New Two-Headed Hard Drive Intended To Secure Web Sites

dlur writes: "This article states that Scarabs (In Japanese), a Japanese company, is developing a hard drive with two heads, one read-only and another that is read/write. With this comes two cables, the read-only side going to the external web server, and the r/w cable going to an internal protected server. While this should make it quite a bit tougher for script kiddies to place their mark on a page, I doubt it will stop any real hackers from getting to a site's DB as that would still need to be r/w."

slashdot freak show

[tps12]

First a 60-foot squid, now a mutant two-headed hard drive. What next, the announcement of the Bearded Lady Linux distro?

Re:slashdot freak show

[The_Guv'na]

Nope, no bearded lady as yet. You'll just have to make do with Lesbian Linux.

Ali

Re:slashdot freak show

[Phrogman]

That's odd. You would think that any Distro calling itself "Lesbian Linux" would not have "man" pages. I would think they would be called "womyn" pages or something :D

More Speed?

[1010011010]

This sounds like a nice drive to use in TiVo-type units as well, so that the read head can return data as the r/w head updates the media, rather than flopping the only head back and forth.

Re:More Speed?

[Krellan]

I thought of this as well, back when I interviewed at ReplayTV (I didn't get in, but that's neither here nor there).

Why not make a hard drive with two arms? They would be located 180 degrees apart from each other, so they would never bump into each other.

Each arm would be able to access the entire range of the hard drive.

One would be read-write and the other would be read-only, or both of them could be read-write if there would be no significant increase in cost.

This would be great for TiVo and ReplayTV units, which need to read large continuous amounts of data while writing large continuous amounts of different data! And it would be much quieter than the current one-arm drives, that have to thrash, making the units more appealing in a residential environment (one of the main complaints about the units is that the drives are too loud).

Considering the large quantities of drives that TiVo or ReplayTV use, is a special order out of the question? I'm sure this has been thought of before, and with a large enough order, anything is possible within reason. Western Digital made a custom drive for a large order, and found it to have such a good idea that it was officially added to their product line! (It's the larger 8MB cache in a "special edition" of their 100GB drive.)

Unfortunately this kind of drive would not work well with IDE. IDE is designed to wait for one command to complete before executing another command. So this means that the gain of being able to execute read-write commands in parallel would be neutered by this protocol. A solution is to use a SCSI drive that supports Tagged Command Queuing (TCQ)! This drive, if the controller and OS software support it, can stack up multiple commands that can be resolved in any order, as fast as the drive allows. This means that multiple outstanding commands could be sent to the drive, and the drive firmware would be free to execute them in the optimal order.

This would be a great advantage, as it could allow a slower drive to be used (less power consumption, less heat, less chance of failure). The slowness of the drive would be offset by the two arm design, making the drive effectively twice as fast. It might be even faster than that, as seek time would be reduced to almost nothing when reading or writing simultaneously from two different places!

The only disadvantage would be increased cost of having to use a SCSI drive (including controller) versus an IDE drive, and a one-time cost of having to add support for TCQ to whatever OS that is being used.

I wonder if a two-arm drive is being planned for use in ReplayTV or TiVo units? It seems like too good of an idea to pass up....

Still exploitable?

[Erasmus+Darwin]

It seems a malicious user could still attempt to serve defaced pages off of a ram disk on the compromised machine. Yes, a reboot will fix the problem, but that's only slightly more convenient than restoring a compromised system from backups. Furthermore, I suspect that the read-only harddrive would encourage admins to become lazier with regard to applying server patches, since the system would be perceived as "secure".

But.... But.....!

[The_Shadows]

Too easy... Must resist!
Nah, forget it.

"I mean, two heads are better than one."

Protection from defacement only, and then iffy.

[Cutriss]

As Timothy points out, this only prevents script kiddies from being able to modify existing content using a backdoor or whatnot. However, it won't do anything about denial of service attacks, since the server software and its modules/plugins are all in RAM, and will still be receiving inputs. Buffer overflows and whatnot are still possible. However, defacements will at least go away, and those are the second-most high-profile types of attacks, as they're visible to the general public. Database attacks would be the worst, though, since, as Timothy again points out, they must be writeable.

Re:Protection from defacement only, and then iffy.

