HP Keeps Installing Secret Backdoors In Enterprise Storage 193
Nerval's Lobster writes "For the second time in a month, Hewlett-Packard has been forced to admit it built secret backdoors into its enterprise storage products. The admission, in a security bulletin posted July 9, confirms reports from the blogger Technion, who flagged the security issue in HP's StoreOnce systems in June, before finding more backdoors in other HP storage and SAN products. The most recent statement from HP, following another warning from Technion, admitted that 'all HP StoreVirtual Storage systems are equipped with a mechanism that allows HP support to access the underlying operating system if permission and access is provided by the customer.' While HP describes the backdoors as being usable only with permission of the customer, that restriction is part of HP's own customer-service rules—not a limitation built in to limit use of backdoors. The entry points consist of a hidden administrator account with root access to StoreVirtual systems and software, and a separate copy of the LeftHand OS, the software that runs HP's StoreVirtual and HP P4000 products. Even with root access, the secret admin account does not give support techs or hackers access to data stored on the HP machines, according to the company. But it does provide enough access and control over the hardware in a storage cluster to reboot specific nodes, which would 'cripple the cluster,' according to information provided to The Register by an unnamed source. The account also provides access to a factory-reset control that would allow intruders to destroy much of the data and configurations of a network of HP storage products. And it's not hard to find: 'Open up your favourite SSH client, key in the IP of an HP D2D unit. Enter in yourself the username HPSupport, and the password which has a SHA1 of 78a7ecf065324604540ad3c41c3bb8fe1d084c50. Say hello to an administrative account you didn't know existed,' according to Technion, who claims to have attempted to notify HP for weeks with no result before deciding to go public."
Comment removed (Score:5, Insightful)
Re:badg3r5 (Score:5, Informative)
Rainbow Tables: enabling ontopic first posts since 2013.
Re:badg3r5 (Score:5, Funny)
Would you rather deal with Rainbow Tables or Bobby Tables?
Re: (Score:3)
Why not both?'); UPDATE vulnerabilities SET failtype = 'Bobby' WHERE admin = 'fool'; --
Re: (Score:2)
If HP had decided to store their passwords properly, by using Bcrypt or Scrypt with a decently high work factor, we would not be having this discussion... their password could be badg3r5, and it would take at least 5 or 6 hours to crack using a dicitonary search with l33t-speak substitution, so there probably wouldn't be 50+ people having discovered it within a couple days :)
Re: (Score:2)
Let's face it, it's far more likely to be "HP1234" than anything as complex as l33t-speak.
Re: (Score:2)
Oh, wait... the SHA1 of "badg3r5" is actually 78a7ecf065324604540ad3c41c3bb8fe1d084c50.
(mushroom, mushroom)
Re:badg3r5 (Score:5, Insightful)
Oh wait... I thought you were joking!
The SHA1 of "badg3r5" really is "78a7ecf065324604540ad3c41c3bb8fe1d084c50".
http://www.sha1-lookup.com/index.php?q=78a7ecf065324604540ad3c41c3bb8fe1d084c50 [sha1-lookup.com]
HP used "badgers" in leet-speak for an NSA backdoor? Smells like they wanted people to know, to me. Maybe they didn't like what they were supposed to be doing, and stuck their tongue firmly in cheek at the implementation stage? "Screw the NSA - we'll give them a back door if they want it so much - and we'll make it so that researchers find it easily, so our business isn't damaged in the long term ("If we wanted you data so much, we'd have done a better job of hiding it - blame your government")
Re: (Score:3)
You think that's all they have?
What is the back door for iLO, the HP remote admin for servers? You don't think they'd put one in the storage but leave out the servers do you?
Re: (Score:3)
Re: (Score:2)
Re:badg3r5 (Score:5, Interesting)
I signed up to a website and was given a large block of passwords to crunch. I can't remember my block, but it was full of 7 character alpha-numeric passwords. There were some 6 character password blocks left to crunch, but 99% of them were complete.
My P3 450 crunched them all weekend and beyond. In return, I was given complete access to the MD5 rainbow tables, through some forms on a website.
It was a near-instant search.
