The Paranoid PC – Part 4 – Hardware and Firmware Updates

Greetings patriots and privacy nuts:

I was going to have this be the final article, but I’m having a little trouble with the tail end, so we’re going to break it into two.

Before we begin today’s piece, just a word about common sense and OPSEC/PERSEC.  We all have our own tolerance for personal risk.  Those of us writing for TOWR accept the risk of writing with our real names and speaking out for our guiding principles and against tyranny.  We run classes that almost certainly have been infiltrated and work hard to protect the identities of our students.

That said, please have respect for those around you.  If you’re a member of your group and stick your head up, all of those affiliated with you are at risk when the metaphorical (or literal) bombs start to drop.  There is a place for bold, principled stands, and there is a time to break out the rifles and say, “no more”.  However, Facebook is not the place to telegraph your punches or reveal your capabilities.  Answering a survey of, “How does your patriot group keep in contact outside of Facebook?” is the height of foolishness.  Our adversaries, whoever you see them as, now have an area to focus on.  An article from Kit goes into this in more detail, but for now, “Know your role and shut your hole!”

On to the PC article after the jump.

Today we do a few more minor cleanup tasks on the hardware and start working on re-establishing connectivity to the outside world.

As we start, I’d like to make you aware of a free software product which, if compatible with your system, is highly desirable: Libreboot.  Sadly, our test system is incompatible.  Here’s a decent YouTube video showing the process.

Any time you’re monkeying with the firmware you’ll want to be very, very careful.  If the process goes sideways, you’re left with a brick that’s only good for parts.  I was in fact about to pull the trigger on replacing the firmware on the test machine when I double and triple checked the documentation just in time to realize that the particular model of laptop we’re testing with is incompatible.  If I’d continued, the laptop would have been worthless.

So why would we take the chance?  With Libreboot you have an open source BIOS replacement.  If there were any hidden backdoors in the manufacturer’s firmware, they would be removed.  Backdoors in the firmware are difficult to detect or mitigate.  Libreboot is only available for a limited number of laptop models.  If an open BIOS is important to you, make sure you buy one of those, being particularly aware of options such as GPU, LCD display, and so on.

Another item we discussed early on was the serial number issue.  The solution, if there is one, will vary based on manufacturer.  Buy a field tech a couple of beers and they’ll usually let you copy the tools.

Our project laptop is an IBM.  I’ll show you a couple of screenshots, but won’t go into much detail since this is model-specific.  Do your research and you’ll figure it out without a ton of trouble.

I’ve inserted the IBM Hardware Maintenance Disk and powered on the computer.  At the ThinkPad splash screen we have to hit ESC to enable read-write access to the EEPROM.


Once booted into the HMD, it’s a simple matter of going to Set System Identification, deleting the serial numbers, and replacing them with fakes.  You should probably assign a UUID as well.
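
To confirm the change took, you can check what the operating system now reads back from the firmware. The script below is an added example, not part of the original walkthrough: it assumes a Linux environment where `dmidecode` is available and that the values set in the HMD are the ones reported through DMI, and its sample input is constructed with made-up values.

```python
# Added example: audit firmware identifiers as the OS reports them via DMI.
# SAMPLE is constructed (made-up values), shaped like the output of
# `dmidecode -t system -t baseboard -t chassis` on Linux.
SAMPLE = """\
Handle 0x0010, DMI type 1, 27 bytes
System Information
\tManufacturer: IBM
\tProduct Name: EXAMPLE-MODEL
\tSerial Number: AB12345
\tUUID: 01234567-89ab-cdef-0123-456789abcdef

Handle 0x0011, DMI type 2, 8 bytes
Base Board Information
\tManufacturer: IBM
\tSerial Number: Not Available

Handle 0x0012, DMI type 3, 17 bytes
Chassis Information
\tSerial Number: AB12345
\tAsset Tag: No Asset Information
"""

ID_FIELDS = {"Serial Number", "UUID", "Asset Tag"}
# Strings firmware commonly reports when a field is empty.
PLACEHOLDERS = {"", "none", "not available", "not specified", "not present",
                "not settable", "no asset information", "no asset tag"}

def identifying_fields(text):
    """Return [(section, field, value)] for each populated identifier."""
    found, section = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("Handle"):
            continue
        if not line[0].isspace():          # unindented line = section title
            section = line.strip()
            continue
        field, sep, value = line.strip().partition(":")
        value = value.strip()
        if sep and field in ID_FIELDS and value.lower() not in PLACEHOLDERS:
            found.append((section, field, value))
    return found

def still_exposed(text, old_values):
    """Identifiers that still carry one of the pre-change values."""
    old = {v.lower() for v in old_values}
    return [f for f in identifying_fields(text) if f[2].lower() in old]

if __name__ == "__main__":
    for section, field, value in still_exposed(SAMPLE, {"AB12345"}):
        print(f"unchanged: {section} / {field} = {value}")
```

On a real machine, pass in the text captured from `dmidecode` (run as root) along with the serial numbers you wrote down before the change; an empty result means none of the old values are still reported.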


Now that our hardware is as sanitized as we can make it, let’s start taking care of the rest.

We’ll likely want some kind of network connectivity, unless we’re doing our work offline and via USB drives (which is totally valid for the ultra-secure).  We’ll achieve that via USB Ethernet or wireless adapters.  Follow the same suggested practices as for obtaining a computer – offline, pay cash, no cameras.  These devices do have MAC addresses which, again, could hypothetically be traced with enough resources by a motivated enough attacker.  They’re also a digital fingerprint which a motivated attacker with resources could follow.  If you’re ever concerned that your activities are being tracked, it’s trivial enough to dispose of a USB network device and replace it.


That completes our hardware concerns.  Next time, we’ll get Tails installed and running and call this project complete.

Author: Steve

Steve is a father of two, husband of one, devoted follower of Christ, IT guy, and jack of all trades. He's a liberty activist, blogger, gun lover, and general class radio operator. He read entirely too much Heinlein as a child and routinely fails at his attempts to become the "competent man".
