четверг, 19 января 2017 г., 7:08:46 UTC+3 пользователь Asterysk написал: > On Thursday, 19 January 2017 03:04:32 UTC+4, tai...@gmx.com wrote: > > As always physical access is a checkmate situation, you need to not be > > an idiot and don't leave your stuff in overseas hotel rooms or not have > > secure locks on your door. > > Unless USB port seals (e.g. > http://www.padjack.com/padjack-versions/usb-port-lock/) are put in place as > soon as the laptop is removed from the manufacturers box it is impossible to > know whether someone has installed a device that has in turn infected > firmware. A similar situation for any DMA access ports (Thunderbolt etc) > > I'm interested in being able to take a possibly infected laptop (i.e. > infected with firmware malware) and reset it to a known safe starting point. > Coreboot seems to handle the BIOS (thank you for clarification that it > completely rewrite legacy and UEFI). Replacing the HD with a new SSD should > handle that firmware attack vector. That leaves the other EEPROMS. > > I figure, if I'm going to strip down my G505S to reflash with Coreboot, I > should see what other EEPROMs I can reflash. > > Apart from the obvious RAM and SSD upgrade and possible putting switches on > peripherals, are there any other hardware mods you can suggest for the G505S. > > Having sorted out the hardware, I am then going to be looking to use Qubes to > protect against any attempts to reflash through Malware and after thats done, > I'll be looking for ways to detect that any attack is being attempted. > > All in all I think I've got about a years work ahead !
To reduce the number of "EEPROMs" you could disconnect: a touch pad, DVD drive, web camera ; Maybe also a small board with LS-9901P part number (dont confuse with LA-9901P), see its' google pictures online - and according to G505S laptop's LA-A091P motherboard datasheet (which also contains a datasheet for laptop's smaller boards) this board has a Realtek chip for card reader. By the way, you could either find out what lines of flex cable the card reader is using, and install a custom jumper on them ; or maybe get a flex cable with the same number of pins / same pitch between them , find (from datasheet?) what lines that lonely USB port is using to get to Bolton-M3 FCH, get a USB female header and solder a custom adapter which adds only a USB port to laptop (so no card reader chip). Probably the hardest thing to do is to disconnect a web camera - you will need to tear down a screen which is quite risky. BTW screen also contains the internal reprogrammable memory (e.g. for storing EDID), and a malicious firmware could cause screen to transfer information through electromagnetic impulses (TEMPEST? - http://www.surasoft.com/articles/tempest.php ) Actually it is possible to remove a motherboard with CPU, CPU Fan, Heatsink, Power Jack Wire, and Power Button Board attached (could make a custom power button adapter with huge convenient buttons!) and create a custom case for all this stuff. If you are lucky you could find someone selling a used G505S with broken screen for very cheap price, and do that. This way you avoid webcam, screen, dvd drive, touchpad, card reader chip, and internal keyboard (see below why) Maybe don't need to seal the USB ports yet: it not just seriously reducing the usability of this laptop, but also makes it impossible to connect a USB keyboard. Maybe you would prefer that, when you type, your keystrokes are going through external keyboard's USB controller, rather than through laptop's Embedded Controller KB9012 which has a closed source firmware and controls PS/2-like laptop's internal keyboard. You could make your own open hardware USB keyboard with open source firmware, and using it will be slightly safer (and slightly less convenient) than laptop's internal one Also, another possible hardware mod (not related to security) - instead of DVD drive you could install a fan for extra cooling, see http://forum.notebookreview.com/threads/10mm-5v-cooler-instead-of-laptops-dvd-slimline-sata.797064/ . Although dont know if it worth it, because some really great external USB coolers are available - https://www.aliexpress.com/item/Mini-LCD-Vacuum-USB-Cooler-Air-Extracting-Cooling-Fan-Turbo-Radiator-Low-Noise-Desgin-for-Laptop/32231641439.html -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/80b3bae1-4efe-44eb-bbe2-d45d459db4ae%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
