My son has a downloaded copy of Ubuntu that he uses to "break" into my computer, bypassing Vista. I have two questions:
Can this damage my computer or corrupt my files? (I have lots of pictures)
Is there a way for me to block this disc from working as there are strict rules in our house for usage time on the computer and time limits?
This issue has come up on a couple SE forums already, so most of this is going to just be echoing my existing answers.
How can I prevent someone from accessing a Windows XP system via boot disk?
How to secure my Windows 7 PC?
A couple of fairly major issues exist here, which are really working against you:
Regarding physical access to the computer:
As security compromises of a PC go, physical access is perhaps by far the worst kind. Once an attacker (in this case, your son) literally has their hands on your computer, most other security methods in place are easily circumvented. That said, here's what you can do to prevent or hinder these attacks from affecting your system.
Also, for the first part of your question:
Can this damage my computer or corrupt my files? (I have lots of pictures)
Using a boot disk generally does not pose any inherent risks to your system's integrity. However, at this point your data is at the mercy of whomever is at the keyboard. If the system can be booted from removable media, whole-disk encryption may protect the data from being read or modified but it cannot protect the hard drive from being completely wiped if the attacker intends to do so.
Your best defenses here would be to follow the steps above as far as they are practical for you, and make sure it is understood that your rules will be strictly enforced with stiff penalties.
Your "strict rules" aren't very strict if you can't enforce them. I would suggest, depending on the age of your son, that you start enforcing your rules by attaching consequences to breaking them. You might look at options such as taking away his allowance or driving privileges, taking away his cellphone (or not paying for his access), or grounding him. The problem is not a computer problem or even a security problem: the problem is behavioral, and if he refuses to obey you he clearly does not respect you. Unless this is a joke or a game, he is headed for trouble as he grows older.
It shouldn't corrupt your files nor damage the computer - however there is always the possibility that file corruption could occur - hence the need for good backups always.
Change the BIOS so that it only boots from the hard disk and not CDs or USB sticks and enforce this restriction with a BIOS password.
To be honest I would say that your son will likely to be able to get around that.
As others have mentioned, you can make it harder for your son to boot a live CD by using a BIOS password, boot order and so on. Using a BIOS password has the added advantage that if he does clear it you will know next time you start the computer.
If you need to make sure he can't look at your files on the computer then the only way to be certain of that is to use disk encryption (such as TrueCrypt).
I hope I don't sound flippant, but have you let your son know you are aware of what he does and you'd like it to stop?
An old quote from computer security professionals I know is, "Once someone has physical access to your computer, it is no longer your computer." If you do not want someone using your computer, I would suggest some kind of physical access control.
At the risk of stating the obvious, confiscate the livecd and put blank cds in a locked cabinet. If he does a USB drive install, talk to the kid. Pull the "I'm disapointed in you" card. You don't want the kid running around using the computer from a livecd and letting him get the impression it's okay. If he wants, he could format the hard drive and install Ubuntu, accidentally or otherwise, easy to do on a livecd. That would leave you with all your data gone and stuck with an unfamiliar operating system. You don't want to give your kid power like that. If the kid is this tech savvy, back up the computer. That will limit the damage that can be done. Put the computer in a locked cabinet is a good suggestion, do that. But its only a matter of time until your kid finds some other way around it. Talk to the kid and try to work something out, tell him that you are worried by him getting around the walls you've set up for him and that its only a matter of time before he messes something up and gets in trouble with the whole family. You also might want to consider getting a cheap refurbished computer for him as a Christmas of birthday gift. If he can mess up his own computer and learn the consequences of his actions self-sufficently, then he doesn't need to put all of your data and the computer at risk.
Being a 'break' specialist during my time as a kid with computer restrictions, I would recommend that you actually lock away a part of the system. Something like the power cord or the mouse.
My father had this nifty trick he would use to prevent me from using the computer: He would pull out the HDD and lock it in the cupboard. Never was able to bypass that.
No, a live cd, and a live sessions can't damage your computer. But on the other hand you should be aware of the fact that via a live cd of Ubuntu, with some knowlegde, your computer privacy and even your computer security is at risk. But playing around with a live cd with good intentions, nothing is at risk.
sounds like your son is more tech-savvy than you ... not a good position to be in.
you have various options, ranging from simple to relatively complicated (also varying in effectiveness). before we begin, pls note that there are several reasons you should be slightly alarmed at the easy access yoru son has to your system. whether the ubuntu CD corrupts your system or not (i suspect it won't, but ya never know), if he is able to get admin access, he can then boot the machine, log in as administrator, & do whatever the hell he wants (eg, install questionable software). he might even install malware (by accident or otherwise), due to curiosity, desire to retain admin rights (i.e., backdoor of some sort), or some other motivation.
the "best" solution really depends on a lot of factors, so to maintain brevity, I'll give the "best" answer from a comprehensive standpoint: use FDE software like BitLocker, TrueCrypt, or whatever, to encrypt entire disk, requiring authentication to boot. If BitLocker, enable TPM in BIOS. Set primary HDD as first device in boot sequence. Password protect BIOS.
the advantage of above is it protects more than just your son running circles around you from a security standpoint. It also protects all your data in the event your machine is stolen (a nice bonus).
also:
talk to your son & advise him that he betrayed your trust. then, create a non-admin account for him to use, and give him a second chance. see what you did there? you've told him that his behavior was bad, but then entrusted him your machine to use responsibly, making him a stakeholder in the security of your machine (as he presumably won't want to betray your trust a second time). the good thing is the account is limited, acting as a sandbox of other user accounts, the operating system files, etc. (note: only do this if this is your machine, not your employer's). if done properly, this won't discourage his curiosity, will make him more responsible, making it a "win-win" scenario.
that's my advice ... but use your best judgment.
