BIOS hacks...

[Don Y]

We loan laptops to students as part of a STE(A)M program.
These laptops contain courseware for the program. We want
to minimize the cost (effort) to maintain these, during the
program (i.e., if one \"goes down\", then the student immediately
needs a replacement).

The most common way for a laptop to be compromised is via
malware, not hardware failures. So, we want to make it
\"very hard\" to install software on the laptops that would
require a system reinstall.

We also want to make the laptops \"valueless\" as pawnable items.
This population is disadvantaged so they -- or a family member,
friend, etc. -- could be enticed to converting a laptop to cash.
These laptops belong to The Program. (we aren\'t concerned about
the \"value\" being lost as much as the *effort* to create a
replacement -- labor is always in short supply)

On completion of the program (\"graduation\"), they are gifted
a \"real\" laptop. What the student does to -- or with -- THEIR
laptop is entirely up to them; it\'s *theirs*!

To make The Program\'s laptops more secure AND less valuable
(pawned, resold, etc.), I\'m trying to come up with a \"portable\"
means of altering them JUST ENOUGH that they won\'t install
software from DVD, over the network, etc. So, they boot into
*my* OS and run our applications. And, if stolen/sold/lost,
would prove to be of no value -- because they don\'t follow the
rules that a regular laptop would!

A cheap hack seems like just rearranging the BIOS entry points
could thwart the normal operations of \"a laptop\" -- yet still
allow all of that BIOS functionality to be accessed by our
applications (cuz we would use the corrected/broken binding).

This could be portable to different makes/models as the entry
points are standardized, even if the actual BIOS implementation
varies.

One notable problem would be if the (a) BIOS was signed and
my alterations rendered that signature invalid. Of course,
each vendor/model could have a different key so I\'d have
to solve this problem many times.

[I\'m not as worried about checksums as those can be bruteforced]

Any other suggestions for locking it down? Or, for working
around \"safeguards\" in the BIOS? (I\'ve also considered gluing the
optical drive shut with media in place and forcing that to
be the sole boot medium)

 

[Don Y]

On 10/17/2022 7:02 PM, Don Y wrote:

Any other suggestions for locking it down?  Or, for working
around \"safeguards\" in the BIOS?  (I\'ve also considered gluing the
optical drive shut with media in place and forcing that to
be the sole boot medium)

Hmmm.... maybe take a similar tactic with the disk drive?
I don\'t care if the laptops are locked into a given mechanical
configuration; I can always add an (privileged) application that
allows *me* to update the image on the GLUED SHUT disk bay!
That way, the optical bay could be crippled and those two
boot sources rendered inoperative.

[Wouldn\'t want to cripple the NIC as that would have value
to the application so I\'d need to find a way to defeat PXE boot]

 

[server]

Don Y <blockedofcourse@foo.invalid> wrote in news:til1fi$3lcfg$1
@dont-email.me:

We loan laptops to students as part of a STE(A)M program.
These laptops contain courseware for the program. We want
to minimize the cost (effort) to maintain these, during the
program (i.e., if one \"goes down\", then the student immediately
needs a replacement).

The most common way for a laptop to be compromised is via
malware, not hardware failures. So, we want to make it
\"very hard\" to install software on the laptops that would
require a system reinstall.

Run Linux on them and use a USB \'drive\' for the location of the
software you are pushing and allow ZERO hacks to the laptops and
monitor attempts of any. If these idiot students are going to
\"malware\" bristling sites, they ALSO need to be reprogrammed.

You could even run the Linux from a stick, so the laptop ONLY runs
what you put on the stick, and you could issue those almost even on a
daily basis.

You could even have the updates be online so a \"new stick\" could be
made by the student.

You could also run the laptop with no hard drive like the original
IBM XT had. We had to boot from a floppy and then our \"game\"
(NetHack) was on another floppy and that even had to be traded
occasionally back to the OS Floppy for the machine to continue.

 

[server]

Don Y <blockedofcourse@foo.invalid> wrote in news:til1fi$3lcfg$1@dont-
email.me:

We also want to make the laptops \"valueless\" as pawnable items.
This population is disadvantaged so they -- or a family member,
friend, etc. -- could be enticed to converting a laptop to cash.
These laptops belong to The Program. (we aren\'t concerned about
the \"value\" being lost as much as the *effort* to create a
replacement -- labor is always in short supply)

Silk screen print and or Laser etch a \"PROPERTY OF SUCHNSUCH\" \"DO NOT
PAWN\" sign on the lid of the laptop so that pawn shops know that they
are not the property of the holder.