Assume that your 8 character passwords are fully hashed. All alpha-numeric passwords 7 characters and under were complete back then.
Asking Google to search for hashes is also fun.
Re: (Score:2)
Rainbow Tables: enabling ontopic first posts since 2013.
if it's that then it's the same as the previous.. unless the badgers post was joke then and now.
Re: (Score:3)
That looks suspiciously like the sort of simple password my ex-boss used to insist we use for things like Domain administrator accounts on Windows. He was an HP-UX admin at one point - does HP offer a free "find a crappy password" tool?
Re: (Score:3)
Re:badg3r5 (Score:4, Insightful)
I'm an IT manager in WI and the closest HP user support and sales agent is in Illinois
They definitely have people they don't let you talk to, and I'm betting those guys wrote this account into the software.
Re: (Score:2)
Badgers! We don't need no stinkin' badgers! (But apparently we get them anyway.)
Re: (Score:3)
They need to get a snake grip on this before it mushrooms.
Yet another company to boycott (Score:2)
Re: (Score:2)
HPSupport acounts are not new, but hiding them is (Score:5, Informative)
Years ago I worked on HP3000 servers and there was an hpsupport user on those systems as well. But on the 3000 series it was documented and every sysadmin was aware of it and could change the password if desired. Looks like HP still cares about customer service, but no longer cares about ethics. Sad. They were once a really great company.
Re: (Score:2, Funny)
Re: (Score:2)
Re: (Score:2, Interesting)
On the system I worked on, there is a manufacturing mode that only someone with Admin privilege AND a manufacture mode password generator can enable. This means only HP support personnel can turn it on if the customer allows it.
Once it is turned on, root access can be gained using a private key.
Re: (Score:2)
977533ed14dd55576b6bf27f869b040b68e39bd7
Re:HPSupport acounts are not new, but hiding them (Score:5, Informative)
Actually, through to the early 80's. Hewlitt and Packard, the men, had a true sense of worth of their employees and treated them with respect. That was pretty much gone as the 80's rolled on. Packard was a changed man from his stint(s) in Washington. Then, of course, by the time Patricia Dunn was in charge, the company was a toilet. Pretexting, anyone? Yeah, sad.
Re: (Score:3)
Um.....
http://en.wikipedia.org/wiki/United_States_Deputy_Secretary_of_Defense [wikipedia.org]
Eh? (Score:4, Insightful)
Without reading TFA, which I expect to be even more sensationalist crap:
I grok this to mean that a backdoor exists for customer service, which can be activated by a customer (by two factors: permission and network access), and that without action on the part of the customer, said backdoor is closed.
Did I miss something?
If so, please synopsize in non-sensationalist terms.
Indeed, whatever the case: Please post a not-purposefully-scary summary of the actual problem below, because right now it sounds a whole lot like the not-backdoor that Remote Assistance is under Windows.
Re:Eh? (Score:5, Informative)
If so, please synopsize in non-sensationalist terms.
Non-bullshit, redacted by lawyers version:
Anyone with access to the NAS over the network and an SSH client can enter a username and password, gain elevated privileges to the cluster, and while not allowing access to the data directly from that interface, access can disable the cluster or delete all the data within it, as well as wiping out partition information, etc.
Re: (Score:3)
Sweet! Thanks.
I'll keep that in mind as I continue to not buy or specify HP products for a myriad of other reasons.
(That they killed Alpha and whatever was decent about Compaq was already sufficient. Nevermind the fact that their laptops are the least-service-friendly machines I've ever laid a screwdriver on. Or the crazy bullshit computers that I've wasted countless man-days troubleshooting unique problems on in the late 90s. Or the home-oriented desktops they once built which were impossible to open t
Re: (Score:2)
Re:Eh? (Score:4, Funny)
Well, better than underaged benchmark results.
Re:Eh? (Score:4, Funny)
Nevermind the fact that their laptops are the least-service-friendly machines I've ever laid a screwdriver on.
You sound like a crazy person. I bet you want to clean the fans or some such nonsense.
Re: (Score:2)
Yes, that.
Interestingly, I just acquired a Dell laptop from the same lineage as the "clean the fans" song.
There is a cover on the bottom, removable with one screw. Beneath is the heatsink. Just beyond is the fan.
