Announcement

Collapse
No announcement yet.

Boot Linux from your hard drive. In the firmware.

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Boot Linux from your hard drive. In the firmware.

    Someone at work posted this amazing discovery on our tech-chatter list.

    http://spritesmods.com/?art=hddhack

    The disk controller is also interesting as a generic controller board. You have three fairly capable CPU cores, with a pretty big amount of RAM connected to it. There's also an uart, for the serial port, and at least two SPI interfaces; one to the flash rom and one to the spindle controllers. You can load the code for the processor by updating an external flash chip, or even by using the serial port in the bootloader. To demonstrate the power of the chip, I ported a fairly ubiquitous bit of software to my HD. The demo is a proof-of-concept only, the serial port is the only peripherial that works, and no userspace is available yet. Nevertheless, I am still a bit proud to say I have installed Linux on my hard disk.

    #2
    Sent the URL to my Dad. He liked it:
    It is, it is! Wow. One cool piece of work. Reminds me of my own
    hacking days, before "hacking" got to be a term of opprobrium.


    I'm also impressed with the author. The guy has true integrity:
    Releasing the source-code for a security project always is a nasty subject. I want to release code, but I do not want to be responsible for a lot of permanently hacked servers... I decided to compromise: you can download the code I used here, but I removed the shadow-replacement code. Make note: I'm not going to support the process to get all this running in any way; it's a hack, you figure it out.
    Windows no longer obstructs my view.
    Using Kubuntu Linux since March 23, 2007.
    "It is a capital mistake to theorize before one has data." - Sherlock Holmes

    Comment


      #3
      So, you can have a hard drive that your PC boots Linux from, internally using a separate copy of Linux installed on its controller logic board to handle the hard drive's functionality. That's cool as hell!

      Also, there *must* be an Xzibit "Yo dawg" style joke in there somewhere...
      sigpic
      "Let us think the unthinkable, let us do the undoable, let us prepare to grapple with the ineffable itself, and see if we may not eff it after all."
      -- Douglas Adams

      Comment


        #4
        I just the idiot sitting in the corner at the moment. So does this speed up the HDD read/write or boot time for the OS? Does it give me free HBO? Does it turn the cat orange?

        Not that I would be wanting to try it, sounds very cool and geeky but I had enough with my room mate's projects. He wants to take apart the microwave now... I better get ready for CPR.

        Comment


          #5
          Interesting read, like a novel for nerds...

          The part about "There also are a few things that make life easier, though. First of all, it seems Western Digital hasn't been intentionally obfuscating the code", made me think that WD didn't give it a thought that whitehat hacker would be looking into their device.

          The section, "If a blackhat hacker had somehow obtained root access to a server with this drive, he could...", was also informative; and scary.

          A world unknown to most people. This was some clever detective work, mix in with a lot of hardware/software knowledge.
          Boot Info Script

          Comment


            #6
            What if all hard drives were sold with a small dedicated linux install with a boot manager, data recovery tools, and basic internet access. THAT would be awesome!

            Please Read Me

            Comment


              #7
              An entire and expensive industry would be put out of business. Ergo, your idea will never see the light of day.

              Comment


                #8
                Originally posted by SteveRiley View Post
                An entire and expensive industry would be put out of business. Ergo, your idea will never see the light of day.
                Indeed, we can't solve too many problems. Network security and internet privacy could have been solved long time ago. Internet privacy is simple:
                - all cookies are by default discarded (all browser, every sessiop, all the time) except for websites specifically whitelisted. (this should be the default)
                - LSO cookies should be discarded by default (all browsers, all the time) without exception
                - javascript and flash should not load from 3rd party sites without permission
                - really any flash element should ask for permission before loading due to the vulnerabilities
                - applications should really ask to use the internet by default. Certain applications should ask to use the internet each time they need to. Obviously not the browser, but if I have an office program, I would like to know that it is not by default using the internet and why it would (checking for addon updates, refreshing list of addons, fetching online help, etc).

