lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:	Fri, 15 Jun 2007 23:20:14 -0400
From:	Kyle Moffett <mrmacman_g4@....com>
To:	Jan Engelhardt <jengelh@...putergmbh.de>
Cc:	Phillip Susi <psusi@....rr.com>, "R.F. Burns" <burnsrf@...il.com>,
	Lee Revell <rlrevell@...-job.com>, linux-kernel@...r.kernel.org
Subject: Re: PC speaker

On Jun 15, 2007, at 15:34:52, Jan Engelhardt wrote:
> Perhaps live cd? In which case, the OP should, as recommended in  
> this thread already, deactivate choosing boot devices, if that's  
> possible.
>
> (Unfortunately, newer BIOSes with 'integrated bootmenu' with F8 or  
> so, but I have not seen a way to deactivate _that_ menu.)

Heh, with virtually every PC BIOS I've seen, the procedure is  
something like this:

1)  Reboot into BIOS
2)  Set a BIOS "Supervisor Password" (as opposed to "User" or "Boot"  
password)
3)  Go to the "Boot Devices" list and uncheck everything except "Hard  
Disk"
4)  Go to the "USB Stick Hard Disk Emulation" feature and turn that off
5)  Save settings to BIOS and reboot (Usually "F10" or "ESC-Y" )

The "Integrated BootMenu (F8)" stuff only lists boot devices that are  
enabled in the BIOS.  If everything but the hard disk is disabled  
then pressing (F8) is _really_useful_ :-)
   1) Boot from Hard Disk
   2) Enter BIOS Setup

Of course, choosing option 2 is also quite an entertaining thing for  
the student:
,--------------------------.
| Enter Password: ******** |
`--------------------------'

And since they don't actually know the password, it's followed by the  
inevitable:
,--------------------------.
|     Invalid Password     |
`--------------------------'

Admittedly there are more things to turn off than with older BIOSen,  
but there are also more features too.  Of course, with OpenFirmware- 
based systems (like the PowerPC macs) it's scriptable and doesn't  
require rebooting.
   1)  Install the "nvsetenv" utility via your distro

   2)  Encode your password by xoring each character's ascii value  
with 0xAA and printing the result in hex.  This perl oneliner will do  
it easily (Change 'my-password' to your plain-text password).
     perl -ne 'map { printf "%%%02x", 0xaa ^ ord($_) } split //, $1;  
print "\n"' my-password

   For example, the password "linux" is encoded as "%c6%c3%c4%df%d2"

   3)  Run "nvsetenv security-password %c6%c3%c4%df%d2", where the  
hex stuff is your encoded password

   4)  Run "nvsetenv security-mode command"

Then it auto-locks all possible ways of modifying the open-firmware  
boot device or specifying alternative boot options.  The only way to  
get around it on most systems is with the firmware-reset button on  
the inside of the case or moving RAM around and rebooting with some  
magic key combo held down (Cmd-Opt-P-R on mac systems).  Typically if  
your students can do that there's exactly nothing you can do to  
prevent them from doing whatever they want.  They could always just  
stick in a different hard-drive, after all.

Cheers,
Kyle Moffett

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