BOFH: For one ambitious security type, chaos is a ladder
#Cybersecurity

Hardware Reporter

The BOFH returns with a fresh batch of overconfident Security hires, a suspiciously brand-new PC under his arm, and a recovery partition that has plans of its own. A reminder that the most dangerous payload in any office runs on social engineering, not silicon.

There is a particular kind of hardware story that never shows up in a spec sheet, and Simon Travaglia's latest BOFH episode is built entirely around it. The machine at the center of this one isn't notable for its core count or its memory bandwidth. It's notable for being a Trojan horse with stickers still on the chassis, and for what it teaches about the difference between securing a network and understanding one.

Official BOFH logo (red rotary telephone with devil's tail and devil's horns)

The setup: a brand-new PC walks out the door

The episode opens with the BOFH carrying a PC out of the Security office under his arm, claiming he's taking it back to archive its contents and reset it to factory defaults. Company policy, he says, for when someone has been let go. And people have been let go. The previous Security team's idea of an industry-standard procedure involved endless pastries, pirated movies, and a boardroom liquor cabinet that kept mysteriously emptying until HR found the evidence in Security's own recycling bin.

Enter the new Head of Security, a keen new broom blocking the doorway. His opening moves are textbook on paper. He isolated the Security department onto a completely separate internet feed, firewalled off from the rest of the company. He started logging every piece of equipment leaving the building. On the surface, network segmentation and asset tracking are exactly what you'd want from someone serious about the job.

The problem is that none of it addresses the actual threat standing in front of him.

Why the recovery partition matters

The BOFH's stated concern is the one technical detail worth pausing on, because it's real. He warns that if malware is installed on the recovery partition, restoring the machine to factory defaults will simply reinfect it. The Head of Security waves this off, confident that a fresh image from the recovery partition equals a clean machine.

This is a genuine gap in a lot of people's mental model of how a PC restores itself. A factory reset doesn't pull a pristine image down from the manufacturer. It pulls from a partition that lives on the same drive as everything else, and that partition is just storage. On many systems it's a hidden NTFS volume, sometimes a dedicated OEM partition in the GPT layout, holding a WIM or ESD image plus the recovery environment. If an attacker can write to that volume, or swap the image it deploys, then the reset that's supposed to sanitize the machine becomes the mechanism that redeploys the payload.

The defenses that exist against this are real but uneven. UEFI Secure Boot validates the bootloader chain, and on modern hardware the recovery environment is signed. But the recovery image itself, the thing that gets laid down onto the OS partition, is not always protected with the same rigor, and an attacker with administrative access to the drive before it leaves their hands has plenty of room to operate. Firmware-level implants are the nastier cousin of this attack, surviving not just a reset but a full drive wipe, because they live in SPI flash rather than on the disk at all.
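The defensive check that follows from the two paragraphs above is a baseline-and-compare of the recovery volume, so a reset is only trusted once the image it will deploy matches a known-good manifest. This is an added example, not code from the article or from The Register; it assumes an elevated PowerShell session, that the recovery partition has been given the drive letter R: by the administrator, and a hypothetical manifest path under ProgramData.

```powershell
# Added example: verify a Windows recovery partition against a saved baseline.
# Assumes the recovery volume is mounted at R:\ by the administrator, e.g.
#   Get-Partition | Where-Object Type -eq 'Recovery' | Add-PartitionAccessPath -AccessPath 'R:\'
# Run once with -Baseline on a machine you trust, then without it before any reset.
param(
    [string]$RecoveryRoot = 'R:\',
    [string]$Manifest = "$env:ProgramData\recovery-baseline.json",   # hypothetical path
    [switch]$Baseline
)

function Get-RecoveryHashes([string]$Root) {
    # Hash every file on the volume. The WIM/ESD image and Winre.wim are the ones
    # a reset deploys, but a loader dropped anywhere on the volume matters too.
    Get-ChildItem -Path $Root -Recurse -File -Force | ForEach-Object {
        [pscustomobject]@{
            Path = $_.FullName.Substring($Root.Length)
            Hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

# Secure Boot validates the boot chain only; it says nothing about the image below.
$secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false }
Write-Host "Secure Boot enabled: $secureBoot"

$current = @(Get-RecoveryHashes $RecoveryRoot)

if ($Baseline) {
    $current | ConvertTo-Json | Set-Content -Path $Manifest
    Write-Host "Baseline written: $($current.Count) files -> $Manifest"
    return
}

$known = @{}
foreach ($e in @(Get-Content -Path $Manifest -Raw | ConvertFrom-Json)) { $known[$e.Path] = $e.Hash }

$findings = @(foreach ($f in $current) {
    if (-not $known.ContainsKey($f.Path))    { "ADDED    $($f.Path)" }
    elseif ($known[$f.Path] -ne $f.Hash)     { "MODIFIED $($f.Path)" }
})
foreach ($p in $known.Keys) {
    if (-not ($current.Path -contains $p)) { $findings += "REMOVED  $p" }
}

if ($findings.Count -gt 0) {
    $findings
    Write-Warning "Recovery volume differs from baseline; do not trust a factory reset from it"
    exit 1
}
"Recovery volume matches baseline ($($current.Count) files)"
```

A machine received from an untrusted source has no trustworthy baseline to compare against, which is the point: the manifest has to come from an image you controlled, not from the drive itself.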

None of which the Head of Security wants to hear, because he's already decided the machine looks almost new, still has its stickers, and looks fairly high end. He takes the risk. He takes the machine.

The actual exploit was never the partition

The technical misdirection is the joke. The BOFH wasn't worried about the recovery partition. He was counting on the new Security team being the kind of people who shave with Occam's razor, as he puts it, seeing someone walk out with a PC and immediately thinking office theft rather than asking whether that person brought the machine in themselves, waited for footsteps, and then made for the exit.

The shiny high-end machine was bait. A wise person, the BOFH notes, would not simply upgrade their desktop with a newer, nicer item without first scanning it, precisely because it might carry an infected OS and an infected recovery partition. A Security team jockeying for the 2IC position is not, collectively, a wise person. The PFY's machine gets its ping. The trap is sprung. Give it half an hour to trash the network, the BOFH advises, before heading downstairs to ask why all the machines in the office have gone crazy.

The homelab lesson buried in here is one every builder eventually learns the hard way. The threat model that matters is rarely the one in the datasheet. You can segment your network beautifully, log every asset, firewall yourself into a corner, and still get owned by hardware you voluntarily plugged in because it looked nice. Supply chain trust, the question of where a device has been and who had write access to it before you booted it, is the part that asset tags don't cover.

The payoff

The close is pure BOFH. The way to finish the new Head of Security isn't the trashed network alone. It's the stash of company laptops in the boot of his car as he leaves the parking basement, with the Head of HR standing right there to see it. Why does HR need to be present? Because one of those laptops is HR's own.

Chaos, as the title borrows from a certain other schemer, is a ladder. For the BOFH it has always been less a ladder than a maintenance tool, applied liberally to anyone ambitious enough to think a two-minute phone call and a firewall rule make them competent. The new broom swept in confident he was up to date with IT security and the like. He was up to date on the controls. He was nowhere near up to date on the person handing him the hardware.

You can read the full episode and the rest of the long-running series over at The Register's BOFH archive, where the body count among IT middle management continues its steady climb.
