Need a laptop with a TPM?

For the third time in a week someone asked the question "If I want to use BitLocker with a Trusted Platform Module (TPM), which computer should I get?"


Wonderful question. For some reason, the hardware vendors seem to treat the TPM chip as the ugly stepchild that they do their best to ensure nobody knows they have. Some even ship with the chip disabled in the BIOS by default. And, if you want to find out whether a particular computer has one, be prepared to read long and geeky tech specs, looking for keywords like "TPM 1.1", or, if the manufacturer decides to make things a bit snazzier, keywords like "HP ProtectTools Embedded Security", which is HP marketing speak for "it has a TPM chip."


I finally found a decent resource. Wave, makers of software that utilizes the TPM, provides a matrix of platforms that ship with a TPM, and, if they know, which version. To run BitLocker with a TPM, you must have a version 1.2 TPM chip. The page is not entirely up to date. For example, the HP nx9420, 8510p, and HP 6715b all have a TPM chip, but are not listed. For Lenovo, they list only "ThinkPad Notebooks", when, in fact, the T-series and X-series both have version 1.2 compliant TPM chips. The Dell Latitude Dx20 and Dx30 also have a version 1.2 chip, but only the Dx20s are listed.


If you have a computer that should have one but BitLocker says you do not have one, check to see if it is enabled. Windows Vista Enterprise and Ultimate will detect it automatically. Open Computer Management, click the Device Manager node, and see if there is a "Security Devices" node there. If there is, expand it. You should see a Trusted Platform Module there, complete with version. If you do not, check the BIOS. Dell, for example, ships with the TPM turned off. Go into the BIOS and look under the Security entry or tab. There may be a TPM or "TPM Security" entry there. See if the chip is disabled. Enable it and Windows Vista will pick it up the next time you boot.
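The same check can be scripted instead of clicking through Device Manager. The script below is an added example, not part of the original post; it assumes PowerShell is installed and runs from an elevated prompt (the Win32_Tpm WMI class requires administrator rights). It reports whether Windows sees a TPM device at all, and if the TPM provider is loaded, whether the chip is enabled, activated and owned, and which spec version it reports, since BitLocker needs 1.2.

```powershell
# Added example (not from the original post). Queries the TPM the way Device
# Manager and the BitLocker setup wizard do, via WMI. Requires an elevated prompt.

function Get-TpmStatus {
    # Step 1: the Device Manager view. A detected TPM appears under
    # "Security Devices" as a PnP device named "Trusted Platform Module x.y".
    $pnp = Get-WmiObject -Class Win32_PnPEntity |
           Where-Object { $_.Name -like '*Trusted Platform Module*' } |
           Select-Object -First 1
    $deviceName = $null
    if ($pnp) { $deviceName = $pnp.Name }

    # Step 2: the TPM provider itself. Win32_Tpm lives in its own namespace and
    # is only present once the TPM driver has loaded. If the chip is switched
    # off in the BIOS, this query returns nothing.
    $tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue

    if (-not $tpm) {
        return New-Object PSObject -Property @{
            DevicePresent  = [bool]$pnp
            DeviceName     = $deviceName
            Enabled        = $false
            Activated      = $false
            Owned          = $false
            SpecVersion    = $null
            BitLockerReady = $false
        }
    }

    # Each method returns an object whose boolean property carries the answer.
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned

    # SpecVersion is a string such as "1.2, 2, 3"; the first field is the
    # TPM specification level BitLocker cares about.
    $spec = ($tpm.SpecVersion -split ',')[0].Trim()

    New-Object PSObject -Property @{
        DevicePresent  = [bool]$pnp
        DeviceName     = $deviceName
        Enabled        = $enabled
        Activated      = $activated
        Owned          = $owned
        SpecVersion    = $spec
        # Enabled, activated and at least spec 1.2: the chip can back BitLocker.
        BitLockerReady = ($enabled -and $activated -and
                          ([version]$spec -ge [version]'1.2'))
    }
}

$status = Get-TpmStatus
$status | Format-List DevicePresent, DeviceName, SpecVersion, Enabled, Activated, Owned, BitLockerReady

if (-not $status.DevicePresent) {
    Write-Host 'Windows does not see a TPM. Check the BIOS Security tab for a TPM or "TPM Security" entry and enable it, then reboot.'
}
elseif (-not $status.Enabled -or -not $status.Activated) {
    Write-Host 'A TPM is present but not enabled/activated. Enable and activate it in the BIOS, then reboot.'
}
elseif ($status.SpecVersion -ne $null -and [version]$status.SpecVersion -lt [version]'1.2') {
    Write-Host "TPM spec version $($status.SpecVersion) is too old; BitLocker requires 1.2."
}
```

If the first query finds a device but the second returns nothing, the driver has not loaded yet, which is the usual symptom immediately after enabling the chip in the BIOS and before the reboot.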

From the mouth of babes, part 12398

A couple of weeks ago I got myself invited to my oldest son's fourth-grade class to talk to the kids about security. The teacher is really into technology and is doing some very cool stuff. Unfortunately, he is not very into security, yet, so that part was, shall we say, lacking. He created this really neat literature blog about books they were reading and the kids were supposed to submit comments to the blog. I sent the teacher a note asking if he accepted anonymous comments. The answer: "No. I told the kids they have to put their names on the comments."


So, this entire discussion launched into a mini-lesson on security, and the next thing I know I have a date to go speak to the class, and I now have to figure out what to talk about. A couple of days before I was out driving with all my kids and decided to talk to them about passwords and how you should come up with long ones, how you can write them down and hide the note somewhere only you know where it is, and how you should never tell anyone, even your brothers and sisters, what they are.


My oldest son, who is very security savvy, immediately echoed all this to his younger siblings. "Yeah, that's right. You should have a long password. Mine is 'expialidocious'." I asked whether he hadn't listened when I told him, about thirty seconds ago, not to tell his brother and sister what the password was. His comment was totally priceless:


"But dad, it's OK. They don't know how to write!"


Way to show me up. I guess it's OK to tell someone that doesn't know how to write what your password is, as long as you change it before they learn how.

Security is not just for PCs

A friend just pointed me to this fascinating article about an attack on the Greek Vodafone network. The article discusses an attack that installed a rootkit on an Ericsson cellular phone switch which was used to divert calls of high-ranking Greek officials to unknown numbers.


There are a number of interesting lessons in this article, notably in the area of how not to handle forensic investigations. The phone company, as we all know (or should know) is in the business of billing, not in providing any kind of services, and certainly not in forensic investigations. Therefore, they wiped logs to make room for billing info and would not take the systems offline for analysis. The result was that crucial forensic evidence was lost. Furthermore, amateurs were put in charge of gathering evidence, taking actions which tipped off the criminals and enabled them to run and hide.


One must also not forget that this was an attack against a highly complicated, very obscure type of system, but with huge value targets. Often these types of systems have less security built-in than the average desktop operating system, and rely instead on obscurity for security. Irrespective of that, however, the value of the targets means it is still at significant risk. This highlights the shift toward a much more sophisticated type of attacker. This type of attack is highly unlikely to be perpetrated by some asocial teenager sitting in his basement. It's a new world, and a new adversary.