The heatsink itself is copper, and can be easily removed, cleaned/rinsed/whatever, and reinstalled.
Yay.
Re: (Score:2)
Only Mac fans. There's no cute women that are fans of HP or MS Windows laptops.
Re: (Score:2)
I read comments like this a lot, and they don't entirely gel with my experience of HP stuff.
Their "consumer" products are truly horrible, and whether it's a laptop, desktop, printer or MFP, you're best advised to just keep walking; but their business-class hardware still seems pretty decent.
For instance, the nx6320 laptop I used to use made it pretty easy to swap drives, RAM, clean fans, anything you might want to perform at home as a modestly skilled and equipped self-tech; but the 4710s I bought to replac
Re: (Score:2)
I have the HP 3070A multi-purpose print/scan/copy thingy and I've been very happy with it. Easy to use, reliable, works flawlessly over WiFi (both print and scan), stable drivers and good print quality. Then I also have the cheapo HP 635 laptop, fully plastic (as expected for the price point) but has served very well, nice display too.
Basically my recent experiences of their consumer stuff have nothing to complain about.
Re: (Score:2)
Re: (Score:3)
So "no direct access to data" probably isn't saying much --- just about the limitations of what capabilities the admin UI has.
Posturing by HP to attempt to reduce the perceived severity of the issue?
While not allowing access to the data directly from that interface,
There are probably commands they would be able to type that might enable an additional iSCSI, FC, or NFS initiator to connect; possibly an initiator running on an IP address controlled by the person using the backdoor.
People can do o
Re: (Score:3)
Anyone with access to the NAS over the network and an SSH client can enter a username and password, gain elevated privileges to the cluster, and while not allowing access to the data directly from that interface, access can disable the cluster or delete all the data within it, as well as wiping out partition information, etc.
So anyone including unhappy ex-employees who still have access to the network or physical access to a machine, and who might be interested in holding their former employer to ransom? Including current employees eager to become ex-employees and interested in changing this password in case their reference letter isn't what they wanted? Including anyone who can get the IP address and is interested in shit-disturbing? It sounds like a race to change this password is on as every single unit probably is a targ
Re: (Score:2)
Why would just anyone have access to this machine via SSH?
Have you not heard of firewalls? Whatever connects to this NAS just needs CFS/NFS access on the regular network. SAN type protocols would be VLANed off and SSH would be limited to the administrative machines at the very least. This all assumes people did their jobs correctly.
Re: (Score:3)
Right. ANYONE who can access the local network, or if the device is internet accessible ANYONE on the internet, can enter the username HPSupport and the password badg3r5.
This is a wide open highly dangerous back door, which was (formerly) protected by nothing more than the hope that (1) no one bothered to notice that HP publicly offered this sort of remote support and (2) the hope that no one who did notice it bothered spending 20 seconds on Google to find a website [md5decrypter.co.uk] that could instantly decode the SHA-1 "78
Re: (Score:2)
Right, so when someone writes a worm that exploits this, NBD!
Re:Eh? (Score:5, Informative)
I doubt it. We've got some software like this, and while we were having trouble one day and I was on the phone with their support (who was about as skilled as your local broadband support tech) proceeded to log into our equipment, duplicated my administrator account, log in as me, and start making changes. The log even reported the changes as being done by me. When I realized what was going on I started yelling into the phone "What the fuck do you think you're doing? Holy fucking shit?!?!" The tech on the other end was rather surprised I was upset "Excuse me?" he asked... "How did you just do all that?!?! This is on OUR servers, behind OUR firewall!!! You're under contract with us, none of this should be possible! physically, or legally!" all he said was "Well they don't let me see the contracts. I just click this "Clone account" button and there we go..."
I reported the whole thing to our security director. It ended up in the lawyers lap. Their software basically just tunneled its way out of our network. There were other reasons their software needed to connect to them so they just used the same port to allow their support techs to have basically more access than I, the senior administrator had. Now, instead of having a secure product, we have an unsecured product and the only thing protecting us from them is a "more specific" contract that, again, their techs have no access to read. Also, given the regulations we're under, that tech was violating federal law without even knowing it.
