Sysadmin cracked military PC’s security by reading the manual

Welcome once more to On-Call, The Register’s attempt to make Fridays tolerable by bringing you fellow readers’ tales of terrifying tech support jobs they somehow survived. This week, meet “Guy”, who told On-Call he grew up in the golden age of the microcomputer, meaning that by the time he joined his local Army National Guard …


    1. Ryan 7

      Re: Protected web pages

      In Firefox-like browsers, there's a nice little setting in about:config — dom.event.contextmenu.enabled

      Set it to False and the pesky javascript can no longer silently smother your right-click attempts.

    2. pavel.petrman

      Re: Protected web pages

      Once a university course required me to hand over my assignment through a web form. It had a checker built into it (server-side), which had a bug in it that didn't let me hand over my assignment on time. Once I managed to track down the bug _in the assessing system_, all I had to do to upload the assignment file after the deadline had passed was to remove a disabled="disabled" from the form. Oh the sweet times of Opera 12 with its "Edit source" option (way back then we didn't have the nice development consoles we have now). Came the oral examination, I duly explained myself. The teacher sighed "If only you lot put as much energy into the assignment as half of you seem to invest into hacking my system". The fact I had to hack into it because he had a very rookie bug in his beloved system didn't seem to console him.

    3. ArrZarr Silver badge
      Happy

      Re: Protected web pages

      A few weeks back, we had a bug on some of our tech where it wasn't detecting that some information had indeed been input correctly and the save button was disabled.

      Looking at the page's source code, I noticed a HTML element specifying the button was disabled. Removing that element enabled the button and allowed me to save the data. Quick call with the devs confirmed that everything had saved to the database correctly.

      Cue fireworks and a victory parade saving the devs having to hotfix a bug on a Friday.

      1. Stevie

        Re: Cue fireworks and a victory parade

        Whereas I needed a change to a stored procedure which no-one claimed to own, in order to make it read a directory from the database instead of a hard-coded variable value >8o(

        I tried the obvious code difference but nothing worked. So I sent out a more general call for help and was told to report to one team leader, who now claimed the code and snottily told me he would take care of it and not to touch his stuff and so on and so forth.

        He erased my code, then called me upstairs again to show off the changes he had made. I took a look and told him it wouldn't work. He asked why I thought that. I answered that he had simply re-written the code I had put in - that didn't work. (I at least had the excuse that I am not a PL/SQL programmer; he was hired as an expert PL/SQL developer).

        I went away and noodled around for a bit and more by luck than judgement hit upon the way this tech was supposed to be coded. I wrote a test proc and ran it with all sorts of fail scenarios to make sure I had m'facts straight.

        I sent back my findings by email. Mr Expert then said I should make the change in the proc. I did so. He then insisted I move it over to the test system (despite my telling him I had already tested the file access code) and "test it". This involved creating a dataset from live data and about two hours hard work. When I was done, he snottily grabbed back his code and took the credit.

        Fast-forward a couple of years. There's a problem with the process this proc drives. Devs are speaking pompously to DBAs about "what are they going to do to upload the data". I am out sick that day, but get a phone call. I tell the DBAs to answer "Nothing. We do not upload this data. It is processed by code owned by Mr Expert. We have been expressly forbidden to touch this code or modify its working in any way. We stand ready to assist the developers in any way we can in the solution they devise to their vexing problem."

        Apparently the look on Mr Expert's face was classic as his make-it-someone-else's-problem stratagem belly-flopped. And I laughed all the way through the four day remediation that resulted in Mr Expert losing much sleep. Fuggim.

        About six months after that we did a DataGuard switchover and another proc started bleating about directory access. It was clear another hard-coded variable value was to blame. I was called to task for changing the directory name, but pointed out that in fact that had not happened, and that I had placed a soft link as a temporary fix and professional courtesy on the old primary system to make everyone's buggy procs work the last time we had switched over, and that I had said that this was asking for trouble and that it was eventually bound to cause the exact problem we were seeing.

