alecm<p><strong>What the history of OpenBoot, Phrack, Mudge & Solaris, can teach us about the wisdom (or not) of Apple’s building their iPhone security debugging-backdoor-NSA-hack thing</strong></p><p>In the days before people really, <em>really</em>, cared about security — when it was more amazing that mainstream computers <em>worked at all</em> rather than that they offered falsifiable guarantees about privacy and integrity, and most of all in the days before hackerdom decided that it would be great if all the world’s computation ran on <em>“…surely 640Kb is enough for anyone?”</em> glorified MS-DOS personal computers rather than on architectures specifically designed to carry the weight of “big data”… back in those days there was the concept of a <em>monitor</em>.</p><p>By <em>monitor</em> we don’t mean <em>VDU</em> nor <em>LCD screen</em>, but instead that what you considered to be your entire computer operating system was something which could be paused, inspected, poked, amended, restarted or halted, all by a little parasitic computer system which probably polled the device tree and booted it up in the first place. The consequence of the monitor was that — beyond being a mere “boot loader” — you were essentially <em>running your entire operating system kernel under a live debugger on a 24×7 basis</em>. </p><p>This “debugger” was the <em>monitor</em>; sometimes it was separate hardware, sometimes it was just a firmware-level subsystem with which you could interrupt your operating system at any point, and call back into. At Sun Microsystems (in particular, but much the same was available elsewhere) the monitor evolved into a complete and flexible little solution called OpenBoot, which subsequently became a PCI standard (<a href="https://flylib.com/books/en/3.126.1.41/1/" rel="nofollow noopener noreferrer" target="_blank">it is/was(?) 
even in MacOS</a>) and it was massively powerful.</p><p>Unfortunately: with great power comes great responsibility, which (per the first paragraph) people were not really aware of, yet.</p><p>So, in July 1998, <a href="https://en.wikipedia.org/wiki/Peiter_Zatko" rel="nofollow noopener noreferrer" target="_blank">Mudge</a> posted in Phrack an article titled <a href="http://phrack.org/issues/53/9.html#article" rel="nofollow noopener noreferrer" target="_blank">“FORTH Hacking on Sparc Hardware”</a>, explaining how to use the monitor to change the UID of your shell process to be zero/the <em>root</em> user:</p><pre><code>Fire up the trusty OpenBoot system via L1-A and get the pointer to the
cred structure via :

ok hex f5e09000 18 + l@ .
f5a99858
ok go

Now, get the effective user id by

ok hex f5a99858 4 + l@ .
309
(309 hex == 777 decimal)
ok go

Of course you want to change this to 0 (euid root):

ok hex 0 f5a99858 4 + l!
ok go

check your credentials!

Alliant+ id
uid=777(mudge) gid=1(other) euid=0(root)</code></pre> <p><strong><em>tl;dr — press some keys, type a magic incantation in Forth and you become “root”</em></strong></p><p>Let’s just say that OpenBoot was a very powerful and essential medicine… but the provision of that power caused security side-effects/issues that were not going to go away in any short period of time. An <a href="https://www.giac.org/paper/gcih/182/privilege-elevation-system-memory-editing-sun-sparc-platform/101427" rel="nofollow noopener noreferrer" target="_blank">excellent little white paper from GIAC</a> provided a synopsis and context from a few years later, in 2001.</p><blockquote><p>The technique of elevating user privileges by manually editing system runtime memory is an exploit that can be used to subvert all operating system security measures. This vulnerability is not operating system platform specific and exists in all computer hardware that utilizes a programmable firmware component for hardware control and bootstrapping procedures. This paper will explain this vulnerability as a class of exploit and utilize the SUN Microsystems’ OpenBoot programmable ROM (PROM) and Solaris as a technical example.</p><p><a href="https://www.giac.org/paper/gcih/182/privilege-elevation-system-memory-editing-sun-sparc-platform/101427" rel="nofollow noopener noreferrer" target="_blank">https://www.giac.org/paper/gcih/182/privilege-elevation-system-memory-editing-sun-sparc-platform/101427</a></p></blockquote> <p>Speaking as one of the people who had to clean up the mess: we/Sun Microsystems should have done a lot more to mitigate the ability of people to get at this powerful medicine; this issue was one of several which drove Sun’s internal security community to create and force the adoption of <a href="https://docs.oracle.com/en/operating-systems/solaris/oracle-solaris/11.4/secure-sys-dev/using-secure-default-configuration.html#GUID-815E7957-FFC3-4F2C-8EE4-1CE27D5BE709" rel="nofollow noopener noreferrer" target="_blank">the “Secure By Default” initiative</a>, and to formalise customer provision and promote adoption of <a href="https://docs.oracle.com/cd/E19056-01/sec.tk42/819-1504-10/SST_RN.html" rel="nofollow noopener noreferrer" target="_blank">the Solaris Security Toolkit</a> which (amongst many other configuration changes) locked down several different routes by which the OpenBoot monitor could be exploited.</p><p>From the perspective of 2023: this all should have happened 5, perhaps 10 years before Mudge’s posting, but there was neither the corporate will — nor customer will/expertise — to address the matter at that time.</p><p>So when I look at Apple, and <a href="https://alecmuffett.com/article/108745" rel="nofollow noopener noreferrer" target="_blank">there’s an apparent hardware debugging widget in the memory which can be driven by undocumented means to poke the entire system</a>, for a device which they are literally advertising as robust and secure, my reactions are 
basically:</p><ol><li>Dude…</li><li>Dudes…</li><li>Dudettes…</li><li>What the fuck?</li><li>This is history repeating itself…</li><li>Like really, what the fuck?</li><li>At least when <em>we</em> did it, it was in a world where hardly anyone cared.</li></ol> <p><a rel="nofollow noopener noreferrer" class="hashtag u-tag u-category" href="https://alecmuffett.com/article/tag/apple" target="_blank">#apple</a> <a rel="nofollow noopener noreferrer" class="hashtag u-tag u-category" href="https://alecmuffett.com/article/tag/essay" target="_blank">#essay</a> <a rel="nofollow noopener noreferrer" class="hashtag u-tag u-category" href="https://alecmuffett.com/article/tag/mudge" target="_blank">#mudge</a> <a rel="nofollow noopener noreferrer" class="hashtag u-tag u-category" href="https://alecmuffett.com/article/tag/openboot" target="_blank">#openboot</a> <a rel="nofollow noopener noreferrer" class="hashtag u-tag u-category" href="https://alecmuffett.com/article/tag/operation-triangulation" target="_blank">#operationTriangulation</a> <a rel="nofollow noopener noreferrer" class="hashtag u-tag u-category" href="https://alecmuffett.com/article/tag/sun-microsystems" target="_blank">#sunMicrosystems</a></p><p><a href="https://alecmuffett.com/article/108789" rel="nofollow noopener noreferrer" target="_blank">https://alecmuffett.com/article/108789</a></p>
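<p>An added example, not from the post and not code from Sun’s Security Toolkit: a small POSIX shell audit of the two Solaris/OpenBoot settings that close the route in the Phrack excerpt above, a password-protected monitor (<code>eeprom security-mode</code> set to <code>command</code> or <code>full</code>) and a disabled console abort sequence (<code>KEYBOARD_ABORT=disable</code> in <code>/etc/default/kbd</code>). It runs on constructed sample text rather than a live SPARC box; the function names and report wording are the example’s own.</p>

```shell
#!/bin/sh
# Added audit helper (not from the post, not from Sun's Security Toolkit).
# Two Solaris/OpenBoot settings close the "L1-A, then poke the kernel from
# the ok prompt" route shown in the Phrack excerpt:
#   1. eeprom security-mode = command|full -> the monitor demands a password
#      before it will run arbitrary ok-prompt words such as l@ / l!.
#   2. KEYBOARD_ABORT=disable in /etc/default/kbd -> the console abort
#      sequence (L1-A / Stop-A) no longer halts the running kernel at all.

# Returns 0 if an `eeprom` dump shows a password-protected monitor.
check_security_mode() {
    mode=$(printf '%s\n' "$1" | sed -n 's/^security-mode=//p' | tr -d '[:space:]')
    case "$mode" in
        command|full) return 0 ;;
        *)            return 1 ;;
    esac
}

# Returns 0 if /etc/default/kbd text disables the abort sequence
# (last uncommented KEYBOARD_ABORT= line wins, as the file is read in order).
check_keyboard_abort() {
    val=$(printf '%s\n' "$1" | grep -v '^#' | sed -n 's/^KEYBOARD_ABORT=//p' \
          | tail -n 1 | tr -d '[:space:]')
    [ "$val" = "disable" ]
}

# Runs both checks, prints a one-line verdict each, exit 0 only if both pass.
audit_openboot() {
    rc=0
    if check_security_mode "$1"; then echo "security-mode: OK"
    else echo "security-mode: FAIL (ok prompt accepts commands with no password)"; rc=1; fi
    if check_keyboard_abort "$2"; then echo "keyboard-abort: OK"
    else echo "keyboard-abort: FAIL (L1-A/Stop-A can still drop into the monitor)"; rc=1; fi
    return $rc
}

# Constructed samples: a factory-default host and a locked-down one.
EEPROM_DEFAULT='security-mode=none
auto-boot?=true'
KBD_DEFAULT='# /etc/default/kbd (constructed sample)
KEYBOARD_ABORT=enable'
EEPROM_HARDENED='security-mode=command
auto-boot?=true'
KBD_HARDENED='KEYBOARD_ABORT=disable'

# On a live SPARC host you would pass "$(eeprom security-mode)" and
# "$(cat /etc/default/kbd)" instead of the constructed strings.
audit_openboot "$EEPROM_DEFAULT" "$KBD_DEFAULT" || true
audit_openboot "$EEPROM_HARDENED" "$KBD_HARDENED"
```

<p>Note that <code>security-mode=command</code> still lets the machine boot normally; it only stops someone at the console from running arbitrary Forth against the halted kernel, which is exactly the step the 1998 article relied on.</p>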