I’ve UnDeparted from Microsoft

Published on by paranoidmikeLeave a comment

I’m back, baby!

Due to my recent un-departure from Microsoft, I am now employed again full time, and so far I’m loving the new job!

I’ve willingly rejoined the Borg as a Technical Program Manager on the MSSC (Microsoft Solutions for Security and Compliance) team. I’m once again on campus in Redmond, but this time (cf. my previous career as a member of MCS) I’m not relegated to one of the “satellite” buildings; rather I’m stationed (with the rest of the team) in Building 18 – right on main campus!

The past eight months away from Microsoft has been one amazing vacation, disconnecting from the non-stop email, the petty politics and my growing unease with how little I felt I’d accomplished in five years there. I spent much of that time playing with the dogs (a good thing), getting to know my wife (a very good thing) and teaching myself firsthand that I can survive post-Microsoft. Hopefully I’ve cleared out many of my demons, my fears and my old habits – on to a new and revitalized career.

What will I be doing as a TPM? Well, the MSSC team makes it their mission to develop and deliver “solutions for security” – sometimes humungo series of papers/recommendations/technical knowledge, sometimes focused white papers, sometimes “push-button” apps that solve problems outside the scope of traditional product development. Based on my expertise in data security (& peripherally around data protection), I expect to be contributing to security solutions that help Microsoft’s customers’ data more secure. I don’t know exactly what this means, but I know that it’ll involve a lot of technical depth in technologies like EFS, RMS and Vista’s Secure Startup/Full Volume Encryption. [I’ve only been on board for a couple of weeks, so beyond that only time will tell.]

Anyone out there with any gripes, concerns or ideas for improvement in these and related technologies? You’re more than welcome to drop me a line and I’ll see if I can’t carve out some time to hear you out. With any luck, in my new position, I’ll be able to get good ideas directly into the ears of those who develop those products. How’s that for service? I dare you to suggest something radical to me. 🙂

[Note: this means that from here on, and of course for all posts up to this point, my one nod to the corporate machine is to state for the record that everything I write here is the result of my own personal opinions and cannot be construed as the “official Microsoft stance” on anything, nor can my ramblings be ascribed to my employer in any form or fashion. Everything here should be taken “as-is” (although certainly I believe there’s merit in my leavings), and YMMV. Now go forth and enjoy it!]

Windows OneCare + VPN connections: manual configuration, with no warning?

Published on by paranoidmike1 Comment

I thought I was going nuts I tell ya. I’d been a Microsoft VPN end-user for years, and had even administered an MS VPN infrastructure back in the dark ages of NT4. I’d used the MS VPN client (aka “Connection Manager”) in all kinds of network environments and under the whole spectrum of security conditions, and I’d never been denied like I was denied this weekend.

Blame it on Windows OneCare I say – no, wait, that’s not fair – can’t blame it on a beta product. Heck, I guess it was my own fault for putting a beta product in production, eh? Live and learn. Hopefully this tale will help you avoid the same hair-pulling foolishness.

So: Windows XP Professional SP2, Toshiba Tecra M2 notebook, MN-700 802.11b/g wireless router, Comcast broadband service. I’d configured the MS VPN client connectoid for default settings, filled in the appropriate authentication details, and couldn’t complete the connection. The client would connect to the VPN server, and would count approx. 33 seconds while attempting to authenticate my credentials, and just kicked me out.

According to all the googl’ing I did, all suggested solutions revolved around configuring port forwarding on my wireless router. I hadn’t had to configure the router’s network settings for a year or so, and I’d had to reset the firmware once this summer, so while I didn’t think this was the problem, I certainly wasn’t sure. I certainly did know for sure that the Windows XP SP2 firewall would allow any outbound communications, and would allow back any responses to requests initiated from the computer, so I really didn’t think about it any further.