        I then went on to add that I would of course add the same soft link as a professional courtesy in the interest of not impacting the production schedule, but that the proc code needed to be fixed as a priority so it wouldn't happen again at the next switchover in six months' time or when we needed to redefine the file system under the directory object for SA reasons.

        I then tossed the ball even further into their court by saying that the code needed was already deployed by another dev group, and that Mr Expert had a proc he could show them that would explain how it all should work and that "his code" would be a robust way forward.

        No credit for me, but everyone went away, if not happy, secure in the knowledge that the problem could be fixed with minimal effort and I got to avoid another "you own the code for the next four hours" ploy and no need to keep track of stupid soft links to cover dev arses.

  1. alain williams Silver badge

    IBM asked me for a password

    In about 1987 we borrowed a 6150 from IBM for use at a trade show. The 6150 was IBM's first AIX (their Unix) machine. It did not have a lot of disk so I removed about 1/2 the operating system so that we could make a decent demo of our application.

    After the event we returned the machine.

    A fortnight later I had a call from someone in Warwick. They wanted to know what I had changed the root password to. I told them, but was astounded that IBM were not going to just completely wipe/re-install the whole operating system - I would not trust a machine that had been loaned out to someone like me!

    Also: did they not know how to break into their own machine at the hardware level ?

    1. jake Silver badge

      Re: IBM asked me for a password

      Yeah, that was the RT ... Not even IBM's internal folks really bothered learning much about 'em. Underpowered, overpriced, and not very compatible with anything else. Died after a very short (5 years?) and not very useful life. Like most such bits of born-orphaned kit, there has been a fairly active fan scene around 'em since the early '90s. Fun to play with, if you are into that kind of thing.

      Note that AIX was IBM's second version of un*x, the first was PC/IX which was based on System III and ran on the IBM XT ... Yes, you read that right. Look it up if you need a giggle :-)

      1. Alistair
        Windows

        Re: IBM asked me for a password

        *cough*

        You met that pile too, jake? Bizarre use of CTL keys.

        (data entry, back in my teens)

  2. Elmer Phud

    Compaq 'security'?

    Back in the days of Compaq they used to have the facility for a power-on password.

    They were also very nice in having little diagrams on the inside of the cover to show where the DIP switches and other bits were.

    One day my manager was doing the usual box-ticking on security and asked if I'd got a power-on password.

    "Oh, yes" says I, "It's there" -- pointing to a small chip embedded in blue-tac on top of the monitor.

    'WTF???'.

    "You asked for it, it's there in that chip. That chip that when removed allows anyone access."

    'Fair enough, well done, you have a power-up password', ticks box.

    One of those rare managers who understood what I was saying.

    1. Waseem Alkurdi

      Re: Compaq 'security'?

      As if it's any different today?

      For most home machines, you can simply reset the CMOS (battery or jumper) or use a master code calculated from a hash displayed when maxing out password attempts.

      And people are surprised ...

      1. Prst. V.Jeltz Silver badge

        Re: Compaq 'security'?

        If you've got physical access to the machine "cracking it" isn't a worry so much as something you should be embarrassed if you can't do. i.e. more than likely possible (see many tricks described above)

        It'd take a hell of a setup to stop a half decent techie armed with boot disks, drive caddy, dipswitches, screwdriver, downtime, permission to tinker etc etc.

        Encryption is probably the only way.

        1. Wensleydale Cheese

          Physical access beats all

          The saying I came across many years ago was:

          "Physical access beats all"

          But yes, depending on where the passwords are stored, encryption for disks at rest is probably the only way.

          1. Anonymous Coward

            Can anyone shed light on how the recommendation soundbites are obtained

            "Physical access beats all"

            You know she said it.

          2. Yet Another Anonymous coward Silver badge

            Re: Physical access beats all

            "Physical access beats all"

            Orange book security standards allowed you to assume physical security

            Windows NT claimed to meet C2 level security, except for the network subsystem.

            So the machine was perfectly secure, so long as it wasn't networked and you could control physical access !

            Not actually that silly, C2 required you to log certain actions in a secure manner. One other manufacturer we tested did log these events, but provided no way of viewing them. The Orange book just said they had to be logged, it didn't mention retrieval.

