Shaken trust

I spent fifteen years running the IT infrastructure for a relatively large (1600+ student) school, so I understand that it can be a really thankless task. Because of this, I have done what I can to work with my kids’ school and their device policies. I trust that the people in the school are doing things with the best intentions, but earlier this month my trust in the school was severely shaken when I discovered that my son’s laptop had been compromised… by the school’s IT vendor!

To give some background, when my second daughter moved up to secondary school (the Irish equivalent of junior high and high school combined) a few years ago, hers was the first class to be asked to buy laptops that would be used in place of physical books. The school was very specific that the laptops be a certain model and have a specific version of Windows installed on them. An opportunity was provided to buy the laptops through Wriggle, an Irish IT company that the school used to manage this process. Wriggle sweetened the pot by offering three years of support and promising that the laptops would be securely locked down so students wouldn’t be able to access inappropriate websites, etc.

The thing is, I am not going to entrust my children’s IT security to random third parties. While I’m sure that Wriggle provides a useful service for the vast majority of the population, it’s not useful for me, and I really appreciate that the school didn’t mandate buying the laptop through Wriggle. I bought the laptop externally with the required version of Windows and allowed the school to install MS Office and their ebook software onto it. I then joined the laptop to my Microsoft Family Safety account, and set up screen time limits and sane web security and application limits. This worked fine for the last couple of years. The laptop ran into the usual Windows problems, but nothing out of the ordinary, and was reliable enough for my daughter to get her classwork done.

Last September, my son started secondary school and I went through the same process again. This time the spec was for a much nicer system, and, once again, I purchased the laptop externally, joined it to my Microsoft Family Safety account, and set up all the necessary security configuration before sending him to school to have them install MS Office and their ebook software. I never heard any complaints, so I assumed everything was fine.

At some point earlier this month, I noticed that I hadn’t received any of the Microsoft Family Safety emails for my son’s laptop in months, so I decided to take a look at his laptop. Imagine my surprise when I went to the login screen to see two users, his own and a… wriggle24 user? No, make that a wriggle24 administrator?! He then logged into his account and a message popped up saying that Microsoft Family Safety was disabled due to the group policies put in place by the administrator. And, to top it off, TeamViewer (a remote access tool, commonly used for support) had been installed! In other words, a new admin had been created on the laptop, all of the restrictions that I had set up had been disabled, and remote access to the laptop had been set up, all without my knowledge!

Now, I do want to be clear that I don’t think this was done maliciously by either the school or Wriggle. My suspicion is that Wriggle has provided the school with a script of some kind and said that if anyone’s laptop wasn’t set up correctly, they should just run the script. This is entirely legitimate… if the laptop is managed by Wriggle. The failure here is that Wriggle took control of my son’s laptop, even though his was not a Wriggle-managed laptop. This is a major breach of trust! I intentionally purchased the laptop outside of Wriggle to ensure that I had control, and that control was usurped without my consent. Even worse, this was done without even informing me!

This was completely unacceptable, so I informed the school that I was re-establishing control of both of my kids’ laptops, and then took the somewhat extreme step of wiping Windows and installing Fedora Silverblue on them instead. It turns out that the school’s ebooks are all available online, so my kids are using the online versions of the books. And the MS Office web applications work just as well as the Windows versions, so they haven’t had any document compatibility issues. Aside from the learning curve that comes with switching from Windows to Fedora, there have been two main issues:

  1. Flatpaks and printing. Why is it so hard? Chrome is unable to print anything, so the kids are having to “Save to PDF” and then print the PDF using document viewer.
  2. My son gets homework in the form of a PDF that he’s supposed to fill in using the laptop’s digitizer. I started him with Inkscape, but its UI is really complex and he’s looking for something as simple as MS Paint. There are plenty of simpler offerings out there on Flathub, but the main feature he’s looking for is that the eraser restores the original PDF rather than leaving a white background, and none of the simple options offer that functionality.

So what have I taken away from this? First, Wriggle needs to have safeguards against taking control of devices not purchased through them. There should be no way that their configuration ends up on a laptop not purchased through them, if for no other business reason than it’s not in their interest to waste their resources supporting non-Wriggle devices.

Second, schools need to think carefully about how they provide student hardware. While I completely understand the desire for standardized hardware, there’s a danger of conflict of interest in pushing parents to purchase hardware through the same vendor that provisions the software required for the school. If nothing else, they need to ensure that there’s a process for getting the school’s required software onto laptops not purchased through the hardware vendor without giving control of the laptop to the hardware vendor.

Finally, as a parent, I will not be allowing the school or its proxies to manage my kids’ laptops. When my last child reaches secondary school, his laptop will have Fedora on it from the first day, and, if that requires more work on my side to ensure it does what he needs, that’s a small price to pay for the peace of mind.

Questions or comments, please reply on Bluesky.

Updating your HP BIOS in 256 easy(ish)(not really) steps

Have you tried turning it off and on again?

In case you can’t tell by the title of this post, I’m… mildly… annoyed with HP right now. The story starts with my just-over-a-year-old HP Pavilion laptop that has been having problems with its power brick.

While I was at work on Monday, the laptop started running on battery power even when it was plugged in, but when I got home, everything worked perfectly. I assumed it had something to do with the power at work, and wondered whether it might even be firmware related. I looked through the newest BIOS’s changelog, and, sure enough, there was something mentioned about power and charging, so I downloaded it and updated my BIOS.

At least, that’s what I would have done if I was running Windows. Unfortunately for me, I’m not. I don’t even have a dual-boot system because I haven’t really needed Windows for years, and, when I do, a VM does the job just fine.

The only BIOS update HP offers is a Windows exe file, so I downloaded it, and ran cabextract to get the files off it. The tool lshw told me that my motherboard was an 0820D, and the zip contained a file called 0820DF45.bin (the BIOS revision is F.45), so I had everything I needed. I put the bin file on a USB, rebooted into HP’s recovery tools, and then went to firmware management, selected the bin file… and fail! It sat there telling me that I need a signature file for the firmware.
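The board-to-file matching described above, as an added shell example that is not part of the original post: after cabextract has unpacked the updater, it picks the image named for your board id, reads the revision out of the file name (0820DF45.bin is board 0820D, revision F.45), and reports whether a signature file sits beside it. The `.sig` extension is my assumption; the post only says the recovery tool wanted “a signature file”. On Linux the board id is also readable without root from /sys/class/dmi/id/board_name.

```shell
# Report the BIOS image(s) and signature status for one board id.
# Usage: find_hp_bios <extracted-dir> <board-id>   e.g. find_hp_bios ./bios 0820D
# Prints: <path> <revision> signed|unsigned  (one line per matching image)
find_hp_bios() {
  dir=$1
  board=$2
  # HP names the image <board><revision>.bin, e.g. 0820DF45.bin for board 0820D rev F.45
  for f in "$dir/$board"*.bin; do
    # An unmatched glob leaves the literal pattern behind; treat that as "no image"
    [ -e "$f" ] || { echo "no BIOS image for board $board in $dir" >&2; return 1; }
    base=${f##*/}
    base=${base%.bin}
    rev=${base#"$board"}
    # Re-insert the dot HP's changelog uses: F45 -> F.45
    rev_dotted=$(printf '%s' "$rev" | sed 's/^\(.\)\(..\)$/\1.\2/')
    # Assumption: the signature the recovery tool wants is <image>.sig next to the image
    sig="${f%.bin}.sig"
    if [ -e "$sig" ]; then status=signed; else status=unsigned; fi
    printf '%s %s %s\n' "$f" "$rev_dotted" "$status"
  done
}
```

An "unsigned" result is exactly the state the post hit: the image is there but the recovery tool will refuse it, so check this before rebooting rather than after.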

So I searched for the signature file, but it wasn’t in the exe. I googled for it, and found a lot of people who seem to be in the same boat. One suggestion was to run the exe on a Windows system and select the “Put BIOS update on USB” option. Sounded easy enough, so I booted my Windows VM, ran the exe, accepted the stupid EULA (I’m pretty sure I saw something in the forty-third paragraph about dancing on one leg while balancing a cupcake on my nose), installed the BIOS updater, and… nothing. After twenty seconds or so, a message popped up, “This program might not have installed correctly. Install using compatibility settings?” Yeah, thanks. After multiple attempts at different compatibility settings… still nothing.

I googled around a bit more, and found a 2GB HP USB image that you can use to recover your BIOS if it gets corrupted. Sweet! I downloaded it, and several hours later, I found out it only has the original BIOS revision (complete with a signature file!), but not my latest update!

At this point, I was desperate. My final hope was to figure out some way to boot my laptop into Windows. I have a 500GB SSD with a grand total of 30GB free, so that wasn’t an option. What about a Live USB? I mean, Linux distributions have had Live CDs and USBs forever, so it must just work in Windows, right?

Nope. Not unless you have Windows 10 Enterprise with its Windows To Go feature. Luckily, the guys over at Hasleo software have created a nifty little tool called WinToUSB that does the same thing. I copied my VM image over to a USB, booted from it, and ran the BIOS update.

It worked perfectly and even offered to put the BIOS update on a USB! It seems that HP, in their infinite wisdom, have designed the updater so it refuses to start unless you’re on an HP machine.

To add insult to injury, all the updater does is copy the BIOS bin file and its signature onto the EFI partition, where it gets updated after a reboot. As far as I can tell, the signature file is generated on the fly by the updater, which begs the question… Why? Why generate the signature on the fly, rather than just stick it in the embedded CAB file with the BIOS images? Why require an HP system to generate a USB image containing the BIOS update? Why require your users to dance on one foot while balancing a cupcake on their nose?

And, as further insult (or maybe we’re back to injury), the BIOS update didn’t fix my charging problem, and it turns out that my just-out-of-warranty power brick is dying. Thanks, HP. You guys rock! After three HP laptops in a row, I think it may be time for a change.

Picture of burning laptop by secumem, used under a CC BY-SA 3.0 license