 

[server]

Don Y <blockedofcourse@foo.invalid> wrote in news:til1fi$3lcfg$1@dont-
email.me:

To make The Program\'s laptops more secure AND less valuable
(pawned, resold, etc.), I\'m trying to come up with a \"portable\"
means of altering them JUST ENOUGH that they won\'t install
software from DVD, over the network, etc. So, they boot into
*my* OS and run our applications. And, if stolen/sold/lost,
would prove to be of no value -- because they don\'t follow the
rules that a regular laptop would!

They should not have a DVD player in them to begin with.

Also, you can use hard coded splash screens in a custom BIOS that
declares the school as the owner of the laptop with every boot attempt,
even before the OS gets loaded, that remains \"up\" until a certain key
is pressed to continue loading. Then a pawn shop would not touch it.
Include contact information and an assigned serial number on the splash
screen. I had a PC that played Fur Elise and Close Encounters music
from the PC speaker on every boot because I had boot software in it
that ran before the hand off to the OS.

 

[Martin Brown]

On 18/10/2022 03:02, Don Y wrote:

We loan laptops to students as part of a STE(A)M program.
These laptops contain courseware for the program.  We want
to minimize the cost (effort) to maintain these, during the
program (i.e., if one \"goes down\", then the student immediately
needs a replacement).

The most common way for a laptop to be compromised is via
malware, not hardware failures.  So, we want to make it
\"very hard\" to install software on the laptops that would
require a system reinstall.

How hard is very hard? And what OS are you running? It isn\'t so hard to
disable installing software for end users and make it something that
only the super user can do. You might be able to password protect the
BIOS access on some platforms too so they cannot alter the boot order.

How much is enough depends on the sophistication of your adversary.

Maybe a better AV is actually the solution to your problems.
(or installing the likes of Malwarebytes to unpick common malware)

We also want to make the laptops \"valueless\" as pawnable items.
This population is disadvantaged so they -- or a family member,
friend, etc. -- could be enticed to converting a laptop to cash.
These laptops belong to The Program.  (we aren\'t concerned about
the \"value\" being lost as much as the *effort* to create a
replacement -- labor is always in short supply)

Gouge \"XYZ STEAM PROGRAM\" into the lid with a soldering iron!
(or for neater a job with of those hot embossing kits)

Any other suggestions for locking it down?  Or, for working
around \"safeguards\" in the BIOS?  (I\'ve also considered gluing the
optical drive shut with media in place and forcing that to
be the sole boot medium)

I\'d be more inclined to solve the value problem by physically defacing
them so that they are not resaleable. There are also some very high tack
PU glues that can be used to attach inventory labels - same effect.

As a student when I lived in a really rough neighbourhood I had a quite
nice Motorola car radio with facia that had been altered to look like it
had already been stolen once which stopped thieves in their tracks.

Functionality was fine but resale value was effectively nil.


--
Regards,
Martin Brown

 

[Don Y]

On 10/18/2022 9:30 AM, Martin Brown wrote:

On 18/10/2022 03:02, Don Y wrote:
We loan laptops to students as part of a STE(A)M program.
These laptops contain courseware for the program.  We want
to minimize the cost (effort) to maintain these, during the
program (i.e., if one \"goes down\", then the student immediately
needs a replacement).

The most common way for a laptop to be compromised is via
malware, not hardware failures.  So, we want to make it
\"very hard\" to install software on the laptops that would
require a system reinstall.

How hard is very hard? And what OS are you running?

Now, we\'re planning on using one of my OS\'s -- to drive home the
point that \"this isn\'t a PC\". (It\'s an appliance that leverages
the hardware that is typically used in a PC)

It isn\'t so hard to disable
installing software for end users and make it something that only the super
user can do.

Yes, I built a lab, years ago, that locked down all of the machines
(so \"Tommy\" could walk up to a machine that \"Timmy\" had just used and
be assured that it is EXACTLY in the same state that it was when he
last used it, even though there is only one \"user\" account.

But, those machines were supervised. And, if any of them had been
hacked, one of the kids would have noticed it and commented.

You might be able to password protect the BIOS access on some
platforms too so they cannot alter the boot order.

There are hacks to defeat BIOS passwords on many laptops (I don\'t want
to have to research how \"secure\" each password implementation is).
Password protected *disks* can just be wiped -- they\'ve \"lost\"
nothing as they now have a clean disk!

> How much is enough depends on the sophistication of your adversary.

