New Two-Headed Hard Drive Intended To Secure Web Sites

dlur writes: "This article states that Scarabs (In Japanese), a Japanese company, is developing a hard drive with two heads, one read-only and another that is read/write. With this comes two cables, the read-only side going to the external web server, and the r/w cable going to an internal protected server. While this should make it quite a bit tougher for script kiddies to place their mark on a page, I doubt it will stop any real hackers from getting to a site's DB as that would still need to be r/w."

Snake Oil

[Carnage4Life]

Two hard drives heads, one OS, one root/administrator account. If your box is r00ted, it doesn't matter how many hard drives or hard drive heads you have you have still been 0wn3d.

Re:Snake Oil

[Xaoswolf]

Actually since the drive has two cables. One for the webserver, and another to go to another machine, that wouldn't need to have the same password. The computer that has the read/write capabilities doesn't even have to be on the network, so they would have to actually break physical security of the company to hack the web page.

Instead of saying that the sun can burn you, he told someone sitting in a dark closet that they are going to get burnt if they stay there. Still maybe not flamebait, but if you are going to type in l33t to look cool, at least read the article.

Still exploitable?

[Erasmus+Darwin]

It seems a malicious user could still attempt to serve defaced pages off of a ram disk on the compromised machine. Yes, a reboot will fix the problem, but that's only slightly more convenient than restoring a compromised system from backups. Furthermore, I suspect that the read-only harddrive would encourage admins to become lazier with regard to applying server patches, since the system would be perceived as "secure".

Protection from defacement only, and then iffy.

[Cutriss]

As Timothy points out, this only prevents script kiddies from being able to modify existing content using a backdoor or whatnot. However, it won't do anything about denial of service attacks, since the server software and its modules/plugins are all in RAM, and will still be receiving inputs. Buffer overflows and whatnot are still possible. However, defacements will at least go away, and those are the second-most high-profile types of attacks, as they're visible to the general public. Database attacks would be the worst, though, since, as Timothy again points out, they must be writeable.

Huh?

[Tom7]

You don't need to write to the disk to make a compromised server serve up bogus content.

Furthermore, we can already do this same thing by mounting a network file system (say) in read-only mode. Other than being funky, what's the point?

Re:Huh?

[Mark+Bainter]

The point is that it would be impossible to override this in software. I mean, following your logic you can also just make the files 444. But if someone gains access to that webserver at a high enough level they can change all that. With this scenario they can't.

Re:Huh?

[Jeppe+Salvesen]

This device would make it physically impossible to write. When you mount read-only, there is still at some level a possibility that someone might bypass the read-only lock.

I actually think this device has limited, but good applications. Anyone serving up static content would be a bit safer with this technology. Of course, logging traffic and such would be a bitch, but the server would only need a reboot if someone broke in.

No use for RDBMS-sites

[MattRog]

As the article poster touched on, this won't do anything if you're concerned with RDBMS integrity (and have a site which requires write access to your RDBMS).

For static content, it sounds like a cool idea, even if they get root all they can do is view things and not touch. Of course, if that compromised boxen is attached to an internal network to your RDBMS, then they can go to hax0ring the heck out of your DB, they just have to use whatever tools you have installed on the web server.

Hey before you go out and buy one

[t0qer]

Remember you can do the SAME thing with the hard drive you currently own and a CD drive. Here are some simple instructions...

A create your website
B burn it to CD
C modify httpd.conf, document root, set to /mnt/cdrom

Voila! and I didn't need to hire a team of japanese researchers to figure it out either.

Re:Hey before you go out and buy one

Better still use hdparm to set read-only bit on your HD, or cut the write line on the HD cable (we do this sometimes -- after setting hdparm's read-only though).

Re:What would be the input route?

[brsmith4]

Seeing as most large web sites don't serve their database off of their web server, I don't think this would be a problem. The code for the web page is served off of the server with that funky two-headed drive. Its read only to the internet, but the dynamic content, for instance user posts here on slashdot, are retreived and stored on a separate, secure db server. Your PHP, ASP, whatever, will call SQL queries to that server and not 'localhost' like (un)usual. Read the original posting. It pretty much states this already with the script kiddes vs. real hackers statement.

The Weakest Point

[ZipperHead99]

The weakest point any in system is and always will be the people running it and / or administrating it.

This kind of technology is a bit of a waste. The time and money would be much better spent on education and implementation of methodologies to minimize the risk of a break in, and how to handle it when it happens. (Because chances are, sooner or later, IT WILL) No matter how many firewalls or dual cable IDEs you have.

What a lame-brained idea

[Mad+Quacker]

Of course none of the R/W computers will be in any way attached to the internet.... in the best possible setup a machine that has access to both networks can be compromised, etc. If it's not, updating will be a major pain, so much so they might as well flip the read-only jumper on the drives between updates rather than use this system.

Aside from the obvious, there are much better uses for more than one head in a drive. Multiple simultaneous seeks, faster seeks, and twice the raw read rate. The market for this should be huge. Hard drive transfer rate is the bottleneck for most tasks, including boot time. All the while with less heat, power, and noise of the 7200+rpm drives.

Nasty thing to do to buffer cache

[wowbagger]

This would completely screw up any modern OS (or Windows).