[Dalroth]

However, it won't do anything about denial of service attacks, since the server software and its modules/plugins are all in RAM, and will still be receiving inputs.

That's a nice point, however, I don't think this should have any impact on your decision wether to use this product/strategy or not.

DOS attacks are a problem that are near impossible to solve no matter what hardware you may have (even your 10's of thousands of dollars worth of Cisco routers). This product isn't targetted at DOS attacks.

Buffer overflows and whatnot are still possible.

BUT BUT BUT! They are FAR less effective. One of the problems with overflows are that they give you access to the machine. The danger is when they can login to the machine, install all their hacking tools, packet sniffers, and what not. That's where the real damage is done.

Now, if the ENTIRE hard disk on the web server is read only, and the machine that they use to make changes to the partition is on a complete seperate network (perhaps not even connected to the internet at all) this could be a VERY effective way of limiting damage done (especially if you are carefull about what applications are installed on your server to begin with).

Database attacks would be the worst, though, since, as Timothy again points out, they must be writeable.

Finally, this is not necessarilly true as well. If you run a website that provides the user with realtime information (such as stock quotes, or mortgage rates), most of the data is coming from some source internal to your company. You can easily make that database readonly for the web server, and seperate any minimal user info database into it's own read/write database thus further limiting the damage they can do. In fact, if you aren't doing this already you're probably doing something wrong. Here at work we have two seperate copies of our database (replicated in realtime). One is linked directly to our internal accounting system and updated frequently. The other is 100% read only and ALL reports are run from that.

I'm not nitpicking you, or anybody in particular. This is a GREAT option. It's not perfect yes, but if you really think about it, you can use this thing in many very very powerfull ways (and as mentioned above you can do some similar things by tweaking IDE cables and useing CD roms). Same thing can be said for Linux router distributions running off of read only 3¼ floppies or CD-Roms! :)

Bryan

Huh?

[Tom7]

You don't need to write to the disk to make a compromised server serve up bogus content.

Furthermore, we can already do this same thing by mounting a network file system (say) in read-only mode. Other than being funky, what's the point?

Re:Huh?

[Mark+Bainter]

The point is that it would be impossible to override this in software. I mean, following your logic you can also just make the files 444. But if someone gains access to that webserver at a high enough level they can change all that. With this scenario they can't.

Re:Huh?

[Jeppe+Salvesen]

This device would make it physically impossible to write. When you mount read-only, there is still at some level a possibility that someone might bypass the read-only lock.

I actually think this device has limited, but good applications. Anyone serving up static content would be a bit safer with this technology. Of course, logging traffic and such would be a bitch, but the server would only need a reboot if someone broke in.

No use for RDBMS-sites

[MattRog]

As the article poster touched on, this won't do anything if you're concerned with RDBMS integrity (and have a site which requires write access to your RDBMS).

For static content, it sounds like a cool idea, even if they get root all they can do is view things and not touch. Of course, if that compromised boxen is attached to an internal network to your RDBMS, then they can go to hax0ring the heck out of your DB, they just have to use whatever tools you have installed on the web server.

NFS?

[Micah]

Well an external web server could be set up to mount everything NFS read only. Seems like that would be a bit simpler.... ...but since 99% of sites are dynamic it seems to be an impossibility anyway...

Hey before you go out and buy one

[t0qer]

Remember you can do the SAME thing with the hard drive you currently own and a CD drive. Here are some simple instructions...

A create your website
B burn it to CD
C modify httpd.conf, document root, set to /mnt/cdrom

Voila! and I didn't need to hire a team of japanese researchers to figure it out either.

Re:Hey before you go out and buy one

[doughnuthole]

Or you could put a switch on IDE pin 23, the write line. Flipping the switch to disconnect the line would prevent any data from being written, while still having the higher speeds and lower seek times of a hard drive.

It would be simple to just flip the switch, modify your files and then switch it back when you are done so no changes can be made later.

Even better, put it on an electronic keyswitch mounted on the front of the box, and you have an effective security system for things like demo stations and kiosks.

Re:Hey before you go out and buy one

[Jonny+290]

Yeah, and some dumb overclocker kid at the colo puts a UV cold cathode in there cause it 'looks cool' and erases the whole fuckin thing. :)

Neat idea, in all seriousness.

