funsec mailing list archives

Re: Inmate Hackers


From: Dan White <dwhite () olp net>
Date: Mon, 11 Jan 2010 11:18:08 -0600

On 11/01/10 09:58 -0500, Justin Scott wrote:
There is a lot of content about "thin client hacking". One
of the most common ways to hack a thin client is to simply open
up "help". This is a separate program that contains links to
other programs, the command prompt, and the web browser to
the Internet.

On a related note, I've been tossed into a project where I could use some
advice.  One of my clients is hoping to put some computers in a prison for
inmates to use for specific applications (let's just say online learning for
the sake of discussion).  The plan involves putting a computer into a kiosk
style enclosure which would boot from a Debian Live CD (no hard disk in the
computer) running a customized version of Webconverger
(www.webconverger.com).  This is a custom version of Debian Live which boots
into a stripped down Mozilla web browser.  It would have a home page coded
into it and the address bar would not be available.  The boot menu is
password protected, and the keyboard would not have function keys on it.
The network layout calls for a firewall that only allows egress traffic to
certain public IP addresses where the application lives.

Any thoughts on how this could be torn to shreds by someone who really knows
what they're doing?

Find out what window manager the system is using. Find out what keyboard
shortcuts are available for that window manager.

Figure out default usernames, passwords, shells, /etc/inittab config (are
logins accepted on virtual terminals or serial port).

Are any network ports open?

What boot order is configured within the BIOS? Is PXE enabled? Is there
physical access to the network by some other means?

-- 
Dan White
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
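
Added example, not part of the original message or of Webconverger: a small audit that whoever builds the kiosk image could run against its files to answer three of the questions in the reply above (inittab logins, login-capable accounts, listening ports). It assumes a sysvinit `/etc/inittab`, shadow passwords and a little-endian host; the sample inputs are constructed.

```python
import re, socket, struct

NOLOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def inittab_logins(text):
    """(id, device) for each enabled getty line in a sysvinit /etc/inittab."""
    found = []
    for line in text.splitlines():
        f = line.strip().split(":", 3)          # id:runlevels:action:process
        if len(f) == 4 and not f[0].startswith("#") and f[2] != "off" and "getty" in f[3]:
            dev = re.search(r"\btty\w+", f[3])  # tty1 (virtual) or ttyS0 (serial)
            found.append((f[0], dev.group(0) if dev else "?"))
    return found

def login_accounts(passwd, shadow):
    """Accounts with a real shell whose shadow entry is not locked ("!" or "*")."""
    hashes = dict(l.split(":")[:2] for l in shadow.splitlines() if ":" in l)
    out = {}
    for f in (l.strip().split(":") for l in passwd.splitlines()):
        h = hashes.get(f[0], "*")
        if len(f) == 7 and f[6] not in NOLOGIN and not h.startswith(("!", "*")):
            out[f[0]] = "empty password" if h == "" else "password set"
    return out

def listeners(proc_net_tcp):
    """(ip, port) for sockets in LISTEN state (st == 0A) from /proc/net/tcp."""
    out = []
    for f in map(str.split, proc_net_tcp.splitlines()[1:]):   # skip header row
        if len(f) > 3 and f[3] == "0A":
            ip, port = f[1].split(":")          # hex, address in host byte order
            out.append((socket.inet_ntoa(struct.pack("<I", int(ip, 16))), int(port, 16)))
    return out

# Constructed sample inputs (not taken from a real Webconverger image).
INITTAB = ("1:2345:respawn:/sbin/getty 38400 tty1\n"
           "2:23:off:/sbin/getty 38400 tty2\n"
           "T1:23:respawn:/sbin/getty -L ttyS1 9600 vt100\n")
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "user:x:1000:1000:Kiosk user:/home/user:/bin/bash\n")
SHADOW = "root:*:14620:0:99999:7:::\nuser::14620:0:99999:7:::\n"
TCP = ("sl local_address rem_address st\n"      # columns trimmed for brevity
       "0: 00000000:0016 00000000:0000 0A\n"
       "1: 0100007F:0277 00000000:0000 0A\n"
       "2: 0F00000A:C350 22D8B85D:01BB 01\n")

if __name__ == "__main__":
    print(inittab_logins(INITTAB), login_accounts(PASSWD, SHADOW), listeners(TCP))
```

On a real image, pass the contents of `/etc/inittab`, `/etc/passwd`, `/etc/shadow` and `/proc/net/tcp` instead of the samples; any enabled getty, unlocked account or non-loopback listener is something to remove or justify.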