I diddled with the router’s configuration a few different ways:

  • I tried to find the setting in the Connection Manager software that would allow me to override the automatic protocol selection, but despite my best efforts, it’s been well-hidden by the good folks in our IT department who setup this well-designed end-user configuration.
  • I forwarded 1723/tcp, 1723/udp, 1721/tcp, 1721/udp, thinking each time I added one, “Well maybe I’ve just forgotten my protocol settings – I’ll just try one more”.
  • I forwarded 500/udp, since one article reminded me that IPSec NAT-T (NAT Traversal) worked over 500/udp.I used dynamic forwarding; I used persistent forwarding (I ifgured dynamic was sufficient, since the router would detect my requests, but after that failed I figured persistent *had* to work. Nope.)
  • I finally configure the virtual DMZ to point to my computer’s IP address. I’d avoided it to this point since it would remove most protections the router afforded from my PC, but at this point I was getting desparate.

No dice. That’s when I finally gave in, and despite my better judgment (I’d NEVER had to do this before), disconnected the wireless router and connected the computer directly to the broadband “modem”. When I couldn’t make the connection even then, I knew the problem wasn’t with the port forwarding…

I finally had another look at the Windows Firewall configuration, and this time I really wondered why it continually reported that the firewall was “Off”, even though it also said that “For your security, some settings are controlled by Group Policy”. Did our IT group really disable the Windows Firewall on us through GPO? If so, what was it they were using to secure our systems? I knew I hadn’t installed any third party firewall like BlackIce… [oh hell. That’s right.]

That’s when it finally dawned on me to dig into the Windows OneCare software. Now, when I look at the client, there’s nothing that jumps out at me related to Windows Firewall – the three main blocks of reported info in the main window are “Protection Plus”, “Performance Plus” and “Backup and Restore”. Buried in the middle of the Protection Plus category is a single line simply labelled “Firewall: Auto”, which had until now escaped my attention.

I engaged my brain and chose the “View or change settings” selection, then grabbed the Firewall tab and hit the “Advanced settings…” button. While you can choose either “Program List” or “Ports and Protocols” to enable new exceptions in the OneCare firewall, I knew that there was no typical executable that uniquely identifies the VPN client connectoid, and thus it’d be difficult to nail down an .exe to add to the “Program List”.

Turning to the “Ports and Protocols” list, I finally had a stroke of luck. There appears to be a default configuration already set up for the “GRE” protocol – IP protocol 47, the control channel used by PPTP. I simply added another exception that I named “PPTP”: Protocol TCP, Port range 1723 to 1723, and retried the VPN client.

Of course it went through immediately.

I assume this’ll help any of those of you who are also running the beta of Windows OneCare Live, but I hope this’ll be made easier for folks by the time this releases. I’ll file a bug on this and see if the OneCare Live folks can’t help automate this somehow – if I got tripped up by it, I’m sure there must be others who’ll also be stumped.

Epilogue: I haven’t bothered to check which of the router configurations are still necessary once the OneCare firewall was properly configured. It may be that the DMZ setting is still needed, or perhaps the MN-700 actually does tranparently forward MS VPN traffic correctly (as I’d originally expected). Let’s leave that as an exercise for the class, shall we? Until next time…

[category: general security]

Windows Vista’s Full Volume Encryption & TPM part 5: does FVE require a TPM or not?

Published on by paranoidmikeLeave a comment

Tonight I stumbled on a rant that quoted a Microsoft web site around various Vista features including Full Volume Encryption (FVE). The stunning thing for me was the following quote (emphasis mine):

“Windows Vista supports full-volume encryption to prevent disk access to files by other operating systems. It also stores encryption keys in a Trusted Platform Model (TPM) v1.2 chip. The entire system partition is encrypted-both the hibernation file and the user data. It also stores encryption keys in a Trusted Platform Model (TPM) v1.2 chip, if one is available on the PC.”

Did I read that right? Does this mean that FVE can actually encrypt the entire system partition whether there’s a TPM 1.2 chip on the system or not? Presumably if this is true, the key to encrypt the volume is stored in the 50 MB partition that is required to store the pre-boot partition that supports FVE. That is, the key is stored in software.