Don't trust your vendors. My management has, after this and several other incidents, come to the conclusion that these sorts of products are more trouble than they're worth. In the near future we'll be building it all in-house and dropping vendors like this. Some stuff, like oracle and microsoft, will be hard to dump. But I bet that given enough time even they will be gone and we'll be on something open source.
Re: (Score:2)
Sounds like you need a better security director, a better firewall/network infra admin, and some junior guy to read logs and watch the seim. The better question here is how/why was this device able to tunnel in/out of your network without someone explicitly allowing it? What you allow unfiltered egress from your data center? If you do your vendors are the least of your problems.
Re: (Score:3)
You didn't need to swear at the tech guy, manners goes a long way.
Fuck you.
You self-important, overblown dick.
Hypocrite much?
Re: (Score:2)
Troll or just stupid?
A succinct explanation for people that might be dumb enough to think like that: if all your security can be bypassed remotely with a click of a button then you have no security.
Re:Eh? (Score:5, Informative)
The thing you're missing is this part:
"While HP describes the backdoors as being usable only with permission of the customer, that restriction is part of HP's own customer-service rules - not a limitation built in to limit use of backdoors."
i.e. there is not actually any kind of technical restriction on the use of the backdoor, there is no actual customer control over it. When they say 'we can only use it with the customer's permission' what they mean is 'we told our reps only to use it with the customer's permission and we hope they do what we say, and no-one else finds it, so now...oops'.
Re:Eh? (Score:4, Informative)
I grok this to mean that a backdoor exists for customer service, which can be activated by a customer (by two factors: permission and network access), and that without action on the part of the customer, said backdoor is closed.
The requirement for permission is sociological and based on adherence to company procedures and policies of HP.
If HP had chosen to require physical manipulation of the storage device, collecting a serial number or code printed ONLY on the device, or another method of OPT-IN selection by the storage admin, then I am sure there would be no complaint.
The problem is some HP support employees have access to a God code that grants administrative access to any piece of gear, and it's the same for all customer units, AND probably the code continues to work, even if some customer service employees are terminated, that might know the code.
It's poor security against insider abuse, regardless.
Re: (Score:2)
That is the HP version yes.
The reality version is similar, but get rid of the bit about a customer needing to enable it and replace HP Support with anyone.
Re: (Score:2)
Unfortunately, that is exactly where the problem starts, but not ends.
The backdoor is available without customer interaction! HP is lying in its statement - it is not technically wrong, but intentionally misleading. So they know they are lying, too. And it seems they are also refusing to fix it.
Re: (Score:2)
I grok this to mean that a backdoor exists for customer service, which can be activated by a customer (by two factors: permission and network access), and that without action on the part of the customer, said backdoor is closed.
"Permission" isn't much of a safeguard against criminals. They tend to do stuff without it.
(Isn't that the very definition of "criminal", i.e. doing stuff they don't have permission to do?)
You miss the point by miles (Score:2)
The point is not that such access exists, the point is that it is NOT DOCUMENTED.
It's standard practice (Score:5, Interesting)
Pretty every much hardware/software stack combination that I ever encountered over 30+ years of programming had a "back door" admin account to allow the vendor to get into the systems to repair damage. This is nothing new.
Yes, it's a security hole.
But it's also standard practice and should come as no surprise to anyone.
Re:It's standard practice (Score:5, Interesting)
Pretty every much hardware/software stack combination that I ever encountered over 30+ years of programming had a "back door" admin account to allow the vendor to get into the systems to repair damage. This is nothing new.
So trusting any vendor about any security is out of the question. Rolling your own stack is the only way to actually retain any control over your mission critical data.
But it's also standard practice and should come as no surprise to anyone
Or perhaps it is one of the "Seventeen Techniques for Truth Suppression" - 8. Dismiss the charges as "old news."
http://cryptome.org/2012/07/gent-forum-spies.htm [cryptome.org]
Re: (Score:2)
Forums usually have the question why is my new, quality firewall phoning home?
Its only an anonymous diagnostic tool that cant be turned off and users are to be thankful for the low cost of the unit, low power usage, cool running and great support... cpu and memory is great too...
