Slashdot Mirror


AU Government To Build "Unhackable" Netbooks

bennyboy64 writes "In what may be one of the largest roll-outs yet of Microsoft's new Windows 7 Operating System, Australia's Federal Government decided to give 240,000 Lenovo IdeaPad S10e netbooks to Year 9-12 students. Officials are calling them 'unhackable.' iTnews reports that the laptops come armed with an enterprise version of the Windows 7 OS, Microsoft Office, the Adobe CS4 creative suite, Apple iTunes, and content geared specifically to students. New South Wales Department of Education CIO Stephen Wilson said that schools were 'the most hostile environment you can roll computers into.' While the netbooks are loaded with many hundreds of dollars worth of software, 2GB of RAM, and a 6-hour battery, the cost to the NSW Department of Education is under $435 (US) a unit. Wilson praised Windows' new OS: 'There was no way we could do any of this on XP,' he said. 'Windows 7 nailed it for us.' At the physical layer, each netbook is password-protected and embedded with tracking software that is embedded at the BIOS level of the machine. If a netbook were to be stolen or sold, the Department of Education is able to remotely disable the device over the network. Each netbook is also fitted with a passive RFID chip which will enable the netbooks to be identified 'even if they were dropped in a bathtub.' The Department of Education also uses the AppLocker functionality within Windows 7 to dictate which applications can be installed."

22 of 501 comments

  1. Sure... by gregthebunny · · Score: 5, Insightful

    This needs a "goodluckwiththat" tag...

    1. Re:Sure... by Spatial · · Score: 5, Informative

      For anyone wondering why that's so bad, a 1.6GHz Atom is somewhere around an 800MHz Pentium 3 in terms of performance.

    2. Re:Sure... by tangent3 · · Score: 5, Interesting

      The main issue with the Atom is that it does not do out-of-order execution.
      ARM processors do, so an equivalent-speed ARM will easily outperform the Atom.

  2. I long for the day... by Anonymous Coward · · Score: 5, Insightful

    ...when Slashdot news beginning with "Australian Government" won't necessarily end with a rephrasing of "shows off its technological naivety".

  3. Same Govt. by retech · · Score: 5, Informative

    This is the same govt. that put a guy in jail on child pornography charges for having a Simpsons parody porno on his computer.

    Ignorance and arrogance seem to always walk hand in hand.

  4. Too late by Anonymous Coward · · Score: 5, Interesting

    I just spoke to a friend in Australia.. it's been pwned already using the nuke the bios and boot from a livecd method.

    They even disabled the RFID.

    1. Re:Too late by poetmatt · · Score: 5, Informative

      Yeah, nuking the bios from a CD is ridiculously easy. It's actually a feature that people can do so. Hiren's Boot CD comes with very simple methods for that.

      I bet someone will just make an app that unlocks the laptop and wipes the firmware for them so that the laptops can have actual use.

  5. Get me one of these and find out how long it lasts by marcansoft · · Score: 5, Insightful

    "Tracking software embedded at the BIOS level"? Last I checked, those "tracking schemes" just force-fed Windows some driver/app at the BIOS level. Install any other OS and it becomes useless (not to mention that BIOSes these days aren't even hard to hack). As for the RFID, I don't see how disassembling it and taking it out is rocket science. Never mind that the students themselves are going to be owning any kind of app installation protection in the blink of an eye.

    Sorry, using software to secure a platform against its physical holder has never worked for long, but even just trying to do it on an insecure platform like an x86 PC is beyond useless. None of this has even a remote chance of working without the heaviest-handed TPM-on-CPU-die functionality and signing of each and every piece of software, but that has no chance of working because no one would want such a platform, it would be painful and expensive to develop, and it could never exist given the buggy and insecure nature of PC software in general.

    Video game consoles with strong hardware security and tightly controlled software environments with little interoperability requirements get cracked all the time to run homebrew and/or pirate games, what makes these people think their little netbook won't be?

    For what it's worth, Linux vs. Windows here makes little difference. The entire scheme is doomed to fail from the start due to the nature of a PC solution like this. Sounds like Microsoft just sold these guys a bunch of nonexistent security.

  6. So stupid by GradiusCVK · · Score: 5, Insightful

    What is it with governments and hubris? If they had just shipped all these laptops without any mention of "unhackableness", you know what would have happened?
    1: 240,000 kids would have gotten reasonably secure systems with useful software on them
    2: People would have noticed how secure and safe the systems were, and appreciated the low rate of problems they experienced
    3: Eventually, some smart students would have figured out how to bypass all the security so they can play world of warcraft or something, but nobody would have cared and it wouldn't have gotten any press

    Instead, some asshat announces to the world "Bow to our unhackable laptops! We are awesome! HAHAHA!", and now thousands of hackers and security researchers out there have made it their personal crusade to find a way to totally decimate all the security on the box. You're right... It's gonna take about 1 month for an exploit for these things to make it to the front page on slashdot. Fucking idiots.

