Thu Aug 20 23:06:02 EDT 2009

school-provided computers and big brother

There was an interesting question on /b/ the other day, concerning how safe it was to use a school-provided laptop to perform sensitive work. This is a topic near and dear to my heart, since I used a school laptop for the school year 2006-2007, as part of the Shoreline Schools laptop program.

(Latest in a series, now, a blog post based on a thread reply.)

The correct answer is, of course, that it is not at all safe for sensitive work. It's their computer, so you must assume that the OS is compromised. High-security modes ("Private browsing mode") mean nothing at all if the program itself is rooted. You'll have to boot into another operating system entirely to avoid whatever they've put on the computer.

This may not even be enough. At DEFCON 2009, K. Chen demonstrated (but read the paper first) execution of arbitrary hostile code on the microcontroller of an Apple aluminum keyboard by exploiting a poorly designed firmware update.

This particular attack has quite a few limitations: it only works on one keyboard, and can't contain a useful keylogger since there's only eight kilobytes of flash; but that's more than enough space for a little program that, say, opens up a terminal window at midnight and downloads a spyware package.

Hardware keyloggers are ancient, though to my knowledge nobody has thought of using one to bootstrap a spyware infection, even onto a freshly reformatted computer.

For this particular threat scenario, this is very, very unlikely, unless the school outsources tech support to the NSA; but the point is made: it is their computer, so it's compromised. You cannot completely trust it.

However. While you cannot fully trust it, there are less rigorous standards of trust that can be applied.

As with all ubiquitous surveillance programs, capability does not denote intent. They might have installed any number of devious rootkits, hardware snoopers, or trusted computing platform trojans; but have they? And if they have, are they even being monitored? And if they are monitored, and on a regular basis, do they care about users engaging in mundane illegalities, or do they only bring the hammer down on people using school hardware to write bomb threats?

Some of this can be inferred from side-channel signals (they cannot be conducting any kind of surveillance program if they have a three-man IT department) or through more obvious routes. Public schools may be required to disclose this, depending on jurisdiction, and how much of an asshole the lawyer asking is.

UPDATE:
Howdy kiddies. If you got here by googling "hack shoreline schools laptop" or something else along those lines: I don't know how, though it should be fairly trivial. I haven't even touched one since 2007, when I graduated.

That being said, the point of this post was that you can't trust a hacked laptop to stay hacked, and if they suspect anything at all, they can just demand a physical inspection, at which point you'll be suspended. Get a job, buy a netbook, look at porn on that. Sermon ends.