                Network security is a bit more complicated, but one can easily frustrate blind hackers:
                - obviously hardware firewalls (should be standard between any networked device and a web connection)
                - software firewalls should interact with the web connection and be able to detect specific programs making requests. This would be useful for finding malware that is maliciously sending data on the user when it is obviously inappropriate or unnecessary
                - 2 or 3 factor authentication should be standard for most important web interfaces. I thought finger printer authentication or retinal scanneres would be standard fare for ALL computers... That would be a good default factor for accessing your hardware. I wouldn't want to be transmitting that information over the internet, but locally would be okay. Texting me an authorization code after I've attempted to login with a well formed password should be a must though everywhere.
                - 100% encrypted transmission of data across the internet. Understandably encryption is getting easier to hack, but at least slow down whoever is trying by increasing the level of encryption and applying it to absolutely everything. Should be a no-brainer

                With network security, some internet companies, like AT&T automatically ship routers with very good wifi SSID names and passwords (albeit number passwords, but very long and random), but long SSID names, non-broadcast SSID, WPA2 or better, and very long alphanumeric passwords should be standard for anybody's.

                LOL, sorry for too long post!!

                TLDR;

                I agree with what you said. People can't solve problems the "easy way".. just like with anti-virus, despite the fact that 100% of viruses are NOT in virus definition files when they are first released in the wild.. therefore antivirus will always be ineffective at protecting you from viruses. (virii?) Better to have an operating system that doesn't allow exploits, software ecosystem that distributes software free of malware, users who are educated on how to safely download software, constant updating of software, and constantly applying test cases to detect hinky stuff

                Comment


                  #9
                  Unfortunately, it's not so easy as you might think. Security is hard.

                  Originally posted by texaswriter View Post
                  - all cookies are by default discarded (all browser, every sessiop, all the time) except for websites specifically whitelisted. (this should be the default)
                  - LSO cookies should be discarded by default (all browsers, all the time) without exception
                  - javascript and flash should not load from 3rd party sites without permission
                  - really any flash element should ask for permission before loading due to the vulnerabilities
                  - applications should really ask to use the internet by default. Certain applications should ask to use the internet each time they need to. Obviously not the browser, but if I have an office program, I would like to know that it is not by default using the internet and why it would (checking for addon updates, refreshing list of addons, fetching online help, etc).
                  Mechanisms exist for Linux and for Windows to do all of these. But they aren't used. Why? They seriously impede usability. Maintaining application allow-lists is a major chore, especially in large enterprises. Furthermore, they are generally trivial to circumvent. Malware can impersonate approved applications. Device drivers can talk directly to hardware, bypassing most operating system controls. And people don't know how to answer security dialog boxes.

                  Originally posted by texaswriter View Post
                  - obviously hardware firewalls (should be standard between any networked device and a web connection)
                  - software firewalls should interact with the web connection and be able to detect specific programs making requests. This would be useful for finding malware that is maliciously sending data on the user when it is obviously inappropriate or unnecessary
                  Hardware firewalls are custom-built (read: expensive) appliances mostly containing standard stuff: x86 CPUs, RAM, PCI-E bus, etc. All the smarts are in the software installed into the appliance at the factory. There is nothing intrinsic to such a design that makes it "more secure" than the same software installed on an off-the-shelf server.

                  Originally posted by texaswriter View Post
                  - 2 or 3 factor authentication should be standard for most important web interfaces. I thought finger printer authentication or retinal scanneres would be standard fare for ALL computers... That would be a good default factor for accessing your hardware. I wouldn't want to be transmitting that information over the internet, but locally would be okay.
                  Biometrics are great identifiers. They are lousy authenticators. What's the difference? An identifier is claim, and necessarily must be public. An authenticator is proof of the claim, requiring a secret that only the claimant knows and a target can validate. Biometrics are not secrets. How do you revoke a finger? Read my article "It's me, and here's my proof: why identity and authentication must remain distinct."

                  Originally posted by texaswriter View Post
                  Texting me an authorization code after I've attempted to login with a well formed password should be a must though everywhere.
                  I am a big fan of this approach. Out-of-band transaction authorization wipes out entire classes of attacks. Phishing can become a thing of the past.

                  Originally posted by texaswriter View Post
                  - 100% encrypted transmission of data across the internet. Understandably encryption is getting easier to hack, but at least slow down whoever is trying by increasing the level of encryption and applying it to absolutely everything. Should be a no-brainer
                  Not a good idea at all. Traffic engineering, WAN optimization, and application profiling all become impossible in such a world, the cost of connectivity will rise, and performance will suffer. Firewalls will lose their ability to inspect traffic, negating the security they now provide.

