So, we’re all well aware that the second Tuesday of every month is “Patch Tuesday”, right?
[If you're not aware of this, please learn now that Microsoft releases security patches on the second Tuesday of every month, so that I.T. folks don't have to scrabble and panic to schedule time for download, analysis, test and deployment at random intervals throughout the year.]
The afternoon of Patch Tuesday is rapidly turning into Drafting Wednesday.
“Patch Drafting” is the new industry-standard practice of releasing patches as soon after Microsoft’s patches as possible.
The theory behind it, as far as I can make out, is that if you publish your patches just after Microsoft, you’ll get less hostile coverage in the computer press, because they’ve already written that week’s “Scary Patches – Sky Is Falling” story, and can’t write another one for that week’s issue.
So, next Patch Tuesday – which will be October 10th 2006 – pay close attention that afternoon and the following day to see what patches are being issued by people who want to get them in “under the radar”.
Isn’t that exactly the opposite of what we want our patching processes to be?
In a recent article on the trend of banning underweight models from appearing in fashion shows, Giorgio Armani is quoted as saying that he prefers models “on the slender side” because “the clothes I design and the sort of fabrics I use need to hang correctly on the body”.
Would it be grossly unfair of me to characterise this as Giorgio saying that he’s a designer of limited skill, only able to work within his particular niche, and only capable of, or interested in, designing clothes for a very slim section of humanity?
I think that if he were a truly world-class designer, he’d find a way to make fabrics “hang correctly” on real people.
The key method that is left enabled by default is that of providing the key from the on-board TPM chip, after it has verified the boot code.
The two previous methods were TPM + PIN, where the user had to enter a 4-to-20 digit numeric key; and USB, where the TPM chip didn’t necessarily play any part, but the user had to provide a 128-bit key on a USB thumb-drive.
These methods are still available, if you want to go through an onerous Group Policy change, but they are hidden from users because, apparently, they are too complex for most users to use correctly.
Given that BitLocker is an acknowledgement that the user is carrying data that we’d like to see made inaccessible rather than handed to hackers, I’m sceptical that we should be assuming that the user – or more precisely, the system installer – is incapable of following technical instructions.
That aside, the use of TPM alone, followed by the statement from the BitLocker crew that BitLocker is designed to protect against offline attacks on a stolen laptop, suggests that they may have lost sight of their goal.
First, yes, strictly speaking, BitLocker does protect against an offline attack on the hard drive, no matter what keying material is used – TPM, TPM+PIN, or USB.
But that’s only half of the picture.
If I steal your laptop, protected by BitLocker, with TPM alone, I have everything I need to bring the system from a powered-off, encrypted, protected state, to a powered-on, decrypted, less-protected state. If I know an attack against your OS that can be achieved through any of the numerous holes on the outside of the machine (usually labeled “ports”), I can attack that machine at my leisure, while it’s running.
Quite simply, all I need do is wait for the next Vista exploit to do the rounds, and I can attack through the network, or the USB, or the parallel connection, or the 1394, or …
And while I respect the work that has been done to secure Vista, I’m certain that there will be a way to exploit a machine, “protected” by BitLocker and TPM, to which I have physical access.
[Maybe I don't have to wait so long - USB devices, after all, get direct access to the system's memory.]
Better by far is a solution where the keying material is kept away from the computer (such as the USB or TPM+PIN methods), so that the computer is not only protected against incursions into the operating system before it boots, but is also prevented from booting until you can provide keys that indicate you are the owner.
As it stands, BitLocker + TPM – the only option available by default – will only protect the operating system from pre-boot incursion. Unlike other drive-encryption software, it will then allow the boot to proceed, exposing a wider attack surface to the thief.
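The distinction the post draws – TPM-only, where the keying material never leaves the machine, versus TPM+PIN or a USB startup key, where part of it stays with the owner – is something an administrator can audit rather than take on trust. The script below is an added example and is not code from the original post; it uses the BitLocker PowerShell module (`Get-BitLockerVolume`, `Add-BitLockerKeyProtector`) that ships with Windows 8 / Server 2012 and later, which I am assuming here was not available on the Vista builds the post describes. The function name `Test-BitLockerStartupAuth` and the `$offMachine` classification are my own.

```powershell
# Added example, not from the original post: report which key protectors gate
# normal boot on a BitLocker volume and flag the TPM-only configuration the
# post criticises. Requires the BitLocker PowerShell module (Windows 8+) and
# an elevated session.

function Test-BitLockerStartupAuth {
    param(
        [Parameter(Mandatory = $true)]
        [string]$MountPoint
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # A recovery password is a break-glass credential; it does not take part in
    # a normal boot, so it says nothing about what a thief gets for free.
    $startupProtectors = $vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -ne 'RecoveryPassword' }

    $types = @($startupProtectors | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Protector types whose secret is held away from the machine: a PIN in the
    # owner's head, a startup key on removable media (ExternalKey is the type
    # used for both startup keys and .BEK recovery keys), or a password.
    # Plain 'Tpm' is the case the post objects to: the TPM releases the volume
    # key unattended once the boot code checks out.
    $offMachine = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey', 'Password')

    $hasOffMachine = [bool]($types | Where-Object { $_ -in $offMachine })

    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        ProtectionStatus  = $vol.ProtectionStatus
        StartupProtectors = ($types -join ', ')
        TpmOnly           = ($types.Count -gt 0 -and -not $hasOffMachine)
    }
}

# Usage: audit the OS volume.
Test-BitLockerStartupAuth -MountPoint 'C:'
```

A volume that reports `TpmOnly = True` boots to the logon screen for whoever holds the laptop. The remediation the post argues for is to require a second factor at startup, e.g. `Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')` (or `-TpmAndStartupKeyProtector -StartupKeyPath` for a USB key); on managed machines this only succeeds when the "Require additional authentication at startup" Group Policy permits a PIN or startup key, which is the policy change the post calls onerous.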
My departure from Microsoft is very nearly reaching its first anniversary.
As befits someone approaching that milestone, my thoughts drift to … the non-compete clause.
That’s the niggling part of the contract every Microsoft employee signs, and which restricts them, to lesser or greater extent, from engaging in any activity considered to be competitive to Microsoft, using knowledge gained while working at Microsoft.
Now, in my case, the non-compete clause is weak to begin with – a condition I made of my employment was that I could continue my WFTPD work, which was, in some ways, directly competitive to Microsoft’s FTP server in IIS.
It’s further weakened, I’d say, by the fact that Microsoft sent me to exactly one class while I was there – the mandatory coding security class – and bought me one book – the mandatory “Writing Secure Code”.
But, weakened or not, I have chosen to observe it steadfastly – I have not added a single feature to WFTPD or WFTPD Pro or WFTPD Explorer that was based on anything I learned at Microsoft, or even on anything I had hoped to add to Microsoft’s FTP server during my stay there. I have even steered clear of adding features that I was planning to add to WFTPD and WFTPD Pro before Microsoft offered me the job, just to avoid the appearance of competing with my ex-employer.
So now, I’m giddy with anticipation, as this mostly self-imposed deadline is about to expire.
What should I start to code into my software?
Well, there’s an open comments section below – what do you think I should do, now that I can compete?
Freeware and shareware seem to come laden with 'extras' these days.
The DivX video player comes with Firefox and the Google Toolbar.
QuickTime (another movie player, graphic viewer and patch inducer) comes with iTunes.
Nero comes with the Yahoo! toolbar.
Can we please come up with a standard registry entry that I can set, which says "I download exactly those tools which I need – don't install any optional tools which are not intrinsically a part of the software which I am currently installing"?
I'm really sick and tired that I have to be awake and alert for every software installation, just in case someone manages to sneak a piece of software onto my system that I don't want.
I don't want Firefox; I don't want any extra toolbars; I don't want iTunes (because I like my music "unprotected" from my apparent inclination to thieve by choosing when and where I play music I've bought); I don't want anything but the software I downloaded.
Is that really too much to ask?