[W1ndman] won’t win any security awards for this build, but it’s an interesting idea. On many Linux-based systems commands can be run with administrator privileges by prefacing them with the keyword ‘sudo’. Normally you’d be asked for a password but [W1ndman] used the Pluggable Authentication Modules (PAM) to authenticate via his own shell script. That script checks a code from this rotary dial for authentication. An Arduino takes care of listening for each digit that is entered and then sends the code via USB for comparison with a stored file. We’re not sure if that stored code is in a plain file or is otherwise protected, but at the very least this prevents you from using ‘sudo’ willy-nilly.
27 thoughts on “Rotary Dial Authenticates Sudo Commands”
oblig: http://xkcd.com/838/
Very light on the details, but a clever (if not terribly secure) idea.
Also a nice proof-of-concept for more mature ideas. Like PAM-sudo authentication with an RFID reader or something along those lines.
Dial 911 to reboot system :D
exactly what i needed to launch my own minuteman brb
reminds me of sudo su
heh nice
I don’t run Linux, but if I did, I’d definitely have to go for dual-key-switches-and-a-big-red-covered-button authentication for Sudo.
I dabbled with a method of reading a 700 series rotary phone dialler with an Arduino a couple of years back, if anyone needs the finer details… http://www.fizzpop.org.uk/?s=rotary+dialler
Midge
Sounds like UAC from hell…
Still awesome.
Here’s one to go with it…. Change all caps to your information…
Address=MYADDRESS; Password=MYPASS; User=USERNAME; Command='MYCOMMANDS;MORECOMMANDS'
# export so the expect script can read them as $env(...) (inside single quotes the shell does not expand $User etc.)
export Address Password User Command
expect -c 'spawn ssh $env(User)@$env(Address); expect "password:"; send "$env(Password)\n"; expect "~#"; send "$env(Command)\n"; expect "~"; send "exit\n"'
This bit of code will allow Arduino to control a computer with login. It’s all done with shell and the expect command, so no need to preconfigure anything. Just have a script watch arduino and if serial says to do something, do it.
Guessing Mike Szczys doesn’t use linux much.
sudo is a program that lets users run commands as root. It’s got nothing to do with linux. And sudo could be installed on any GNU operating system.
@Andrew,
I think you’re just being pedantic here. Realistically, most people’s exposure to “sudo” is from linux/unix. While it might technically be available to all GNU derivatives, Linux is the one that jumps to mind.
Also, Mike uses linux exclusively on his home computers. I had to ask him to set up a virtual windows machine to do something for me once.
@Andrew would it make you happier if we replaced Linux with *nix?
But if I understand this whole thing correctly, doesn’t the rotary dial just pulse the contact pairs closed/open a number of times based on the number you ‘dial’?
Couldn’t you do the same thing with a momentary pushbutton and just tap it the correct number of times? Isn’t that pretty much all ‘Pulse Dial’ was?
I used to dial phones without (accessible)keypads by connecting and disconnecting their leads this way.
Isn’t this considered security through obscurity?
Those rotary pads just generate a series of pulses (# pulses for # dialed), so if you know this, it should be relatively easy to spoof.
Just curious..
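The two comments above describe the whole mechanism: the dial opens the pulse contact N times for digit N (ten times for 0), with a longer pause between digits. The decoder below, an added example that is not code from the post or the Instructables project, turns a list of timestamped contact transitions into a digit string, treating very short opens as contact bounce and a long quiet period as the end of a digit. The timings (60 ms break, 40 ms make, 400 ms between digits) and the event format are constructed assumptions; they are typical of a 700-series dial but not taken from the page.

```python
"""Decode rotary-dial pulse trains into digits (added example, constructed input)."""
from typing import Iterable, List, Tuple

DIGIT_GAP_MS = 250   # quiet longer than this ends the current digit
MIN_BREAK_MS = 20    # shorter "opens" are treated as contact bounce
MAX_BREAK_MS = 150   # longer opens are not dial pulses (e.g. hook lifted)


def make_events(digits: str, start_ms: int = 0) -> List[Tuple[int, bool]]:
    """Constructed input: the (time_ms, line_open) transitions a dial would
    produce for `digits`: N pulses per digit (10 for '0'), 60 ms break /
    40 ms make, 400 ms pause between digits."""
    events: List[Tuple[int, bool]] = []
    t = start_ms
    for d in digits:
        pulses = 10 if d == "0" else int(d)
        for _ in range(pulses):
            events.append((t, True))         # contact opens (break)
            events.append((t + 60, False))   # contact closes again (make)
            t += 100
        t += 400                             # inter-digit pause
    return events


def _digit(count: int) -> str:
    """Map a pulse count to its digit; anything outside 1..10 is unreadable."""
    if count == 10:
        return "0"
    if 1 <= count <= 9:
        return str(count)
    return "?"


def decode_pulses(events: Iterable[Tuple[int, bool]]) -> str:
    """Count valid break pulses and group them into digits by the inter-digit gap."""
    digits: List[str] = []
    count = 0                  # pulses seen in the digit being dialled
    open_at = None             # time the contact last opened
    last_pulse_end = None      # time the last accepted pulse closed
    for t, line_open in sorted(events):
        if line_open:
            # A long silence since the last pulse means the previous digit is done.
            if count and last_pulse_end is not None and t - last_pulse_end > DIGIT_GAP_MS:
                digits.append(_digit(count))
                count = 0
            open_at = t
        else:
            if open_at is None:
                continue       # a close with no matching open: ignore
            duration = t - open_at
            open_at = None
            if MIN_BREAK_MS <= duration <= MAX_BREAK_MS:
                count += 1
                last_pulse_end = t
            # bounce (too short) or a held-open line (too long) is not a pulse
    if count:
        digits.append(_digit(count))
    return "".join(digits)


if __name__ == "__main__":
    # Constructed trace for "911" with one 5 ms bounce injected after the first pulse.
    trace = make_events("911") + [(65, True), (70, False)]
    print(decode_pulses(trace))
```

Because the only information in the signal is the pulse count per digit, the decoder has nothing to verify beyond the digits themselves; that is the point the commenters are making about spoofing, and it is why the strength of the scheme rests entirely on the secrecy and length of the code, not on the dial.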
@ Andrew Parting
Did you know that Mike Szczys is a contributor to mythicalLibrarian? mythicalLibrarian is a likely competitor for the largest bash script in the world. http://code.google.com/p/mythicallibrarian/source/browse/trunk/mythicalLibrarian
Also, Mike Szczys wrote the MythDataGrabber script which interfaces a Linux database. His linux experience is very broad and robust.
Btw… sudo is exclusive to POSIX operating systems, meaning you won’t find it on Windows. Linux is the “Q-tips” of POSIX. I think he is right in his wording and I wouldn’t question it.
@medix
I think we can assume that a particular number is required. A big number is a big number, irrespective of how it is communicated.
My computer, my rules. Too many idiots out there worried about nothing. I run sudo -s and stay powered up all day.
Man… it would take WAY too long to dial in “sudo ‘make me a sandwich'” on that phone…
“I don’t run Linux, but if I did, I’d definitely have to go for dual-key-switches-and-a-big-red-covered-button authentication for Sudo.”
^^ THIS!
Once I’m no longer exclusively on a laptop, I may have to build this into my PC case…
Looking at the source code provided on the instructables site, I would say the security of this hack is rather non-existent.
The password is saved as plain text and compared to the output of the serial tty coming from the arduino.
It would be much more efficient if part of the password was related to the switch timing of the rotary dial.
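The comment above points out that the stored code is kept in plain text and compared directly with the serial output. As an added example (not the Instructables project's code), here is the verification half written the way a PAM helper should do it: the stored record holds a salt and a PBKDF2 hash rather than the code, and the comparison is constant-time. It assumes the dialled digits reach the helper on standard input, which is how pam_exec's expose_authtok option hands over the entered token; the record path and the record format are assumptions of this example.

```python
"""Verify a dialled code against a salted hash record (added example)."""
import hashlib
import hmac
import os
import sys
from typing import Optional

ALGO = "pbkdf2-sha256"
ITERATIONS = 100_000


def make_record(code: str, salt: Optional[bytes] = None) -> str:
    """Build the record to store on disk: algorithm$iterations$salt$hash (hex)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(code: str, record: str) -> bool:
    """Return True only if `code` hashes to the digest in `record`.

    Malformed records fail closed; the digest comparison is constant-time so
    the helper's timing does not leak how many leading bytes matched."""
    try:
        algo, iters_str, salt_hex, digest_hex = record.strip().split("$")
        if algo != ALGO:
            return False
        iters = int(iters_str)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, iters)
    return hmac.compare_digest(actual, expected)


def main() -> None:
    # Assumed layout: pam_exec (expose_authtok) writes the dialled code to stdin;
    # DIAL_CODE_RECORD points at the record written once by make_record().
    record_path = os.environ.get("DIAL_CODE_RECORD", "/etc/security/dial_code")
    code = sys.stdin.readline().rstrip("\n")
    try:
        with open(record_path, encoding="ascii") as fh:
            record = fh.read()
    except OSError:
        sys.exit(1)            # no record: deny rather than fall open
    sys.exit(0 if verify(code, record) else 1)


if __name__ == "__main__":
    main()
```

Hashing fixes the disclosure problem (a leaked record no longer reveals the code) but not the small keyspace: a seven-digit dialled code has only ten million possibilities, so the PAM stack still needs a failure delay (pam_faildelay) or lockout to make guessing expensive, and the record file should be readable only by root.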
“with great power comes great responsibility.”
In short, if there’s a chance you’re going to ‘\rm -rf /’, don’t be on the sudo’er list, or limit the commands you can run through sudo. Whilst I admire the originality, if you need this to prevent you using sudo ‘willy-nilly’ then maybe a reconsideration of your role is required.
http://hackaday.com/?s=searchlight and a red sudo phone and Battux will come:)
Very nice. I’d be using the 700 series dial.
How about using the rest of the phone as an IP handset. Would also make a nice enclosure for the dial.
BTW for other brits here, 700 series dials are pretty heavily sprung. I replaced the one in my 746 with one from a Trimphone slightly modded to fit the hole so it doesn’t slide about when you’re dialling one-handed.
This would be interesting for remote users. Have a red light start flashing to indicate a user has requested sudo access (with an LCD showing the user name of course). Only an admin with the “code” and physical access can allow the request. Of course this assumes good security practices in the implementation…
Anyway my problem was with “prefix with the keyword sudo”.
It implies that either he doesn’t understand what’s going on when you use sudo or he is dumbing down a SERIOUSLY simple concept.
Obviously he thinks we’re idiots, so I simply insulted him back.
(As an aside, the things you posted trying to make him seem like a linux genius weren’t especially amazing.)
You could just have a big red button that the script causes to blink. If the button isn’t pressed then the system doesn’t sudo.