2007-04-18

MS EFS and Vista security *features*

Everybody and their brother have commented on the chatty-ness on MS Vista. My one note on this is that the administrative dialog that appears whenever any one accesses an item that requires administrative privileges is that the solution is a dialog level. This is similar to debians DPKG prompt level setting which sets the dialogs between only serious messages (something which has the capacity to brick the computer if not answered) to trivial (Everything, no matter how trivial.)

Microsoft’s choice to do this method of alerting users is pointless clutter. It trains the user to press "OK" on everything, which is a terrible idea that is the root cause behavior to the MS in security problem. This behavior is caused by how they are handling authentication tokens. A second token is created carrying administrative privileges and adds to the users current authentication token for the purpose of using administrative functions.

We all some times say something like "... "What they ought to have done is ..." I remember saying it a lot in middle and high school, hence my concern about saying it too often. But creating a utility witch catalogs all apps, control panels requiring admin privileges which limits its access to the rest of the system. Take for instance an old version of a children’s learning software. Many schools must run the software from the server and it requires admin privileges to run. why not put it in a root jail?

The dirty solution is to use MS's virtualization software to run it on a virtual machine. Which is inelegant but it works I guess.

*SIGH*

On another note, I got some more information on MS's Bit blocker.

Bit blocker uses ether Microsoft’s TPM (Trusted Platform Module) to store an encryption key to unlock the disk at boot time.
Alternatively you can use a USB key drive to store the key. What this does is prevent some one from yanking the hard drive and digging out your data. The info is fair game once it is started, but you have server 2003 and Vista's security to contend with at that point.

Bit blocker creates a backup key when you setup the disk so that’s your only alternative if you lose the login key.
EFS which is encrypted files on the NTFS file system are encrypted with the users personal certificate AND their local administrator (if a stand alone machine) or the network administrators certificate (if in a domain). Given the reports that The federal government required MS to include keys for their own use I wouldn't put it past them to have included that too though I don’t have any evidence confirming my suspicions.

Bit blocker seems like a neat idea, it relies on the physical security of the TPM or a USB keychain. Another layer of security for physical protection cant hurt I guess. EFS I find useful only for keeping small children out of files they ought not be seeing. It has way too much big brother entwined within it to be of use to me.

Neocrypt or GPG or anything else for that matter is still the best option for WINTEL data security in my book.

2007-04-15

Solaris

So, you've just received your gratis Solaris 10 DVD set and you already know that your hardware works and has basic drivers because you used the
Hardware Check Tool ISO. However, the DVD boots but ends up complaining -- ERROR: The disc you insterted is not a Solaris OS CD/DVD?! Try setting the DVD drive as the slave drive on the main ATA channel with the HDD. It should boot and install fine then.

Target: ECS/PC Chips M963GV mobo w/ SiS 551GX/964L chipset and a 2.8GHz HT P4.

EDIT/UPDATE:

Now that it's installed and booted, you want to move the drive back to the secondary ATA channel, so each drive can have a channel to itself. The problem is that Solaris maintains a hard-set device map. Once booted to the install with the drive back on the secondary channel, a quick run of prtconf from a root terminal shows that ide, instance #1 (driver not attached), drat! With a bit of help from Google and a good blog at blogs.sun.com called PotstickerGuru, we get the command called devfsadm that will allow us to rebuild the device map. So issue devfsadm -r / from that root session, run prtconf again and the second channel should have been recognized and now show ide, instance #1 / sd, instance #1. Reboot, and the drive will be recognized and functional. Now we can stick in a CD-RW with the sfe driver for the SiS900 Fast-Ethernet chip and finally get the system online.

2007-04-06

We've moved - Kinda

I went ahead and switched our content the domain name that the HiR crew already had (http://www.h-i-r.net). Same people. Same content. New location!

2007-04-02

Kansas City 2600 Meeting this Friday! Join us!

Join the HiR crew in the food court at Oak Park Mall this Friday for the monthly 2600 meeting. We're open to discussing all things technological, and some things philosophical. We usually arrive sometime around 5:00PM. When you see a bunch of guys with black T-shirts and laptops, you've found us.