium. Or be clever. Do a risk assessment. Likelihood of the thing going missing vs. business impact if it does. CAPEX and OPEX.

That the drive was not wiped is also an error that has nothing to do with the OS. That part of the Australian government either doesn't have disk-wipe or disk-disposal procedures, only weak ones, or the procedures weren't followed. They are far from being the only ones. There are companies out there having fun buying used drives on eBay and then generating statistics about the goodies they found. Same with buying used cell phones.
I delete PMs unread. If you have something to say, say it in public.
For all else: Profile->[Modify Profile]Buddies/Ignore List->Edit Ignore List
 

Offline Hypernova

  • Supporter
  • ****
  • Posts: 655
  • Country: tw
Re: EEVblog #458 - Industrial Computer
« Reply #37 on: April 22, 2013, 05:40:05 am »
** In environments where such precautions might be considered the passwords are usually written down and then held in a very safe safe somewhere.

Otherwise known as that PostIt note stuck next to the monitor.  ;D
 

Offline grumpydoc

  • Super Contributor
  • ***
  • Posts: 2905
  • Country: gb
Re: EEVblog #458 - Industrial Computer
« Reply #38 on: April 22, 2013, 07:04:37 am »
Quote
Otherwise known as that PostIt note stuck next to the monitor

Has to be a Post-It note to military standards, of course  ;)
 

Offline Alana

  • Frequent Contributor
  • **
  • Posts: 297
  • Country: pl
Re: EEVblog #458 - Industrial Computer
« Reply #39 on: April 22, 2013, 09:34:09 am »
Most secure PC network I've seen as a techie was in an express freight company. Boot only from main HDD locked by BIOS password and employees using limited/guest accounts in WinXP.
And from what I remember it was more because the company employed people from the street and wanted to avoid mess on their computers done by computer-illiterate users than for true security reasons.
 

Offline amyk

  • Super Contributor
  • ***
  • Posts: 8262
Re: EEVblog #458 - Industrial Computer
« Reply #40 on: April 22, 2013, 10:44:35 am »
I believe at least in the past IBM/Lenovo Thinkpads stored the password encrypted in EEPROM. It could not be reset by disconnecting a battery. Disk encryption was also connected to this. I'm not sure how hard it was to circumvent, but it was not a trivial exercise.
If you have physical access, not hard.

"Anything humans make, humans can break."
 

Offline Psi

  • Super Contributor
  • ***
  • Posts: 9925
  • Country: nz
Re: EEVblog #458 - Industrial Computer
« Reply #41 on: April 22, 2013, 10:50:05 am »
Once you have physical access to the machine the security is broken
Greek letter 'Psi' (not Pounds per Square Inch)
 

Offline MacAttak

  • Supporter
  • ****
  • Posts: 683
  • Country: us
Re: EEVblog #458 - Industrial Computer
« Reply #42 on: April 22, 2013, 11:45:19 pm »
Sorry to be discussing the actual video :)

I recognize the rack case that was used in this machine - I owned two of them a few years back. My old house had a spare room that I converted into a server room (dedicated power and cooling). These were in one of my racks along with a huge APC UPS and external SCSI RAID cage.

I forget the brand, but it was pretty widely used (and many other companies OEM'd the same hardware and slapped their name on it). Roughly $500 each, for the case and all of the drive/card mounting hardware. If I recall, they were not very easy to get if you weren't a system builder.

HEAVY AS HELL. Once filled up with drives / PSU / cards, it was too heavy to install into a rack without help.
 

Offline westfw

  • Super Contributor
  • ***
  • Posts: 4199
  • Country: us
Re: EEVblog #458 - Industrial Computer
« Reply #43 on: April 23, 2013, 01:19:14 am »
About the Serial Cards:

BASIS is a company that acquired the communications products from Cirrus Logic, quite a ways back.  I think they were later acquired by Intel (~2001.)

They have/had some really nice serial chips.  The CD180 was one of the earlier octal uart chips, and it included a number of features that actually made it relatively usable even on systems with limited processing power (it turns out that 8 async ports communicating full duplex at 38400bps presents quite a high interrupt load, if you're using conventional uart interrupts.)  Back in the day, the chips were heavily used in (for example) dialin terminal servers, including the cisco-500 and the Livingston Portmaster (IIRC.)  The CD1400 used on the cards in this box are slightly newer 4-port uarts; IO-mapped, significant FIFOs, special character recognition, HW support for both HW and SW flow control, etc.

The cream of the crop were the CD24xx 4-port uarts.  These were lovely little microcoded things that did both sync and async, DMA, and assorted high-level protocols (Async PPP and HDLC especially.)   They were heavily used on cisco 25xx, terminal servers, multiport async cards for 2600 and 3600 series routers, and the multi-personality async/sync cards for various routers.  Later versions of the chip had the microcode in RAM, so that it was downloadable from the host cpu.  I like to claim some personal responsibility for that particular feature; when Cirrus came to cisco, way back when, to get our help with (and sell us) the new chip, they offered us a "debug version" that used external ram for microcode, and my eyes lit up and I said "can we get those in production quantities?  Having "fixable" microcode has saved our butts SO many times..."  (and they could, and we did use them, and it did save our butts...) (and we were already using about the same fast static ram chips for our own downloadable microcode, so they weren't "expensive" to us.)

Later (cisco) products used in-house designed ASICs.  But you know, it can be harder to get your in-house ASIC teams to listen well to product requirements than it is to get an external vendor to listen.  Sigh.
« Last Edit: April 23, 2013, 07:46:54 am by westfw »
 

Online ejeffrey

  • Super Contributor
  • ***
  • Posts: 3711
  • Country: us
Re: EEVblog #458 - Industrial Computer
« Reply #44 on: April 23, 2013, 02:51:08 am »
blah, blah, blah.

Yes, Linux supports full disk encryption.  It also supports a relatively secure partial disk encryption (something Windows basically doesn't do in a useful way).

The point is, the existence of a default way to boot the computer from the console without a password is not evidence for or against any kind of security, and your seizing on the existence of recovery mode as evidence of insecurity is a sign of ignorance.
 

