As has been known for at least a year, the intelligence agency known as the Equation Group is capable of reprogramming or reflashing a computer hard drive's firmware with malicious code. Needless to say, this is unsettling. I find it peculiar that I have read no articles about this malevolent act. You have been posting articles about hardening a server with specific encryption algorithms and hash message authentication protocols, but not about protecting your hard disk against hackers and such. My idea is to read the firmware of the hard disk upon purchase, hash it, and then compare this hash value with future firmware reads. If there is no way to do this, it could be an entertaining article to appear in your magazine. I would be thankful to read an article about this in the near future, and I am sure many of the Linux supporters around the world will appreciate this as well.
—
Vincent
Kyle Rankin replies: You are right that there aren't many articles out there about protecting a server against malicious hard disk firmware. The closest coverage we've had in Linux Journal was an approach you can use to protect against malicious motherboard firmware by using the completely Free Software Libreboot BIOS. See the Hack and / “Libreboot on an X60” series (in the March, April and May 2015 issues of LJ) and the follow-up “Flash ROMs with a Raspberry Pi” (November 2015).
With a combination of Libreboot as your BIOS and using only hardware that has free software firmware, you could use the same Raspberry Pi you used to flash your BIOS to pull a copy of the BIOS periodically while the laptop is off and compare checksums to confirm nothing has changed. Unfortunately, this approach validates only the motherboard firmware, not the hard disk firmware. So far, I haven't seen any successful projects that free up hard disk firmware like Libreboot and Coreboot have for the BIOS.
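The periodic baseline-and-compare check Kyle describes, written out as a small script. This is an added example, not code from Linux Journal, Kyle Rankin or the Libreboot project. It assumes flashrom is installed on the Pi, that the flash chip is clipped to the Pi's SPI bus at /dev/spidev0.0 (the device path, SPI speed and the rom-dumps directory are placeholders to adjust for your wiring), and that the laptop is powered off during the read. It reads the chip twice and insists the two images agree before hashing, so a marginal clip contact surfaces as a read error rather than as a false tampering alert.

```shell
#!/bin/sh
# Added example: baseline-and-compare for a Libreboot flash chip read from a
# Raspberry Pi. Not code from the article or the Libreboot project.
# Assumptions (placeholders, adjust to your wiring): flashrom is installed,
# the chip is clipped to the Pi's SPI bus at $SPI_DEV, dumps live in $ROM_DIR.

ROM_DIR="${ROM_DIR:-$HOME/rom-dumps}"
SPI_DEV="${SPI_DEV:-/dev/spidev0.0}"
SPI_SPEED="${SPI_SPEED:-8000}"   # kHz; lower it if the two reads disagree

# Read the chip twice and require both images to be identical before
# trusting the dump: a marginal clip contact then fails here instead of
# producing a spurious "firmware changed" alert. flashrom may also need
# -c <chipname> if it cannot identify the chip unambiguously.
dump_rom() {
    out="$1"
    flashrom -p "linux_spi:dev=$SPI_DEV,spispeed=$SPI_SPEED" -r "$out"   >/dev/null || return 1
    flashrom -p "linux_spi:dev=$SPI_DEV,spispeed=$SPI_SPEED" -r "$out.2" >/dev/null || return 1
    if ! cmp -s "$out" "$out.2"; then
        echo "inconsistent reads of $out, check the clip and wiring" >&2
        rm -f "$out.2"
        return 1
    fi
    rm -f "$out.2"
}

# Bare hex SHA-256 of a file.
rom_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Record the baseline once, right after flashing Libreboot, while you still
# trust the image. Keep this file on the Pi, not on the laptop being checked.
record_baseline() {
    rom_hash "$1" > "$2"
}

# Compare a fresh dump against the recorded baseline.
# Returns 0 when the image is unchanged, 1 when it differs.
verify_rom() {
    dump="$1"
    baseline="$2"
    expected=$(cat "$baseline")
    actual=$(rom_hash "$dump")
    if [ "$expected" = "$actual" ]; then
        echo "OK: $dump matches baseline"
        return 0
    fi
    echo "ALERT: $dump differs from baseline" >&2
    echo "  expected $expected" >&2
    echo "  got      $actual" >&2
    return 1
}

# Usage on the Pi, laptop powered off, clip attached:
#   mkdir -p "$ROM_DIR"
#   dump_rom "$ROM_DIR/baseline.rom" && record_baseline "$ROM_DIR/baseline.rom" "$ROM_DIR/baseline.sha256"
# and on every later check:
#   dump_rom "$ROM_DIR/check.rom" && verify_rom "$ROM_DIR/check.rom" "$ROM_DIR/baseline.sha256"
```

The baseline hash belongs on the Pi (or on paper), never on the machine under test: the whole point of reading the chip externally is that firmware which has already been tampered with gets no say in what the "expected" value is. As the reply notes, this covers only the boot flash; it says nothing about the disk's own firmware.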
I wanted to thank you for one of the best technical articles I have ever read (see “Understanding Firewalld in Multi-Zone Configurations” by Nathan R. Vance and William F. Polik). It was very helpful, and I totally agree that firewalld is under-documented.
The only issue I had with the article was that if I copied and pasted any of the code onto the command line, it would not run.
—
Mike Tarkowski
William Polik and Nathan Vance reply: We are glad you appreciated the additional documentation on firewalld. If the example commands do not run for you, you will want to check the following:
Is firewalld installed on your system? Verify with which firewall-cmd.
Is firewalld running on your system (instead of iptables, for example)? Verify with systemctl status firewalld.
Make sure commands are being run as root or with sudo.
Also note that this does not appear to be an issue with the content of the article, but rather with the embedding of hidden characters in the PDF formatting of the article. If you type the commands yourself, rather than copying and pasting, they work fine.
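The checklist above and the hidden-character explanation, as shell helpers. This is an added example, not code from the article or from Vance and Polik's reply. preflight() runs the three checks in order; count_hidden() and strip_hidden() expose and remove bytes that a PDF copy-and-paste can carry into the command line. The sample "pasted" command in the usage note is constructed, and the choice of a zero-width space and a non-breaking space as the hidden characters is an assumption, since the reply does not say which characters the PDF contained.

```shell
#!/bin/sh
# Added example, not code from the article or from Vance and Polik's reply.
# preflight() runs the three checks from the reply; count_hidden() and
# strip_hidden() deal with hidden bytes in text pasted from a PDF.
# The hidden characters shown in the usage note (zero-width space, NBSP)
# are an assumption for the constructed sample, not taken from the PDF.

# The three checks from the reply, in order. Stops at the first failure so
# a wrapper script does not apply half a firewall configuration.
preflight() {
    command -v firewall-cmd >/dev/null 2>&1 \
        || { echo "firewall-cmd not found: is firewalld installed?" >&2; return 1; }
    systemctl is-active --quiet firewalld \
        || { echo "firewalld is not running (is the iptables service active instead?)" >&2; return 1; }
    [ "$(id -u)" -eq 0 ] \
        || { echo "run as root or with sudo" >&2; return 1; }
    echo "preflight OK"
}

# Count the bytes on stdin that are not tab, LF, CR or printable ASCII.
# Zero means the pasted text is exactly what you see on the screen.
count_hidden() {
    LC_ALL=C tr -d '\11\12\15\40-\176' | LC_ALL=C wc -c | tr -d ' '
}

# Normalise pasted text: turn a UTF-8 non-breaking space (C2 A0) into a
# plain space first, because simply deleting it would glue two arguments
# together, then drop every remaining non-ASCII or control byte.
strip_hidden() {
    nbsp=$(printf '\302\240')
    LC_ALL=C sed "s/$nbsp/ /g" | LC_ALL=C tr -cd '\11\12\15\40-\176'
}

# Usage: run the pasted line through the helpers before executing it.
#   pasted=$(printf 'firewall-cmd \342\200\213--zone=public\302\240--add-service=http')
#   printf '%s' "$pasted" | count_hidden    # 5 (three bytes of ZWSP, two of NBSP)
#   printf '%s' "$pasted" | strip_hidden    # firewall-cmd --zone=public --add-service=http
```

When a pasted command fails with an error that makes no sense for the text you can see, pipe it through count_hidden before assuming the article is wrong; a non-zero count tells you the shell received something other than what the page displayed.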
I just read the September 2016 issue of LJ and this article (“Hard Drive Rescue with a Raspberry Pi and Relay” by Andrew Nii Addo) is so awesome, it made my day! I never thought of using a Raspberry Pi to cycle a hard disk! It makes so much sense once I read the article.
This basically confirms my belief that LJ is a necessity and not a luxury.
Thanks for sharing your work in the article—great idea.
—
Guru
Can you ask Dave Taylor to forward his code for the Mars lander to the ESA? Apparently, they've been having some problems with the reverse thrust settings on the Schiaparelli lander. (See Dave's Work the Shell column in the September, October and November 2016 issues.)
—
David Terry
Dave Taylor replies: Sounds like a good plan, because a shell script is the best possible choice for our next interplanetary adventure vessel!