        2. Norman Nescio Silver badge

          Re: Compaq 'security'?

          It'd take a hell of a setup to stop a half decent techie armed with boot disks, drive caddy, dipswitches, screwdriver, downtime, permission to tinker etc etc.

          Encryption is probably the only way.

          Which is why I use LUKS to give my data (at rest) a modicum of privacy.

          As far as I know, I'm not trying to protect myself against 'state actors', so 'Evil Maid' attacks, or custom hard-drive and/or network device firmware is not something I need to protect myself against, yet. No doubt some enterprising malware author is working on changing that. Systems really ought to have the option of a physical write protect/enable switch on the UEFI firmware.

      2. Anonymous Coward

        Re: Compaq 'security'?

        "For most home machines, you can simply reset the CMOS [...]"

        In the old days doing that also cleared the hard disk "geometry" settings that were also stored in the CMOS. You had to know the original virtual cylinder/head/sector values - to be able to access the data on the disk. There were usually several feasible variants.

        1. Alan Brown Silver badge

          Re: Compaq 'security'?

          "You had to know the original virtual cylinder/head/sector values "

          Which were usually written on the top of the drive.

          1. Zippy's Sausage Factory

            Re: Compaq 'security'?

            "You had to know the original virtual cylinder/head/sector values "

            Which were usually written on the top of the drive.

            For old enough drives, they weren't. I used to carry around a book with thousands of CHS values for various drives in it.

            Plus, for added laughs, people would often put the wrong number of heads or sectors in. So the drive would sort-of work, but not all of it would be accessible. And they would then get cross when you tried to upgrade their PC. "How can I have lost all my files?????"

        2. CrazyOldCatMan Silver badge

          Re: Compaq 'security'?

          You had to know the original virtual cylinder/head/sector values - to be able to access the data on the disk

          Which were, pretty often, written on the disk drive itself..

          On enterprise-class drives anyway.

        3. Alistair
          Windows

          Re: Compaq 'security'?

          In Compaqs the CHS values were usually printed on the disk...

      3. John Brown (no body) Silver badge

        Re: Compaq 'security'?

        "For most home machines, you can simply reset the CMOS (battery or jumper) or use a master code calculated from a hash displayed when maxing out password attempts."

        If it's a desktop Intel MoBo, you just change the CMOS jumper from 1-2 to 2-3 and power on. It boots to the BIOS config screen with an extra menu item, top left, where you can remove/change the power on and BIOS passwords.

        It's all about levels of security. Most cases have a loop you can padlock, some have a key-lock, some have neither. It depends on the level of security you require. Using something like BitLocker to encrypt a drive gives a great feeling of confidence, and for most use cases, that confidence is probably justified. Someone really determined might just break in and replace the ROM with something a little more co-operative to nefarious acts or find some other way of getting some malware onto the system, maybe by hacking in via the Management Engine or something. Levels of security (and cost thereof) need to be commensurate with the value of the data being protected.

  3. Anonymous Coward

    Insecurity by anti-virus

    1998 - at the start of the Y2K remediation project in one of the big banks of the day.

    We were using Windows NT without admin privileges. As you might be aware, doing IT in those days without it was neigh on impossible (we weren't provided any tools for the job bar a basic text editor and compiler)

    There were no portable apps then either, so an installation was required for everything else we'd need to do our job (like hex editors and the like).

    After logging in, there was an init script that ran the antivirus in its own DOS window. Somehow (wasn't on purpose Guv', I swear) I found out that you could Ctrl+C into that window to get a DOS prompt retaining the privileges the anti-virus ran with (guess what those were) and, from there, do whatever you wanted to, including - but not limited to - changing user privileges.

    (A/C 'cause you never know)

    1. CrazyOldCatMan Silver badge

      Re: Insecurity by anti-virus

      it was neigh on impossible

      Unless you start horsing around.

      1. Anonymous Coward

        Re: Insecurity by anti-virus

        "Unless you start horsing around."

        Don't make me rein you in!

