> Open-ended question: if you buy a used laptop from an untrusted source, > and you would like to clean it as thoroughly as possible, what is the best > way to make sure all the firmware is either factory-reset or updated to a > trustworthy state?
That depends on the motherboard. A lot of systems have a "BMC" which is, in itself, a little linux system. That needs to upgrade itself, if it refuses, you really can't. This is going to sound depressing, but the only way to know for sure is to pop the eeprom and program it with an external programmer. I have been dealing with security for well over a decade and it used to be that someone did something stupid and someone found it and exploited it. Today, every single little thing is scrutinized and any sort of perfectly reasonable expectation of "security" is nonexistent. In fact, whenever consulted, I say you can't make a secure system if a user has access to it. A user can not use a system without enough security compromises to allow a hacker to get in. All you can rely on is perimeter security. Yes, even Linux. There are two strategies: (1) go paranoid. Build your base C compiler and then build your real C compiler, then build your BIOS. Flash the bios with an external programmer. Then build your OS, and on and on. (I do know someone who has done this more than once.) (2) Do the best you can. Monitor network traffic, DNS queries, outbound socket connections, and so on. Keep a backup. There is no security. _______________________________________________ Discuss mailing list [email protected] https://lists.blu.org/mailman/listinfo/discuss