These are sorely disadvantaged clients. They have lots of TIME and
very little money. Those that aren\'t homeless will have a place to
keep their laptop out of the weather. Some of those will have a
car -- with a blue driver\'s side door on an otherwise yellow vehicle.
They purchased *used* tires (I didn\'t realize such a thing existed!).
Likely are driving without insurance -- or, pay-by-the-month coverage.
Etc.

If there\'s a way to get something for nothing, they will find it
(or already know of it).

Maybe a better AV is actually the solution to your problems.
(or installing the likes of Malwarebytes to unpick common malware)

That\'s one more thing that would have to be maintained. We\'re
looking at upwards of 1,000 seats so anything that has to be
done has to be done 1000X.

My approach is to just not let anything onto the machines.
\"No, you can\'t play games on it. No, you can\'t view porn.
No you can\'t surf the web. No, you can\'t order stuff from
Amazon. etc.\"

[In the past, we\'ve had other programs where we distributed
\"real\" PC\'s -- with genuine MS & Office licenses, Av installed,
etc. We spent probably half of our time removing malware from
machines when their users would come in complaining \"it doesn\'t
work\". Of course, they wanted us to recover their SCHOOL work
from the machine, not just reinstall everything! Note that
this is all done for free with volunteer labor. How long do you
think you can keep volunteers when they see how their \"clients\"
are abusing their time? \"Well, my brother used it to look at
girly pictures...\" \"My sister wanted to play an adventure
game, online...\" etc.]

We also want to make the laptops \"valueless\" as pawnable items.
This population is disadvantaged so they -- or a family member,
friend, etc. -- could be enticed to converting a laptop to cash.
These laptops belong to The Program.  (we aren\'t concerned about
the \"value\" being lost as much as the *effort* to create a
replacement -- labor is always in short supply)

Gouge \"XYZ STEAM PROGRAM\" into the lid with a soldering iron!
(or for neater a job with of those hot embossing kits)

It wouldn\'t stop someone selling it to a friend for $10 (remember,
they got it for free so it\'s like they just got a free $10 bill!)
You\'re not going to see these in a storefront or have a cop notice
one and arrest the possessor for receiving stolen property.

These kids are always one step ahead of any policies you put in place.
They\'ll come in and take (with permission), 10 pair of undershorts
(NIB) from inventory. Next week, they\'ll be back for 10 more!
(surely the first 10 haven\'t worn out, already?! No, they are
selling or trading them to friends -- for cigarettes, cash, etc.)

If you put a limit on how many pair of underwear they can take
(and TRACK it -- at some cost to yourself), they\'ll take book bags.
Or, backpacks. Or, cans of vegetables. Or diapers (\"I didn\'t know
you had a kid, Tyrone?\")

[It is REALLY easy to become jaded dealing with these sorts! OTOH,
there are some who are truly appreciative and don\'t abuse the
system. Would you penalize all of them, equally?]

[[I won\'t be able to stop folks from trying to cash in on the
laptops. But, hopefully, the folks that they trade/sell them
to will quickly discover that there isn\'t much that THEY can
do with them. E.g., I\'m putting tiny disks -- 16GB -- and
reducing available RAM -- 4GB -- so you can\'t even part them
out!]]

Any other suggestions for locking it down?  Or, for working
around \"safeguards\" in the BIOS?  (I\'ve also considered gluing the
optical drive shut with media in place and forcing that to
be the sole boot medium)

I\'d be more inclined to solve the value problem by physically defacing them so
that they are not resaleable. There are also some very high tack PU glues that
can be used to attach inventory labels - same effect.

As a student when I lived in a really rough neighbourhood I had a quite nice
Motorola car radio with facia that had been altered to look like it had already
been stolen once which stopped thieves in their tracks.

Functionality was fine but resale value was effectively nil.

I buy a fair bit of kit at local auctions. Or, rescues from stuff that is
being recycled. Most of it LOOKS \"used\", has inventory tags, \"PROPERTY OF\",
etc. I\'m a bit obsessive so clean all of this stuff off before I bring
a piece of kit into the house (I\'m going to give it a thorough cleaning,
anyway, so why not spend the extra time and remove those \"unremovable\"
tags, as well?). I\'ve no desire to be pushing \"sticky\" buttons because
someone happened to have poor hygiene or was a smoker, etc.

But, if I was the type that didn\'t care about these things, I\'d just
leave them \"as is\" -- it doesn\'t affect usability!

