Sysadmin cracked military PC’s security by reading the manual

Welcome once more to On-Call, The Register’s attempt to make Fridays tolerable by bringing you fellow readers’ tales of terrifying tech support jobs they somehow survived. This week, meet “Guy”, who told On-Call he grew up in the golden age of the microcomputer, meaning that by the time he joined his local Army National Guard …

    1. jake Silver badge

      Re: Only cracking I have done is

      Padlocks are only meant to slow down crimes of opportunity. Nobody with a clue ever suggested they were secure in the first place. Same for desk/file cabinet locks, your front door, automobile, & etc.

      1. MonkeyBob
        Facepalm

        Re: Only cracking I have done is

        Reminds me of when we got about half a dozen desktops back to head office for a RAM upgrade at a place I used to work. Spent about 30 seconds trying to open the padlocks with a pair of pliers, which only got as far as some minor dents in the lock. Then turned the pliers on the loops on the case the locks went through; it was like putting a hot knife through butter.

        1. Alan Brown Silver badge

          Re: Only cracking I have done is

          "Then turned the pliers on the loops on the case the locks went through; it was like putting a hot knife through butter."

          Yes, but also very obvious to a casual observer that it's been fiddled with.

          If you pop a padlock you can close it again. If you break it, you can remove it. We've had both instances occur.

          There are _much_ harder locks to pick than standard pin or barrel jobbies but there's no point going harder than what holds the lock down.

          1. Anonymous Coward
            Anonymous Coward

            Re: Only cracking I have done is

            " but there's no point going harder than what holds the lock down."

            Before the advent of cannon - stone castles were reasonably impregnable to direct attack. However - at night it was impractical to keep opening and closing the main gates. So they often had a small postern gate tucked away in the outer wall. This was the weak spot that was prone to phishing or bribery - letting a small enemy force in to open the main gate.

            1. Doctor Syntax Silver badge

              Re: Only cracking I have done is

              "stone castles were reasonably impregnable to direct attack."

              A bit more laborious, but you could also undermine the walls. It needed some sort of shelter to approach under. You shored up the excavation with wooden props until a sufficient length of wall was undermined and then lit a fire to burn the props out. I think this is how "mine" also came to be used for an explosive device.

              1. Anonymous Coward
                Anonymous Coward

                Re: Only cracking I have done is

                "I think this is how "mine" also came to be used for an explosive device."

                The word "undermine" could possibly be assumed to have the same origin - in its figurative usage of an unexpected collapse of a position.

                Not sure when someone replaced the burning of the props with a load of explosives. Guy Fawkes didn't have to do any physical mining. The technique was used to devastating effect when multiple underground mines were detonated at Messines in 1917.

                Wikipedia:

                " The joint explosion of the mines at Messines ranks among the largest non-nuclear explosions of all time."

                1. Mark 85

                  Re: Only cracking I have done is

                  There was a battle in the US Civil War where that was done also. Link: https://en.wikipedia.org/wiki/Battle_of_the_Crater

              2. Glenturret Single Malt

                Re: Only cracking I have done is

                Making holes in castle walls is also the place where that much misused or misunderstood word, a petard, would be used appropriately.

          2. Montreal Sean

            Re: Only cracking I have done is

            I recently had a locksmith out to my house to fix the mortise lock on my 100-year-old front door.

            While here he also took a look at the 5-year-old deadbolt I had added to the door for extra security.

            The dead bolt is a mechanical Weiser SmartKey (https://ca.weiserlock.com/en/deadbolts/)

            He said they don't recommend them because they are pick proof, so if I lose my key they would need to drill out the cylinder.

            Isn't pick proof an advantage?

            1. onefang

              Re: Only cracking I have done is

              In the security business it's always a compromise between security and convenience. It's much more convenient if you don't have to lock your door and make sure you have your key on you when you try to get back in. Your locksmith was telling you the other end of that compromise: if you do manage to lose your key, then it's very inconvenient for the locksmith to get through it. Which may mean more expense for you, as you'll now have to replace the lock that was drilled out. It may mean more inconvenience for you if there are multiple copies of the key that may need to be replaced now, coz others have the key. It is however more secure, coz thieves can't pick the lock.

              Only you can decide where in the spectrum between security and convenience annoys you the least. You makes your choices and you takes your chances.

            2. jake Silver badge

              Re: Only cracking I have done is

              Find a new locksmith. Weiser only claims "pick resistant". Usually takes three or four minutes, but I can get past one ... and I'm hardly a professional.

      2. Jeroen Braamhaar

        Re: Only cracking I have done is

        "Locks exist to keep honest people honest" - some wise person whose name I forgot.

    2. macjules

      Re: Only cracking I have done is

      I once was given a batch of Zenith Data Systems 286 boxes to try and "recover" (auction lot, no idea of passwords). Luckily I had a very clever local sysadmin who told me to follow these steps:

      1) Switch off the computer

      2) Open the box

      3) Unplug the floppy drive from the main board

      4) Start the computer

      5) You are now in the BIOS.

      6) Reset the password and switch off the computer

      7) Plug the floppy drive back in

      8) Voila!

      1. Loyal Commenter Silver badge

        Re: Only cracking I have done is

        The laptops we have at work have a similar exploit I discovered.

        They are DELLs locked with a boot password, which prevents access to the BIOS - one password for the user, which we are told, and one admin password, which we aren't told.

        When installing a RAM upgrade, and booting, you are presented with a helpful, "The installed RAM amount has changed" message, and helpfully allowed straight into the BIOS. I didn't change the passwords, but I could have...

        1. gazzerdaman

          Re: Only cracking I have done is

          That doesn't work, I'm afraid - it lets you into the BIOS screens on Dell laptops, but any editable fields are locked unless you enter the password.

        2. 404

          Re: Only cracking I have done is

          > They are DELLs locked with a boot password

          Try a Panasonic Toughbook, it_is_not_the_same...

          I had a (actually this one I'm on) Panasonic CF-53 I picked up on CL* for $200 and it was locked down to a fare-thee-well. Took it apart, motherboard is in three separate pieces, no matter what, it held on to its password like its life depended on it. After about two months of exclusive kitchen table priority (there is nada on the web for Toughbooks btw), finally gave up and sent it off to Panasonic to clear the password. Cost me like $200.

          *It was legit. Somebody used it to pay off a landscaper and the landscaper didn't know what he had so... It's a good machine lol.

          1. PC Paul

            Re: Only cracking I have done is

            I'm not sure if that's the same one I was asked to get into. It turned out it had one of those TPM chips in and about the only thing you can do is send it back to the manufacturer or get it to a surface mount rework bench and swap the chip out.

            1. Martin
              FAIL

              Re: Only cracking I have done is

              I was once waiting in reception for an interview at a security company.

              Someone came in, went into the internal door, which had a keycode lock. She hesitated, and looked towards the security guard, who called out "3285" so she could get in....

              (Just to add to the fun, I didn't get the job - I was a contractor, but for some reason the agent had sent me for an interview for a permie position.)

    3. Mike Lewis

      Re: Only cracking I have done is

      A program I was using on a UNIX box was setuid root. It had a menu option to start a shell which turned out to be a root shell. I reported the security hole to the sysadmin and my manager and thought nothing more about it. One day, the sysadmin was away and we had four programmers starting. My manager asked me to break in and set up their home directories. I did so and told the sysadmin what I had done when he returned so he could check my work. He was fine about it but my manager was furious that I had told him, saying the sysadmin would fix the problem so we couldn't break in any more. That didn't happen. Every four to six weeks, I'd get a call from the sysadmin saying he had forgotten the root password and asking me to break in to reset it.

    4. Spanners Silver badge
      Pirate

      Re: Only cracking I have done is

      As a student, I lived in what would originally have been a rather posh house, now converted to multiple occupancy. One person kept his bike combination-padlocked to the bottom of the ornate iron bannisters in a position that was right in the way I wanted to go. I would pick the lock and hang the bike from the top of the bannisters. He never figured it out.

      A few years ago, a relative was helping a lad with a few problems. To stop his bike being stolen again, he proudly showed a combination padlock of a type I recognised. I told him that this was not going to help him. As he felt it would be all right, I asked him to time me and picked it in about 20 seconds. I hope he got something better!

    5. Andrew Moore

      Re: Only cracking I have done is

      Me too. But I've now moved on to regular padlocks...

      1. Julian Bradfield

        Re: Only cracking I have done is

        Last year I was at a conference on a Californian university campus, staying in shared dorms, the apartments of which had hotel style card door locks. Late at night, I went out to look for Perseids. As I shut the door, I realized I had the cafeteria card in my hand, not the door card. My roommates were all drinking the night away with their buddies in other rooms.

        Just before resigning myself to a night on the doorstep, I thought, ok, why not just try the old credit card trick. Five seconds with the nice flexible cafeteria card, and I was back in...

        Can't imagine how any lock can yield to that these days!

    6. Anonymous Coward
      Anonymous Coward

      Re: Only cracking I have done is

      I have done this, legitimately. I had a bike which had a locky-up thing with a combination lock (this was in the late 1970s before decent bike locks). I had cycled to the local town and locked the bike up before meeting some friends and spending the evening in the pub I think, having decided I could walk the bike home (no lights, not stupid enough to ride up the A5 in the dark, drunk, with no lights even as a teenager).

      Problem: where I'd locked it up was dark, and it was midnight. So I spent what seemed like a long time (I was drunk, would have been less long if sober) solving the combination by feel: at any point the lock was hanging on one of the wheels, so when that wheel got into the right place the lock would move a bit, at which point you knew that digit was right. Iterate on the other wheels until it comes open. The 'drunk' problem was remembering which wheels you had solved, while not able to see the lock clearly.

    7. Sam Jelfs

      Re: Only cracking I have done is

      If you want to fall down a youtube rabbit hole of lock picking I suggest checking out the channels of Bosnian Bill and the Lock Picking Lawyer.

      https://www.youtube.com/user/bosnianbill

      https://www.youtube.com/channel/UCm9K6rby98W8JigLoZOh6FQ

      1. Martin-73 Silver badge

        Re: Only cracking I have done is

        Yes, Bill especially is entertaining to watch even if you're never going to pick locks

      2. Fred M

        Re: Only cracking I have done is

        I found that the transparent padlock and pick sets on Amazon for about £15 are a good start too. Great as a present for someone you think might like lock picking.

    8. steviebuk Silver badge

      Re: Only cracking I have done is

      Same here. A few years back I locked my bike against the railings on the sea front. Came back thinking "What if I forget the combo one day. That would be annoying". I put in what it was; it wouldn't open. WTF! Proper annoyed, as it def was the combo.

      Wandered around town looking for options (as in going into hardware stores to look for massive bolt cutters). Couldn't find any and was repeatedly told it wouldn't work. Found a bike shop and spoke to the guy there. He asked what lock it was. Told him and he said "Well, some you just need to put tension on them and turn the dials. Then you'll feel it pop".

      I'd called the police first, the local number, to warn them I'm not stealing the bike if you see me with bolt cutters. I went and tried what the guy said, thinking it wouldn't work. And my god it did. One of the fucking numbers had changed while I was in the shops. I guess the lock was cheap and must of knocked the setting as I was locking it. Threw the crap away and ended up getting one with a key instead.

      1. dajames

        Re: Only cracking I have done is

        I guess the lock was cheap and must of (sic) knocked the setting as I was locking it.

        ... or, perhaps, some passing wag had picked the lock, changed the combination, and locked it again.

        Maybe a friend of the guy in the bike shop -- he seems to have known how to go about such a prank.

    9. derfer

      Re: Only cracking I have done is

      I work across lots of different types of sites, with lots of different levels of security. Many of these sites use the combination door locks.

      I was shown a trick by a locksmith whilst working on a police station to bypass some of the basic types of these locks. I showed him my trick that works with about one in five of the locks (including the non-basic ones): the code would be written somewhere near the door, often on the door frame.

      The locksmith claimed I was exaggerating so we walked through the police station and stopped near every code door lock we saw. I managed 2 out of 5 on that site, including the code lock on the door of the evidence room!

    10. oldfartuk
      Alert

      Re: Only cracking I have done is

      Many years ago I was tasked with installing keypad security locks in Social Services offices across the county. I was told not to change the passcode from the default 123456, as having different passcodes at different offices confused the social workers. Which of course entirely defeated the object of having the locks.

  1. fuzzyfelt

    BS

    If the security was just a password prompt in the autoexec.bat file, then there were a million different ways to circumvent that. The easiest would have been to press shift or F5 when it said "Starting DOS" to skip autoexec.bat and config.sys. Or boot from floppy.

    Further, I'm not sure how a ROM option could have affected the OS once the machine had booted.

    1. Anonymous Coward
      Anonymous Coward

      Re: BS

      "Further, I'm not sure how a ROM option could have affected the OS once the machine had booted."

      If you read the article, it says that Ctrl-Alt-Insert was a diagnostics mode which would have been on ROM and that's where the option not to run autoexec.bat was found.

      Thus, a ROM change with that option removed would have been the fix. We don't know the machine had a floppy disk.

      Pretty sure F5 was only introduced around MS-DOS 6, so if you were running that on a Zenith 286 you've got some other military technology on the go! Could have just leapt forward in time to a point where they had the password though....

      1. fuzzyfelt

        Re: BS

        We don't know what version of DOS it had - before MS-DOS had the F5 skip, it was available on other DOSes.

        So what you're saying is this machine booted DOS from ROM (Possible but very expensive in the 286 era) and had all other boot mechanisms, such as floppy drives, floppy pin headers, SCSI headers, expansion boards, blocked so you couldn't plug something in?

        I doubt it - autoexec.bat security sounds more like a hindrance than security.

        1. GlenP Silver badge

          Re: BS

          If you read the article the person was not a PC engineer. He wouldn't have had boot floppies, drives, etc. available, few people would have back then. It also wasn't unusual for PCs to have physical locks on them to stop tampering.

      2. John Brown (no body) Silver badge

        Re: BS

        "Thus, a ROM change with that option removed would have been the fix. We don't know the machine had a floppy disk."

        Yep, we had a couple of PCs that needed to be "secure". I wrote a password routine as a device driver loaded by config.sys, so a bit more difficult to bypass than autoexec.bat, and then we fitted a key switch into the case that controlled the 12V line to the floppy drive. It passed the BIOS POST but wouldn't spin a disc without the key inserted and turned to the on position. Obviously whole-HDD encryption wasn't really an option then. We also patched the OS on the user machines to look in a different place for the FAT/directory sectors. Discs being taken in or out of the office then had to pass through one of the "secure" PCs dedicated to the task of being the gatekeeper, which virus scanned them and relocated the FAT/directory sectors to the correct place for internal or external use. This allowed disks to move freely but made sure they were virus free, at least internally.

    2. Daniel von Asmuth

      Re: BS

      Once upon a time the physics department terminated my computer and relegated me to a noisy room with a desk and a PC equipped with only one wordprocessor (ChiWriter, an abomination).

      I was able to secure the PC with a few commands in the autoexec.bat file:

      @ECHO OFF
      MODE MONO
      PARK

      The first two ensured that onlookers were not shown what was going on; the last one parked the hard drive and halted the processor (the latter act was non-standard). I would switch on the computer and terminate the batch job with <CTRL-C>, and run a different batch file to start the word processor. The rest of the department thought the box was broken, since <CTRL-ALT-DEL> would not reboot it. (Security by obscurity was effective in this case.)

    3. Anonymous Coward
      Anonymous Coward

      Re: BS

      @fuzzyfelt

      It's the very nature of Basic Input Output System to provide access to the underlying hardware and if it's not in BIOS then it has to be coded into the OS.

      It's not difficult to request a modified 'secure' BIOS if you buy enough/have the right connections (think government agency).

  2. David Knapman

    Thankfully this was during integration testing, and I was doing my best to break things.

    ~Year 2000

    We were developing a secure system for the MOD. The client machines we were working on were going to be running a locked down version of Windows NT with keyboard equipped with a magnetic card reader. To log in you had to insert the card and that supplied your username, effectively. You then entered your password and logged in. Any removal of the card had to lock the machine or abort the login process and leave the machine secure. That seemed to work fine.

    Separately, we had additional software installed that, after login, but before showing the desktop, would show you information about your last login session - e.g. when/where. That seemed to work fine.

    Unfortunately, whilst that dialog was being shown, it was impossible to lock the machine. Which meant that so long as you chose to remove the card before acknowledging the dialog, you'd end up logged in with no card inserted.

    Loved showing that one to the guys who had lovingly crafted these separate systems.
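    The sequence in the comment above, modelled as a small session state machine (an added example, not code from the original post or from the system it describes; the state names, methods and the "hardened" switch are assumptions for illustration). The vulnerable variant drops the lock request while the last-login dialog is modal; the hardened one applies the card-removal rule regardless of what the UI is showing.

```python
"""Added illustration of the card-reader login race described in the comment above.
Not the original system's code: the states and methods below are assumed for the example."""

from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List


class State(Enum):
    LOGGED_OUT = auto()
    AUTHENTICATING = auto()     # card inserted, waiting for password
    LAST_LOGIN_DIALOG = auto()  # authenticated, info dialog shown, desktop not yet visible
    DESKTOP = auto()
    LOCKED = auto()


@dataclass
class Session:
    hardened: bool                      # False = design from the comment, True = fixed policy
    state: State = State.LOGGED_OUT
    card_present: bool = False
    log: List[str] = field(default_factory=list)

    def insert_card(self) -> State:
        self.card_present = True
        if self.state in (State.LOGGED_OUT, State.LOCKED):
            self.state = State.AUTHENTICATING   # unlocking also needs a fresh password
        return self.state

    def enter_password(self, ok: bool) -> State:
        if self.state == State.AUTHENTICATING and self.card_present:
            self.state = State.LAST_LOGIN_DIALOG if ok else State.LOGGED_OUT
        return self.state

    def acknowledge_dialog(self) -> State:
        if self.state == State.LAST_LOGIN_DIALOG:
            self.state = State.DESKTOP
        return self.state

    def remove_card(self) -> State:
        self.card_present = False
        if self.state == State.AUTHENTICATING:
            self.state = State.LOGGED_OUT        # abort the login in progress
        elif self.state == State.DESKTOP:
            self.state = State.LOCKED
        elif self.state == State.LAST_LOGIN_DIALOG:
            if self.hardened:
                # Card-removal policy is enforced in the session layer, independent of the UI.
                self.state = State.LOCKED
            else:
                # Vulnerable: the modal dialog blocks the lock, so the session stays live.
                self.log.append("lock request dropped: modal dialog active")
        return self.state


def card_out_but_logged_in(hardened: bool) -> bool:
    """Drive the sequence from the comment: card in, correct password, pull the card
    *before* acknowledging the dialog, then dismiss it. Returns True when the user
    ends up on the desktop with no card present (the reported failure)."""
    s = Session(hardened=hardened)
    s.insert_card()
    s.enter_password(ok=True)
    s.remove_card()
    s.acknowledge_dialog()
    return s.state == State.DESKTOP and not s.card_present


if __name__ == "__main__":
    print("vulnerable design leaks session:", card_out_but_logged_in(hardened=False))
    print("hardened design leaks session:  ", card_out_but_logged_in(hardened=True))
```

    The point the comment makes is that the card-removal rule was implemented in one component and the dialog in another; the fix is to make the lock decision unconditional in the session layer rather than dependent on which screen is in front.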

    1. Sir Runcible Spoon
      Joke

      They're always building better idiots :P

    2. This post has been deleted by its author

      1. JimboSmith Silver badge

        At a previous employer's a good few years ago they used an industry standard DOS program. It was still a DOS version despite XP now being the latest Windows version. Each brand had a mission critical database on the system that you needed to be authorised for before you could read or edit the data. The security was such that giving a user a level of access for each database was possible. The program needed at least one administrator to be set to assign other users their access level. There was read only/read and write only/administrator (with ability to dump data out). They also required you to license each database each month by manually inputting a code they gave you every 30 days.

        However I spotted a flaw with this, because after entering the code it just left a licensed database on the server. If you had a copy of the program you could simply copy the database file/files to your computer and use that to access the data. You just used your own login on your version of the program and bingo, you had access until the code needed to be reentered. So you could have a month of access doing that to a competitor's data. Once you did, though, it was easy as admin on your version to dump the data out. Of course you had to get access first, but a disgruntled employee or a hacker could do that. I pointed this out to both my employers and the firm concerned. The employers were quite concerned and took measures to restrict access to where the databases were stored on the system. The software company didn't think it was a major problem and it would doubtless be fixed in the Windows version when it arrived shortly. The problem with that was the Windows version had been "arriving shortly" for some time.

        1. Anonymous Coward
          Anonymous Coward

          At my work we used to have an application that needed to be installed on almost all of our PCs. It used a licensing mechanism that had a license server that needed an encrypted list of the MAC addresses of each PC. We would have to call the vendor with a new MAC address each time we replaced a PC, and they would remote in and add the encrypted MAC to the license server. It was a huge pain in the backside. We had plenty of licenses, more than we actually had PCs.

          So, one day after having to deal with replacing a couple of PCs, I decided to look into how their licensing worked under the hood. There was a dll named exlicense.dll, not very well hidden! It turns out that the dll exported only two functions: InstallLicense() and CheckLicense(). The CheckLicense() function simply returned TRUE or FALSE, depending on whether the license server said the license was valid or not. It took me less than 10 minutes to build my own exlicense.dll that always returned TRUE. I also implemented the InstallLicense() function in case it got called from somewhere. I even patched the installer to use my dll.

          1. Doctor Syntax Silver badge

            "It took me less than 10 minutes to build my own exlicense.dll that always returned TRUE"

            That's Windows for you. Always making you do things the long way round.

            ln true CheckLicense

  3. Nolveys

    PCI compliance failure failure

    I used to subcontract to someone who did PCI compliance tests. One time a bunch of issues came up and we worked to patch them. As we patched things and modified configs the issues went away one by one until only one remained.

    Supposedly the remaining issue should have been covered by a software upgrade we did, but it persisted. My boss had to go do other things and left me to investigate. I downloaded the exploit reference code and ran it against the server...nothing. I mucked around with the code and still nothing.

    After hours and hours of trying to get the exploit to work, my boss called me. Turned out he hadn't quite scrolled to the end of the PCI scan list and was looking at the second-last report in the list, the one right before the service in question had been upgraded.

  4. steelpillow Silver badge
    Facepalm

    Protected web pages

    Can't tell you how many times I have encountered a "protected" web page, hit View > Page Source and copy-pasted what I was looking for into a text editor.

    It started to die out once server-side was all the rage, but now we are back in a world of client-side and serverless, it seems to be coming back into its own again.

    1. Anonymous Coward
      Anonymous Coward

      Re: Protected web pages

      Not to mention the web pages that have little widgets that cover the text if you're not allowed to read it, that you can just right click > inspect element > delete node > carry on.

      1. Nick Kew

        Re: Protected web pages

        Many years ago I used to frequent newsgroups on web development subjects. This was a big FAQ: lots of people asking how to protect a page, and many who had trouble with "you can't". Even when viewing source was explained (as in the FAQ).

        @Mycho - alternative solution - read the page in question in a text-only browser such as lynx. I do that from force of habit, having started before the days when graphical browsers had the kind of tools you use.

        1. jake Silver badge

          Re: Protected web pages

          Second on lynx ... There are other, arguably better, text-only browsers, but my fingers know lynx. That'll happen to a guy when he's been using software for a couple decades or so ... Why a text only browser? Well, think about it. 99% of everything useful that you browse is text[0], right? So it only stands to reason.

          [0] And would probably be perfectly readable in 7-bit ASCII, at that!

      2. Anonymous Coward
        Anonymous Coward

        Re: Protected web pages

        "Not to mention the web pages that have little widgets that cover the text if you're not allowed to read it, that you can just right click > inspect element > delete node > carry on."

        You mis-spelled "the porn video I want to watch but am too cheap to pay for full access to view"

        1. Anonymous Coward
          Anonymous Coward

          Re: Protected web pages

          No I didn't, I pay for my porn.
