I know that I said this was going to be a security blog, but I figured I would continue on my rant on Vista after this happened.
Ok, so there I was...
I saw on Betanews.com an article, Vista Hardware Assessment Tool Addresses Upgrade Dilemmas by Scott M. Fulton, III of Betanews, which touted a Windows XP tool to check for hardware compatibility for Vista. Curiosity got the best of me, so I downloaded it (25.5 MB). I simply wanted to see if my machine could handle Vista. Installation starts and tells me that it needs SQL Server 2005 Express and that it is going to download and install it for me. And I’m thinking (Oh great, my computer is now going to have an outdated Microsoft SQL server on my system. yay me!) I click ok, whatever. It downloads, then installs SQL Server 2005 Express, and starts to install “Windows Vista Hardware Assessment” (just a tangent, but shouldn’t there be something like “tool” or “wizard” on the end of that?) and it gets to a certain point and stops for a bit. It continues after about 10 minutes. And then stops again at about 65%. At this point I need to go to bed and I do so. I wake up the next morning to be greeted with the following screen:
Yes, it was still at around 65% and no, my computer wasn’t frozen. So I came to the conclusion that if I can’t even install the “Assessment” then my computer isn’t compatible. I also get the added treasure of a failed install of SQL Server 2005 Express. I wouldn’t suggest this tool until it gets looked at again, or some third party makes the same tool without the need of a \insert expletive here\ SQL Server.
But, that’s just my take on things, I’m just another security guy in a room with a small sign on the door that says “IT Dept”. What would I know?
jd
P.S. Richmond has tried its hand at WGA again. Check out my digg article here:
http://www.digg.com/tech_news/Windows_Genuine_Advantage_Part_2

Alright, before you start sending hate mail or posting comments on how you hate my mother for giving birth to me, bear with me.
So, Microsoft puts out their new operating system that is “A New Day”. Microsoft at the launch states that they are already “full speed ahead on SP1”. Microsoft releases that they will be releasing Vienna’s successor in 2009.
Those are the facts. Or, as I like to call them, “Time-insensitive” facts. Now time to ask you a question:
Who is Microsoft’s biggest customer?
That’s RIGHT! Big business.
Now, what am I thinking as a “Big business” executive that is looking to upgrade my infrastructure?
Right again! I am going to think that Vista has held up this long, I am going to wait for Vienna and save myself the time and money of upgrading to an OS that already has vulnerabilities that aren’t patched, “a la SP1”, that will cost me millions to deploy globally, and its server counterpart is still in beta, or, just wait for Vienna and hope for the best.
It’s a hard decision and that is why they get paid the big bucks, but come on Microsoft. The whole wow, shock and amaze factor is gone and these corporate execs are put between a rock and a hard place.
But, that’s just my take on things, I’m just another security guy in a room with a small sign on the door that says “IT Dept”. What would I know?
jd
I’m going to start this whole security thing by taking a look at the new BitLocker technology built into Vista. Before I begin, I want to specify that I am by no means an expert on BitLocker and all of my information comes from the Microsoft site and a face to face with the engineers at Launch Tour 2007. So let’s begin with requirements. You must have a modern motherboard which has a “TPM” or Trusted Platform Module. The reason I say must, is that there IS a third mode where you store your keys on a USB drive. However, if you do this, you are carrying around your keys in clear text on a USB drive. If that didn’t scare you in the least bit, then you are either a rather large individual who scares people enough for them not to want to get near you, or you don’t care about security, in which case you don’t need BitLocker.
So, now that we have the disclaimer out of the way, here is a thousand words on how BitLocker works:
Basically, your keys are stored on this TPM and are used to unlock the MFT, which has the full volume keys that unlock the rest of the drive. Cool, we’re in the clear, right?
Q1: What if I want to put the HD into another computer? The new computer’s TPM will not have the correct keys. Well, if the computer was connected and a part of an AD domain err.. I mean “tree”, then you can supposedly find those keys and “PUSH” them to the new TPM. No, the engineer did not know how to “PUSH” said keys. However you could also unlock it using a 36 hex value key. That you can write down.. on a piece of paper... that you might keep near or with your laptop...
Q2: What are the other two modes, and which one do I want?
Transparent operation mode: In this mode, BitLocker is completely transparent to the user. You just boot and log in. BitLocker still encrypts the whole drive as you see above. But the “authentication” step is where BitLocker checks to see if “boot files” have remained unmodified. I would be interested in finding out exactly which files it checks and what it checks for.
User authentication mode: In this mode, during boot, before any HD files are accessed, the user is prompted for a PIN. In my opinion, if your boss is dead set on using BitLocker on all of your drives, you should insist on this one. (But guess what, for all those roadies that keep your computers in “Sleep”, BitLocker doesn’t mean anything. With a U3 device and a cool cygwin script, I can make an unencrypted copy of the system, even if it’s locked out)
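How the “boot files unmodified” check and the PIN prompt gate the key, as an added example that is not from the original post or from Microsoft's code: a simplified Python model of TPM measure-and-seal. `ToyTPM`, `BOOT_CHAIN`, the sample PIN and the key are hypothetical, and the components BitLocker really measures are not modelled here.

```python
import hashlib
import hmac

# Constructed boot chain: names and contents are illustrative, not BitLocker's real list.
BOOT_CHAIN = [("firmware", b"bios-v1"), ("mbr", b"mbr-code"), ("bootmgr", b"bootmgr-v1")]

def extend(pcr: bytes, blob: bytes) -> bytes:
    """TPM 1.2 style extend: new PCR = SHA1(old PCR || SHA1(blob))."""
    return hashlib.sha1(pcr + hashlib.sha1(blob).digest()).digest()

def measure(chain) -> bytes:
    """Fold every boot component into one register, starting from zero at power-on."""
    pcr = b"\x00" * 20
    for _name, blob in chain:
        pcr = extend(pcr, blob)
    return pcr

class ToyTPM:
    """Hypothetical stand-in for seal/unseal: the key is released only when the
    current PCR value (and the PIN, if one was set) match those used at seal time."""
    def __init__(self):
        self._sealed = {}
    @staticmethod
    def _policy(pcr: bytes, pin: bytes) -> bytes:
        return hashlib.sha256(pcr + hashlib.sha256(pin).digest()).digest()
    def seal(self, name, key, pcr, pin=b""):
        self._sealed[name] = (self._policy(pcr, pin), key)
    def unseal(self, name, pcr, pin=b""):
        policy, key = self._sealed[name]
        ok = hmac.compare_digest(policy, self._policy(pcr, pin))
        return key if ok else None

def boot_outcomes():
    """What each mode releases for a clean boot, a modified boot file, and a wrong PIN."""
    tpm, key = ToyTPM(), b"constructed-volume-key"
    good = measure(BOOT_CHAIN)
    bad = measure(BOOT_CHAIN[:2] + [("bootmgr", b"bootmgr-modified")])
    tpm.seal("transparent", key, good)
    tpm.seal("pin", key, good, pin=b"4821")
    return {
        "transparent_clean": tpm.unseal("transparent", good),
        "transparent_modified": tpm.unseal("transparent", bad),
        "pin_clean_right_pin": tpm.unseal("pin", good, pin=b"4821"),
        "pin_clean_wrong_pin": tpm.unseal("pin", good, pin=b"0000"),
        "pin_modified_right_pin": tpm.unseal("pin", bad, pin=b"4821"),
    }

if __name__ == "__main__":
    print({case: key is not None for case, key in boot_outcomes().items()})
```

In this model the transparent mode releases the key to any unmodified boot with no user input, while the PIN mode needs both the matching measurements and the PIN.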
So to break it down in conclusion: You have to have newer hardware, AD, roadies who don’t rely on “SLEEP” and educated users. Something tells me the last part of that would be a bit hard to accomplish.
But, that’s just my take on things, I’m just another security guy in a room with a small sign on the door that says “IT Dept”. What would I know?
jd
For more info, check out the Wikipedia article: Wikipedia -> BitLocker
About Me
Rob (mubix) Fuller - Security Addict that is hell-bent on making his career path useless - Call 202-658-7730