Forwarded from: William Knowles <wkat_private>

http://news.independent.co.uk/digital/features/story.jsp?story=139444

Andrew Brown
25 February 2002

It would be quite easy to make a car that no one would find it worthwhile to steal: just ensure that a secret code had to be entered into the immobiliser every time it was refuelled; and that if the code was wrongly entered or forgotten, the car could only be restarted by replacing the whole engine. It sounds absurd, and would certainly diminish the second-hand market in any brand that adopted it.

Yet many IBM laptops are protected in a very similar way. They contain a secret password which, if it is forgotten or lost, simply cannot be replaced. Without the password, the whole computer is an inert lump of plastic.

The hard disk, too, can be protected in a similar way; if that has been done, it doesn't help to remove the hard disk and put it into another machine to analyse. Without the original password, the hard disk cannot be read, even in a different machine.

It is an awe-inspiring deterrent to thievery and very valuable as a means of guarding corporate data. If MI5 or the army used systems like that, it would matter less how many drunken operatives left their laptops in bars. No one could ever get the information out of them. If al-Qa'ida had used IBM laptops, it could have left them all over Kabul and its work would have remained locked on a hard disk – rather than being decoded, as it was, by some journalists who bought a second-hand PC there that the organisation had used to write letters and e-mails.

But cast-iron security has some ghastly consequences in the civilian world. There are four passwords that can be set on an IBM ThinkPad, and the most insidious one can sit there for years, undetected. This is the BIOS supervisor password, which controls access to the most basic features of the computer.

The program stored in a computer's BIOS is really its spinal cord: it tells the central processor about all the other parts: the screen, the keyboard, and even the memory. Without it, the machine is paralysed. Typically, the BIOS is stored in a "flash" memory chip, which can be reprogrammed as needed if the computer is upgraded – provided, of course, that you have the supervisor password, which is itself stored, encrypted, on the chip.

Normally, you need to upgrade the BIOS program only when upgrading the operating system, because a computer loaded with Windows 98 when it was bought will need a BIOS upgrade to make the power-management features work under Windows 2000 or XP.

But if you do start the BIOS upgrade and haven't got the code, your valuable computer will be transformed within seconds into a hunk of worthless plastic that will never work again without expensive surgery, and from which the data may never again be extracted. You finish the upgrade and the machine restarts; then you're asked for the BIOS password. The equivalent in a car would be a code that had to be entered only when the car was started for the first time after an oil change.

It is one of the unforgettable sensations that computer ownership has to offer: one moment you're tapping away at a piece of routine maintenance, and the next you find your stomach has taken up ski-jumping.

Technologically, the position is simple. If the machine is out of warranty, you're screwed. IBM quotes a figure of "at least £1,000" to replace the motherboard [with the BIOS]. If your machine is still under warranty, says Mike Wallace, the manager responsible for ThinkPads in the UK, an IBM dealer can repair it within a week. But after that, the simplest thing is simply to buy a new and more modern machine.

If a disgruntled employee were to put such a password on his company's laptop, and then forget it, his employers would have a real problem. It's like changing the combination of a company safe.

Yet it need not always be an irresponsible action. Arguably, you should protect your own machine in this way (if you can); otherwise any hostile party who gets hold of it first can lock you out of your own machine.

The first appearance of these cryptographic fortresses is in large companies: Shell, for example, has more than 90,000 laptops and desktops in 1,000 offices around the world. They are all Compaqs now, or soon will be; and all are protected not only with passwords but smart cards, so you can't use them without opening both a hardware and a software lock - and these cards can all be centrally reprogrammed, like hotel-room key cards, to ensure that access can be tightly controlled and monitored on a day-to-day basis.

Some of the latest IBM machines have an even more terrifying form of security: a small, built-in camera for face recognition. If the laptop doesn't like your face, you can't use it at all. There is a way to bypass this, involving two more passwords, making a total of six or more for the one laptop.

But we are definitely heading toward a future in which you don't ever want to forget your laptop password. It doesn't matter to large companies, which can at last manage a huge and mobile collection of laptops as if they were all physically present in the IT department, with someone watching them all the time. Schools, too, would find this sort of security much more effective than physical locks.

But it's a taste of the future. More and more hardware will be protected in this way. As everything becomes lighter and more modular, and drives and batteries can be swapped almost as easily as mobile-phone covers, so manufacturers will provide more and more clever embedded cryptography to protect your property. Mobile phones can now be disabled over the network once reported stolen, and it's easy to see that this could be done with wireless-enabled laptops, too.

Within 10 years, it should be easy enough to fix cars so that all the embedded computers they rely on are protected with a password. The fantasy with which this article started, of a car that no one would bother to steal, would become a reality.

Once everyone is used to such ideas, society will adjust. It will be understood that you no more sell a computer or a car without its passwords than you now sell a house without its keys. But we are still a long way from there, and the transition period is going to be full of nasty shocks for people who buy second-hand protected goods.

The web is full of sites on how to clear laptop passwords, but they don't work reliably on all machines. The protection on Toshiba machines is fairly easy to defeat; IBM ThinkPads are the hardest; Dell and Hewlett Packard sit somewhere in the middle, to judge by the price list at Password Crackers Incorporated, a company in Maryland that sells replacement password chips for most laptops for $30-100 (£20-70). These chips have to be soldered on to the motherboard by a skilled technician in a proper workshop, and if the hard disk has a password set as well, the old chip must be sent back to Password Crackers to have that password extracted for another $50 (£35).

This is not at the moment a very big business, according to Bob Weiss, the company's president, because most people who find their new laptop has locked them out simply give up in despair. But he expects it to grow steadily over the next 10 years. And - speaking as someone who has been locked out of an IBM ThinkPad bought secondhand - it's hard to argue with him.

Andrew Brown is author of 'The Darwin Wars' and is currently writing a book about unravelling the genome of the nematode worm

*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*