    2. Anonymous Coward

      Re: Insecurity by anti-virus

      Years ago I worked for an IT consulting company. We had a contract with a local county government to install a bunch of new PCs at various locations (300+ PCs). It was a little insulting that we were hired to do such grunt-work, but the money was way too good to pass up.

      We get on site at the first location, get a bunch of the PCs set up, but can't join them to the domain (Windows NT 4.0 days). They had tried to create a non-admin account for us that could still join PCs to the domain. So after having four people waiting around for more than half a day, we just created our own admin account on their domain. You really have to love Microsoft's half-assed attempt at security.

      It was annoying to be treated as a "dumb contractor" when we were much better admins than the government guys!

  4. Waseem Alkurdi

    Windows security

    Any script kiddie can boot from some Linux and run 'chntpw' on the SAM file.

    I saw IT admins fall in fear when they saw this.

    BitLocker? We've heard of it.

  5. Nano nano

    Electricity meter optical data interface

    The "password" for the electricity meter "Flag/1107" optical data interface is crackable with a few Xors ....

  6. Anonymous Coward

    Many years ago a friend had ADSL broadband installed. The ISP supplied router wasn't very reliable - but couldn't be replaced because the unique user's broadband login password in the config wasn't known. The help desk had no idea what it might be - "it should just work".

    A browser "view source" of the config page for broadband showed the password field as clear text. A decent ADSL router was then installed and ran for years without problems.

    Recently the friend upgraded to 35 Mbps. The ISP supplied a new router - and wanted their old one back in exchange. Luckily*** it was still in its box in a cupboard - in apparently pristine condition.

    ***The friend is a "tidy" person who throws things away if they appear to be unused.

  7. Anonymous South African Coward Bronze badge

    Anybody who managed to haxx0r a Dell Sonicwall yet?

    Supposedly to be very secure.

    1. jake Silver badge

      Never needed to. I've never seen any "in the wild".

      1. Anonymous Coward

        Sonicwall must be really fast.

        1. tony trolle
          Coffee/keyboard

          in my mind I just heard some sounds

          ding ding ding-ding

          Sonic the Hedgehog

          oh dear

      2. Anonymous Coward

        Sonicwalls? Many out there, but mostly in smaller orgs methinks. You're unlikely to find one in a big org. I have several dozen in play of assorted shapes, sizes and ages. They're generally better than most others I've used and are mostly stress free. The old 'can't handle VoIP' rumours are (mostly, now) just down to idiot VoIP providers and sellers who really don't have a clue. Haven't been able to break into one though, at least not yet. If you lock down the management, enable the stealth and don't leave anything stupid open they're pretty safe from opportunistic eyes and scans. Even a 'safe mode' boot doesn't wipe the admin password, only a factory reset does. The latest UI version is pretty swift.

        A/C b/c you're not hacking mine.

    2. 404

      Russians sailed right through a 10 year old Sonicwall I begged somebody to replace...

      Last time I heard, charges on their CC processing company were over $150k... smh

  8. Anonymous Coward

    Early in my IT support career I learned that a way past O/S security constraints was to treat the media as data to a different O/S.

    In my early days our mainframe ran several different O/S types depending on the jobs. The operators would prime the configured O/S from tape to the disk as the need arose during the day.

    The new disk O/S had a bug that it would not create new users properly. I found that I could use the system tape as data to a program on another O/S - and add a few blocks containing new users' information.

    1. Wensleydale Cheese
      Happy

      "Early in my IT support career I learned that a way past O/S security constraints was to treat the media as data to a different O/S."

      I recall a certain Word document which had some "interesting" history, but hidden from view for Word users.

      I forget what protection was in place, but dropping it onto a non-Windows O/S and dumping the raw contents of the file revealed all, in clear text.

      It's also a good technique for discovering files which Windows hides.

      1. Anonymous Coward

        I recall a certain Word document which had some "interesting" history, but hidden from view for Word users.

        I forget what protection was in place, but dropping it onto a non-Windows O/S and dumping the raw contents of the file revealed all, in clear text.

        A company I worked for sold access control systems that had a database on the PC. Open that database up in Wordpad, do a search for Admin, right next to it was the password in plain text!

