Engineer bought prison laptop and 1,200 incarcerated folks lost their devices(opencampusmedia.org)
opencampusmedia.org
Engineer bought prison laptop and 1,200 incarcerated folks lost their devices
https://www.opencampusmedia.org/2024/03/04/an-engineer-bought-a-prison-laptop-on-ebay-then-1200-incarcerated-students-lost-their-devices/
80 comments
I hope Zhang doesn't feel too bad for accidentally setting this in motion. The fault lies entirely with the manufacture's poor security practices and the overreaction of the corrections officials, but I bet there are still going to be people pointing fingers at him saying "you shouldn't have hacked that laptop and published your findings! Now all these students lost their laptops because of you!"
There aren't even any poor security practices. It's just security theatre and the DOC is overreacting.
The secure boot password was stored as a SHA-1 hash. The machine was designed in a way that the password effectively can not be changed. Those are poor security practices.
The bios password is known now, and you can't change it locally. Security practices aside, it does sound like collecting them and doing an update is required.
The article said the default admin password wasn’t changed. Thats not security theater that’s a legit goof. Why so cynical?
It does sound very much like an overreaction, from the manufacturer of these devices.
"The man who made the devices said there’s little someone inside could actually do with a hacked Securebook. They’d need to fashion a USB port, be able to install another operating system, and get access to a docking station, said Jeremy Schwartz, Justice Tech president. Even when the devices are docked, they’re not connected to the wider internet. "
"The man who made the devices said there’s little someone inside could actually do with a hacked Securebook. They’d need to fashion a USB port, be able to install another operating system, and get access to a docking station, said Jeremy Schwartz, Justice Tech president. Even when the devices are docked, they’re not connected to the wider internet. "
Eh, true. But then both sides of the political spectrum would have been up their asses had they just said, "relax, its no big deal." Not something you want to hear from a prison (even a not-for-profit prison).
When a critical part of a security system is defeated, saying “that’s okay we have other layers of security so they probably can’t do much” would be IMHO pretty horrible security practice. Taking the laptops away is horrible, but from a security perspective it’s not over reacting.
Assessing the balance between risk and the cost of mitigation sounds like it should be part of the basics.
It doesn't even help you get to the end of the exploit chain. To boot anything they still needed to tap the touchpad USB lines and attach preimaged external USB storage. It's a goof but it's not a goof worth making 1200 incarcerated people's lives harder.
Why is it so bad to let prisoners have internet access or unrestricted access to a device anyway?
Sure, they can commit crimes with it.
But prisons obviously don't care about their charges committing crimes or they would take serious measures to prevent violence.
Sure, they can commit crimes with it.
But prisons obviously don't care about their charges committing crimes or they would take serious measures to prevent violence.
These devices must now all be treated as if they’re rooted. That’s a gigantic security problem. Casual analysis here says “well it would be hard to install a new OS, so it’s not a big deal.” That is a terrible security assumption. We don’t know what other changes could be done to a rooted device, but anybody with a sensible security mindset would assume something undesirable is possible.
So, the outcome might be harsh, but it is NOT overreacting to promptly deal with secure devices becoming easily rooted.
So, the outcome might be harsh, but it is NOT overreacting to promptly deal with secure devices becoming easily rooted.
> I bet there are still going to be people pointing fingers at him saying "you shouldn't have hacked that laptop and published your findings! Now all these students lost their laptops because of you!”
I wonder if they’d be in prison if they were given a free education and laptops before whatever life choices they made that sent them to prison.
I wonder if they’d be in prison if they were given a free education and laptops before whatever life choices they made that sent them to prison.
People in most Western countries are given a free education. These people tend to be the ones that skipped out on school.
And sure, some are situational but at least from my school XP people were bunking because they thought they were too cool for school™
And sure, some are situational but at least from my school XP people were bunking because they thought they were too cool for school™
>free education
School?
[deleted]
Free education and laptops alone aren't enough for that.
They are certainly enough for some people, and really far from enough for others.
Knowing the shape of that distribution would be interesting.
Knowing the shape of that distribution would be interesting.
[deleted]
The person who shared the password publicly might feel a bit guilty.
That's something better suited for DMs
That's something better suited for DMs
If you follow the Twitter thread, the secure boot password was stored as a SHA-1 hash. So someone eventually brute forced it, and it's "N%(dU32p'".
But, the prisons can't just change the default, because the design is that it writes the bios setup, including the default password, back to the device at power down.
So, there didn't really appear to be any other option for the prisons other than collecting them all and sending them back for a fairly big update.
But, the prisons can't just change the default, because the design is that it writes the bios setup, including the default password, back to the device at power down.
So, there didn't really appear to be any other option for the prisons other than collecting them all and sending them back for a fairly big update.
>So someone eventually brute forced it
Just a few hours after it was starting to be brute forced, I'm sure I saw somebody finding the password being used in youtube presentation, perhaps for a related model or bios setup, and that solved the problem much quicker. They privated the video soon after so I didn't get to watch it, just saw the thumbnail.
Just a few hours after it was starting to be brute forced, I'm sure I saw somebody finding the password being used in youtube presentation, perhaps for a related model or bios setup, and that solved the problem much quicker. They privated the video soon after so I didn't get to watch it, just saw the thumbnail.
Do you have the URL for it? The page at least may have been archived somewhere.