You can set the BIOS to not boot from CD and put a password on it, but he will still be able to reset BIOS if he has physical access. If he boots into a livecd, he can practically do anything to the files if your drive(s) are not encrypted. Figuratively speaking, you can't ever completely restrict his access to the computer, but there are many things you can do, like stated above.
Well I guess a little security is better than none. So this what i think can be done Get to your SECURITY settings under BIOS and put in an BIOS administrator password.
Under the boot options make sure booting from CD/DVD ROM drive is unchecked, if it is a matter of order make sure it is at the bottom.
But you should also make sure that you uncheck booting from USB because it is also possible to boot from a USB flash drive that has been configured.
If you need more advise on how to do that I would appreciate your reply.
You ever watch Ferris Bueller's Day Off? "nuff said. Kids are kids, they do stuff.
With that being said, the issue is your enforcement of your rules under your own authority.
On the other hand, got to admit that your kid sounds pretty smart and resourceful and came up with a creative solution to gain his computer access - kinda like something I would have done back in the day. lol - in fact I did. Back in my day the computer was an IBM PC XT and I figured out a low-tek way to gain access to the BBS boards on dial-up - I went to the local hardware supply store at the age of 13 and purchased an extra long telephone cord and used that to connect the phone line from kitchen all of the way into the living room and sneaked the internet using free AOL dialup time cards.
Have you sat down and discussed with your kid as a family what his intentions are in utilizing a live-cd to bypass any current restrictions placed on the computer? Have you set clear boundaries with constructive and consistent positive reinforcement methods for behavioral modification? (negative reinforcement ie punishment is less effective than positive reinforcement - give incentives that reward acceptable behavior within social norms.)
Restrict physical access by removing a key piece of hardware like the power-cord and keyboard. Remove the CD-ROM drive from the computer (do you really need access to it) and disable the USB boot and CD-ROM boot in the BIOS and password the BIOS. See if that effectively solves your problem and monitor the situation.
You could also resort to relocating the computer to a more public or private arena of the house, depending on what would be more effective. Use a "nanny cam" scenario that secretly records any future computer usage may also give you some peace of mind.
You could remove the power cable to the computer and unplug the router, severing power to the computer and access to the Internet. This would limit the child's use of the computer unless they figured out that a replacement power cable costs a couple dollars, which they could use to restore power and connectivity.
It appears that any technical barriers that you put up may be circumvented faster than you can implement new ones.
Any further advice would wander into the realm of parenting advice. This isn't really about the computer. It sounds like it's about trust and boundaries.
I realize this thread is a little old but I'd like to toss in a couple suggestions. The comments about configuring the boot order in BIOS so that the computer will not boot from CD/DVD or USB are right on. So is the suggestion to password protect the BIOS. I would add that if your BIOS has the option, turn on the Chassis Intrusion feature which will alert you if the covers have been taken off of the computer.
Regarding the encryption of files and the disk, if you are using a Professional version of Windows then you can use EFS to encrypt files, however you need an Ultimate version to encrypt the whole disk. The other options, as mentioned, are PGP or Trucrypt. The danger is that you might lose access to the files yourself. In the case of EFS and BitLocker(Windows Vista and 7 ultimate) you will be provided a key for the encryption. Save the key somewhere besides your computer. Burn it to a CD or use a USB. The reason is that EFS and Bitlocker are tied to your password. If your son happens to reset your password then he will cause all of your encrypted files to be inaccessible.
As far as allowing this behavior...violating the security of a protected computer, which is essentially ANY computer, is a felony offense. While this may not apply to a computer in your house it will apply to any other computer. A felony offense will prevent him from ever having a computer job and any other well paying job. There are many juvenile hackers who have discovered this. Schools are becoming much more proactive at detecting and preventing this kind of behavior. My point is, you are helping him by preventing this behavior, not harming his creative abilities. There are ways to learn Ethical Hacking that are legit but if he has had problems with law enforcement he may not be accepted into a college IT program.
If I was your son, the ONLY way to prevent booting from a DVD is to physically remove the drive. (google DVD drive replacement and your laptop's model number. It's usually just a few screws to get to it and takes about 30 seconds. Keep the drive in your car locked and check it daily, or just leave at your office)
Even if you put a BIOS password on it I would clear it.
The only other issue with this is the USB ports/SD Card slot.