        To be fair, they did change that rather quickly!

      2. stephanh

        strings

        Old trick of using Unix "strings" on MS Word .doc files. Often showed deleted content!

        I have also used Vim to edit "locked" sections in Word documents

  9. Jedit Silver badge
    Joke

    "I read the manual"

    To be fair, putting the instructions on how to bypass your security in the manual is about the safest thing you can do. Nobody tech-savvy would ever think to look there, and nobody else ever reads the manual.

  10. Anonymous Coward

    I had one of those

    cheap "safes". In said safe I kept ALL my lock picking gear (it's a bit of a hobby of mine) including the 8-pin cylinder pick to pick the safe.

    Ahh yes, the safe that the batteries had expired and I had no idea where the key was. Probably put safe (no pun intended) years ago and long since buried somewhere.

    So, knowing it WAS relatively easy to pick off I went to the local locksmith to be told "can't open it mate, you'll need to angle grind it!" "But there's a pick in the safe, surely YOU, a LOCKSMITH, have a pick and the know-how to use it". "No mate, as I said I can angle grind it open". So I left.

    Went home and started to think how to open it. Then I saw, under the keypad a recessed "earphone" socket! Bingo, a connector for an external battery pack!!!!

    Safe opened, picks removed. Safe then repaired and new lock with keys fitted.

    1. DropBear

      Re: I had one of those

      If it was one of the typical small, cheap domestic safes you tend to see in hardware stores and hotel rooms, I remember seeing a YouTube video with a guy opening a bunch of them in at least six different braindead-simple ways. Those keep nobody except a toddler out.

  11. Anonymous Coward

    Redacted pdfs

    Not copy-protected as it was ok to copy non-redacted information.

    Select (including redacted content), copy, paste.

    Redacted content now visible - text had simply been set to black with a black background!

    Also seen redacted documents where the "hover" information had been forgotten about.

    1. Andy Taylor

      Re: Redacted pdfs

      This is how we know how much McLaren got fined (and lots of other interesting information) in 2007, the FIA didn't properly redact the documents.

      1. Anonymous Coward

        Did Yossarian "redact" letters during his hospital stay? Nay!

        in 2007, the FIA didn't properly redact the documents

        I think it was still being called "censoring" or "blacking out" back then.

        "Redacting" is one of those Orwellianisms that the Younger Bush and, to a greater extent, the Obama Establishment Construct (the O.E.C.) "brought to the table".

        So to say.

  12. Lee D Silver badge

    A bunch of machines in an IT suite that I was revamping for a school, all tied together with serious steel cables, attached to the machines with some quite serious adhesive on a plate secured direct to the metal chassis of the machines.

    Because they were all interlinked, and the cables padlocked together, you couldn't steal one without the one next to it, and so on. I thought it was going to be a nightmare of having to reimage them all in-situ or going through a bundle of different padlock keys endlessly to separate them, but I thought I'd give things a shot to see if there was an easier way.

    I knew that you couldn't just pull the computers apart by brute force - I'd witnessed one fall to the floor hard and just dangle there by the plate/cable, and seen a few cursory demonstrations by big strong men trying to pull on them.

    But every system has a weakness. In this case, the hefty metal plate that was epoxied in some manner to the chassis that everyone assumed was inseparable. Like with a maglock, it's not how strong it attaches when you pull laterally against the lock, it's how you can break that lateral surface area connection.

    Turns out, a small flatblade screwdriver inserted into a tiny sliver of a gap between the chassis and plate, and then a small "twist" rotation of the head at normal hand strength would easily separate the two surfaces. Despite the fact that you could probably tie the offending articles to two vehicles driving in opposite directions and only ever snap the cables not the attachment, once you got the hang of it, you could literally walk down the row, stab, twist, stab, twist and fire the plates off the machines at high speed with nothing more than a basic hand tool and hand-tight motion. And no damage to the machines.

    Headmaster of the school came past about 20 minutes after he'd said he'd go get me the keys, saw the pile of hefty steel cables and plates on the floor and his now "insecure" IT Suite and was flabbergasted. We never bothered to put them back on. (And, yes, I had permission to remove them if I could, before you ask).