So how does this improve upon what’s available in Windows XP? Frankly I don’t know right now, but I can take a couple of educated guesses. Presumably the Secure Startup sequence requires a user-supplied password before it can decrypt the Vista system partition, so this means there’s yet another password for an attacker to have to brute-force.

However, I gotta wonder whether a software-based Secure Startup boot password is any different from a SYSKEY boot password – no complexity requirements, never needs to be changed, and impossible to manage [pretty much by design] over a large population – how do you archive and recover such a boot password? If so, then this is a just as dangerous/difficult to manage a security control as SYSKEY is.

OK, so I got excited there for a sec, but on further reflection, maybe this isn’t any better than we had before. In fact, it’s even scarier: what if I forgot my Secure Startup boot password, and its encryption key was stored in software? What do I do then? Presumably ALL my data is encrypted with that key (now irretrievable); whereas with SYSKEY I lost the OS but presumably could recover my data, now I’ve lost both the OS and my data. Ugh, sounds pretty gross to me.

I think I read about some capability to archive the encryption key used by Full Volume Encryption, but I’ll have to dig around to confirm (a) if it’s true, and (b) how it works. Until then, consider this entire sub-rant one man’s opinion, no more.

TPM 1.2 hardware news: integrated chipset launched for AMD K8 systems

Published on by paranoidmikeLeave a comment

http://www.digitimes.com/news/a20051208PR207.html

Note that ULi had desktop motherboard vendors lined up at the launch event, but not PC system OEMs for desktops or notebooks. Between this and the fact that the chipset is aimed at AMD (not Intel, which still appears to be the CPU vendor used most of the time by most OEMs) I don’t believe this will have a major impact on the business market. However, it’ll definitely help get the next-gen TPM hardware into the hands of many consumers and small organizations.

That’s just a good thing, no matter whether the TPM technology helps secure PCs via Linux, Windows-based third-party TSS apps or via the Windows Vista Secure Startup feature. Personally I’m just happy to see increased uptake of the TPM hardware by PC technology vendors.

Categories TPM

Digital Cameras being called a "hacker tool" now?

Published on by paranoidmikeLeave a comment

This article focuses on the use of the camera as a “digital storage device”, as if the fact that the camera is somehow a “more surreptitious” way to copy data off the computer than any other USB & similar storage device (flash drive/thumb drive/memory stick/MMC/SD card).

I really hope that the author of the article was the only one surprised by this “unexpected” use of a digital camera as a way to slurp data off a computer. I also hope that we don’t see a wave of specific “no digital cameras allowed” security policies spring up in response to this. I would think any reasonably well thought out security policy would either (a) forbid the use of all portable storage devices, or (b) accept the risk of any and all such devices equally (since they all have the potential of being used maliciously).

I really thought I misread the title of the article – I had to read it three times to make sure I wasn’t the one with the big misunderstanding.

I figured they must be talking about the use of digital cameras to take pictures of the screen (a totally unpreventable vector), or they were talking about camera-enabled cell phones (which at least are more difficult to separate from “legitimate use” than a simple camera).

Big deal.

So you can use yet another bulky USB-enabled device to copy data from a computer and take it off-premises. If there’s ANY organization left out there that still hasn’t thought through the threat of the use of portable storage media to copy large quantities of data off-premises, I doubt they’re going to finally say “oh crap!” when they read this.

It’s far cheaper and easier to hide from prying eyes the use of a tiny little USB drive (most as small a digit on your hand) – far less likely to draw attention than plugging in a fist- (or larger) sized camera into a work computer.

To steal a phrase from Bruce Schneier, this is yet another example of a “movie plot threat” that has little relation to any reasonable assessment of overall security risk to most any organization.

[category: general security]

Dell licensed TSS from Wave Systems – soon shipping TPM-enabled notebooks?

Published on by paranoidmikeLeave a comment

http://www.extremedrm.com/article/Dell+to+Ship+Wave+Security+Software+on+New+PCs/165909_1.aspx

Not often we get a public hint of upcoming release plans from the computer vendors like this, but it looks like Dell has made a stronger commitment to the TPM wave that is catching fire with most major computer vendors.