    Footnote:
    Yes, I'm aware that security through obscurity is no security at all, but that's not the issue here. The issue is that instead of nobody caring or trying to break the reasonable security they've implemented, now they've got thousands of people working on it. THAT does matter.

    1. Re:So stupid by Culture20 · · Score: 5, Funny

      Footnote: Yes, I'm aware that security through obscurity is no security at all, but that's not the issue here. The issue is that instead of nobody caring or trying to break the reasonable security they've implemented, now they've got thousands of people working on it. THAT does matter.

      Security through obscurity's little brother? Security through "meh"?

  7. Re:I dont understand ... by Alain+Williams · · Score: 5, Insightful

    I don't understand why this would be considered unhackable. Exploits have already been released for Windows 7.

    It is quite simple: Microsoft said that it was unhackable, so as far as the idiot politicians were concerned it must be true.

    What grates with me is that the Australian Federal Government is spending money training kids to use MS s/ware - something that will stay with them for the rest of their lives. The MS marketing department must be overjoyed.

    What education should be about is understanding, if you just train someone in one version of s/ware many just adopt a point and click approach with little understanding of what they are doing. You need different sorts of s/ware to make them think. Schools should use a mixture of: MS, Mac & Linux PCs.

  8. so let me get this straight by HangingChad · · Score: 5, Insightful

    While the netbooks are loaded with many hundreds of dollars worth of software, 2GB of RAM, and a 6-hour battery, the cost to the NSW Department of Education is under $435 (US) a unit.

    The netbooks have hundreds of dollars of software loaded and still only cost $435 a unit. So the cost of the unit is being subsidized and the department is hailing this as some big leap forward in cost of ownership? And some of the big changes are related to the BIOS.

    Already, the department has noted the loss or damage of just six netbooks out of the 20,000 rolled out since August - and have tracked one teacher using their device on a field trip in New Zealand.

    Yeah, really cool that the school can track and potentially monitor everyone using one of these devices, even if the machine is not physically turned on via the RFID tags. Now there's a big win.

    DET also uses the AppLocker functionality within Windows 7 to dictate which applications can be installed on the device.

    Even better. Add McAfee filtering to control content and MSFT's own antivirus technology...add up what all that would cost in a real world enterprise. Just the software costs alone would dwarf the cost of the device.

    I look at the cost of the device, the software and all the centralized control and think, "Or just install Linux and get 95% of that functionality right out of the gate." And the 5% you don't get is the spying and monitoring part. What lesson is the school teaching here?

    This is certainly a win for someone, but I'm not sure it's the students and teachers.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage

  9. Why? by whisper_jeff · · Score: 5, Insightful

    Why would anyone issue a challenge like that over netbooks for students? Unhackable? Bullshit! Some hacker out there is going to take that as a challenge and hack into the thing in, I'm guessing, less than a week. And some poor student is going to have his netbook hacked because some nimrod decided to talk smack about how awesome-sauce these netbooks are and described it as "unhackable." Unreal...

  10. Haha.. no by Anonymous Coward · · Score: 5, Informative

    I work for one of the departments involved, hence the anonymous post.

    This is typical government posturing, and has little to do with what's actually going on.

    From what I've seen, the RFID chips are redundant, they're using the machine's BIOS UUID to track machines through software, I don't think they even record the embedded RFID codes at all, as that requires a physical reader device, and they're not handing them out to schools. Normally, RFID tags aren't used for anti-theft, but for inventory tracking.

    The BIOS tracking is pretty standard and off-the-shelf, it's not designed to stop professionals, but it will catch stupid thieves. Software protection is not huge, but most 'problems' will be met with an F12 network boot and a fresh system image, so the harm students can do will be limited and easily reversible. Students get limited space to save their work, and that is backed up centrally, so they shouldn't lose any data. On top of that, most questionable sites are blocked by the internet proxies, so that cuts out lots of potential sources of harmful stuff.

    Really, the true protection the laptop gets is that every student receives one for free, but a replacement laptop has to be paid for out of their parents' pockets. Students will learn to be careful with them or face punishment from their parents.

    There's lots of other silliness going on though, especially as it's my tax dollars going to waste.

    For example, the enterprise agreement for the Adobe CS4 suite was a big deal. They spent millions purchasing the software before anyone had actually tried running any of it on an actual laptop. Only after the government had signed the contracts did they bother, only to find out that the screens were too small. All of the Adobe dialog boxes were designed for a vertical height larger than the physical screen resolution, so the OK/Cancel buttons are cut off. The workaround was to install a driver that supports a larger virtual desktop and pans the screen around. It's hideous. This is what happens when you let politicians make technical purchasing decisions.

    Similarly, the laptops are rather anemic, which is expected for a netbook, but a lot of the software and content they want to publish is very video-centric. Apparently some types of video, like Flash content and h264, don't always play well, and high-res content is a slide show.

  11. From Lenovo? by DoofusOfDeath · · Score: 5, Insightful

    If I recall, China's People's Liberation Army is part-owner of Lenovo.