On the original thread they tweeted about people using brute force, then the next tweet after that is this [0]:
>This thread is going viral, thank you all for the like and repost! Update on the password, they literally just shared the password in a video
[0] https://twitter.com/zephray_wenting/status/17617384499655026...
>This thread is going viral, thank you all for the like and repost! Update on the password, they literally just shared the password in a video
[0] https://twitter.com/zephray_wenting/status/17617384499655026...
The article quotes the manufacturer as saying that even with the password there's basically no risk of the devices being misused:
> The man who made the devices said there’s little someone inside could actually do with a hacked Securebook. They’d need to fashion a USB port, be able to install another operating system, and get access to a docking station, said Jeremy Schwartz, Justice Tech president. Even when the devices are docked, they’re not connected to the wider internet.
It sounds like one very valid option they had was to just change the password as part of the regular maintenance and replacement schedule on the very reasonable assumption that no one would be able to attach a USB port to their laptop within the confines of the prison.
> The man who made the devices said there’s little someone inside could actually do with a hacked Securebook. They’d need to fashion a USB port, be able to install another operating system, and get access to a docking station, said Jeremy Schwartz, Justice Tech president. Even when the devices are docked, they’re not connected to the wider internet.
It sounds like one very valid option they had was to just change the password as part of the regular maintenance and replacement schedule on the very reasonable assumption that no one would be able to attach a USB port to their laptop within the confines of the prison.
The author didn't attempt it, but it seems pretty clear 4 of the pins on the exposed docking port would be a USB bus. So all you need really is a usb stick, some wires, and some patience.
The particular connector used even looks like you could directly insert/wedge thin gauge wires, no soldering required on that end: https://imgur.com/a/7T3agdg
The particular connector used even looks like you could directly insert/wedge thin gauge wires, no soldering required on that end: https://imgur.com/a/7T3agdg
So the (over dramatic) decision was made by someone with little knowledge but with power and probably responsibility.
That happens too often in this world.
That happens too often in this world.
Which could have been handled gracefully over time without disturbance if the person would have responsibly just contacted the IT of the prisons, instead of publishing the method and password in the wild.
So many official idiocies get justified as "an abundance of caution." One might almost hope the phrase itself would become a warning sign of impending mistake; allowing officials to avoid the predictable disasters that follow.
> incarcerated folks
AKA "prisoners". If only we could find a way to harness all these euphemism treadmills for electricity generation, then that might provide an actual social benefit
AKA "prisoners". If only we could find a way to harness all these euphemism treadmills for electricity generation, then that might provide an actual social benefit
Off topic, but other than the goofy green touchpad I gotta say I love the aesthetics. I'd totally rock a transparent laptop.
I think it's totally on topic.
I'm surprised more electronics doesn't do it. Maybe it costs to much to manufacture clear casing to consumer spec. Maybe there's no demand among the NPCs
You can get a prison TV, radio, remote - https://www.ebay.com/sch/i.html?_nkw=%22Clear+Tunes%22
Typewriter - https://www.ebay.com/sch/i.html?_nkw=Swintec+2410
I'm surprised more electronics doesn't do it. Maybe it costs to much to manufacture clear casing to consumer spec. Maybe there's no demand among the NPCs
You can get a prison TV, radio, remote - https://www.ebay.com/sch/i.html?_nkw=%22Clear+Tunes%22
Typewriter - https://www.ebay.com/sch/i.html?_nkw=Swintec+2410
They took them away to give them security updates. Non-story.
> Students said they were given little information about when and if the devices would be returned, and many wondered if they’d lose access to the work saved on the laptops, which need to be placed into a dock to upload or download information. Students enrolled in community colleges also expressed concern that they lost access to their devices immediately before winter quarter finals.
Not exactly a non-story… one women’s prison was put on lockdown so the laptops could be seized. I get that a lot of Americans like their carceral state really carceral, but the article makes it pretty clear that just having the default password doesn’t get you a lot with a device that has no usable ports.
Not exactly a non-story… one women’s prison was put on lockdown so the laptops could be seized. I get that a lot of Americans like their carceral state really carceral, but the article makes it pretty clear that just having the default password doesn’t get you a lot with a device that has no usable ports.
[deleted]
Which they didn't need to do in such a disrupting manner. Story
Aside, "published on a hacker website" referring to hackaday tickled me pink.
My question is -- why was a prison laptop on sale on Ebay in the first place? If they're soooooo concerned about security, maybe don't have these out in the wild?
I'm betting a prison employee stole that from work and sold it on the sly to make an extra few hundred bucks. Probably breaks some rules, no?
I'm betting a prison employee stole that from work and sold it on the sly to make an extra few hundred bucks. Probably breaks some rules, no?
The article covers this:
> So how does a prison laptop end up on eBay?
> The laptop that Zhang bought came from a state whose corrections department contracts with a Milwaukee-based nonprofit to dispose of its old laptops. But instead of recycling the devices, the organization resold them, selling out of 100 Securebooks after Zhang’s post went viral.
> So how does a prison laptop end up on eBay?
> The laptop that Zhang bought came from a state whose corrections department contracts with a Milwaukee-based nonprofit to dispose of its old laptops. But instead of recycling the devices, the organization resold them, selling out of 100 Securebooks after Zhang’s post went viral.
Ah thanks, missed it!
[deleted]
sandspar(11)