I lived in a less-than-desirable neighborhood when in school. And, have
worked in places where people were KILLED. But, never really felt as
bad off as these folks. I.e., I always knew it was a temporary thing,
for me; it\'s FOREVER for these folks! :<

 

[whit3rd]

On Monday, October 17, 2022 at 7:02:35 PM UTC-7, Don Y wrote:

We loan laptops to students as part of a STE(A)M program.
These laptops contain courseware for the program. We want
to minimize the cost (effort) to maintain these, during the
program (i.e., if one \"goes down\", then the student immediately
needs a replacement).

The most common way for a laptop to be compromised is via
malware, not hardware failures. So, we want to make it
\"very hard\" to install software on the laptops that would
require a system reinstall.

We also want to make the laptops \"valueless\" as pawnable items.

Well, if the program is compatible with tether to a central machine,
you could just give out Xterminals, that interact with a central server
(or cloud service). That\'s kinda hard on the network attachment side,
but it does have rather slight resale value. And, a fresh image is
a quick way to make the virtual machine pristine.

Less adventurous, consider Apple\'s walled-garden. The App store only
takes owner-privilege orders.
Apple\'s \'Back to My Mac\' scheme gets rather snippy if the owner wants it to,
and could be released at graduation time so the student can keep their
decals or other bling...

 

[Don Y]

On 10/18/2022 9:06 PM, whit3rd wrote:

On Monday, October 17, 2022 at 7:02:35 PM UTC-7, Don Y wrote:
We loan laptops to students as part of a STE(A)M program.
These laptops contain courseware for the program. We want
to minimize the cost (effort) to maintain these, during the
program (i.e., if one \"goes down\", then the student immediately
needs a replacement).

The most common way for a laptop to be compromised is via
malware, not hardware failures. So, we want to make it
\"very hard\" to install software on the laptops that would
require a system reinstall.

We also want to make the laptops \"valueless\" as pawnable items.

Well, if the program is compatible with tether to a central machine,
you could just give out Xterminals, that interact with a central server
(or cloud service). That\'s kinda hard on the network attachment side,
but it does have rather slight resale value. And, a fresh image is
a quick way to make the virtual machine pristine.

These kids are underprivileged. Many are homeless (not usually
\"sleeping-under-a-bridge\" homeless but, \"sleeping-on-tom\'s-couch-TONITE\"
homeless. So, they need a small footprint/portable solution -- as
they will likely have to lug it around as their \"home\" changes.

Those that have \"homes\" are usually rentals. And, change pretty
regularly, as well (likely \"failure to pay rent\" forcing a change
of address). And, internet access FROM HOME is just not realistic.

[Lots of people get their internet by lurking around coffee shops
or public libraries. It\'s not uncommon to see a car sitting
outside a library in the dark of night -- likely surfing the web
or some other access \"for free\"]

Less adventurous, consider Apple\'s walled-garden. The App store only
takes owner-privilege orders.
Apple\'s \'Back to My Mac\' scheme gets rather snippy if the owner wants it to,
and could be released at graduation time so the student can keep their
decals or other bling...

I\'m hoping to make it reasonably obvious that \"this isn\'t a PC\"
by hosting a non-windows UI. Some will undoubtedly think they
can still extract value by selling their laptop; and, when the
*buyer* realizes that he can\'t do anything with it, word should
spread that this \"opportunity\" doesn\'t bear fruit.

Unlike \"real\" laptops, there won\'t be a constant need for
\"security updates\", application upgrades, etc. So, the
flexibility that is available with a real PC isn\'t needed.
I\'ll update the apps each semester but no more frequently
(because doing so is costly, in terms of labor).

 

[server]

Don Y <blockedofcourse@foo.invalid> wrote:

A cheap hack seems like just rearranging the BIOS entry points
could thwart the normal operations of \"a laptop\" -- yet still
allow all of that BIOS functionality to be accessed by our
applications (cuz we would use the corrected/broken binding).

Hmm, \"Secure Boot\" would be a joke if you could do this. So
it would be very interesting if what you want to do works.

--
Waldek Hebisch

 

[whit3rd]

On Tuesday, October 18, 2022 at 10:42:54 PM UTC-7, Don Y wrote:

On 10/18/2022 9:06 PM, whit3rd wrote:
On Monday, October 17, 2022 at 7:02:35 PM UTC-7, Don Y wrote:
We loan laptops to students as part of a STE(A)M program.
These laptops contain courseware for the program. We want
to minimize the cost (effort) to maintain these, during the
program (i.e., if one \"goes down\", then the student immediately
needs a replacement).