If he was to create a USB bootable drive he would still be able to boot that, however you would physically see the USB drive plugged in, OR he could do the same thing on an SD card which you would have to physically look into the SD card slot.
Regardless of disk encrypting and attempts of physical security it sounds like your son is already one of us (security minded engineer) since physical access is the killer to all security measures you may want to just buy a cheap computer or laptop off of craigslist or ebay and have it be theirs. To limit time on their machine, take the power cord (and battery as well if a laptop) when you don't want them using the machine.
If you want to limit what they can access online then buy a decent router and block traffic on that level. Change the password to administer the router to something EXTREMELY random like "!S!@$#wf¥V║e@f#f3#$f3" and check every week that he didn't reset the router back to defaults to overcome this. (If I was your son I might just leech access off of one of the neighbors, so again there is a way around almost everything.) to get really secure on online access pull their wifi card so they have to be physically connected with the onboard network card and keep an eye open for a USB wifi adapter that he might sneak on onto it to try to bypass that security measure.
Depending on your son's age and moral values he has the potential to become a good producer in a modern society, please don't hold them back since most introverts tend to hold a grudge he will remember how you treat him on this issue. Give them their own computer and chances are if he's that bright with electronics have them help find and buy a broken system (together) for pennies on the dollar and rebuild it, your son might just suprise you and start a side business repairing machines while hopefully staying out of trouble.
good luck, and I hope my son (who is 2 years old right now) grows up to become like your son, which is coincidently similar to how I grew up.
By the way, when I was grounded as a kid the only way my parents could keep me off my computer was to take ALL of the cords, since I bought a few spare cords as well I would still bypass this security measure in the middle of the night or when I knew that they would be working late. Point being, with physical access all bets are off on security, it's only a matter of time to bypass it.
My apologies that I have talked about getting around every single security measure, I do this so that you don't have false hopes on keeping them out. Working in I.T.Sec isn't for everyone since it takes a certain deductive reasoning mindset, point being nothing is truly impenetrable. I'm just being accurate. And if your son had his own laptop you could always take it away from him (or if you are really upset shoot it like that father did on youtube http://youtu.be/kl1ujzRidmU )
Most home routers support time of day restrictions. This should remove most of the incentive to boot the LiveCD until you at least got home from work. If you're using PPPoE he won't be able to circumvent it without actually breaking into the router itself... which is a lot trickier than using an Ubuntu CD.
You could also lock down the PC, but it depends how techie you are. Physically lock the case, put a bios password on the machine, remove the CD, USB and network from the boot sequence. It's not foolproof, but he'd have to pick the lock and blow away your password to be able to boot the machine. The loss of your password would be evidence that he'd been breaking the rules.
(+1 to the parenting comments. Don't let this get out of hand.)
I would suggest that you install Oracle VirtualBox. It's completely free, and in my opinion one of the most amazing bits of software out there. Your son can then freely install Ubuntu (or pretty much any other operating system that will run on a PC) as a Virtual Machine (VM), which is then run from within Windows. It's very easy to install and configure.
I use it at work, as the corporate Operating System is Windows XP, but I do all my work in Linux, and it saves me the bother of setting up dual boot or whatever. It runs smootly (I would say with no noticable slowdown) on my fairly standard dual core Toshiba notebook.
This doesn't completely stop him from being able to break Windows, but it should make it a whole lot less likely!
The one question not asked is what restrictions are we talking about?
I would guess we're not talking about a local game, as there are few that would work on Windows and *nix.
There are the time limits, but I ask again what is the purpose of the time limits - so I guess we're really talking about limiting time on the internet and/or access to certain websites.
Working on that assumption (I know, the problem with assumptions...) You could do a lot of the access controls already mentione. (I do like Iszi's suggestions best), but maybe the issue is that we're not looking at the right level to add controls.
If your end goal is to limit access to the internet in general and/or certain specific sites, you may want to move up to your router's access controls and/or use a different DNS service like OpenDNS.
Most modern routers will let you enforce time limits and access restrictions based on the MAC address. This way it's based on the NIC and it doesn't matter what he boots into. There is one little footnote I should add to this option - it is possible to spoof the MAC address. Ok, there are two footnotes I should add - he could log into the router if you do not have a good password in place. For the first footnote, there are other questions that cover that issue in more depth than I have the skill to cover. As to the latter, look at Steve Gibson's Password Haystacks page and listen to the linked podcast.
Services like OpenDNS (I only mention that one in particular because that is the one I am familiar with) will let you enforce content filtering at the DNS level. Your child would have to know how to manually set up an alternate DNS to bypass that. Not impossible, but more effort than booting up a Live CD.
Even after implementing one or both of the above suggestions, you still need to look at the parenting end of this issue. (again, back to Iszi's answer) There is no such thing as a hack-proof system - any security one person can set up, another can find a way around given time and access.
Install parental control software on the computer to restrict access to the sites, so he will get nothing interesting to do on the internet.
Well, as there were several good solutions given already, I would suggest some of the more-time-taking securities. Remove your cd-rom and/or usb port connections. Though this can be bypassed as your son can bring his own cd-rom.