The OS assumes that it, and it alone, modifies the disk, and that the disk won't change state without the OS making that change. This is one of the reasons you don't want to allow raw disk access from a VMWare or DOSemu session to a mounted file system - the emulated OS will access the disk, and the host OS's file system won't know about it. Boom! Instant corrupted file system.

In the case of this double-ended drive, the web server will assume that, since it has read the disk once, it needn't read that sector again. Then the write side computer modifies the disk, and the web server won't pick it up.

I'd rather see a disk with dual heads, and the logic to allow the system to read different sectors at the same time, all kept coherent by the drives controller as a way to increase throughput.

But to use this as a protection on a web server is just plain dumb.

Re:Nasty thing to do to buffer cache

[Hard_Code]

Uh, if one OS is completely unaware of another OS's access to hardware, there IS a rather large potential for corruption. Just imagine: web server starts reading file through read-only head, internal machine modifies said file, web server continues to read said file. What happens in this case? What happens if the file is deleted without the web server being notified?

It has nothing to do with drivers. Drivers live in an island called the operating system, and if those two islands are not connected, a driver on one machine will have no clue what a driver on the other is doing - they will both think they are accessing two completely different disks. Your argument might hold against VMWare if VMWare is really juggling and managing interrupts intelligently (so the operating systems don't step on each other) - but you didn't mention anything about this, and this certainly wouldn't hold for two entirely independent machines with no shared communication mechanism (the whole point of having an insecure web server use the read-only head, while the secure internal server uses the read/write head).

"Oh, and god forbid, what about NFS and Samba? Are the machines that host the NFS/Samba shares NOT allowed to change the contents of those systems?"

I'm not sure what your point is. NFS, Samba, and virtually any other network-based sharing system uses cumbersome slow-ass large-grained locking protocols. The article was about two completely seperate machines (no shared communication mechanism like NFS/Samba/sockets/shared mem - nothing).

Well it's a clever idea but...

[rocjoe71]

Some of the biggest e-commerce blunders have been allowing hackers to read credit card numbers, etc.

Sure, this new drive can protect existing data from destruction, but we need protection from the wrong people reading the information that's already in a website.

Gah.. do it in software.

[billcopc]

This is SO a gimmick. It is no replacement for a properly configured server that's 99.98% locked down. You're going to need a second machine to feed files onto the box anyway, so why not just grant the webserving box read-only access on the file server ? Ideally this server would be totally isolated from the internet, and wouldn't accept write requests coming from the web box. So the only way to update anything is to be sitting on a workstation on the inside, and then to have a valid login on the fileserver.

This is so frickin' simple, the only reason this Scarabs company is even in business is because there are too many idiots running semi-important servers out there. Having your network admin'd by a clueless fuck is not something that will be solved by a piece of buzzy hardware.

Re:Log server

[SuiteSisterMary]

I've had a similar idea when it comes to making a log server. If it is only physically possible to write to the log server, then there would be no way someone could erase their tracks.

Why do you think a lot of logservers print to a lineprinter? :-)

Hell, I think the upper levels of the old Orange Book *required* a hardcopy of logentries, in real time.

Re:More Speed?

[Krellan]

I thought of this as well, back when I interviewed at ReplayTV (I didn't get in, but that's neither here nor there).

Why not make a hard drive with two arms? They would be located 180 degrees apart from each other, so they would never bump into each other.

Each arm would be able to access the entire range of the hard drive.

One would be read-write and the other would be read-only, or both of them could be read-write if there would be no significant increase in cost.

This would be great for TiVo and ReplayTV units, which need to read large continuous amounts of data while writing large continuous amounts of different data! And it would be much quieter than the current one-arm drives, that have to thrash, making the units more appealing in a residential environment (one of the main complaints about the units is that the drives are too loud).

Considering the large quantities of drives that TiVo or ReplayTV use, is a special order out of the question? I'm sure this has been thought of before, and with a large enough order, anything is possible within reason. Western Digital made a custom drive for a large order, and found it to have such a good idea that it was officially added to their product line! (It's the larger 8MB cache in a "special edition" of their 100GB drive.)

Unfortunately this kind of drive would not work well with IDE. IDE is designed to wait for one command to complete before executing another command. So this means that the gain of being able to execute read-write commands in parallel would be neutered by this protocol. A solution is to use a SCSI drive that supports Tagged Command Queuing (TCQ)! This drive, if the controller and OS software support it, can stack up multiple commands that can be resolved in any order, as fast as the drive allows. This means that multiple outstanding commands could be sent to the drive, and the drive firmware would be free to execute them in the optimal order.

This would be a great advantage, as it could allow a slower drive to be used (less power consumption, less heat, less chance of failure). The slowness of the drive would be offset by the two arm design, making the drive effectively twice as fast. It might be even faster than that, as seek time would be reduced to almost nothing when reading or writing simultaneously from two different places!

The only disadvantage would be increased cost of having to use a SCSI drive (including controller) versus an IDE drive, and a one-time cost of having to add support for TCQ to whatever OS that is being used.

I wonder if a two-arm drive is being planned for use in ReplayTV or TiVo units? It seems like too good of an idea to pass up....

Re:slashdot freak show

[Phrogman]

That's odd. You would think that any Distro calling itself "Lesbian Linux" would not have "man" pages. I would think they would be called "womyn" pages or something :D