The most common way for a laptop to be compromised is via
malware, not hardware failures. So, we want to make it
\"very hard\" to install software on the laptops that would
require a system reinstall.

We also want to make the laptops \"valueless\" as pawnable items.

These kids are underprivileged. Many are homeless (not usually
\"sleeping-under-a-bridge\" homeless but, \"sleeping-on-tom\'s-couch-TONITE\"
homeless. So, they need a small footprint/portable solution -- as
they will likely have to lug it around as their \"home\" changes.

Have you considered the OLPC devices?
Rugged, simple, and fairly easy to maintain (but not using a lot
of resale-able parts).

<https://wiki.laptop.org/go/XO-4_Touch>

 

[Don Y]

On 10/26/2022 9:11 PM, whit3rd wrote:

On Tuesday, October 18, 2022 at 10:42:54 PM UTC-7, Don Y wrote:
On 10/18/2022 9:06 PM, whit3rd wrote:
On Monday, October 17, 2022 at 7:02:35 PM UTC-7, Don Y wrote:
We loan laptops to students as part of a STE(A)M program.
These laptops contain courseware for the program. We want
to minimize the cost (effort) to maintain these, during the
program (i.e., if one \"goes down\", then the student immediately
needs a replacement).

The most common way for a laptop to be compromised is via
malware, not hardware failures. So, we want to make it
\"very hard\" to install software on the laptops that would
require a system reinstall.

We also want to make the laptops \"valueless\" as pawnable items.

These kids are underprivileged. Many are homeless (not usually
\"sleeping-under-a-bridge\" homeless but, \"sleeping-on-tom\'s-couch-TONITE\"
homeless. So, they need a small footprint/portable solution -- as
they will likely have to lug it around as their \"home\" changes.

Have you considered the OLPC devices?
Rugged, simple, and fairly easy to maintain (but not using a lot
of resale-able parts).

https://wiki.laptop.org/go/XO-4_Touch

We rely on donated items -- \"zero cost\". There are LOTS of laptops
that are routinely \"retired\" as part of normal business upgrade cycles.
(\"LOTS\" is a REALLY big number. Disturbingly so!) And far more
*desktops* but those are impractical for these clients.

[I might have to process 4 or 5 *pallets* of donations in a given week]

The challenge is always to figure out how to leverage these donations
(items) with minimal added labor to service the largest possible
client base. I develop lots of automation to make \"building\"
(and tracking and maintaining) them easier to avoid the need for
additional labor (volunteer labor is \"free\" but has other associated
costs -- like being unreliable! PAID labor quickly becomes a
constraint on how large a client base you can practically support)

So, I need an approach that I can apply to different makes/models
equally as I can\'t be ASSURED that I will ever have more than *one*
of any given make/model. (the psychological aspect is yet another
issue that has to be managed; you don\'t want kids thinking that
someone else got a \"better\" computer than they did)

The BIOS hack, in theory, would be applicable to all devices. Even
if the actual BIOS differs from one machine to another.

But, it may not be practical to devote the time to sorting out how
to alter each BIOS within the constraints that the BIOS imposes on
modification (ages ago, a simple checksum was a sufficient POST
measure; now I suspect many BIOSes are cryptographically signed,
or, have other measures in place to prevent malware from overwriting
their contents)

If this is ever funded as part of the mainstream curriculum,
then someone else will sort out how to address the issue -- maybe
doing a large bulk purchase or approaching a big donor for a
CASH donation that can be converted into equipment.

 

[Martin Brown]

On 27/10/2022 06:01, Don Y wrote:

The BIOS hack, in theory, would be applicable to all devices.  Even
if the actual BIOS differs from one machine to another.

Given that many are now UEFI aren\'t you always going to be fighting a
losing battle since anyone sufficiently skilled will be able to reverse
engineer things to get past whatever you interpose.

It is probably also better for your clients to have experience on a
system that is approximately Windows like if not Windows.

But, it may not be practical to devote the time to sorting out how
to alter each BIOS within the constraints that the BIOS imposes on
modification (ages ago, a simple checksum was a sufficient POST
measure; now I suspect many BIOSes are cryptographically signed,
or, have other measures in place to prevent malware from overwriting
their contents)

I think you might have to accept some level of attrition rate with the
ones that you loan out. Physically defacing them would be my solution to
make their resale value low or non-existent.

Even if you lock it down the internal ram memory has a sufficient book
value that some enterprising individual will take it out and sell it.

