I have a friend who worked somewhere with a draconian password policy (changing every 2 weeks, long length, no overlap with old passwords, etc.). That company also had barcode scanners attached to most of their computers. He told me that a lot of people would have a barcode taped up under their desk and just point the scanner at the barcode to log in (since most scanners just sent what they scan as keyboard input).
A while back I was looking at cheap ways to automate drive imaging on an air-gapped PC. There are KVM hardware products that simulate mouse, keyboard, sometimes USB drives. I have a couple of them from that time period, the main problem is they have their own janky software that only works on Windows to run them.
It occurs to me that a barcode scanner is an adjacent idea and probably has some versatility advances. Really what they wanted was a way to send stored keystrokes from one PC to another and the barcode was just a commonly available way to do it.
Something like a USB rubber ducky (https://shop.hak5.org/products/usb-rubber-ducky) would probably work great for this use case. They market it towards pentesting but it's useful for automating general system administration as well.
I just had to reimage my girlfriend's Windows laptop, which managed to utterly corrupt its Windows install, all by itself, to the point it couldn't even reset itself.
For some ungodly reason, this personal laptop to be used for watching Netflix had BitLocker turned on by default. 48 digit keys are obscene. It was so painful to try any triage or repair step because every single reset would require typing in all 48 digits. It's so stupid.
Meanwhile, what wasn't turned on automatically? System restore. God forbid you set aside 20 GB for a chance at recovery. I had to reinstall from raw Windows installer. Now the speakers don't work, because Asus doesn't acknowledge that they've even sold this model of laptop, only showing drivers for the version of the laptop with an OLED screen, which uses a different wifi chipset and audio chipset, so it keeps trying to stomp over the drivers!
Microsoft actually has a driver updater with windows update that downloads and installs not just basic drivers but also OEM crapware onto your PC. It is on by default.
I know this because I had a PC where Microsoft insisted on installing a broken GPU driver that left me with nothing but a black screen. I had to install windows on that PC with it disconnected from the internet because if Windows Update merely got wind of the driver existing it would insist on downloading and installing it even after disabling driver updates.
It seems like the disable option is hidden in the advanced tab of the ancient computer properties dialog, I can't remember seeing it in the mess of new settings menus but those change all the time so I don't really bother learning them anyway.
Also anyone who's plugged in a Razer product has seen the driver download mechanism in action. Razer drivers include the installer for their Synapse software so you get the installer prompt when plugging one in.
As annoying as I think it is that they let the hardware manufacturers include software like that in the bundles uploaded to Windows Update, I wouldn't be surprised if they're actually offering the experience most people expect (the software is a part of the product's whole feature set after all).
IIRC SDIO sources drivers from various motherboard, peripheral, and prebuilt/laptop vendors (not always the same company that made your laptop!), and does not always pick the latest/best version or the right driver for a peripheral. Personally I use it when I can't find a driver myself, and it often finds a working driver (but possibly not always).
Why would Microsoft prioritize silly features like auto discovery of hardware and installing the drivers when they could put that time towards more meaningful features? For example, more ads, making the system settings menu worse, more Bing AI features, etc.
Okay so uh, I tried this tool. It seemed awesome. Except out of the 30ish drivers it installed, several of them were entirely wrong and not needed, to the point that they made boot up hang as multiple drivers waiting on each other crashed and failed and windows finally killed them.
It didn't even install the missing/incorrect driver! Asus's nagware that got autoinstalled by windows update managed to install the correct one, which is insane because I feel like I installed 5 different versions of the exact driver Asus asked to install while troubleshooting and there was zero sound each time. WTF.
Anyway, that app is way too aggressive. It's just throwing Hardware IDs against some list and installing whatever it finds and that's not how Hardware IDs can work in practice.
BTW YubiKeys can be programmed to input passwords by simulating a keyboard. Some mice and keyboards can also be programmed with macros stored in onboard memory. (e.g. A4Tech mice)
Pretty interesting solution. At least it removes many of the errors stemming from reading keys over the phone, etc., but it also proclaims to remove the risk of distributing BitLocker keys - but that's precisely what they did - just in barcode form.
The obfuscation might prevent the intern from figuring out what is going on, but there are plenty of barcode-scanning apps for phones that show you the data stored in a barcode.
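Added example, not part of the thread or of the article it discusses: a structural check for a transcribed BitLocker recovery password, which catches the read-over-the-phone errors mentioned above before the value is typed or turned into a barcode. It relies on the documented format (eight groups of six digits, each a multiple of 11 and below 720896); the function names and the sample value are constructed for illustration.

```python
import re

GROUPS = 8
LIMIT = 65536 * 11  # each group is a 16-bit word times 11, so below 720896

def check_recovery_password(text):
    """Return [(group_number, reason)] for a transcribed recovery password.

    An empty list means the text is well-formed; group 0 marks a wrong
    group count. This checks structure only, not that the key fits a volume.
    """
    groups = [g for g in re.split(r"[\s-]+", text.strip()) if g]
    if len(groups) != GROUPS:
        return [(0, f"expected {GROUPS} groups, got {len(groups)}")]
    problems = []
    for number, group in enumerate(groups, start=1):
        if not re.fullmatch(r"[0-9]{6}", group):
            problems.append((number, "not six digits"))
        elif int(group) % 11:
            # Any single wrong digit, or two adjacent digits swapped,
            # changes the value by a non-multiple of 11 and lands here.
            problems.append((number, "not a multiple of 11"))
        elif int(group) >= LIMIT:
            problems.append((number, "out of range"))
    return problems

def encode_words(words):
    """Build a well-formed password from eight 16-bit words (test data only)."""
    return "-".join(f"{w * 11:06d}" for w in words)

# Constructed sample, not a real key.
SAMPLE = encode_words([0x1A2B, 0x0042, 0xFFFF, 0x8000, 0x0001, 0x7C3D, 0x55AA, 0x1234])

def with_misheard_digit(password, group_number):
    """Simulate one misheard digit: bump the last digit of the given group."""
    groups = password.split("-")
    g = groups[group_number - 1]
    groups[group_number - 1] = g[:-1] + str((int(g[-1]) + 1) % 10)
    return "-".join(groups)

if __name__ == "__main__":
    print(check_recovery_password(SAMPLE))
    print(check_recovery_password(with_misheard_digit(SAMPLE, 3)))
```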
They didn't distribute the bar codes, they had people bring their laptops to IT where the IT staff used the scanner to scan the code from the screen of a machine they themselves controlled.
You're right that the article later on describes it like that but then the concerns about distributing the key or dictating it over the phone don't make sense.
Because then you'd need to mail out these USB keys and hope that they don't go missing or are misused before IT can force a key rotation. Also the time involved in buying and creating the USB keys for all remote employees. Just have everyone bring their laptop to the closest office, IT can scan the key off their machine for the laptop, and now they can quickly delete the offending CrowdStrike files. If you mailed them out, employees would still need to be walked through on deleting the files and would need the right access to do so.
If you have 5 IT workers processing 200 remote employees at each office and the resolution takes only 5 minutes, you can get the work done in 3 hours. Building USB keys and waiting for them to be mailed out for every employee probably takes longer than it took to write the basic barcode script.
> How can you rotate the bitlocker key? I was under the impression that it’s permanent.
The actual key is not changeable, but the "recovery key" is not actually the key (or a representation of it) but is another password that unlocks the actual key. As already mentioned, this can be done in one click on an admin console, and even on personal systems you could change it (even to all zeroes if you're stupid enough) using the manage-bde command-line program.
> Woltz is pleased that his idea translated into a swift recovery, but also a little regretful he didn't think of using QR codes – they could have encoded sufficient data to automate the entire remediation process.
I don't follow this, what could they have done with QR codes?
I used to work in an archive, and the Symbol LS2208 was a pretty great scanner. The model is also old enough that you can find them branded Symbol, Motorola, and Zebra.
I had my own cheat sheet to reprogram it, e.g. changing the final character to tab or enter, scan on trigger press or always scan. It struggled a little with black barcodes on navy blue labels, but that's a terrible idea anyway.