
HP Keeps Installing Secret Backdoors In Enterprise Storage

samzenpus posted about a year ago | from the that's-a-feature dept.


Nerval's Lobster writes "For the second time in a month, Hewlett-Packard has been forced to admit it built secret backdoors into its enterprise storage products. The admission, in a security bulletin posted July 9, confirms reports from the blogger Technion, who flagged the security issue in HP's StoreOnce systems in June, before finding more backdoors in other HP storage and SAN products. The most recent statement from HP, following another warning from Technion, admitted that 'all HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer.' While HP describes the backdoors as being usable only with permission of the customer, that restriction is part of HP's own customer-service rules—not a limitation built in to limit use of backdoors. The entry points consist of a hidden administrator account with root access to StoreVirtual systems and software, and a separate copy of the LeftHand OS, the software that runs HP's StoreVirtual and HP P4000 products. Even with root access, the secret admin account does not give support techs or hackers access to data stored on the HP machines, according to the company. But it does provide enough access and control over the hardware in a storage cluster to reboot specific nodes, which would 'cripple the cluster,' according to information provided to The Register by an unnamed source. The account also provides access to a factory-reset control that would allow intruders to destroy much of the data and configurations of a network of HP storage products. And it's not hard to find: 'Open up your favourite SSH client, key in the IP of an HP D2D unit. Enter in yourself the username HPSupport, and the password which has a SHA1 of 78a7ecf065324604540ad3c41c3bb8fe1d084c50. Say hello to an administrative account you didn't know existed,' according to Technion, who claims to have attempted to notify HP for weeks with no result before deciding to go public."


badg3r5 (5, Insightful)

ebubna (765457) | about a year ago | (#44257621)

wisconsin fan eh?

Re:badg3r5 (5, Informative)

Anonymous Coward | about a year ago | (#44257665)

Rainbow Tables: enabling ontopic first posts since 2013.

Re:badg3r5 (5, Funny)

shentino (1139071) | about a year ago | (#44258127)

Would you rather deal with Rainbow Tables or Bobby Tables?

Re:badg3r5 (2)

Anonymous Brave Guy (457657) | about a year ago | (#44258221)

Why not both?'); UPDATE vulnerabilities SET failtype = 'Bobby' WHERE admin = 'fool'; --

Re:badg3r5 (1)

mysidia (191772) | about a year ago | (#44258253)

If HP had decided to store their passwords properly, by using Bcrypt or Scrypt with a decently high work factor, we would not be having this discussion... their password could be badg3r5, and it would take at least 5 or 6 hours to crack using a dictionary search with l33t-speak substitution, so there probably wouldn't be 50+ people having discovered it within a couple days :)

Re:badg3r5 (1)

JakartaDean (834076) | about a year ago | (#44258613)

Just out of curiosity, since it's relevant but perhaps well known to most here but me, are rainbow tables capable of mixed letters and numbers and, say, 8 character pw length already widely available and searchable that fast with ordinary hardware? Are all my passwords (for those places still not accepting passphrases, which is most I deal with) that vulnerable once /etc/shadows is accessed?

Re:badg3r5 (0)

Anonymous Coward | about a year ago | (#44259035)

Yes: http://www.sha1-lookup.com/index.php?q=78a7ecf065324604540ad3c41c3bb8fe1d084c50

Re:badg3r5 (1)

gl4ss (559668) | about a year ago | (#44258863)

Rainbow Tables: enabling ontopic first posts since 2013.

If it's that, then it's the same as the previous one... unless the badgers post was a joke then and now.

Re:badg3r5 (0)

girlintraining (1395911) | about a year ago | (#44257791)

Well, I know what this poster was thinking: "Quick! First post it, before someone else who can type faster than 9 words a minute writes an insightful and informative post giving away the secret sauce!"

Re:badg3r5 (-1)

Anonymous Coward | about a year ago | (#44258013)

Shut up, ham. Jame Gumb is waiting for you in the toolshed.

-- Ethanol-fueled

Re:badg3r5 (-1)

Anonymous Coward | about a year ago | (#44258123)

Eat a nigger dick. Just stuff that big black cock in your mouth.

Re:badg3r5 (2)

93 Escort Wagon (326346) | about a year ago | (#44258337)

That looks suspiciously like the sort of simple password my ex-boss used to insist we use for things like Domain administrator accounts on Windows. He was an HP-UX admin at one point - does HP offer a free "find a crappy password" tool?

Re:badg3r5 (0)

Anonymous Coward | about a year ago | (#44258845)

On *NIX, us real admins use apg(1) ref: http://linux.die.net/man/1/apg [die.net] .

Re:badg3r5 (2)

slashmydots (2189826) | about a year ago | (#44258829)

Woo, go badgers! By the way, I'm fairly certain they have little to no presence in Wisconsin. I'm an IT manager in WI and the closest HP support and sales agent is in Illinois or something like that. The password was either randomly generated, related to the meme video, or some other strange source.

Re:badg3r5 (2)

Mal-2 (675116) | about a year ago | (#44258883)

They need to get a snake grip on this before it mushrooms.

Yet another company to boycott (2)

ikhider (2837593) | about a year ago | (#44257627)

Besides Apple, Intel, and every social networking site and cloud service provider.

Re:Yet another company to boycott (0)

Anonymous Coward | about a year ago | (#44257691)

HPSupport acounts are not new, but hiding them is (5, Informative)

Anonymous Coward | about a year ago | (#44257659)

Years ago I worked on HP3000 servers and there was an hpsupport user on those systems as well. But on the 3000 series it was documented and every sysadmin was aware of it and could change the password if desired. Looks like HP still cares about customer service, but no longer cares about ethics. Sad. They were once a really great company.

Re:HPSupport acounts are not new, but hiding them (-1)

Elbereth (58257) | about a year ago | (#44257823)

Sad. They were once a really great company.

Yeah? When was that? The 1950s?

Re:HPSupport acounts are not new, but hiding them (4, Informative)

macbeth66 (204889) | about a year ago | (#44258165)

Actually, through to the early 80's. Hewlett and Packard, the men, had a true sense of the worth of their employees and treated them with respect. That was pretty much gone as the 80's rolled on. Packard was a changed man from his stint(s) in Washington. Then, of course, by the time Patricia Dunn was in charge, the company was a toilet. Pretexting, anyone? Yeah, sad.

Re:HPSupport acounts are not new, but hiding them (1, Funny)

jcr (53032) | about a year ago | (#44257877)

I used HP3000s back in high school. They had plenty of other security holes, too.

-jcr

Re:HPSupport acounts are not new, but hiding them (2, Interesting)

Anonymous Coward | about a year ago | (#44257965)

On the system I worked on, there is a manufacturing mode that only someone with Admin privilege AND a manufacture mode password generator can enable. This means only HP support personnel can turn it on if the customer allows it.

Once it is turned on, root access can be gained using a private key.

Consequences? (0)

Anonymous Coward | about a year ago | (#44257697)

So when does the DOJ prosecute the CEO of the corporation under the computer fraud and abuse act for unauthorized access of a computer system. Oh, I forget, like all corporations they are "too big to jail".

Re:Consequences? (0)

Anonymous Coward | about a year ago | (#44257809)

You're assuming that the DOJ isn't the one that insisted it be put in place.

Re:Consequences? (1)

Shavano (2541114) | about a year ago | (#44258093)

It's worse than that. The DOJ uses an HP system.

Re:Consequences? (2)

shentino (1139071) | about a year ago | (#44258135)

If the computer belongs to the corporation the CEO works for then chances are he already has authorization.

Re:Consequences? (1)

anagama (611277) | about a year ago | (#44258167)

The Feds probably paid for the backdoor.

Re:Consequences? (1)

SQLGuru (980662) | about a year ago | (#44258235)

It's probably buried in the TOS that you implicitly agreed to when you opened the box, so they're covered.

Re:Consequences? (1)

gmuslera (3436) | about a year ago | (#44258459)

Those laws are for people that do things against the government/corporations, not for corporations doing it for the government. Having a backdoor will be the new normal, at least if people keep buying from them.

And don't think the "consequences" will include removing them; the fix will only hide them better, or reinstall them with the next update.

Eh? (3, Insightful)

adolf (21054) | about a year ago | (#44257729)

The most recent statement from HP, following another warning from Technion, admitted that 'all HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer.' While HP describes the backdoors as being usable only with permission of the customer, that restriction is part of HP's own customer-service rules—not a limitation built in to limit use of backdoors.

Without reading TFA, which I expect to be even more sensationalist crap:

I grok this to mean that a backdoor exists for customer service, which can be activated by a customer (by two factors: permission and network access), and that without action on the part of the customer, said backdoor is closed.

Did I miss something?

If so, please synopsize in non-sensationalist terms.

Indeed, whatever the case: Please post a not-purposefully-scary summary of the actual problem below, because right now it sounds a whole lot like the not-backdoor that Remote Assistance is under Windows.

Re:Eh? (5, Informative)

girlintraining (1395911) | about a year ago | (#44257753)

If so, please synopsize in non-sensationalist terms.

Non-bullshit, redacted by lawyers version:

Anyone with access to the NAS over the network and an SSH client can enter a username and password, gain elevated privileges to the cluster, and while not allowing access to the data directly from that interface, access can disable the cluster or delete all the data within it, as well as wiping out partition information, etc.

Re:Eh? (2)

adolf (21054) | about a year ago | (#44257829)

Sweet! Thanks.

I'll keep that in mind as I continue to not buy or specify HP products for a myriad of other reasons.

(That they killed Alpha and whatever was decent about Compaq was already sufficient. Nevermind the fact that their laptops are the least-service-friendly machines I've ever laid a screwdriver on. Or the crazy bullshit computers that I've wasted countless man-days troubleshooting unique problems on in the late 90s. Or the home-oriented desktops they once built which were impossible to open the case on without subjecting them to severe punishment. I don't care if they're "better now," especially now that it seems plain that they're getting worse: I never bought 'em, never will.)

(Hay! Without HPAQ/DEC/MSFT's misgivings, we could have been doing the 64-bit OS dance fifteen years ago and had it all settled out long before now! Instead, Windows 8 still comes in a 32-bit incarnation.....)

Re:Eh? (1)

obarthelemy (160321) | about a year ago | (#44257859)

nice rant... didn't *the market* actually kill Alpha. And PA-Risc. And Itanium. And (mostly) POWER ?

Re:Eh? (0)

Anonymous Coward | about a year ago | (#44257899)

Yes. Alpha was firmly in last place in the rapidly-shrinking RISC market.

But don't bother Alpha fanboys with facts, they have 20 year old benchmark results to masturbate to.

Re:Eh? (3, Funny)

Kaenneth (82978) | about a year ago | (#44259019)

Well, better than underaged benchmark results.

Re:Eh? (0)

Anonymous Coward | about a year ago | (#44259071)

No, HP killed Alpha and PA deliberately as part of their chumming up with Intel after vacuuming (though it was more D&C) Compaq+DEC, while Itanium was dead in the water because VLIW is fucking hard to optimise for and it has been not much of a performance enhancement since Merced.

A lot of Alpha tech has been incorporated into modern Intel-compatible CPUs, which are now a heap of microcode anyway. But the instruction set monoculture is harmful and has led to severe stagnation, which is why all the interesting stuff happens in GPUs and dreams about reconfigurable CPUs are replaced with expectation of half a century of 386 with all its stupid rules and limitations.

It does not help, of course, that Microsoft has been scared of anything non-386 since the turn of the Billennium: Itanic Windows was created reluctantly; Windows RT is a fucking abortion; &c.

Re:Eh? (3, Funny)

khallow (566160) | about a year ago | (#44257867)

Nevermind the fact that their laptops are the least-service-friendly machines I've ever laid a screwdriver on.

You sound like a crazy person. I bet you want to clean the fans or some such nonsense.

Re:Eh? (1)

adolf (21054) | about a year ago | (#44258053)

Yes, that.

Interestingly, I just acquired a Dell laptop from the same lineage as the "clean the fans" song.

There is a cover on the bottom, removable with one screw. Beneath is the heatsink. Just beyond is the fan.

The heatsink itself is copper, and can be easily removed, cleaned/rinsed/whatever, and reinstalled.

Yay.

Re:Eh? (1)

dbIII (701233) | about a year ago | (#44258353)

I bet you want to clean the fans or some such nonsense.

Only Mac fans. There are no cute women that are fans of HP or MS Windows laptops.

Re:Eh? (2)

Anonymous Coward | about a year ago | (#44258131)

I read comments like this a lot, and they don't entirely gel with my experience of HP stuff.

Their "consumer" products are truly horrible, and whether it's a laptop, desktop, printer or MFP, you're best advised to just keep walking; but their business-class hardware still seems pretty decent.

For instance, the nx6320 laptop I used to use made it pretty easy to swap drives, RAM, clean fans, anything you might want to perform at home as a modestly skilled and equipped self-tech; but the 4710s I bought to replace it, a "consumer" product with (for the time) excellent specs for the price, is horrible - replacing the hard drive basically requires starting at the top and taking the thing apart (top cover, display, keyboard, ...) until you work your way down to a very cheap looking HDD bay. I expect they didn't plan to perform much maintenance on them at all, and didn't make it any easier than a tight budget would allow.

Back in the day, when HP were an instrument company making their way into the IT space, they built essentially all of their hardware in-house and it was, in its way, almost beautiful. Today, it seems they buy in or contract out almost everything, particularly at the consumer end; and I expect them to pay much closer attention to the quality of what they are peddling to business, because that segment will expect them to actually maintain it for years into the future and they don't like working on shitty gear any more than the rest of us.

Re:Eh? (2)

mysidia (191772) | about a year ago | (#44258283)

So "no direct access to data" probably isn't saying much --- just about the limitations of what capabilities the admin UI has.

Posturing by HP to attempt to reduce the perceived severity of the issue?

While not allowing access to the data directly from that interface,

There are probably commands they would be able to type that might enable an additional iSCSI, FC, or NFS initiator to connect; possibly an initiator running on an IP address controlled by the person using the backdoor.

People can do other things on their computers besides load up SSH sessions; if they've got IP connectivity to the storage unit.... it reasons they might use the admin UI to change the configuration in other ways that impact their level of access

Re:Eh? (2)

JakartaDean (834076) | about a year ago | (#44258707)

Anyone with access to the NAS over the network and an SSH client can enter a username and password, gain elevated privileges to the cluster, and while not allowing access to the data directly from that interface, access can disable the cluster or delete all the data within it, as well as wiping out partition information, etc.

So anyone including unhappy ex-employees who still have access to the network or physical access to a machine, and who might be interested in holding their former employer to ransom? Including current employees eager to become ex-employees and interested in changing this password in case their reference letter isn't what they wanted? Including anyone who can get the IP address and is interested in shit-disturbing? It sounds like a race to change this password is on as every single unit probably is a target now.

Re:Eh? (1, Insightful)

Anonymous Coward | about a year ago | (#44257861)

Don't know about sensationalist but it is a call for Murphy's Law to remind them of their foolishness. One of the many ways in the computer world that "if something can go wrong, it will go wrong" is "if there is a backdoor in software, it will be found and/or leaked and it will be exploited". So yeah, nothing to see here, everyone grab their tin foil hats with blinders and move along and remember Keep It Simple, STUPID, just as your superiors and government overlords request/demand and don't worry, obscurity is effective isn't it?

Re:Eh? (1)

Anonymous Coward | about a year ago | (#44258005)

Yes, you missed something. Customer action is not required to grant access. Customer permission is only required by HP's internal rules, not by the backdoor itself.

Re:Eh? (1)

endus (698588) | about a year ago | (#44258095)

Right, so when someone writes a worm that exploits this, NBD!

Re:Eh? (5, Informative)

Charliemopps (1157495) | about a year ago | (#44258107)

I doubt it. We've got some software like this, and while we were having trouble one day and I was on the phone with their support (who was about as skilled as your local broadband support tech), they proceeded to log into our equipment, duplicate my administrator account, log in as me, and start making changes. The log even reported the changes as being done by me. When I realized what was going on I started yelling into the phone "What the fuck do you think you're doing? Holy fucking shit?!?!" The tech on the other end was rather surprised I was upset. "Excuse me?" he asked... "How did you just do all that?!?! This is on OUR servers, behind OUR firewall!!! You're under contract with us, none of this should be possible! Physically, or legally!" All he said was "Well, they don't let me see the contracts. I just click this 'Clone account' button and there we go..."

I reported the whole thing to our security director. It ended up in the lawyers lap. Their software basically just tunneled its way out of our network. There were other reasons their software needed to connect to them so they just used the same port to allow their support techs to have basically more access than I, the senior administrator had. Now, instead of having a secure product, we have an unsecured product and the only thing protecting us from them is a "more specific" contract that, again, their techs have no access to read. Also, given the regulations we're under, that tech was violating federal law without even knowing it.

Don't trust your vendors. My management has, after this and several other incidents, come to the conclusion that these sorts of products are more trouble than they're worth. In the near future we'll be building it all in-house and dropping vendors like this. Some stuff, like oracle and microsoft, will be hard to dump. But I bet that given enough time even they will be gone and we'll be on something open source.

Re:Eh? (5, Informative)

AdamWill (604569) | about a year ago | (#44258249)

The thing you're missing is this part:

"While HP describes the backdoors as being usable only with permission of the customer, that restriction is part of HP's own customer-service rules - not a limitation built in to limit use of backdoors."

i.e. there is not actually any kind of technical restriction on the use of the backdoor, there is no actual customer control over it. When they say 'we can only use it with the customer's permission' what they mean is 'we told our reps only to use it with the customer's permission and we hope they do what we say, and no-one else finds it, so now...oops'.

Re:Eh? (3, Informative)

mysidia (191772) | about a year ago | (#44258271)

I grok this to mean that a backdoor exists for customer service, which can be activated by a customer (by two factors: permission and network access), and that without action on the part of the customer, said backdoor is closed.

The requirement for permission is sociological and based on adherence to company procedures and policies of HP.

If HP had chosen to require physical manipulation of the storage device, collecting a serial number or code printed ONLY on the device, or another method of OPT-IN selection by the storage admin, then I am sure there would be no complaint.

The problem is some HP support employees have access to a God code that grants administrative access to any piece of gear, and it's the same for all customer units, AND probably the code continues to work, even if some customer service employees are terminated, that might know the code.

It's poor security against insider abuse, regardless.

Re:Eh? (1)

cheater512 (783349) | about a year ago | (#44258591)

That is the HP version yes.

The reality version is similar, but get rid of the bit about a customer needing to enable it and replace HP Support with anyone.

And with this... HP has lost all my respect. (0)

Anonymous Coward | about a year ago | (#44257731)

I've been having an ongoing driver problem with my printer. Today -- I've tried multiple times to notify HP; they want me to pay them to open a case to report a bug. Now, I find out that they have multiple back doors?....

Time to walk away.

It's standard practice (4, Interesting)

msobkow (48369) | about a year ago | (#44257739)

Pretty much every hardware/software stack combination that I ever encountered over 30+ years of programming had a "back door" admin account to allow the vendor to get into the systems to repair damage. This is nothing new.

Yes, it's a security hole.

But it's also standard practice and should come as no surprise to anyone.

Re:It's standard practice (0)

Anonymous Coward | about a year ago | (#44257789)

Been building Opensolaris/Nexenta based SAN's for years.

Never had a single account I didn't know about.

I don't understand why this would be "carry on as normal" to anyone.

Re:It's standard practice (5, Interesting)

Anonymous Coward | about a year ago | (#44257849)

IBM has, on midrange POWER systems, a service ID that has a constantly changing password. In case of loss of passwords and the like (mind you, passwords for the Service Processor, not the OS itself) you can call IBM and the CE will come, log in with the service ID and wait on the phone till Rochester tells him what the password for that machine at that time is.
Neat system; if someone ever finds out how the key is computed it could be defeated, but it's a lot harder than, say, a hard-coded password...
DS4000 series System Storage DO have a hardcoded user/pass, but the controller has rlogin turned off by default, so unless you get to the cage and log in via serial cable it's safe...

Re:It's standard practice (0)

Anonymous Coward | about a year ago | (#44259081)

DS4000 series System Storage DO have a hardcoded user/pass but the controller has rlogin turned off by default so unless you get to the cage and log in via serial cable it's safe...

As it should be. I hate appliances which can't be recovered with physical access to the device. If someone (who isn't supposed to) manages to get that kind of access to the device, you've fucked up security in much more significant ways.

Re:It's standard practice (5, Interesting)

Anonymous Coward | about a year ago | (#44258055)

Pretty much every hardware/software stack combination that I ever encountered over 30+ years of programming had a "back door" admin account to allow the vendor to get into the systems to repair damage. This is nothing new.

So trusting any vendor about any security is out of the question. Rolling your own stack is the only way to actually retain any control over your mission critical data.

But it's also standard practice and should come as no surprise to anyone

Or perhaps it is one of the "Seventeen Techniques for Truth Suppression" - 8. Dismiss the charges as "old news."

http://cryptome.org/2012/07/gent-forum-spies.htm [cryptome.org]

Re:It's standard practice (1)

AHuxley (892839) | about a year ago | (#44258587)

Even the low end, small brand prosumer/business grade ethernet, quality firewall with wireless and 3G dongle units seem to send something back.
Forums usually have the question: why is my new, quality firewall phoning home?
It's only an anonymous diagnostic tool that can't be turned off, and users are to be thankful for the low cost of the unit, low power usage, cool running and great support... cpu and memory is great too...

No not really (4, Informative)

Sycraft-fu (314770) | about a year ago | (#44258085)

The right answer is a service account they can have activated, if needed. On the EqualLogic (Dell) we have that is how it is done. When they need to work on the system, they have you connect to a WebEx session. They then request control of the PC. They have you log in to the system using your admin account, and they can then set the password on an "fse" account, which they can use to access service functions you aren't supposed to get at. Once they are done, they encourage you to change the fse account to a different password.

That is how it is properly done: They get in using your system, with you monitoring what they do, and you lock out access after they are done.

Now maybe they are going to have access all the time for proactive monitoring. Fine, that is a service some like (we may take Dell up on it if they start offering it). Again the right method is an account set up by the customer, not one hardcoded in. Why? Well because of shit like this. If it is hardcoded in, and you can't change it, then if someone discovers the access, it is bad times.

For that matter I've never seen this on Cisco stuff either. The recovery for that is via serial, I've never seen a remote override from Cisco. Maybe it is there, but I've never seen them use it.

Re:No not really (0)

Anonymous Coward | about a year ago | (#44258287)

For that matter I've never seen this on Cisco stuff either. The recovery for that is via serial, I've never seen a remote override from Cisco. Maybe it is there, but I've never seen them use it.

There's not a remote over-ride, but they can execute a command which generates a one-time password which has an expiration timer, which will allow that login to gain access to special manufacturer commands. As far as I'm aware, you can only do that with a login which already has maximum access. It's just a way to keep the people using the hardware from being able to get into some of the internals of the Cisco IOS, in particular the functions which control the license level of the software.

Nobody who is serious about making Carrier-grade equipment has a recovery account that you can get to over normal connections- it's all done via some type of console port. Some manufacturers use serial, some use ethernet, hell I've even seen one that used a crappy stereo mini-plug jack. The important factor is that it's a special port that isn't ever used for anything else, and even then most hardware lets you change the default password during the initial device setup.
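As an added example (not code from the page, from HP, or from any vendor named in the thread), this Python contrasts the hard-coded account pattern the summary describes with the customer-enabled, time-limited service account that Sycraft-fu's EqualLogic "fse" comment and the Cisco one-time-password reply above describe, storing the credential with a salted slow hash as mysidia suggested earlier in the thread. The usernames, the scrypt parameters, the "example-only" digest and the ServiceAccess API are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import secrets
import time

# --- Pattern 1: the hard-coded account the thread describes --------------
# One fixed username and one unsalted SHA-1 digest baked into every unit,
# with no customer switch and no expiry. The digest below is constructed
# for this example (the SHA-1 of "example-only"), not the real HP value.

def unsalted_sha1(password: str) -> str:
    """Unsalted SHA-1: one cheap call per guess, and lookup tables apply."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

VENDOR_USER = "vendorsupport"                  # hypothetical fixed username
VENDOR_DIGEST = unsalted_sha1("example-only")  # constructed; same on every unit

def hardcoded_login(username: str, password: str) -> bool:
    """Accepts the same credential on every unit, forever, for anyone."""
    return (username == VENDOR_USER
            and hmac.compare_digest(unsalted_sha1(password), VENDOR_DIGEST))

# --- Pattern 2: customer-enabled, time-limited service account -----------
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed work factor; raise N on real hardware

def slow_hash(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash (stdlib scrypt standing in for bcrypt/scrypt)."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)

class ServiceAccess:
    """A support login that exists only while the customer has enabled it."""
    USERNAME = "service"

    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable so expiry can be tested
        self._salt = None
        self._hash = None
        self._expires = 0.0
        self.audit = []             # (event, timestamp) records for the customer's log

    def enable(self, customer_admin_authenticated: bool) -> str:
        """Customer admin opts in; returns a fresh one-time password."""
        now = self.clock()
        if not customer_admin_authenticated:
            self.audit.append(("enable_denied", now))
            raise PermissionError("only a customer administrator can enable service access")
        password = secrets.token_urlsafe(16)     # random per session, never shipped in firmware
        self._salt = os.urandom(16)
        self._hash = slow_hash(password, self._salt)
        self._expires = now + self.ttl
        self.audit.append(("enabled", now))
        return password   # relayed to the vendor tech for this session only

    def disable(self) -> None:
        """Customer revokes access (what the tech should ask for when done)."""
        self._salt = self._hash = None
        self._expires = 0.0
        self.audit.append(("disabled", self.clock()))

    def login(self, username: str, password: str) -> bool:
        """Succeeds only while enabled, unexpired, and with the session password."""
        now = self.clock()
        ok = (username == self.USERNAME
              and self._hash is not None
              and now < self._expires
              and hmac.compare_digest(slow_hash(password, self._salt), self._hash))
        self.audit.append(("login_ok" if ok else "login_failed", now))
        return ok

if __name__ == "__main__":
    sa = ServiceAccess(ttl_seconds=600)
    print("before enable:", sa.login("service", "anything"))   # False
    pw = sa.enable(customer_admin_authenticated=True)
    print("with session password:", sa.login("service", pw))   # True
    sa.disable()
    print("after disable:", sa.login("service", pw))           # False
```

The hard-coded path has no state the customer can change, which is the whole complaint in the thread; the second path leaves the customer holding the switch, the expiry and the audit trail.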

Re:It's standard practice (1)

vux984 (928602) | about a year ago | (#44258289)

Pretty much every hardware/software stack combination that I ever encountered over 30+ years of programming had a "back door" admin account to allow the vendor to get into the systems to repair damage. This is nothing new.

Those other ones tended to be acknowledged and documented.

There is a big difference between a hole in the wall you know about, and one you don't.

But it's also standard practice and should come as no surprise to anyone.

You can't plug or safeguard against security holes that are kept secret.

Re: It's standard practice (2)

DigitAl56K (805623) | about a year ago | (#44258699)

Correct: It should come as no surprise to anyone. Which is why it shouldn't be hidden.

Slashdot Lameness... Deleted (4, Informative)

girlintraining (1395911) | about a year ago | (#44257741)

The password you're looking for is badg3r5. So there. Go forth, my minions! In other news, Slashdot's corporate overlords apparently no longer believe in full disclosure, as it had in the past, and now omit critical information probably because their lawyers have more say in the editorial process than the submitter, editors, or anyone with a clue to spare. :(

Re:Slashdot Lameness... Deleted (1, Insightful)

purpleidea (956832) | about a year ago | (#44257785)

The password you're looking for is badg3r5.

Yikes! That's not even a very good password.

This is a huge backdoor/security issue. This is another bit of proof that proprietary software is never okay.

Check out gluster instead maybe! All that's missing is a FreeBIOS.

Re:Slashdot Lameness... Deleted (4, Insightful)

girlintraining (1395911) | about a year ago | (#44257833)

This is a huge backdoor/security issue. This is another bit of proof that proprietary software is never okay.

If by "never" you mean "widely used", then I'm going to go with... nope. Here's the thing -- corporations are what buy most software. Corporations are willing to spend large piles of money on software. And corporations don't want security that cannot be defeated because a malicious person (or a perfectly ordinary employee with an asshole manager they want to get revenge on!) could disable it in a way it cannot be recovered from.

They pay massive amounts of money for support contracts that demand minimal downtime. There's nothing in that contract, or even a single fuck given, to security -- which is why you get convenient fast-recovery options like this... that have the "small" side effect of having giant unpatchable security holes in it. The worst of it is, the patch will probably take some custom (weak) hashing function that generates a unique password based on the serial number of the device... like so many other first responses many other vendors over the years have implemented... and then someone will figure out the hashing function and you'll have to run a 'keygen' then and probe the SNMP interface before doing the exact. same. goddamned. thing.

The balance between security and convenience has always slanted heavily towards convenience. Saying "proprietary software" is to blame for this is disingenuous at best. Open source software tends to be used by people who give at least half a fuck about security -- but look at the projects that have gone mainstream. Firefox, for example, and its attaching NTFS AD streams to downloaded files (just like internet explorer!) and integration with the internet options (just like internet explorer!) control panel... all to please their corporate overlords. Oh, and bonus -- you can't override it. So if your corporate overlords screw up, Firefox is just another target waiting to be exploited. And the list goes on. The reason why open source appears more secure is because the people who use it are somewhat more experienced. It has nothing to do with open source itself -- it is purely the people who are using it that have created an (albeit imperfect) culture of security around the products.

Corporations are people, HP backdoors are HP (0)

Anonymous Coward | about a year ago | (#44258079)

"Corporations are willing to spend large piles of money on software"

Corporations are just a lot of people working for a company. If those individuals don't want this, then the corporation doesn't want this.

Do you think any company wants a backdoor open to its company data? The medical data is protected by criminal law, the corporate secrets contain the value in the company, the employee data is a critical business secret covered by lots of laws, the stock related financial data it is a breach of the financial regulations to let outsiders see that.

The idea that corps want these back doors is just garbage. The idea that everything has these backdoors is just garbage. They've spent a lot of time worrying over whether Chinese made kit has backdoors, yet the one with the discovered back door is HP.

This is a HP problem.

And given the MS revelations, a closed source software problem. The idea that a company will expose itself to loss of trade secrets, bankruptcy lawsuits, criminal liability for staff, just so that a HP man can save a trip out on site to reset a password is just garbage.

You, sir, are an A-grade shill.

They *can* access the data on the device (5, Informative)

Anonymous Coward | about a year ago | (#44257863)

The earlier article said they can reset user passwords, if they can do that, they can grant themselves access to the data.

http://www.theregister.co.uk/2013/07/09/hp_storage_more_possible_backdoors/
"lost admin passwords are resettable by HP. One, from November 2011, states: “You will need to call support and they can get into the backed and reset it for you. 1-800-633-3600 'Lefthand Solutions'”. The other, posted by a LeftHand product manager in 2009, states: “Call support. They can reset the password remotely.”"

So they CAN get access to the data, because they can change the configuration to give themselves access.

Re:Slashdot Lameness... Deleted (0)

Anonymous Coward | about a year ago | (#44258181)

The password you're looking for is badg3r5. So there. Go forth, my minions! In other news, Slashdot's corporate overlords apparently no longer believe in full disclosure, as it had in the past, and now omit critical information probably because their lawyers have more say in the editorial process than the submitter, editors, or anyone with a clue to spare. :(

My dog has more say in editing Slashdot stories than Slashdot editors do.

And he's out in the back yard. In a thunderstorm. Taking a dump.

Re:Slashdot Lameness... Deleted (1)

shentino (1139071) | about a year ago | (#44258273)

In this litigious dog eat dog sue at the drop of a hat world, it's entirely possible that ignoring your lawyers will get you obliterated rather than simply censored.

If someone has a gun to your head, do you keep your mouth shut and live, or do you mouth off, get your brains blown out, and wind up never able to talk about *anything* again?

Re:Slashdot Lameness... Deleted (2)

Mal-2 (675116) | about a year ago | (#44258865)

If someone has a gun to your head, do you keep your mouth shut and live, or do you mouth off, get your brains blown out, and wind up never able to talk about *anything* again?

Say "what" again! Say! "what"! again! I dare you! I double-dare you, motherfucker! Say "what" one more goddamn time!

It depends a whole lot on how calm you can stay under the pressure.

Re:Slashdot Lameness... Deleted (0)

Anonymous Coward | about a year ago | (#44258743)

badg3r5??? badg3r5???? we don't need no stinkin' badg3r5!!!!

Customers Demand It (5, Informative)

Anonymous Coward | about a year ago | (#44257745)

I work for a large networking appliance company. We know these backdoors are a bad idea from a security standpoint. The problem is, customers demand them. They call up and want something fixed--or a customization or diagnosis or whatever--and many times the only way to resolve the issue is to access the box. Most times it's a configuration problem on their end, but often the quickest way to figure this out is to access the internal databases.

On our appliances our backdoors are completely optional--if you disable it, support is completely unable to access the box, period (I know because I helped to write it). But you wouldn't believe how irate customers become when you tell them that you can't help them, even though they're the ones who _chose_ to disable the support access, and clicked through all the warnings.

Could these backdoors be made more secure? Absolutely. But developing, say, a storage appliance and developing a secure remote access protocol (both in terms of software as well as access control) are worlds apart. SSH and SSL are just tiny elements in an overall solution.

I'm not one to argue that convenience and security are necessarily opposed. But it is incredibly hard to find the small set of solutions that provide both maximum convenience and maximum security. And even if you've found a solution in that set, it's incredibly hard to prevent it from degrading over time as developers come and go, introducing bugs as they add and fix features.

Well DUH (0)

Anonymous Coward | about a year ago | (#44257913)

They could

A) Actually TELL people about it

B) put a switch on the box to disable it when it's not in use

but perhaps these solutions are "too difficult"

and you sound WAY TOO MUCH like a marketroid, spewing tech speak and making excuses

Hmm are switches possible? (1)

Camael (1048726) | about a year ago | (#44258103)

That's a pretty nifty idea.

Is it possible to engineer the appliance so that instead of using passwords sent remotely to access the appliance, access is only granted when a physical switch is flicked on by the consumer? i.e.

Operator: Okay, we are connected to your system, press the red button now.
Customer: *press*
Operator: Okay, now we're in. Gimme a few minutes while we check your system.

Re:Hmm are switches possible? (1)

PPH (736903) | about a year ago | (#44258325)

Problem is: Customer is sitting in Mahogany Towers and the equipment is sitting in a co-loc facility miles away.

Re:Hmm are switches possible? (0)

Anonymous Coward | about a year ago | (#44258357)

and they can't pay someone to do it? point a camera at the gear to make sure the switch is in the proper position

are you an engineer or a marketing person? because you have NO chops for problem solving

Re:Hmm are switches possible? (1)

Anonymous Coward | about a year ago | (#44258399)

IBM ESS Storage Systems have something like that. You connect the serial cable, log in as SERVICE and the password is displayed on the cluster's panel. So you must be in front of the ESS itself to service it....

Re:Hmm are switches possible? (1)

StuartHankins (1020819) | about a year ago | (#44258635)

Most colo contracts include "hands and eyes" time where they will hard power-cycle machines, push a button, grant physical access to a vendor who is pre-approved to do some work... simple things. Whether you trust them enough to do that and whether it's a good idea to do that are separate issues. In the case of an emergency though it really helps.

Re:Hmm are switches possible? (3, Interesting)

sjames (1099) | about a year ago | (#44258415)

It is absolutely possible, and not at all a bad idea.

When I have set servers up for remote support, I just add a script they can run to open a support tunnel to the phone home server. They can have it run on startup or they can run it on request (or refuse to run it, of course).

On a custom build device like a NAS, the button would be easy enough.

Re:Hmm are switches possible? (0)

Anonymous Coward | about a year ago | (#44258473)

There's a story floating about regarding a server box that occasionally locked up and needed to be reset. Just a simple press of the reset button is all. (The server wasn't so critical that they needed a backup or anything, but it needed to be up.) After the Nth time being called in during nights and weekends to do this, the tech came up with a solution: a second box with a CD drive, positioned in front of the first. The second box pinged the first- if it didn't respond the second box ejected the CD tray, which was positioned so it would tap the reset button on the first box.

Between that, and taping/wedging the button in, it's not as good a security measure as you might think.

Re:Hmm are switches possible? (0)

Anonymous Coward | about a year ago | (#44258489)

Social engineers have been pretty good at tricking people into pushing red buttons* based on flimsy pretenses. You probably need a lid on the button with a sign that says in big print "OFF LIMITS - RISK OF INJURY OR DEATH" or "IF SOMEONE ASKED YOU TO PRESS THIS BUTTON, CONTACT SECURITY IMMEDIATELY".

* among other things, Kevin Mitnick tricked Pacific Bell technicians into giving him access to the FBI's wiretap system, which he then used to listen in on the FBI agents investigating him.

Re:Well DUH (0)

Anonymous Coward | about a year ago | (#44258679)

(I wrote the above post)

We actually support a one-time password scheme--actually a small randomly generated password which is a seed to a prime number generator which in turn is used to generate keys for strong PKI authentication. However, what happens if for whatever reason the management GUI breaks and they can't access the script to generate the password and keys, or even just to re-enable support access?

I can guarantee you that whatever bright idea you think you have, it's not even remotely a perfect solution. These people buy these boxed solutions because they want convenience. Even if the appliance is for "security" (i.e. a firewall of some sort), the analysis is the same. They want stuff to work, and they want it to work now, period. And the more complex these appliances, the more crap that can go wrong. The feature list on these boxes fills volumes; these aren't your grandparents' packet pushers.

Also, companies like mine and HP acquire many of their products through acquisition, not in-house development. Many times some product you just acquired was developed by imbeciles or neophytes who got lucky and won that particular market. So even though in-house you have lots of expertise on dealing with these issues, any particular product may have been implemented by a one-hit wonder team who did an okay job on the product's primary functionality but fubar'd the rest of the generic functionality.

Then your in-house developers want to fix all the problems but marketing and management are telling you to move on because the product is already selling like hot cakes so why spend any time on fixing what isn't, to their eyes, broken. Of course, this kind of idiocy is absolutely the fault of the company. So it's the company's fault for not fixing it, but not their fault for the stupid decisions in the first place.

I'm not defending a decision to leave a fixed password for the root account of a box. While that particular decision is egregious, the notion of keeping backdoors is not. Customers demand backdoors, period. And as long as there are backdoors, there are going to be exploits for them.

Not so bad with TOTP (2)

perpenso (1613749) | about a year ago | (#44258033)

I work for a large networking appliance company. We know these backdoors are a bad idea from a security standpoint. The problem is, customers demand them. They call up and want something fixed--or a customization or diagnosis or whatever--and many times the only way to resolve the issue is to access the box. Most times it's a configuration problem on their end, but often the quickest way to figure this out is to access the internal databases. On our appliances our backdoors are completely optional--if you disable it, support is completely unable to access the box, period (I know because I helped to write it). But you wouldn't believe how irate customers become when you tell them that you can't help them, even though they're the ones who _chose_ to disable the support access, and clicked through all the warnings.

This was my exact experience when working on telco infrastructure equipment years ago. We knew it was bad security but customers wanted it.

If working on such equipment today I would expect that we would incorporate a time-based one-time password that the customer would have to provide to our support person. Hardly perfect but a bit better than what seems to be common place today.

Re:Customers Demand It (0)

Anonymous Coward | about a year ago | (#44258229)

Then use the serial on the box as a method for generating the password or something. You don't even have to start thinking ssl and ssh things. Don't have a standardized password for all boxes. That's just nuts. Anyone that can get past the firewall can pwn the equipment.
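The thread sketches three support-access designs: the fixed fleet-wide password the article describes, the "derive it from the serial number" fix that the earlier comment predicts will just be keygen'd, and the time-based one-time password that perpenso suggests. The following Python is an added example written for this page (it is not HP's code or the commenter's) that puts all three side by side: the serial-derived scheme uses an assumed vendor constant and formula, and the TOTP gate is a plain RFC 6238 implementation in which the customer holds the seed, each code is accepted once, and the customer can switch the gate off entirely.

```python
import hashlib
import hmac
import secrets
import struct

# --- Scheme 1: one fixed password baked into every unit (the article's case) ---
# Nothing to compute: one leak, or one SHA-1 posted online, opens the whole fleet.

# --- Scheme 2: password derived from the serial number ---
# VENDOR_SALT and the formula are assumptions for illustration; a real vendor's
# formula would differ, but it lives in firmware and is recoverable by anyone who
# pulls the image, so the serial (on the label, or readable over SNMP) is the only
# secret left.
VENDOR_SALT = b"vendor-constant"

def serial_derived_password(serial: str) -> str:
    return hashlib.sha1(VENDOR_SALT + serial.encode()).hexdigest()[:8]

def keygen(serial: str) -> str:
    # The attacker's "keygen" is the same function: knowing the formula is enough.
    return serial_derived_password(serial)

# --- Scheme 3: TOTP (RFC 6238) with the seed held by the customer ---
def new_seed() -> bytes:
    return secrets.token_bytes(20)  # generated at install, shown once to the customer

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: HOTP with counter = floor(unix_time / step).
    return hotp(secret, at // step, digits)

class SupportAccess:
    """Device-side gate for a vendor support login.

    Support only gets a shell with a code the customer reads off their own token;
    each time-step's code is accepted once (no replay), a small clock-skew window
    is tolerated, and the customer can disable the gate outright.
    """
    def __init__(self, seed: bytes, step: int = 30, skew_steps: int = 1):
        self.seed = seed
        self.step = step
        self.skew = skew_steps
        self.used_counters = set()
        self.enabled = True

    def authorize(self, code: str, now: int) -> bool:
        if not self.enabled:
            return False
        base = now // self.step
        for counter in range(base - self.skew, base + self.skew + 1):
            if counter in self.used_counters:
                continue
            if hmac.compare_digest(hotp(self.seed, counter), code):
                self.used_counters.add(counter)
                return True
        return False

if __name__ == "__main__":
    serial = "CZ12345678"  # made-up serial
    print("serial-derived:", serial_derived_password(serial), "keygen:", keygen(serial))
    seed = new_seed()
    gate = SupportAccess(seed)
    now = 1_373_328_000
    code = totp(seed, now)
    print("customer reads code", code, "-> support accepted:", gate.authorize(code, now))
    print("same code again (replay):", gate.authorize(code, now))
```

The TOTP branch still leaves the recovery problem the vendor's engineer raises: if the customer loses the seed or the management path that displays it, support is locked out too, so the seed needs the same escrow and reset procedure as any other root credential, and that procedure is where most real implementations of this idea quietly grow a new backdoor.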

Re:Customers Demand It (1)

gmuslera (3436) | about a year ago | (#44258493)

With a fixed, weak master password that is not advised in the documentation nor requested to be changed to a safe one on install/configuration? That is a plain backdoor. That they managed to build security on it to enable you to control what authenticated users can see or do only makes it worse; it's not that they don't know how to authenticate users or have secure passwords. Not only did they sell you a backdoor, but they also show how idiotic they think you are.

Sounds fair (0)

Anonymous Coward | about a year ago | (#44257749)

What do you expect? How are HP supposed to keep prices down if they can't sell your personal information and home made porn?

If you use closed OS product, you clearly have no interest in security.

Freedom (3, Funny)

Taantric (2587965) | about a year ago | (#44257777)

When you buy an 'Merican product you are buying Freedom!

Meh (2)

WOOFYGOOFY (1334993) | about a year ago | (#44257929)

They're going bankrupt anyway so this issue will take care of itself.

NEXT!

Re:Meh (1)

dbIII (701233) | about a year ago | (#44258395)

They have too many people mixed in with politics to go bankrupt. The taxpayer will fund purchases of their stuff whether it is shit or not.

Every single day (2)

spire3661 (1038968) | about a year ago | (#44257983)

My worst fears of how deep spying has gone keep getting confirmed. Pretty much every single major vendor is backdoored by the NSA one way or another.

Re:Every single day (2)

dbIII (701233) | about a year ago | (#44258411)

While you could be correct I'd blame this especially stupid backdoor on HP instead. They need to be badgered about it and stop treating people like mushrooms.

Typical (1)

endus (698588) | about a year ago | (#44258105)

No one listens to the security group no matter how badly they get hammered. This is just dumb shit. If I ran the world everyone who was involved with implementing this would be fired immediately.

Remote access for customer support is a great thing...just build it right. It's really not that hard at all to build it right...probably even easier than building it this stupid ass way.

Prepare for the coming Chimpout (-1)

Anonymous Coward | about a year ago | (#44258171)

Lock and load, my friends. The Planet of the Apes 2013 is upon us. Trayvon chimpout 2013 will be the chimpout to out chimp all others.

Trayvon's nigger ape friends are going to come looking for you white boy. Be prepared when they show up at your door!

Why Multi-Level Security is So Important (1)

zbobet2012 (1025836) | about a year ago | (#44258305)

Your SSH ports should never be exposed to the public internet directly. Generally you want a "jump" box that is a very tight and tied down system (selinux/freebsd) with RSA keys to get in. Just Saying

Re:Why Multi-Level Security is So Important (2, Insightful)

Anonymous Coward | about a year ago | (#44258461)

Public Internet? Really? That's all you're concerned about? How about any business that requires auditable data access/manipulation and or is concerned in the least about insider threat? How about the ability of the mail clerk to nuke your entire storage array if he gets hacked off and decides to quit and leave a going away present. Outsider threats are the least of your concerns with a hole like this. But thanks for your brilliant security advice.
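Whether the exposure is the public Internet or the mail clerk, the practical first step is the same: know every time the vendor account is used, and every time anyone reaches the array other than through the jump box. The following Python is an added example, not code from either commenter, that runs that check over a few constructed sshd log lines. The HPSupport account name is the one the article gives; the hostnames, addresses and the jump-host IP are made up for the example.

```python
import re
from dataclasses import dataclass

# Constructed sshd log lines, not real captures. HPSupport is the account name from
# the article; hosts and addresses are invented.
SAMPLE_AUTH_LOG = """\
Jul  9 03:12:44 san-node1 sshd[2211]: Accepted password for HPSupport from 10.20.30.40 port 51234 ssh2
Jul  9 03:15:01 san-node1 sshd[2230]: Accepted publickey for admin from 10.0.0.5 port 40211 ssh2: RSA SHA256:abc
Jul  9 03:16:09 san-node1 sshd[2240]: Accepted password for admin from 192.168.7.9 port 44000 ssh2
Jul  9 03:17:00 san-node1 sshd[2250]: Failed password for HPSupport from 203.0.113.7 port 3333 ssh2
Jul  9 03:18:30 san-node1 sshd[2261]: Failed password for invalid user root from 203.0.113.7 port 3340 ssh2
"""

VENDOR_ACCOUNTS = {"hpsupport"}   # compared case-insensitively
JUMP_HOSTS = {"10.0.0.5"}         # assumed address of the hardened jump box

# Matches both "Accepted <method> for <user>" and "Failed <method> for [invalid user] <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)

@dataclass(frozen=True)
class Finding:
    severity: str
    reason: str
    user: str
    src: str
    ts: str

def parse_auth_log(text: str):
    """Yield one dict per sshd authentication line; unrelated lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def detect(text: str, vendor_accounts=VENDOR_ACCOUNTS, jump_hosts=JUMP_HOSTS):
    """Flag vendor-account use (success or attempt) and any successful login
    that did not come through a jump host."""
    findings = []
    for ev in parse_auth_log(text):
        user, src = ev["user"], ev["src"]
        accepted = ev["result"] == "Accepted"
        is_vendor = user.lower() in vendor_accounts
        if is_vendor and accepted:
            findings.append(Finding("critical", "vendor support account logged in", user, src, ev["ts"]))
        elif is_vendor:
            findings.append(Finding("high", "authentication attempt against vendor support account", user, src, ev["ts"]))
        elif accepted and src not in jump_hosts:
            findings.append(Finding("medium", "interactive login not via jump host", user, src, ev["ts"]))
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_AUTH_LOG):
        print(f"{f.severity:8} {f.ts} {f.user}@{f.src}: {f.reason}")
```

On a closed appliance you will not be running this on the box itself; the useful deployment is to forward the array's syslog to a collector you control and run the same rules there, so that the vendor account being used at all, with or without a ticket open, is something you find out about rather than something you hear about from The Register.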

hp support unresponsive? (0)

Anonymous Coward | about a year ago | (#44258315)

Who would have thought? I pretty much lost my last job over hp products which are extremely poorly designed but sold using fancy expensive PowerPoint presentations shown to idiots in charge, and even worse supported.
I've never dealt with any other company which had worse clueless and unresponsive support.
HP openview, nnm, sitescope, and bsm to name a few of the shitty apps.

Huawei backdoors? (0)

Anonymous Coward | about a year ago | (#44258363)

So were the rumors floating around a while back that 80% of networking gear built in China have backdoors and should not be trusted were started by the NSA who demand 100% of all gear have backdoors?

Re:Huawei backdoors? (1)

Agent ME (1411269) | about a year ago | (#44258437)

Huawei ... rumors

Am I the only one that remembers the actual holes? https://www.computerworld.com/s/article/9229785/Hackers_reveal_critical_vulnerabilities_in_Huawei_routers_at_Defcon [computerworld.com]

(Sure it might not have been an intentional backdoor but still works as one. I don't see why we shouldn't treat security issues like this.)

Uh-oh! (5, Funny)

Chmarr (18662) | about a year ago | (#44258531)

78a7ecf065324604540ad3c41c3bb8fe1d084c50 ? Really ? Crap... that's the combination to my luggage.

Re:Uh-oh! (1)

Anonymous Coward | about a year ago | (#44258671)

78a7ecf065324604540ad3c41c3bb8fe1d084c50 ? Really ? Crap... that's the combination to my luggage.

Damn. that's the combination of my medical marijuana storage facility!

Small world.

Standard Practice (4, Interesting)

HockeyPuck (141947) | about a year ago | (#44258825)

You people do realize that for *years* high end disk arrays shipped with *gasp* modems.

So if a problem occurred the array could 'phone home', open a case, upload logs and tell the vendor a problem took place. Then the vendor could dial in, diagnose the problem and dispatch a CE with the replacement part.

The techs accessing the arrays over the modems couldn't 'download' the customer data. Yes there were some companies that wouldn't allow the modem to be installed and would often have to sign very long legal documents basically saying that if a hardware failure happened and the vendor wasn't notified, the customer assumed responsibility.