                  Also, encryption is not getting easier to attack. 256-bit asymmetric encryption and 2048-bit symmetric encryption still require more time to defeat than the current age of the universe. I think that's good enough. Flaws, when found, are in implementations, not in algorithms.

                  Originally posted by texaswriter View Post
                  long SSID names, non-broadcast SSID, WPA2 or better
                  I've written previously that hiding your SSID gets you nothing; this not really a debatable point. The normal course of wi-fi creates probe frames and association frames, which by design contain your clear-text SSID regardless of how you've configured broadcast. Tools exist to sniff these from the air. Think back to my article about identifiers vs. authenticators. An SSID is an identifier. Trying to hide something not designed to be hidden will create a false sense of security, blinding you to the real threats. Obfuscation is not security.

                  Also: what's better in your mind than WPA2?

                  Originally posted by texaswriter View Post
                  Better to have an operating system that doesn't allow exploits, software ecosystem that distributes software free of malware
                  Neither of these is possible in the real world, for they require perfection. Humans aren't perfect, and can never create something that is perfect.

                  Originally posted by texaswriter View Post
                  LOL, sorry for too long post!!
                  You're still new here, apparently ... many of us regulars can carry on for quite a while sometimes.
                  Last edited by SteveRiley; Aug 15, 2013, 02:12 AM.

                  Comment


                    #10
                    whoops, sorry to hijack thread

                    Whoops, looks like my view of security and privacy is not very up to date. Thanks for the information.


                    Originally posted by SteveRiley View Post
                    Unfortunately, it's not so easy as you might think. Security is hard.


                    Mechanisms exist for Linux and for Windows to do all of these. But they aren't used. Why? They seriously impede usability. Maintaining application allow-lists is a major chore, especially in large enterprises. Furthermore, they are generally trivial to circumvent. Malware can impersonate approved applications. Device drivers can talk directly to hardware, bypassing most operating system controls. And people don't know how to answer security dialog boxes.
                    Yeah, I guess the model of computer security doesn't work well when people bypass these... I guess this model is just not sufficient. How could we change this to allow devices to only be accessible through the proper channels?

                    Originally posted by SteveRiley
                    Hardware firewalls are custom-built (read: expensive) appliances mostly containing standard stuff: x86 CPUs, RAM, PCI-E bus, etc. All the smarts are in the software installed into the appliance at the factory. There is nothing intrinsic to such a design that makes it "more secure" than the same software installed on an off-the-shelf server.
                    This is true of course. But does a "software" firewall installed on my computer make it easier to bypass, circumvent, or hack? I guess I've always assumed that it was better to have a "hardware" firewall ala router.


                    Originally posted by SteveRiley
                    Biometrics are great identifiers. They are lousy authenticators. What's the difference? An identifier is claim, and necessarily must be public. An authenticator is proof of the claim, requiring a secret that only the claimant knows and a target can validate. Biometrics are not secrets. How do you revoke a finger? Read my article "It's me, and here's my proof: why identity and authentication must remain distinct."
                    Very good article on this. I enjoyed reading this. Also, just a comment, I worked at a company in the automotive industry where a contractor that provided the robotics and the computer interfaces used a visual basic interface that used logins. These logins, although technically they had a "name", you didn't login with the name, only the password.. Which is to say: 1) click <login>, enter password. Obviously this is not a good idea because the difficulty of penetrating the system lowers as the number of users increases.


                    Originally posted by SteveRiley
                    I am a big fan of this approach. Out-of-band transaction authorization wipes out entire classes of attacks. Phishing can become a thing of the past.


                    Originally posted by SteveRiley
                    Not a good idea at all. Traffic engineering, WAN optimization, and application profiling all become impossible in such a world, the cost of connectivity will rise, and performance will suffer. Firewalls will lose their ability to inspect traffic, negating the security they now provide.

                    Also, encryption is not getting easier to attack. 256-bit asymmetric encryption and 2048-bit symmetric encryption still require more time to defeat than the current age of the universe. I think that's good enough. Flaws, when found, are in implementations, not in algorithms.
                    Good information again.