Dell has added TPM chips to a couple of desktops, but has consipicuously been missing anything on their portables. I’m hoping we’ll see a notebook (and maybe a Tablet?) come out from Dell real soon now that has a TPM chip. Even better, since Dell has delayed all this time, perhaps they’ve been holding out for a production-ready TPM 1.2 chip…?

Gateway stole a leadership position from Dell by releasing their 14″ widescreen Tablet before Dell had a chance to reach that market. Of interest to me was their forward-thinking inclusion of a TPM 1.2 chip as well. Let’s hope Dell is readying a catch-up response to this, and that they’ll blow us away with TPM 1.2 chips across all their new systems from here on out!

Categories TPM

Windows Vista’s Full Volume Encryption & TPM, part 4: available PCs that include TPM 1.2 chip

Published on by paranoidmikeLeave a comment

[Edit: corrected the Broadcom adapter model #, and removed the listing for the Dell Precision 380 Workstation, which turns out to only have a TPM 1.1b chip via the Broadcom BCM5751 chip.]

Since I only talked about Tablet PCs in part 2, I figure I owe it to the community to collect together a listing of any and all shipping PCs that include a v1.2 TPM chip.

What follows are all Servers, desktops, notebooks and Tablets that I could confirm currently include a TPM 1.2 chip:

Servers
none to date

Desktops & Workstations
Dell Optiplex GX620
http://www1.us.dell.com/content/products/productdetails.aspx/optix_gx620?c=us&cs=555&l=en&s=biz
Gateway FX400XL (via Broadcom NIC referenced here)
http://www.gateway.com/products/GConfig/proddetails.asp?system_id=fx400xl&seg=hm
Gateway FX400S (via Broadcom NIC referenced here)
http://www.gateway.com/products/GConfig/proddetails.asp?system_id=fx400s&seg=hm
Gateway FX400X (via Broadcom NIC referenced here)
http://www.gateway.com/products/GConfig/proddetails.asp?system_id=fx400x&seg=hm
Gateway E-6500D SB (via Broadcom NIC referenced here)
http://www.gateway.com/products/gconfig/proddetails.asp?system_id=e6500dsb&seg=sb
HP Compaq Business Desktop DC7600 (via Broadcom NIC)
http://h10010.www1.hp.com/wwpc/us/en/sm/WF04a/12454-64287-89301-321860-f56.html
Vector GZ desktop
http://www.pdspc.com/products/vectorgz.aspx

Notebooks
Gateway M250 Series
http://www.gateway.com/products/gconfig/prodseries.asp?seg=sb&gcseries=gtwym250b
Gateway M460 Series
http://www.gateway.com/products/gconfig/prodseries.asp?seg=sb&gcseries=gtwym460b
Gateway M680 Series
http://www.gateway.com/products/gconfig/prodseries.asp?seg=sb&gcseries=gtwym680b

** HP TC4200 [THEORY: the TPM is an orderable part (Part #383545-001, $42.00 list price), which implies that it’s a removable/replaceable part (and thus that a TPM 1.2 chip could be swapped in later), but this is only an unconfirmed theory on my part] **

Tablets
Gateway M280 Series
http://www.gateway.com/products/gconfig/proddetails.asp?seg=sb&system_id=m280eb

Bonus 1: Add-on Components
Broadcom BCM5752 & BCM5752M network controller chips (which has an integrated TPM 1.2 chip)
http://www.broadcom.com/press/release.php?id=700509

Bonus 2: Linux drivers
Linux driver with support for Infineon’s TPM v1.2 chip
http://www.prosec.rub.de/tpm/

And again, don’t forget to check Tony McFadden’s TPM Matrix. NOTE: I only used Tony’s TPM Matrix to start my search – I haven’t copied any entries without external confirmation, so there may be disagreements between our pages. When in doubt, remember that unless I could confirm a TPM 1.2 chip was included in a PC system, I did not list that system here. Tony’s page is meant to be more comprehensive, so he lists both PC systems with TPM 1.1 chips as well as those with unknown chips or which haven’t been confirmed to include a TPM chip.