Not even common decency (Score:3)
They don't even have the common decency to at least choose a password that isn't already in every rainbow table on the planet.
If I were to make a back door system, I'd make sure customers knew about it. I'd make it so that a physical switch had to be activated on the device itself in order for the back door to be used. Activating the switch would be plainly obvious, with both physical indicators on the device and in management software, with auditing and warnings that the back door has been activated - an
No not really (Score:5, Informative)
The right answer is a service account they can have activated, if needed. On the EqualLogic (Dell) we have that is how it is done. When they need to work on the system, they have you connect to a WebEx session. They then request control of the PC. They have you log in to the system using your admin account, and they can then set the password on an "fse" account, which they can use to access service functions you aren't supposed to get at. Once they are done, they encourage you to change the fse account to a different password.
That is how it is properly done: They get in using your system, with you monitoring what they do, and you lock out access after they are done.
Now maybe they are going to have access all the time for proactive monitoring. Fine, that is a service some like (we may take Dell up on it if they start offering it). Again the right method is an account set up by the customer, not one hardcoded in. Why? Well because of shit like this. If it is hardcoded in, and you can't change it, then if someone discovers the access, it is bad times.
For that matter I've never seen this on Cisco stuff either. The recovery for that is via serial, I've never seen a remote override from Cisco. Maybe it is there, but I've never seen them use it.
Re: (Score:2)
Pretty every much hardware/software stack combination that I ever encountered over 30+ years of programming had a "back door" admin account to allow the vendor to get into the systems to repair damage. This is nothing new.
Those other ones tended to be acknowledged and documented.
There is a big difference between a hole in the wall you know about, and one you don't.
But it's also standard practice and should come as no surprise to anyone.
You can't plug or safeguard against security holes that are kept secret.
Re: It's standard practice (Score:3)
Correct: It should come as no surprise to anyone. Which is why it shouldn't be hidden.
Re: (Score:2)
Yes, it's a security hole.
If you know about it, you're in the firing line when shit hits the fan. If you work in a sector with specific regulations on data handling, eg PCI, HIPAA, Sarbanes Oxley, they're pretty much excluded from that sector. It is a due diligence failure on your part as the person recommending / implementing the system.
Re:It's standard practice (Score:5, Interesting)
IBM has, on midrange POWER systems, a service ID that has a constantly changing password. In case of loss of passwords and the like (mind you, passwords for the Service Processor, not the OS itself) you can call IBM and the CE will come, log with the service ID and wait on the phone till rochesters tells him what the password for that machine at that time is.
Neat system, if someone ever finds out how the key is computed it could be defeated but its a lot harder than say, a hard coded password...
DS4000 series System Storage DO have a hardcoded user/pass but the controller has rlogin turned off by default so unless you get to the cage and log in via serial cable it's safe...
Slashdot Lameness... Deleted (Score:5, Informative)
The password you're looking for is badg3r5. So there. Go forth, my minions! In other news, Slashdot's corporate overlords apparently no longer believe in full disclosure, as it had in the past, and now omit critical information probably because their lawyers have more say in the editorial process than the submitter, editors, or anyone with a clue to spare. :(
The *can* access the data on the device (Score:5, Informative)
The earlier article said they can reset user passwords, if they can do that, they can grant themselves access to the data.
http://www.theregister.co.uk/2013/07/09/hp_storage_more_possible_backdoors/
" lost admin passwords are resettable by HP. One, from November 2011, states: “You will need to call support and they can get into the backed and reset it for you. 1-800-633-3600 'Lefthand Solutions'”. The other, posted by a LeftHand product manager in 2009, states: “Call support. They can reset the password remotely.”
So they CAN get access to the data, because they can change the configuration to give themselves access.
Re:The *can* access the data on the device (Score:5, Funny)
Probably another case of "they cannot do X because it's in the customer support rules".
Re: (Score:2)
In this litigious dog eat dog sue at the drop of a hat world, it's entirely possible that ignoring your lawyers will get you obliterated rather than simply censored.
If someone has a gun to your head, do you keep your mouth shut and live, or do you mouth off, get your brains blown out, and wind up never able to talk about *anything* again?