What a lame-brained idea

[Mad+Quacker]

Of course none of the R/W computers will be in any way attached to the internet.... in the best possible setup a machine that has access to both networks can be compromised, etc. If it's not, updating will be a major pain, so much so they might as well flip the read-only jumper on the drives between updates rather than use this system.

Aside from the obvious, there are much better uses for more than one head in a drive. Multiple simultaneous seeks, faster seeks, and twice the raw read rate. The market for this should be huge. Hard drive transfer rate is the bottleneck for most tasks, including boot time. All the while with less heat, power, and noise of the 7200+rpm drives.

Nasty thing to do to buffer cache

[wowbagger]

This would completely screw up any modern OS (or Windows).

The OS assumes that it, and it alone, modifies the disk, and that the disk won't change state without the OS making that change. This is one of the reasons you don't want to allow raw disk access from a VMWare or DOSemu session to a mounted file system - the emulated OS will access the disk, and the host OS's file system won't know about it. Boom! Instant corrupted file system.

In the case of this double-ended drive, the web server will assume that, since it has read the disk once, it needn't read that sector again. Then the write side computer modifies the disk, and the web server won't pick it up.

I'd rather see a disk with dual heads, and the logic to allow the system to read different sectors at the same time, all kept coherent by the drives controller as a way to increase throughput.

But to use this as a protection on a web server is just plain dumb.

Re:Nasty thing to do to buffer cache

What a party pooper. Here we are having a perfectly
good time talking about something we know absolutely
nothing about and along comes an educated person that
decides to spoil the party with a little knowledge.
Damn you and all of your technology. ;.)

Re:Nasty thing to do to buffer cache

[Hard_Code]

Uh, if one OS is completely unaware of another OS's access to hardware, there IS a rather large potential for corruption. Just imagine: web server starts reading file through read-only head, internal machine modifies said file, web server continues to read said file. What happens in this case? What happens if the file is deleted without the web server being notified?

It has nothing to do with drivers. Drivers live in an island called the operating system, and if those two islands are not connected, a driver on one machine will have no clue what a driver on the other is doing - they will both think they are accessing two completely different disks. Your argument might hold against VMWare if VMWare is really juggling and managing interrupts intelligently (so the operating systems don't step on each other) - but you didn't mention anything about this, and this certainly wouldn't hold for two entirely independent machines with no shared communication mechanism (the whole point of having an insecure web server use the read-only head, while the secure internal server uses the read/write head).

"Oh, and god forbid, what about NFS and Samba? Are the machines that host the NFS/Samba shares NOT allowed to change the contents of those systems?"

I'm not sure what your point is. NFS, Samba, and virtually any other network-based sharing system uses cumbersome slow-ass large-grained locking protocols. The article was about two completely seperate machines (no shared communication mechanism like NFS/Samba/sockets/shared mem - nothing).

Well it's a clever idea but...

[rocjoe71]

Some of the biggest e-commerce blunders have been allowing hackers to read credit card numbers, etc.

Sure, this new drive can protect existing data from destruction, but we need protection from the wrong people reading the information that's already in a website.

Ahem

[The_Shadows]

So sayeth the article:

Hackers will be unable to attack Web sites protected by a new security system unless they can change the laws of physics, according to Naoto Takano

I'm working on it all ready. So far I've managed to get the relativity theory down to E/2 = MC^(1.9)

And standard Earth Gravity now has a value of 8.8m/s/s.

Up.

And don't try to fill up a garbage bag anytime soon. I've been playing with volume. They're now "Garbage Bags of Holding."

good for dumb MBAs / VC and idiot security staff

[noahbagels]

Great.

Now, we have to explain one more thing to VCs and MBAs. All they know is there is this thing called a website that exists on a thing called a webserver.

Hasn't anyone on /. ever taken a security class?
Has anyone on /. ever worked in on security projects and/or audits?

Let me break it down for the rest of you:
This ads exactly zero extra security for a well-run website. Most well-run sites already have seperately firewall'd http-webservers and database machines. Some well-run sites have the application server on yet a third firewall'd network (or vlan etc).

Any place worth 5cents will not have valued data sitting on an httpd server!