P.S. Do you know of any other PC systems shipping a TPM 1.2 chip? If so, add your comment below!


P.P.S. What have I learned in my searches for TPM 1.2-integrated PC systems? Here’s a couple of tips that may be helpful if and when you off on your own search:

  1. If the spec sheet only mentions non-version-specific phrases such as “TPM chip”, “TPM Embedded Security Chip” or “the TCG standard” [emphasis mine], you can and should assume that the chip is a TPM 1.1 chip. Anytime I was able to confirm a TPM 1.2 chip, the PC system vendor made specific and repeated mention of the 1.2 version number. [Apparently this is a big differentiator, though few if any references on the Internet have clarified why.]
  2. If you are looking into a PC that was shipped before Summer 2005, you can rest assured that it did NOT ship with a TPM 1.2 chip, since the TPM chip vendors didn’t have production chips on the market until at least mid-summer of 2005.

Agree with Keith Brown’s "do not display last user name" rant

Published on by paranoidmikeLeave a comment

I’m with Keith here [note: in the interests of minimizing duplication, I’ve hacked his post down to the most stinging statements. Go read it yourself if you’re interested in a good discussion of the problem.]

A security countermeasure that isn’t all that

The password that you just entered went into the user name text box of the login dialog. When you hit enter, you attempted to log into your workstation using your password as the user name and a blank password. Because this login failed it’s logged in the Event Log. Guess what’s in there? Yep, it’s your password!
So in the interest of making your machine more secure, it is actually compromised…

… As Schneier constantly reminds us, security is all about tradeoffs. What do you gain by turning on the DontDisplayLastUserName feature? Given that it only takes effect when you’re logged out, not when your workstation is simply locked, not much! There are an awful lot of people who rarely log out of their machines (me included), and rather lock their workstations instead.
… If a countermeasure makes things harder (and more risky) for legitimate users, and doesn’t provide any real impediment for an attacker, it’s a bad tradeoff.
… I’d suggest picking up a copy of Jesper & Steve’s book, which provides really practical advice for securing Windows. It’ll help prevent these sorts of mistakes in the future!

This kind of blind use of security “countermeasures” really bothers me. I used to be a blind follower of security checklists in my early career too, so I can’t say I don’t understand the impulse that drives this sort of behaviour.

Still, I can’t believe that after all these years of people publishing these checklists, and lots of other people using them and seeing the consequences of their use, they still get published and used like this – i.e. ignorant of the consequences.

I get pretty frustrated when I see people take security measures like this and end up shooting themselves in the foot. At best, they’re no further ahead overall. At worst, they’ve taken a giant leap backwards, and made it even *easier* for an attacker to escalate themselves and do some *real* damage to your computing assets.

Damn. I really want this setting to be discarded, just like I want to see the “account lockout” setting retired in favour of a more sophisticated, goal-oriented, actually-accomplishes-what-it-sets-out-to-do countermeasure. I am all in favour of more configurability in a system, to give people more options so they can accomodate special circumstances when required – BUT – when a “special purpose” setting like this actually ends up being used blindly by everyone in unsuitable circumstances, and ends up making things WORSE, well that’s when it’s time to seriously reconsider.

Creating the Saved Password

How often does “DontDisplayLastUserName” actually do something security-useful:

  1. Computer boots up
  2. Computer is Restarted
  3. User logs off

VS. times when it can potentially hurt:

  1. User locks computer
  2. User places computer on Standby (and computer is set to lock on resume)
  3. User places computer in Hibernate mode (and computer is set to lock on resume)
  4. Computer goes into Standby or Hibernate according to Power Management configuration (and computer is set to lock on resume)

I don’t have any statistics to back up the opinion I’m about to assert, so I’ll just have to use my own user behaviour as a model and let you decide how often it happens from there:

