

School's Laptop Spying Software Exploitable from Anywhere - adg001
http://www.freedom-to-tinker.com/blog/jhalderm/schools-laptop-spying-software-exploitable-anywhere

======
ErrantX
This is an excellent piece in the first place. But the following quote (from
towards the end of the article):

 _Remote administration products like Absolute Manage carry large risks
because they intentionally create a mechanism for a remote third party to take
control of the machine. This can be powerful in the right hands but
devastating if exploited by attackers. There will always be a risk of abuse by
authorized parties, as alleged in the students' lawsuit against Lower Merion
School District, but correctly designed technology should at least prevent
unauthorized third-party attacks by making sure only authorized parties can
issue commands. This requires getting authentication right--exactly what
Absolute Manage failed to do._

is superb.

------
ZachPruckowski
"since the same, easy-to-discover key is used in every client"

OH, COME ON! Seriously? Like even beyond some external attacker, if the key is
the same on every client, students could wreak havoc pretty easily if they
find it. That's like setting every locker in the school to the same combo and
hoping no one notices.

"If the attacker knows the IP address of the server a client is trying to
contact, he can just impersonate a freshly-booted client and ask the server to
send him the correct SeedValue."

OK, no. If you have to have it like this, at least install the SeedValue when
you set up the computer.

"If the server is unreachable from outside the firewall, clients that are
rebooted away from the local network will be unable to obtain a SeedValue. In
this situation, the clients insecurely default to accepting arbitrary commands
without even the protection of a SeedValue."

:HeadDesk:

~~~
nooneelse
I have invented a new metal for locks. It is impervious to all attempts to cut
or melt it... unless you wrap it in aluminum foil, in which case, it behaves
just like butter.
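
An added illustration, not code from the article or from the Absolute Manage product: a toy Python model of the two failure modes quoted in the comment above (one static key shared by every client, and fail-open acceptance of commands when no SeedValue was obtained), next to a fail-closed variant that keys each device individually at enrolment. The class names, `provision_device_key`, `authorize_command` and the shape of the command/tag exchange are all constructed assumptions for this example; nothing here describes the real protocol.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder standing in for "the same key in every client".
SHARED_STATIC_KEY = b"same-key-baked-into-every-client"


def authorize_command(key: bytes, command: bytes) -> bytes:
    """Server side (hypothetical): tag a command with an HMAC under `key`."""
    return hmac.new(key, command, hashlib.sha256).digest()


class FailOpenClient:
    """Models the quoted flaws: shared key, and a missing seed means 'accept anything'."""

    def __init__(self, seed=None):
        # In the quoted design the seed is fetched from the server after boot;
        # a client that cannot reach the server ends up with seed=None.
        self.seed = seed

    def accepts(self, command: bytes, tag: bytes) -> bool:
        if self.seed is None:
            return True  # fail-open: no seed, so any command is run unverified
        key = SHARED_STATIC_KEY + self.seed
        return hmac.compare_digest(authorize_command(key, command), tag)


def provision_device_key() -> bytes:
    """Hypothetical enrolment step: a fresh random key per device, installed
    when the machine is set up rather than fetched over the network later."""
    return secrets.token_bytes(32)


class FailClosedClient:
    """Hardened variant: per-device key, and no key means 'reject everything'."""

    def __init__(self, device_key=None):
        self.device_key = device_key

    def accepts(self, command: bytes, tag: bytes) -> bool:
        if not self.device_key:
            return False  # fail-closed: unprovisioned client runs nothing
        return hmac.compare_digest(authorize_command(self.device_key, command), tag)


def demo() -> dict:
    """Exercise both models with constructed inputs and return the outcomes."""
    garbage_tag = b"\x00" * 32
    key_a = provision_device_key()
    key_b = provision_device_key()
    cmd = b"collect-inventory"
    return {
        # The flaw: an offline fail-open client runs an unauthenticated command.
        "fail_open_runs_unsigned": FailOpenClient(seed=None).accepts(cmd, garbage_tag),
        # The fix: an unprovisioned fail-closed client refuses the same input.
        "fail_closed_refuses_unsigned": FailClosedClient(None).accepts(cmd, garbage_tag),
        # A correctly keyed command is still accepted...
        "fail_closed_accepts_own_key": FailClosedClient(key_a).accepts(
            cmd, authorize_command(key_a, cmd)),
        # ...while a tag produced under another device's key is not.
        "fail_closed_rejects_other_key": FailClosedClient(key_a).accepts(
            cmd, authorize_command(key_b, cmd)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the example makes is the one the quoted paragraphs make: the secret must be something an attacker cannot obtain by being "any client" (so per-device, installed at enrolment), and the absence of that secret must leave the client inert rather than wide open.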

------
hga
Cargo Cult Cryptography.

------
xenophanes
lol. apparently it's hard to hire competent hackers to make super evil
software?