Re: (Score:3)
If someone has a gun to your head, do you keep your mouth shut and live, or do you mouth off, get your brains blown out, and wind up never able to talk about *anything* again?
Say "what" again! Say! "what"! again! I dare you! I double-dare you, motherfucker! Say "what" one more goddamn time!
It depends a whole lot on how calm you can stay under the pressure.
Re:Slashdot Lameness... Deleted (Score:5, Insightful)
This is a huge backdoor/security issue. This is another bit of proof that proprietary software is never okay.
If by "never" you mean "widely used", then I'm going to go with... nope. Here's the thing -- corporations are what buy most software. Corporations are willing to spend large piles of money on software. And corporations don't want security that cannot be defeated because a malicious person (or a perfectly ordinary employee with an asshole manager they want to get revenge on!) could disable it in a way it cannot be recovered from.
They pay massive amounts of money for support contracts that demand minimal downtime. There's nothing in that contract, or even a single fuck given, to security -- which is why you get convenient fast-recovery options like this... that have the "small" side effect of having giant unpatchable security holes in it. The worst of it is, the patch will probably take some custom (weak) hashing function that generates a unique password based on the serial number of the device... like so many other first responses many other vendors over the years have implimented... and then someone will figure out the hashing function and you'll have to run a 'keygen' then and probe the SNMP interface before doing the exact. same. goddamned. thing.
The balance between security and convenience has always slanted heavily towards convenience. Saying "proprietary software" is to blame for this is disengenuous at best. Open source software tends to be used by people who give at least half a fuck about security -- but look at the projects that have gone mainstream. Firefox, for example, and it's attaching NTFS AD streams to downloaded files (just like internet explorer!) and integration with internet options (just like internet explorer!) control panel... all to please their corporate overlords. Oh, and bonus -- you can't override it. So if your corporate overlords screw up, Firefox is just another target waiting to be exploited. And the list goes on. The reason why open source appears more secure is because the people who use it are somewhat more experienced. It has nothing to do with open source itself -- it is purely the people who are using it that have created a (albeit imperfect) culture of security around the products.
Customers Demand It (Score:5, Informative)
I work for a large networking appliance company. We know these backdoors are a bad idea from a security standpoint. The problem is, customers demand them. They call up and want something fixed--or a customization or diagnosis or whatever--and many times the only way to resolve the issue is to access the box. Most times it's a configuration problem on their end, but often the quickest way to figure this out is to access the internal databases.
On our appliances our backdoors are completely optional--if you disable it, support is completely unable to access the box, period (I know because I helped to write it). But you wouldn't believe how irate customers become when you tell them that you can't help them, even though they're the ones who _chose_ to disable the support access, and clicked through all the warnings.
Could these backdoors be made more secure? Absolutely. But developing, say, a storage appliance and developing a secure remote access protocol (both in terms of software as well as access control) are worlds apart. SSH and SSL are just tiny elements in an overall solution.
I'm not one to argue that convenience and security are necessarily opposed. But it is incredibly hard to find the small set of solutions that provide both maximum convenience and maximum security. And even if you've found a solution in that set, it's incredibly hard to prevent it from degrading over time as developers come and go, introducing bugs as they add and fix features.
Not so bad with TOPT (Score:3)
I work for a large networking appliance company. We know these backdoors are a bad idea from a security standpoint. The problem is, customers demand them. They call up and want something fixed--or a customization or diagnosis or whatever--and many times the only way to resolve the issue is to access the box. Most times it's a configuration problem on their end, but often the quickest way to figure this out is to access the internal databases. On our appliances our backdoors are completely optional--if you disable it, support is completely unable to access the box, period (I know because I helped to write it). But you wouldn't believe how irate customers become when you tell them that you can't help them, even though they're the ones who _chose_ to disable the support access, and clicked through all the warnings.
This was my exact experience when working on telco infrastructure equipment years ago. We knew it was bad security but customers wanted it.
If working on such equipment today I would expect that we would incorporate a time-based one-time password that the customer would have to provide to our support person. Hardly perfect but a bit better than what seems to be common place today.
Re: (Score:2)
Hmm are switches possible? (Score:2)
That's a pretty nifty idea.