  • I rarely power down my computer:
    • perhaps once a week or so because something has leaked too many resources over time (e.g. Virtual Memory, GDI Objects, Handles) and I need to free them up
    • perhaps once every couple of weeks because I’ve installed something that includes a kernel-level driver (display, network) or because I’ve installed an update that replaces an in-use system-level file
  • I almost never log off my computer – why bother? It’s a single-user machine almost all the time:
    • My home desktop is used by my wife or houseguests maybe once a month
    • My work notebook is used almost never by anyone else, and if I let them use it, I’ll usually just fire up a fresh browser instance (or RDP client) and let them borrow it while I’m there – I just don’t let people log on to my work computer – no reason to, that I’ve found
  • I very frequently (e.g. dozen times a day or more) end up with my work notebook locked:
    • anytime I move from the house to the office, I’ll put it in Standby or Hibernate
    • I’ll pull it open for a while on the bus to or from work and then Hibernate when I walk off
    • anytime I go from my office to a meeting (usually 1-3 per day), I’ll S/H while I carry it around
    • anytime I walk away from my notebook, I’ll lock it (Windows-L was a wonderful addition to XP)

Under such circumstances, how often do you think I’d accidentally enter my password in a blanked-out username field? Thankfully, I haven’t had that setting forced on me since I forced it on the domains which I administered in my old job as a sysadmin (i.e. 6+ years ago, before I “saw the light”). So I don’t know how often that’d actually happen now – I have no immediate experience to back it up. But if a smart guy like James gets tripped up by it once in a while, then I’m sure I’m no smarter/more attentive than he is.

Exploiting the Saved Password

OK, so let’s assume that for a significant number of computers configured to not display the last username, the user’s password ends up saved in a Security Event Log entry. That log is only readable by members of BUILTIN\Administrators and any process in the LOCALSYSTEM context on Windows up to and including XP (but can be modified on Windows Server 2003, as per Eric Fitzgerald’s article here).

So what’s the big deal? On systems where both (a) physical access is unavailable (e.g. servers) and (b) all patches have been been applied, the risk of a random attacker who doesn’t already have an Admin-level account of getting an admin-level account is usually pretty small (let’s hope – okay, this is probably asking too much, but let’s just assume for the moment, okay?).

However, on systems where either (a) or (b) is FALSE (e.g. (a) on a desktop or especially notebook computer – physically accessible to many classes of attacker; e.g. (b) on a computer where root-level exploits have not been patched), I caution you strongly that “Do not display last user name” may end up giving an attacker a means to retrieve the user’s logon password IN CLEARTEXT and be able to access any resources to which that user account has been granted access.

EFS/RMS Alert!

If you are using a Windows logon-based encryption technology (e.g. EFS, RMS), then you should be doing everything in your power to make it difficult for a physical attacker to discover or guess the user’s logon password – right?!? So my advice: along with all the other things that I’ve recommended in the past (and continue to recommend), I strongly urge you to NEVER set the “Interactive logon: Do not display last user name” setting on any client PC (desktop, notebook aka Windows 2000, Windows XP) where you believe Windows logon password-based encryption is being used.

Note: I am NOT trying to steer you away from these technologies. What I AM attempting to do is to (a) illustrate one cogent, real-world example of why this “Do not display last user name” setting can be more harm than good to your overall security posture, and (b) emphasize yet another way that attackers could be “assisted” in attacking EFS- or RMS-protected data – and what you can to do prevent that.

So there.

[category: general security]

Windows Vista’s Full Volume Encryption & TPM, part 3: links & background reading

Published on by paranoidmikeLeave a comment

Paul Thurrott indicates that FVE will appear in Enterprise & Ultimate editions of Vista:
http://www.winsupersite.com/showcase/winvista_beta1_vs_tiger_02.asp

Bart DeSmet digs in deep on EFS, TPM, Secure Startup and more:
http://community.bartdesmet.net/blogs/bart/archive/2005/08/17/3471.aspx

David Berlind speculates on possible incompatibility between Vista/TPM & virtual machine technology:
http://blogs.zdnet.com/microsoftvistas/?p=17

George Ou shines light on a potential key export “backdoor” for FVE, and his ideas on why smartcards would be an ideal FVE key storage mechanism:
http://blogs.zdnet.com/Ou/?p=109

