Sysadmin cracked military PC’s security by reading the manual
All it took was a three-fingered salute and some autoexec.bat action
On-Call: Welcome once more to On-Call, The Register’s attempt to make Fridays tolerable by bringing you fellow readers’ tales of terrifying tech support jobs they somehow survived.
This week, meet “Guy”, who told On-Call he grew up in the golden age of the microcomputer, meaning that by the time he joined his local Army National Guard unit he was familiar with machines like the TRS-80, TI-99/4A, C-64 and Apple II.
One day National Guard HQ delivered a new PC to Guy’s unit. His prior experience meant he was given the job of making it work.
His problems started immediately because Guy’s superior “explained that the guys from HQ had set everything up, but had forgotten to give them the password to get into the system.”
The PC in question was a Zenith Data Systems 286 that Guy powered up after “throwing the big toggle switch on the side, waiting a while for a lovely green screen with a menu would pop up.”
Without a password, nothing else was possible at that point.
Guy figured there had to be a way around that impasse, so “looked at the system, tried variations of CTRL-C, CTRL-BREAK and CTRL-ALT-DEL. Nothing seemed to work. So, I asked for the manual, started looking through it, and started laughing.”
Why the chuckles? Because “Zenith Data Systems at the time had a lovely diagnostic set built into ROM. To access it, all you had to do was hit CTRL-ALT-INSERT instead of CTRL-ALT-DEL.”
And one of the diagnostic options available after CTRL-ALT-INSERT was “a boot to command prompt, bypassing the autoexec.bat file”.
Guy told us he “happily did the CTRL-ALT-INSERT, got to the command prompt, made a backup copy of the autoexec.bat file and wrote another .bat file to put everything back the way I'd found it, and removed the password bits from the autoexec.bat file.”
But Guy’s clever effort seemed to have been in vain, because just as he was finishing, a call came in from HQ with the password.
Guy’s boss “laughed and told them that one of his guard members was able to bypass the entire ‘security system’ and access the PC”.
Which was when Guy was told to “wait here” while a rather serious discussion started about his exploits.
“I'll admit to being a bit nervous about it, but figured I was asked to do it by an officer higher in rank than me, so I hadn't had a choice.”
Guy’s nervousness was the right reaction, because he was soon subjected to quite the grilling by his superiors.
His response was to “meekly raise my hand and say ‘I read the manual’.”
Which didn’t go down well, so Guy “pulled out the manual, opened it to the page on diagnostics, read the applicable section, then went through the steps.”
“Their jaws just dropped, speechless, staring. They'd been assured that no one could get past the security in the autoexec file since CTRL-C.”
Guy was then asked to restore the PC to its seemingly secure state and told not to say anything about his finding to anyone.
Several months later, folks from National Guard HQ returned, “opened the skin of the PC system and replaced a ROM chip”. And with that, Guy’s exploit became impossible.
“I found out later that I'd gotten a commendation for finding the vulnerability and reporting it,” Guy concluded.
On-Call assumes whoever signed off on the purchase got the opposite!
Have you cracked the surely-not-crackable? If so, click here to write to On-Call and perhaps we’ll feature your story here on a future Friday. ®