                    Originally posted by SteveRiley
                    I've written previously that hiding your SSID gets you nothing; this not really a debatable point. The normal course of wi-fi creates probe frames and association frames, which by design contain your clear-text SSID regardless of how you've configured broadcast. Tools exist to sniff these from the air. Think back to my article about identifiers vs. authenticators. An SSID is an identifier. Trying to hide something not designed to be hidden will create a false sense of security, blinding you to the real threats. Obfuscation is not security.

                    Also: what's better in your mind than WPA2?
                    Okay, read that link too. Great information. Too answer your question, the only thing that I can think of is WPA2 Enterprise.
                    15 Reasons to Use Enterprise WLAN Security




                    Originally posted by SteveRiley
                    Neither of these is possible in the real world, for they require perfection. Humans aren't perfect, and can never create something that is perfect.


                    You're still new here, apparently ... many of us regulars can carry on for quite a while sometimes.
                    Last edited by texaswriter; Aug 16, 2013, 09:47 AM.

                    Comment


                      #11
                      Originally posted by texaswriter View Post
                      Whoops, looks like my view of security and privacy is not very up to date. Thanks for the information.
                      Security is what I do for a living

                      Originally posted by texaswriter View Post
                      Yeah, I guess the model of computer security doesn't work well when people bypass these... I guess this model is just not sufficient. How could we change this to allow devices to only be accessible through the proper channels?
                      Tighter coupling of the software to the hardware. But this comes with its own set of trade-offs: your ownership and control of the software is reduced. For those of us in the FLOSS world, that trade-off is unacceptable.

                      Originally posted by texaswriter View Post
                      This is true of course. But does a "software" firewall installed on my computer make it easier to bypass, circumvent, or hack? I guess I've always assumed that it was better to have a "hardware" firewall ala router.
                      Host-based firewalls are excellent for limiting inbound access to listening services that you can't stop or otherwise control. They are absolutely useless for stopping outbound access, contrary to what many people wish to believe. A firewall on a separate device is more appropriate for this function. It does not matter whether that separate device is a NAT router, a Linux box running iptables, or a Windows box running Microsoft Threat Management Gateway even. (Yes, TMG is one kick-ass firewall. Too bad Microsoft is discontinuing it.)

                      Originally posted by texaswriter View Post
                      Very good article on this. I enjoyed reading this. Also, just a comment, I worked at a company in the automotive industry where a contractor that provided the robotics and the computer interfaces used a visual basic interface that used logins. These logins, although technically they had a "name", you didn't login with the name, only the password.. Which is to say: 1) click <login>, enter password. Obviously this is not a good idea because the difficulty of penetrating the system lowers as the number of users increases.
                      That's a terrible design. It removes an important security principle: the ability to audit behavior. You cannot trace actions back to individuals when all actions take place in the context of a single login. Horrible, just horrible.

                      Originally posted by texaswriter View Post
                      Okay, read that link too. Great information. Too answer your question, the only thing that I can think of is WPA2 Enterprise.
                      WPA2 is the strongest wi-fi protection we have right now. WPA2 supports two forms of authentication: Personal and Enterprise. WPA2-Personal relies on secrets shared between supplicants (computers) and access points. WPA2-Enterprise relies on RADIUS-based authentication servers. Both offer equivalent protection of information over the air. Their differences lie in how authentication is performed. In a large enterprise, you really don't want to be manually configuring secrets on hundreds of APs and thousands of computers. Instead, you install digital certificates everywhere (easy to do with deployment tools) and configure a central RADIUS server to validate certificates and allow computers to connect to access points.

                      Comment


                        #12
                        Originally posted by SteveRiley View Post
                        Security is what I do for a living
                        You sir are very knowledgeable!!

                        Originally posted by SteveRiley
                        That's a terrible design. It removes an important security principle: the ability to audit behavior. You cannot trace actions back to individuals when all actions take place in the context of a single login. Horrible, just horrible.
                        Sorry if I didn't make this clear. There were individual passwords that were tied to an individual name. You logged in with the password though and then the name popped up. But it is still horrible as you say, perhaps equally horrible as just one password.

                        Comment

                        Working...
                        X