    Exactly why do the Aussies think there won't be back doors built into the hardware or BIOS?

  12. Re:I dont understand ... by drsmithy · · Score: 5, Insightful

    What education should be about is understanding, if you just train someone in one version of s/ware many just adopt a point and click approach with little understanding of what they are doing. You need different sorts of s/ware to make them think. Schools should use a mixture of: MS, Mac & Linux PCs.

    You seem to have severely misunderstood the purpose of these machines.

  13. Unhackable laptop? by Chief+Crazy+Chicken · · Score: 5, Funny

    etch-a-sketch!

  14. Absolutely by GradiusCVK · · Score: 5, Insightful

    And don't discount the importance of it, either. All security, no matter what type it is or how it is implemented, is basically designed to slow down anybody who might try to break it. Indeed, security through obscurity itself does this, but the actual slowdown it provides is minimal, and it adds an extra cost: it is difficult to tell when somebody out there has successfully broken your security. By opening up, you can get a bunch of people working on your security to strengthen it, to help offset the few people who might be interested in breaking it.

    Anyway, why would you go to such great lengths to slow down any individuals who might see a profit in cracking your systems, then go and piss off a bunch of 1337 haxxorz all over the world and get thousands of them working on the problem in parallel? Kinda defeats the purpose of using strong security in the first place, doesn't it?

    1. Re:Absolutely by apoc.famine · · Score: 5, Insightful

      By opening up, you can get a bunch of people working on your security to strengthen it, to help offset the few people who might be interested in breaking it.

      But that only works for software you can fix, or you can get the vendor to fix. I highly doubt that's the case here.
       
      Nobody is out to burn my house down, because nobody cares. But if I go out and shout, "My House is UNBURNABLE....MUAHHAHAHA!", there's a chance that some asshat will put a torch to it just to prove me wrong.
       
      Security through obscurity doesn't work. Security through provoking asshats into action really doesn't work, unless you have the power to fix what they break.

      --
      Velociraptor = Distiraptor / Timeraptor

  15. There sure are a lot of stories on /. that... by Informative · · Score: 5, Interesting

    ... give the impression that Australia's governors are stupid fucks.

  16. Roku is a perfect example of 'Meh' by ezrec · · Score: 5, Insightful

    The Roku video player is an excellent example of security through "meh". It's almost an ideal box for a Boxee or MythTV frontend, but it is pretty much unhackable (cryptographically signed u-boot, kernel, and ramdisk). They've released their sources (but not their crypto key) months ago, yet not one single crack is available for it.

    Why? Because (a) they don't make a big deal of the security features to the public, (b) it's stupid cheap ($99 USD), and (c) It Just Works.

    The combination of all three make 'meh'. Due to (a) there is no implicit challenge to the security community, (b) trumped the TiVo problem of trying to get 'more value for your money' out of an expensive piece of kit, and (c) prevents your Average Joe hacker from wanting to break a working (and useful to him) device.

    Good counterexamples are TiVo, Linksys routers, and the Wii.

    For TiVo, it was expensive enough that people wanted to get more value for their money, and felt it was time well spent to hack it.

    With Linksys routers, It just Doesn't Work caused people to spend a lot of time finding a way to make some perfectly good equipment work at all for them.

    The Wii advertised to the community that it was unhackable, which promptly caused all manner of security professionals to take up arms and figure out how to hack it.

  17. I've used one by bbqsrc · · Score: 5, Informative

    Right, well, I actually attend one of the schools who have a deployment of these laptops.

    There's a label on the bottom that threatens you that if you steal it the police will find you. There are tamper-proof screws, so normal Phillips heads won't do the job. The BIOS is obviously passworded, and I managed to break the bootloader of Windows 7 by pressing ESC twice. No OS found apparently.

    For "secure" laptops, you can right click pretty much anything and run it as an admin. We ran cmd.exe as an admin to create a proper Admin account. Completely bypasses AppLocker. Apparently, according to the laptop admins, the government won't allow printer drivers that aren't already part of Windows 7, so no printing for you.

    The laptop maintainers don't even have administrator access. They have to box the laptops up and ship them to a centre to be "fixed", even if it's as simple as reinstalling a driver. Pathetic.

    It's only early days, and the nuking of the bios can be done easily, through Wubi or other means, but USB boot is disabled so you'll have to find alternative means. And I know it's likely moot to post so late after the rush, but I had to say it.

    Btw, it's CS4 Elements, it's not the true suite. And it includes Dia, the open-source diagram editor, which I found odd. Open source deployments always amuse me.

    To finish, Firefox is not included by default and has many issues when installing, as you don't have access to Program Files, so it confuses the installer to no end unless you change where you're installing it to.

    These laptops require ethernet access to activate and are mapped to a single username, so good luck using it if you don't have a Department of Education account. They all have filtering software so no porn for you kids, even when at home. Myspace and Facebook are blocked even from home connections. It's a rather horrible crippled setup that I'd wish upon no-one.

    Welcome to the future of computing. Homeschool your kids.

    --
    Disagree != mod troll.