Is it possible to engineer the appliance so that instead of using passwords sent remotely to access the appliance, access is only granted when a physical switch is flicked on by the consumer? i.e.
Operator: Okay, we are connected to your system, press the red button now.
Customer: *press*
Operator: Okay now were in. Gimme a few minutes while we check your system.
Re: (Score:2)
Problem is: Customer is sitting in Mahogany Towers and the equipment is sitting in a co-loc facility miles away.
Re: (Score:2)
Re:Hmm are switches possible? (Score:4, Interesting)
It is absolutely possible, and not at all a bad idea.
When I have set servers up for remote support, I just add a script they can run to open a support tunnel to the phone home server. They can have it run on startup or they can run it on request (or refuse to run it, of course).
On a custom build device like a NAS, the button would be easy enough.
Re: (Score:2)
Re: (Score:3)
Do you mean this [thedailywtf.com] story, written by Jake Vinson?
Here's an edited version of the text for those too lazy to click on the link (used without permission, but go visit the site [thedailywtf.com] anyway as it has lots of amusing - if not entirely truthful - anecdotes)
Re: (Score:2)
Customers demand backdoors, period. And as long as there are backdoors, there are going to be exploits for them.
Backdoors for service accounts don't have to be trivial to exploit. If you ship a secret backdoor with the sort of simple password protection this one has, you deserve to go out of business over the resulting negligence lawsuits.
Freedom (Score:3, Funny)
When you buy an 'Merican product you are buying Freedom!
Re: (Score:2)
If you buy it from China you get half the Freedom for half the price.
-
Meh (Score:3)
They're going bankrupt anyway so this issue will take care of itself.
NEXT!
Re: (Score:2)
Every single day (Score:3)
Re: (Score:3)
Typical (Score:2)
No one listens to the security group no matter how badly they get hammered. This is just dumb shit. If I ran the world everyone who was involved with implementing this would be fired immediately.
Remote access for customer support is a great thing...just build it right. It's really not that hard at all to build it right...probably even easier than building it this stupid ass way.
Why Multi-Level Security is So Important (Score:2)
Re: (Score:2, Insightful)
Public Internet? Really? That's all your concerned about? How about any business that requires auditable data access/manipulation and or is concerned in the least about insider threat? How about the ability of the mail clerk to nuke your entire storage array if he gets hacked off and decides to quit and leave a going away present. Outsider threats are the least of your concerns with a hole like this. But thanks for your brilliant security advice.
Uh-oh! (Score:5, Funny)
78a7ecf065324604540ad3c41c3bb8fe1d084c50 ? Really ? Crap... that's the combination to my luggage.
Standard Practice (Score:5, Interesting)
You people do realize that for *years* high end disk arrays shipped with *gasp* modems.
So if a problem occurred the array could 'phone home', open a case, upload logs and tell the vendor a problem took place. Then the vendor could dial in, diagnose the problem and dispatch a CE with the replacement part.
The techs accessing the arrays over the modems couldn't 'download' the customer data. Yes there were some companies that wouldn't allow the modem to be installed and would often have to sign very long legal documents basically saying that if a hardware failure happened and the vendor wasn't notified, the customer assumed responsibility.
The LeftHand Path (Score:5, Informative)
Actually for those that administer these systems this is old news...
I worked for a financial institution that had two four node clusters of storage products [one was SATA based and the other SAS based] which were developed by LeftHand Networks which ran on HP storage servers [DL320s] and Dell hardware as well. Shortly after we installed the clusters, HP bought LeftHand... and the LeftHand OS [then called SAN i/Q] became an HP only product [they dropped support for other hardware]. at that time (2008) this support back door already existed... I had occasion to allow a LeftHand support engineer access to a node which had taken itself off line... and the only way to bring it back was the command line backdoor -- It was part of the LeftHand OS / Cluster Administration software... LeftHand OS is a actually Linux with some custom cluster control / management software.