William Knight vaguely alludes to some proprietary algorithms used in FVE that could lead to “a possibility of in-memory attacks for keys.”
http://www.contractoruk.com/002386.html

David Berlind speculates again on a possible use of the TPM by Windows Product Activation (totally unconfirmed at this point):
http://blogs.zdnet.com/microsoftvistas/?p=44

An out-of-date but still “best there is” collection of TPM-related hardware, software and integration information:
http://www.tonymcfadden.net/tpmvendors.html

And last but not least, Microsoft’s Technical Overview of FVE:
http://www.microsoft.com/whdc/system/platform/pcdesign/secure-start_tech.mspx

Windows Vista’s Full Volume Encryption & TPM, part 2: FVE on Tablet PC?

Published on by paranoidmike1 Comment

OK, so where was I when I last left the TPM topic? Oh yeah

Frankly I don’t know what to think about the state of TPM-backed data encryption. I really *want* to be able to say “yeah baby – your best bet for securing data on a laptop will be Vista’s FVE” (or any other OS-level TPM-backed file encryption option). For a few hours, I actually believed it could be true – not just for an individual, but for any really big organization as well.

However, the past couple of months’ effort has me pretty much convinced otherwise. I’m not exactly optimistic for the prospect of widespread TPM-secured data protection in the near future.

It looks to me like Full Volume Encryption (FVE) in Windows Vista won’t be a viable option for anyone who isn’t prepared to drop a bundle on new computing hardware at the same time. That’s because there’s almost no computers – especially mobile computers – on the market that have a v1.2 TPM.

While I realize that there are other IHV- and ISV-supplied TSS packages to support TPM-backed file encryption, I am mostly focused on Vista FVE for a couple of reasons:

  1. Until a service is provide in-the-box with the OS, my experience with customers is that integrating vendor-specific security software is a huge hassle, and not supportable at scale over shorter periods of time (e.g. 2-3 years).
  2. There’ll often be more than one TPM-enabled package to support – generally, it looks like an organization will have multiple packages, one for every desktop/notebook/tablet/server vendor that integrates a different TPM module.
  3. It’s not clear at this time how the TSS packages are licensed, but I’ll take a SWAG and assume that you’re only licensed to use the TSS package on the system with which it was shipped, and that you’ll have to pay extra to use that package on PCs that were shipped with a different TSS package.
  4. An organization could scrap the bundled software packages entirely and just license a third-party product across the board (e.g. Wave), but the choices are pretty limited from what I’ve seen, and personally (without having had any hands-on experience to support my gut feeling) I don’t know how much confidence I’d have locking my organization’s most prized data up under this – e.g. what’s the enterprise management (archival & recovery, configuration management, identity management) story like?
  5. [Disclosure: I’m a former Microsoft employee, security consultant and spent most of my tenure consulting on EFS, RMS and other security technologies.]

I’ve been in the market for a new laptop for a while, and one of the reasons for my recent obsession with TPM is that (a) any purchase I make now will have to last well beyond the release data of Vista, (b) since I intend to continue to leverage my Windows security expertise, I should really get a computer that supports FVE so I get first-hand knowledge of how it works, and (c) you generally can’t add a TPM chip to a computer after you’ve purchased it (with at least one known exception).

Oh, and I’ve committed myself to the Tablet PC variant, since I am a committed “whiteboard zealot” and I expect to use the freehand drawing capability quite a bit.

So my mission is to find a Tablet PC that meets my “requirements”:

  • TPM v1.2 chip
  • max RAM > 1 GB
  • dedicated video RAM > 32 MB (to support the lunatic Vista graphical improvements)
  • can run from battery for at least three hours a day (e.g. bus rides to and from work, meetings away from my desk)
  • won’t break my wrist if I use it standing up (e.g. weight under 5 lbs)
  • will withstand dropping it once in a while – I’m more than a bit clumsy

I have spent countless hours scouring the Internet for TPM-enabled Tablets. After my intial survey of the PC vendors’ offerings, I figured there’d be at least a couple of options from which to choose. However, the longer I looked, the more bleak it became. Of the major vendors of Tablet PCs (Acer, Fujitsu, Gateway, HP, Lenovo, Motion and Toshiba), I have so far found exactly ONE Tablet on the market with a v1.2 TPM chip.

