More silly security

<uvbrm4$2fn2h$6@dont-email.me>

https://news.novabbs.org/tech/article-flat.php?id=136360&group=sci.electronics.design#136360

From: blockedofcourse@foo.invalid (Don Y)
Newsgroups: sci.electronics.design
Subject: More silly security
Date: Fri, 12 Apr 2024 10:40:20 -0700
 by: Don Y - Fri, 12 Apr 2024 17:40 UTC

APC UPSs have (or can have) a network management option.
Most usually, an add-in card with (at least) a NIC and
some services hosted by the UPS (web interface, sshd,
ftpd, etc.).

Most UPSs don't have a traditional UI. Often, a serial
console is available -- via a (trivial to make) special cable.

To get the interface card to a known state, there is a RESET
pinhole available. One would think holding the RESET for
some abnormal amount of time would force the card to
resume its default settings -- IP, password, etc.

APC, however, have implemented a more bizarre scheme:
  Press RESET.
  Wait a few seconds for indicator on the card to rapidly flash
  Press RESET, again.
  Repeatedly strike ENTER on serial console until prompt appears.
  Use default credentials to log in.
This must be accomplished in the first 30 seconds else the existing
settings (ALL of them, including username and password) remain as is.

[Keep in mind that for a racked UPS, you've got your head inside
the rack on the BACK side of the UPS to access the RESET pinhole.
And, the UPS is likely *low* in the rack making access challenging.
Presumably, a laptop sitting nearby to act as the serial console]

I do not see the rationale for this. The person has physical
access to the UPS *and* the power cords for the devices that
it protects (and powers, even when mains power is available
THROUGH the UPS!).

The person is free to alter the persistent settings for any of
these parameters after this ritual is performed.

So, what is the silly 30 second timeout achieving? Is it there
to protect against someone ACCIDENTALLY pressing RESET? Is it
there to ensure the existing password can remain intact even if the
user successfully accesses the console and opts not to change the
existing password?

This seems unduly complicated vs. simply "Press RESET for 10 seconds
to reset credentials (and IP?)"

I'm looking at other (UPS) manufacturers' products to see if they are
similarly convoluted for some reason...
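
A small C model of the sequence described in the post above, added here as an illustration; it is not part of either post and it is not APC's firmware. It shows that in a scheme like this the button alone changes nothing stored, and default credentials are honoured only while the window is open. All names, the 3-second flash delay, the 10-second wait for the second press, and counting the 30 seconds from the second press are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
/* Model of the sequence in the post; not APC firmware. From the post: two
 * presses, the flashing indicator, the 30-second limit. Assumed: all names,
 * both delays below, and that the 30 seconds run from the second press. */
enum rst_state { RST_IDLE, RST_ARMED, RST_WINDOW };
#define FLASH_DELAY_S  3u  /* assumed: "a few seconds" until the rapid flash */
#define ARM_TIMEOUT_S 10u  /* assumed: how long the card waits for press two */
#define WINDOW_S      30u  /* from the post */
struct card { enum rst_state state; uint32_t t_mark; /* seconds */ };

static void card_expire(struct card *c, uint32_t now)
{
    uint32_t limit = (c->state == RST_ARMED) ? ARM_TIMEOUT_S : WINDOW_S;
    if (c->state != RST_IDLE && now - c->t_mark > limit)
        c->state = RST_IDLE;   /* stage timed out; stored settings untouched */
}

void card_press_reset(struct card *c, uint32_t now)
{
    card_expire(c, now);
    if (c->state == RST_IDLE)
        *c = (struct card){ RST_ARMED, now };    /* first press */
    else if (c->state == RST_ARMED && now - c->t_mark >= FLASH_DELAY_S)
        *c = (struct card){ RST_WINDOW, now };   /* second press, after flash */
}                                                /* any other press: ignored */

bool card_default_login_ok(struct card *c, uint32_t now)
{
    card_expire(c, now);
    return c->state == RST_WINDOW;   /* defaults accepted only in the window */
}

/* Scenario: press at t=0, press again at t=press2, log in at t=login. */
bool default_login_accepted(uint32_t press2, uint32_t login)
{
    struct card c = { RST_IDLE, 0 };
    card_press_reset(&c, 0);
    card_press_reset(&c, press2);
    return card_default_login_ok(&c, login);
}

int main(void)
{
    printf("in time %d, late %d, early tap %d\n", default_login_accepted(4, 20),
           default_login_accepted(4, 40), default_login_accepted(0, 5));
    return 0;
}
```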

Re: More silly security

<uvd33h$h501$1@solani.org>

https://news.novabbs.org/tech/article-flat.php?id=136365&group=sci.electronics.design#136365

From: alien@comet.invalid (Jan Panteltje)
Newsgroups: sci.electronics.design
Subject: Re: More silly security
Date: Sat, 13 Apr 2024 04:53:04 GMT
Message-ID: <uvd33h$h501$1@solani.org>
References: <uvbrm4$2fn2h$6@dont-email.me>
 by: Jan Panteltje - Sat, 13 Apr 2024 04:53 UTC

On a sunny day (Fri, 12 Apr 2024 10:40:20 -0700) it happened Don Y
<blockedofcourse@foo.invalid> wrote in <uvbrm4$2fn2h$6@dont-email.me>:

>APC UPSs have (or can have) a network management option.
>Most usually, an add-in card with (at least) a NIC and
>some services hosted by the UPS (web interface, sshd,
>ftpd, etc.).
>
>Most UPSs don't have a traditional UI. Often, a serial
>console is available -- via a (trivial to make) special cable.
>
>To get the interface card to a known state, there is a RESET
>pinhole available. One would think holding the RESET for
>some abnormal amount of time would force the card to
>resume its default settings -- IP, password, etc.
>
>APC, however, have implemented a more bizarre scheme:
> Press RESET.
> Wait a few seconds for indicator on the card to rapidly flash
> Press RESET, again.
> Repeatedly strike ENTER on serial console until prompt appears.
> Use default credentials to log in.
>This must be accomplished in the first 30 seconds else the existing
>settings (ALL of them, including username and password) remain as is.
>
>[Keep in mind that for a racked UPS, you've got your head inside
>the rack on the BACK side of the UPS to access the RESET pinhole.
>And, the UPS is likely *low* in the rack making access challenging.
>Presumably, a laptop sitting nearby to act as the serial console]
>
>I do not see the rationale for this. The person has physical
>access to the UPS *and* the power cords for the devices that
>it protects (and powers, even when mains power is available
>THROUGH the UPS!).
>
>The person is free to alter the persistent settings for any of
>these parameters after this ritual is performed.
>
>So, what is the silly 30 second timeout achieving? Is it there
>to protect against someone ACCIDENTALLY pressing RESET? Is it
>there to ensure the existing password can remain intact even if the
>user successfully accesses the console and opts not to change the
>existing password?
>
>This seems unduly complicated vs. simply "Press RESET for 10 seconds
>to reset credentials (and IP?)"
>
>I'm looking at other (UPS) manufacturers' products to see if they are
>similarly convoluted for some reason...

I have this cheap UPS:
https://panteltje.nl/pub/APC_UPS_ES700_waveform_25W_edison_bulb_load_IMG_0270.JPG
the output is NOT a sinewave..
Came with ethernet cable etc, after some playing around with that interface decided better leave it disconnected..
Has been powering my Raspberries Pies, monitor, PC, most electronics on the table now for 5 years..
Comes in about every day for short few period interrupts when the power company switches things,
you can hear that, if it starts beeping I plug it into the big 250 Ah pure sinewave lipo
stuff I have if I think it is important to keep stuff on..
No ethernet needed and no hacking possible.
Still running on the same battery... not bad.
I like the multiple mains sockets too.
Think this model is no longer sold.