The real issue of this account is that it allows a third party access to an interface that the owner of the hardware cannot access-- yep, that is right LeftHand did not trust its clients with access to the command line on their storage server products... you were buying a very complex "Storage Appliance" which *required* a support contract... they were designed as a RAID 5 Cluster. Each Node was set up as a RAID 50 array and then the nodes were then clustered as Raid 5... you could lose a lot of drives and still have a cluster which at the time was something unique on the market
On the other had (the left one?) the Support Engineers at LeftHand were extremely knowledgeable of their products [It was then a start up and at least in part employee owned] and they were actually concerned and responsive to the needs of their customers... I was sad that the senior Support folks cashed out and moved on when HP bought them...
When HP took over that all went out the window... by 2009 the front end of the support operation went to Mexico and if you really did need a support engineer they would have the engineer call you [previously the Support number was a direct line to the support engineers]
Now my recollection was the reason that HP bought them was that LeftHand had a product that was better than HP's offerings at the time... so it should not be surprising that the LeftHand code base evolved / moved into other products...
The bottom line is that the only way to get access to the command line of a LeftHand node required either SSH access or a modem connection. As an administrator, giving network access to black hats by failing to block access SSH access to sensitive systems from unknown IP space just shows you are an idiot. While I understood the reason for the back door my only real fear of it was that some HP trainee engineer would wipe a cluster and take down the vSphere cluster that the storage cluster supported. The fact that my boss did not know the password made the system safe... since my boss knew nothing about server systems or networks...
Re:The LeftHand Path (Score:5, Informative)
Was about to say the same thing here as well; we had some of the G1 LeftHand units foisted upon us as a "cheap" SAN solution about three years ago, very soon after the HP buyout you mentioned.
It was probably more likely due to the fact that the salesman over-promised, the company under-spent (seriously, they expected 1Gb NICs to be fast enough to feed over 300 VMs) and the HP techs set them up wrongly (the same RAID50 setup you describe), but we had endless problems with them - performance was predictably rubbish but a single disc failure kept causing the node to reboot. Anyway, because of the continual problems with the LH, we basically had an HP tech dialling into the nodes at least once a week to firefight the issue du jour, simply because certain node failures could only be remedied this way for some inexplicable reason. HP refused to let us know the backdoor, so one of the network team installed a keylogger on the box they dialled into via WebEx to activate the backdoor which captured teh badgers as it went in. So eventually we were able to fix our nodes much quicker, but it was annoying as hell and a cynical person might say the "backdoor admin" mode was only there to justify support contracts. If I was the kind of person to work in LH's marketing department I would have spun this backdoor as a "Cloud-based administrative control and recovery system" because it was slow, overpriced and unreliable.
Eventually we got a new head of ops who wasn't as much of a yes-man to the director (who by this point was being hauled over the coals for the shitty performance and reliability of his much-vaunted SAN solution) and HP recanted and bought back the LH and sold us a 3par instead (of which performance, support and reliability have been exemplary), and the fact that HP had basically bullied us into a position of "we're going to backdoor you literally and figuratively" was a big factor in negotiating ourselves a good price.
Based on my experience, I'd avoid anything to do with the LeftHand forever more, the whole support infrastructure was just the putrid icing on top of a very shitty cake.
Obvious? (Score:3)
Would this fact not have been obvious the first time someone called support?
Really, Myron? (Score:2)
Re: (Score:3)
If the computer belongs to the corporation the CEO works for then chances are he already has authorization.
Re: (Score:2)
The Feds probably paid for the backdoor.
Re: (Score:2)
It's probably buried in the TOS that you implicitly agreed to when you opened the box, so they're covered.
Re: (Score:2)
Those laws are for people that does things against the government/corporations, not for corporations doing it for the government. Having backdoor will be the new normal, at least if people keeps buying from them.
And don't think the "consequences" will include removing them, the fix will only just put them more hidden, or reinstall them with the next update.
Re:Consequences? (Score:5, Informative)
You've got it backwards. The computer abuse laws are for jailing the evil hackers who published the information.
Re: (Score:2)
Re: (Score:2)
Huawei ... rumors
Am I the only one that remembers the actual holes? https://www.computerworld.com/s/article/9229785/Hackers_reveal_critical_vulnerabilities_in_Huawei_routers_at_Defcon [computerworld.com]
(Sure it might not have been an intentional backdoor but still works as one. I don't see why we shouldn't treat security issues like this.)