One.

And not exactly the industry standard for large enterprise deployment – Gateway!

Did I mention that Windows Vista will require the v1.2 chip to support Secure Startup and Full Volume Encryption?

Oh, and did you hear that Microsoft is trying like h*** to get Tablet PCs in the hands of as many users as possible?

Geez Louise, I even went so far as to contact Fujitsu (who have a really fantastic Tablet with a v1.1 TPM chip) to see if they were sitting on any about-to-be-released v1.2-enabled Tablets, asking them the following:

Could you give me some idea of the following:
– whether Fujitsu is committed to integrating v1.2 TPM chips in their computing products?
– when we can expect to see Tablet PCs with v1.2 TPM chips integrated into them?
– Any planned model or series of Tablets that the v1.2 TPM chips will be used in e.g. Lifebook 4000 series, Slate vs. Convertible, etc.?

And this is the response I got:

We fully intend to continue our support of TPM and transition to v1.2.

However, at this time we can not provide a date as to when this will be available. Fujitsu company policy and NDA agreements with suppliers do not allow us to publicly disclose future plans prior to product launch.

So what’s a guy to think? Right now we’ve got exactly one FVE-ready Tablet on the market, and according to this guy, the big wave of computer upgrades in the business sector may already be passing by. [Let me ignore the fact that I haven’t looked into notebooks yet, and assume that TPM v1.2-equipped notebooks are just as scarce. I’ll check into this further and report back.]

Between now and the shipment of Vista (perhaps October 2006, if you can believe these rumours), less than a year away, am I to believe that hordes of TPM v1.2-equipped PCs will show up on people’s desks? If so, then perhaps there might be a minority of organizations who would consider testing the Vista FVE technology (though I doubt they’d be ready to standardize on it, assuming – rightly – that they’ll have less than a majority of Vista FVE-ready PCs in their organization).

But even if TPM v1.2-equipped PCs were to quickly dominate these organizations, would I feel comfortable urging such organizations to adopt Vista to enable use of FVE to protect their data? I honestly don’t know – I don’t feel a resounding “YES” coming on, but neither do I feel a “NO” building in my gut. Perhaps it’s because I feel like this question won’t be practical for a number of years yet.

By requiring the v1.2 TPM chip for FVE & Secure Startup, I believe that:

  • Third-party TSS packages will get a lot of leeway to take the “organizational standard” position – especially for those TSS packages that also support v1.2 TPM chips
  • Most mid-sized to large organizations won’t be in a position to adopt FVE & SS as their data protection standard until say 2008 or later.

This leaves me wondering what data will be left to protect by then? Given the fact that most organizations are being forced through one regulation or another to encrypt customer-sensitive data, I believe that the next couple of years will be the final window for unencrypted user data to reside on client PCs.

Put another way: if you’re the InfoSec officer in charge of recommended strategies for regulatory compliance & avoiding liability, wouldn’t you rather just encrypt every disk on every “physically insecure” PC throughout the organization? That’s one sure-fire way to know that users haven’t accidentally stored a sensitive file in an unencrypted volume, folder or file. Only then would the organization be able to claim that a lost or stolen PC did not contain unencrypted customer data.

[Now, sure, in 3-5 years there’ll be room to re-evaluate the technology used to maintain protected data on hard drives, and it’s quite possible that by then Vista’s SS & FVE will get the nod from many organizations. Migrating from one highly-technical solution to another is never easy in large orgs, and is pretty scary for small outfits or self-supporting end users, but I’m leaving the door open for the landscape to change beyond my wildest imaginings in the 3-5 year timeframe…]

Does anyone see things differently? Does Vista FVE look like it’ll capture a significant portion of the “data protection” market? I’d really like to be wrong about this – it would suck if the best “free” on-disk data protection technology to come out of Microsoft won’t be practical for the majority until long after they had to commit to another on-disk encryption solution.