This is really Ooooga-Boooga in a nutshell for VCs and MBAs trying to make a buck on security-scared VCs and MBAs running other companies.

I don't buy it.
Secure your site properly - as one other poster mentioned, for the less-funded (read: cheap/poor/startup/blah) company/service you can simply mount a CD-R with your site's static content on it. Even JSPs can live on a CDr (as long as they're precompiled into servlets, or there's a scratch disk for the JSP-container to compile them).

Re:Log server

[SuiteSisterMary]

I've had a similar idea when it comes to making a log server. If it is only physically possible to write to the log server, then there would be no way someone could erase their tracks.

Why do you think a lot of logservers print to a lineprinter? :-)

Hell, I think the upper levels of the old Orange Book *required* a hardcopy of logentries, in real time.

Prior Art?

[El_Smack]

According to this "The God Janus, husband of Jana, is known as the custodian of the universe, the God who watches over doors and gateways, and the two-headed God of ... "

Please send any patent inquires to
Cesear, Emporer of Rome
123 Pantheon Drive

Industry rejected multi-head drives long ago...

[Zinho]

From the article:
"The original idea of a hard disk having two heads emerged around 1985..."

Funny that the technology hasn't been implemented after all this time... Or has it?

From the StorageReview.com reference section:
"Such hard disks have been built. Conner Peripherals, which was an innovator in the hard disk field in the late 1980s and early 1990s (they later went bankrupt and their product line and technology were purchased by Seagate) had a drive model called the Chinook that had two complete head-actuator assemblies: two sets of heads, sliders and arms and two actuators. They also duplicated the control circuitry to allow them to run independently. For its time, this drive was a great performer. But the drive never gained wide acceptance, and the design was dropped. Nobody to my knowledge has tried to repeat the experiment in the last several years.

There are several reasons why it is not practical to make a drive with more than one actuator. Some are technical; for starters, it is very difficult to engineer. Having multiple arms moving around on a platter makes the design complex, especially in small form factors. There are more issues related to thermal expansion and contraction. The heat generated inside the hard drive is increased. The logic required to coordinate and optimize the seeks going on with the two sets of heads requires a great deal of work. And with hard disk designs and materials changing so quickly, this work would have to be re-done fairly often.

However, the biggest reasons why multiple actuators designs aren't practical are related to marketing. The added expense in writing specialty electronics and duplicating most of the internal control components in the drive would make it very expensive, and most people just don't care enough about performance to pay the difference. Hard disks are complex technology that can only be manufactured economically if they are mass-produced, and the market for those who would appreciate the extra actuators isn't large enough to amortize the development costs inherent in these fancy designs. It makes more sense instead to standardize on mass-produced drives with a single actuator stack, and build RAID arrays from these for those who need the added performance. Compare a single 36 GB drive to an array of four 9 GB drives: in effect, the array is a 36 GB drive with four sets of everything. It would in most cases yield performance and reliability superior to a single 36 GB drive with four actuators, and can be made from standard components without special engineering."

So, from the looks of things, it would be easier and cheaper to use single-head drives in easy-to-put-together configurations than put two heads in the same drive. Admittedly, the StorgeReview.com reference's author didn't mention setting up a read-only/read-write scheme, but the logic still works. I'd guess that it would still be easier to make a RAID container that provides read-only access on one channel and read-write on another.

Again, from the article:
"Scarabs is also working on a different version of the technology--instead of putting two heads on a hard disk, the company is connecting two SCSI interface circuits to a conventional hard disk with one head, one set to send read-only electronic signals and the other to send read/write signals."

This company already knows that their gimmick drive won't sell. No one will buy an over-priced drive with higher probability of failure over a (comparatively) cheap SCSI trick that requires no extra moving parts.

Re:Snake Oil

[Xaoswolf]

Actually since the drive has two cables. One for the webserver, and another to go to another machine, that wouldn't need to have the same password. The computer that has the read/write capabilities doesn't even have to be on the network, so they would have to actually break physical security of the company to hack the web page.

Instead of saying that the sun can burn you, he told someone sitting in a dark closet that they are going to get burnt if they stay there. Still maybe not flamebait, but if you are going to type in l33t to look cool, at least read the article.