Way back we had an entire university building stripped of ram from all
of the PCs over a long weekend. They left behind a hell of a mess.

--
Regards,
Martin Brown

 

[Don Y]

On 10/27/2022 6:24 AM, Martin Brown wrote:

On 27/10/2022 06:01, Don Y wrote:

The BIOS hack, in theory, would be applicable to all devices.  Even
if the actual BIOS differs from one machine to another.

Given that many are now UEFI aren\'t you always going to be fighting a losing
battle since anyone sufficiently skilled will be able to reverse engineer
things to get past whatever you interpose.

I think that\'s a pretty high bar -- for the students *and* anyone that they
are likely to encounter.

It\'s one thing to \"discover\" that you can reenable the optical drive in the
BIOS settings and boot from (e.g.) some \"installation media\" to overlay
a disk image with something more \"commodity\". But, trying to understand why
booting from that optical disk repeatedly leads to a crash (when the
installer tries to invoke something via a modified BIOS entry point)

It is probably also better for your clients to have experience on a system that
is approximately Windows like if not Windows.

The school districts (there are many, here. I don\'t understand why there
isn\'t just *one*!) each have their own approach to the use of computers.
One did away with text books more than a decade ago -- in favor of
iPads (or some other Apple product). So, an approach that favors
PCs over iPads has an inherent bias.

We\'re treating these as \"appliances\". E.g., if you were teaching a chess
course, you could conceivably have an electronic chess \"game\" that you
let students hone their skills against. You could equivalently
design a laptop that ONLY plays chess; no Solitaire, Notepad, Explorer,
IE, \"updates\", etc.

But, it may not be practical to devote the time to sorting out how
to alter each BIOS within the constraints that the BIOS imposes on
modification (ages ago, a simple checksum was a sufficient POST
measure; now I suspect many BIOSes are cryptographically signed,
or, have other measures in place to prevent malware from overwriting
their contents)

I think you might have to accept some level of attrition rate with the ones
that you loan out. Physically defacing them would be my solution to make their
resale value low or non-existent.

We expect to lose some units. The pilot program is just a few dozen seats for
the first year. So, even if ALL of the machines \"grew legs\", it wouldn\'t be
hard to replace them.

But, we plan on doubling enrollment with each successive year (only a
3 year grant) so a high loss rate would be annoying -- just from the
labor standpoint (remember, the laptops are donated so there is no real
lost \"cost\", there).

The hope is that word gets out that there is no value to stealing the
laptops; that they have no real use other than as \"appliances\".

[And, unlike a chess game, how many people want to steal interactive
text books??]

Even if you lock it down the internal ram memory has a sufficient book value
that some enterprising individual will take it out and sell it.

I can get by with very little RAM/disk. Most laptops have a pair of SODIMM
slots; I could populate with the tiniest devices possible and still have
gobs of RAM to spare -- but too little to be worthwhile to pilfer
(given that your \"customer\'s\" laptop likely also only has two slots
and at least one is populated, already, adding e.g., 2G is a yawn).

I have some 512MB (that\'s an M, not a G) SSDs that easily store my OS and
applications; what value those to anyone else? (I\'ve not yet located
a source for these, in quantity, but have found plenty of 16G devices...
still pretty tiny for any other use, unless you have a second drive slot)
One option I have is to load an image from a CD (glued in place) into
RAM and execute entirely out of RAM and 86 the writable disk. This makes
boot time longer but I don\'t think unbearably so. A bigger worry is
that of read failures, etc.

Way back we had an entire university building stripped of ram from all of the
PCs over a long weekend. They left behind a hell of a mess.

Yeah, someone once stole all the scope probes from one of the labs
at school. Hard to secure a probe to a \'scope so it was an \"accident\"
waiting to happen!

 

[John Walliker]

On Thursday, 27 October 2022 at 19:49:33 UTC+1, Don Y wrote:

On 10/27/2022 6:24 AM, Martin Brown wrote:
On 27/10/2022 06:01, Don Y wrote:

The BIOS hack, in theory, would be applicable to all devices. Even
if the actual BIOS differs from one machine to another.

Given that many are now UEFI aren\'t you always going to be fighting a losing
battle since anyone sufficiently skilled will be able to reverse engineer
things to get past whatever you interpose.
I think that\'s a pretty high bar -- for the students *and* anyone that they
are likely to encounter.