    If I found it, you can be sure anyone determined to steal those machines knew it too, even if they hadn't brought bolt-cutters.

    Similarly, schools all used to just buy expensive projectors and dangle them from their high ceilings on long rods. In time, people became aware of the necessity of a "swing test". Literally, if you can't swing from the rod with your full weight then it only takes seconds to get the projector down and walk off with it. Sure, you'll damage the hell out of the ceilings/joists, but burglars tend not to care if they can walk out with £1000 of kit in ten seconds.

    Despite then being told by several places that "our projectors have to survive a swing test", I never did find anyone who even suggested it was possible to build or fit such an item if you're just attached to joists and your ceilings are 14 feet high, so the pole has to be at least 8 feet long. They learned quickly that leverage and brute-force beats ingenuity every time. After that, they started to buy projectors that were marked educational use only (destroying resale value on the main markets), had passcodes to stop them turning on, that weren't as valuable, or that mounted "short-throw" so at least the thieves only damaged a £50 bracket rather than created a £1000 ceiling repair for their insurers.

    1. Boothy

      Reminds me of something that happened to me many many moons ago now.

      We were decommissioning some equipment, and for security, they too had epoxied some large plates onto the top of the cases, which in turn had large chains welded onto them, then some large padlocks to fasten to the wall. This gear had been in there for probably 20 years (this was custom electronic control gear, full of relays etc. not servers). You could access the insides for maintenance (side panels), you just couldn't remove the gear itself, not easily anyway (in theory).

      Turns out no one had any idea where the keys were, and so they were thinking of getting a disk cutter/angle grinder (too big for bolt cutters) to cut the chains. I wasn't keen on this idea, as I still needed to get the stuff off site, and really didn't want chains etc stuck to them.

      I noticed that the surface looked like it was painted, on closer inspection, it was actually some sort of plastic coating. So out with the Stanley, cut a groove in the surface a short way from the plate, then used a blade on its own to lever up the plastic, it just peeled off. I placed a flat wide chisel in between the metal top and the plastic coating, to see if this could pop the plate off. A few taps with universal adjustment device (i.e. a large hammer), and the plates just came off, still glued to the plastic layer!

    2. Shred

      > tied together with serious steel cables, attached to the machines with some quite

      > serious adhesive on a plate secured direct to the metal chassis of the machines.

      I remember those well. You didn't even need a screwdriver. Just grab a computer and drag it across the desk, while letting the cable holding the plate back. A nice steady lateral force would slide the plate off the computer. It seems the makers assumed that thieves would only ever try to pull the plate away from the box. Uni students used to remove the plates this way purely for fun.

  13. Chairman of the Bored

    Pro tip

    Buying a pick set just to learn a new, maybe useful skill? $50 and much fun

    Teaching your secretary how to pick locks on filing cabinets and so forth so she can do parts of her job more effectively? Now they are worth their weight in gold.

    And as soon as I get my new drill mill... bump keys!

  14. Grant Fromage

    As Heaviside said "we reverse this"

    My then boss was on hols in the states for 2 weeks, he had all the back up copies in one of those under desk on wheels drawer units. One of the CDs had got scratched (to the naked eye, that badly) and wasn't seen as viable media. I arrived with the brains trust trying to pick the lock to no avail in full flap: "OK, we drill the lock out, no biggie, however...." I turned it upside down, one of the drawers sort of wilted, a GPO #6 screwdriver moved it a little further in and it unlatched from the locking bar, bingo! Drawer out and removed the bar.

    We got the disks made, 2 copies one for where backups should have been in the 24/7 workshop, not a managerial drawer.

    It was paperclip and several years of old crap armageddon in the drawer unit though.

  15. Anonymous Coward

    I'd tell you but might get in shit

    mmm...

    managed access to some "financial" history of someone who was very hated, when I was a kid (before misuse of computers became law) saw mortgage and credit card data (whiskey and dog food)

    anon as still not sure if mi5 would hunt me down....

    1. gotes

      Re: I'd tell you but might get in shit

      The Queen?