It\'s one thing to \"discover\" that you can reenable the optical drive in the
BIOS settings and boot from (e.g.) some \"installation media\" to overlay
a disk image with something more \"commodity\". But, trying to understand why
booting from that optical disk repeatedly leads to a crash (when the
installer tries to invoke something via a modified BIOS entry point)
It is probably also better for your clients to have experience on a system that
is approximately Windows like if not Windows.
The school districts (there are many, here. I don\'t understand why there
isn\'t just *one*!) each have their own approach to the use of computers.
One did away with text books more than a decade ago -- in favor of
iPads (or some other Apple product). So, an approach that favors
PCs over iPads has an inherent bias.

We\'re treating these as \"appliances\". E.g., if you were teaching a chess
course, you could conceivably have an electronic chess \"game\" that you
let students hone their skills against. You could equivalently
design a laptop that ONLY plays chess; no Solitaire, Notepad, Explorer,
IE, \"updates\", etc.
But, it may not be practical to devote the time to sorting out how
to alter each BIOS within the constraints that the BIOS imposes on
modification (ages ago, a simple checksum was a sufficient POST
measure; now I suspect many BIOSes are cryptographically signed,
or, have other measures in place to prevent malware from overwriting
their contents)

I think you might have to accept some level of attrition rate with the ones
that you loan out. Physically defacing them would be my solution to make their
resale value low or non-existent.
We expect to lose some units. The pilot program is just a few dozen seats for
the first year. So, even if ALL of the machines \"grew legs\", it wouldn\'t be
hard to replace them.

But, we plan on doubling enrollment with each successive year (only a
3 year grant) so a high loss rate would be annoying -- just from the
labor standpoint (remember, the laptops are donated so there is no real
lost \"cost\", there).

The hope is that word gets out that there is no value to stealing the
laptops; that they have no real use other than as \"appliances\".

[And, unlike a chess game, how many people want to steal interactive
text books??]
Even if you lock it down the internal ram memory has a sufficient book value
that some enterprising individual will take it out and sell it.
I can get by with very little RAM/disk. Most laptops have a pair of SODIMM
slots; I could populate with the tiniest devices possible and still have
gobs of RAM to spare -- but too little to be worthwhile to pilfer
(given that your \"customer\'s\" laptop likely also only has two slots
and at least one is populated, already, adding e.g., 2G is a yawn).

I have some 512MB (that\'s an M, not a G) SSDs that easily store my OS and
applications; what value those to anyone else? (I\'ve not yet located
a source for these, in quantity, but have found plenty of 16G devices...
still pretty tiny for any other use, unless you have a second drive slot)
One option I have is to load an image from a CD (glued in place) into
RAM and execute entirely out of RAM and 86 the writable disk. This makes
boot time longer but I don\'t think unbearably so. A bigger worry is
that of read failures, etc.
Way back we had an entire university building stripped of ram from all of the
PCs over a long weekend. They left behind a hell of a mess.
Yeah, someone once stole all the scope probes from one of the labs
at school. Hard to secure a probe to a \'scope so it was an \"accident\"
waiting to happen!

We once had visitors who removed all the Sun workstations from a lab in
just a few minutes. They didn\'t waste time unplugging all the cables - they
just cut them all with bolt cutters.

John

 

[Don Y]

On 10/29/2022 2:40 AM, John Walliker wrote:

On Thursday, 27 October 2022 at 19:49:33 UTC+1, Don Y wrote:
On 10/27/2022 6:24 AM, Martin Brown wrote:

Way back we had an entire university building stripped of ram from all of the
PCs over a long weekend. They left behind a hell of a mess.

Yeah, someone once stole all the scope probes from one of the labs
at school. Hard to secure a probe to a \'scope so it was an \"accident\"
waiting to happen!

We once had visitors who removed all the Sun workstations from a lab in
just a few minutes. They didn\'t waste time unplugging all the cables - they
just cut them all with bolt cutters.

At the opposite end of the \"moron spectrum\", we had a break-in at one of
the non-profits I work with. LOTS of video surveillance as cameras were
essentially free and setting up a PC to record was equally free.

Each of the rooms has a door with a large window from about waist height
up to almost the top of the door. The perps knew exactly which room
to target (they had likely been in the building during working hours
and seen everything as we had a pretty tolerant \"guest policy\").

The doorknobs were *handles* oriented horizontally. They tried to LIFT the
handle and it wouldn\'t budge. They deduced the door must have been locked
and, so, broke the window to gain entry.

For the next few minutes, you could see them crawling in and out of the room
through this window, carrying equipment along the way.

The amusing part, of course, is that the door handles open DOWNWARD, not up!
Had they, at any time, pressed down on the handle, the door would have
opened willingly.

The annoying part is that their stupidity meant we had to clean up a
fair bit of broken glass AND replace the window!

 

[Phil Hobbs]

John Walliker wrote:

On Thursday, 27 October 2022 at 19:49:33 UTC+1, Don Y wrote:
On 10/27/2022 6:24 AM, Martin Brown wrote:
On 27/10/2022 06:01, Don Y wrote:

The BIOS hack, in theory, would be applicable to all devices. Even
if the actual BIOS differs from one machine to another.

Given that many are now UEFI aren\'t you always going to be fighting a losing
battle since anyone sufficiently skilled will be able to reverse engineer
things to get past whatever you interpose.
I think that\'s a pretty high bar -- for the students *and* anyone that they
are likely to encounter.

It\'s one thing to \"discover\" that you can reenable the optical drive in the
BIOS settings and boot from (e.g.) some \"installation media\" to overlay
a disk image with something more \"commodity\". But, trying to understand why
booting from that optical disk repeatedly leads to a crash (when the
installer tries to invoke something via a modified BIOS entry point)
It is probably also better for your clients to have experience on a system that
is approximately Windows like if not Windows.
The school districts (there are many, here. I don\'t understand why there
isn\'t just *one*!) each have their own approach to the use of computers.
One did away with text books more than a decade ago -- in favor of
iPads (or some other Apple product). So, an approach that favors
PCs over iPads has an inherent bias.

We\'re treating these as \"appliances\". E.g., if you were teaching a chess
course, you could conceivably have an electronic chess \"game\" that you
let students hone their skills against. You could equivalently
design a laptop that ONLY plays chess; no Solitaire, Notepad, Explorer,
IE, \"updates\", etc.
But, it may not be practical to devote the time to sorting out how
to alter each BIOS within the constraints that the BIOS imposes on
modification (ages ago, a simple checksum was a sufficient POST
measure; now I suspect many BIOSes are cryptographically signed,
or, have other measures in place to prevent malware from overwriting
their contents)

I think you might have to accept some level of attrition rate with the ones
that you loan out. Physically defacing them would be my solution to make their
resale value low or non-existent.
We expect to lose some units. The pilot program is just a few dozen seats for
the first year. So, even if ALL of the machines \"grew legs\", it wouldn\'t be
hard to replace them.

But, we plan on doubling enrollment with each successive year (only a
3 year grant) so a high loss rate would be annoying -- just from the
labor standpoint (remember, the laptops are donated so there is no real
lost \"cost\", there).

The hope is that word gets out that there is no value to stealing the
laptops; that they have no real use other than as \"appliances\".

[And, unlike a chess game, how many people want to steal interactive
text books??]
Even if you lock it down the internal ram memory has a sufficient book value
that some enterprising individual will take it out and sell it.
I can get by with very little RAM/disk. Most laptops have a pair of SODIMM
slots; I could populate with the tiniest devices possible and still have
gobs of RAM to spare -- but too little to be worthwhile to pilfer
(given that your \"customer\'s\" laptop likely also only has two slots
and at least one is populated, already, adding e.g., 2G is a yawn).

I have some 512MB (that\'s an M, not a G) SSDs that easily store my OS and
applications; what value those to anyone else? (I\'ve not yet located
a source for these, in quantity, but have found plenty of 16G devices...
still pretty tiny for any other use, unless you have a second drive slot)
One option I have is to load an image from a CD (glued in place) into
RAM and execute entirely out of RAM and 86 the writable disk. This makes
boot time longer but I don\'t think unbearably so. A bigger worry is
that of read failures, etc.
Way back we had an entire university building stripped of ram from all of the
PCs over a long weekend. They left behind a hell of a mess.
Yeah, someone once stole all the scope probes from one of the labs
at school. Hard to secure a probe to a \'scope so it was an \"accident\"
waiting to happen!
We once had visitors who removed all the Sun workstations from a lab in
just a few minutes. They didn\'t waste time unplugging all the cables - they
just cut them all with bolt cutters.

John

Olt-time circuit columnist Tom Kneitel used to say that scope probes
were marked \"10:1\" because they ten to one away when you\'re not looking.

Cheers

Phil Hobbs

--
Dr Philip C D Hobbs
Principal Consultant
ElectroOptical Innovations LLC / Hobbs ElectroOptics
Optics, Electro-optics, Photonics, Analog Electronics
Briarcliff Manor NY 10510

http://electrooptical.net
http://hobbs-eo.com