grack.com

Out of curiousity, I started reading about Microsoft’s BitLocker technology. This is a way of encrypting a whole hard drive that stores keys in the machine’s trusted platform module (TPM).

My conclusion (though I may be wrong) is that a laptop that uses BitLocker without either an external crypto token or a secure boot ROM is likely susceptible to some relatively easy hardware attacks. BitLocker may defend against casual snooping on random stolen laptops, but a determined attacker with a deliberate target probably won’t be thwarted unless the extra precautions mentioned above are taken.

While on the surface it appears to be a good idea, it seems to have a number of flaws that seem apparent at first glance.

Note that asking for a PIN would add some complexity to the attack, but would be vulnerable to poor PIN choices.

  1. The algorithm assumes that BIOS code is immutable. Since the OpenBIOS/LinuxBIOS people have been replacing BIOS chips for a while, this seems to be something that can be easily circumvented. The replacement BIOS need only extend the base PCR with the original BIOS image, effectively inserting itself into the chain of execution.

Note that Microsoft’s document here talks about BIOS upgrades and how they can destroy keys. See this BitLocker presentation for some more information.

The solution for this problem is getting laptop manufacturers to add a secure bootloader that checks the cryptographic signature of the BIOS and embeds a secret key in the TPM. This would be a tricky operation – requiring a hidden boot ROM like what is available on the XBOX.

Difficulty: best case: replacing socketed BIOS or backup BIOS. Worst case: desoldering/resoldering chips.

  1. The TPM can be transplanted. By running the TPM in a controlled environment, any software can extend the PCR registers as they would be extended on a real boot, which would then allow the TPM to unseal the keys. The solution, again, is to have a hidden boot ROM that embeds a secret key.

Diffculty: desoldering/resoldering chips.

  1. The whole authentication system can be emulated after boot in a non-secure OS. It might be possible to reset the TPM without resetting the system itself. I don’t have specific facts here, but I know that the TPM does have a way to reset the PCR registers, but this doesn’t reset an internal “resets after reboot” counter. An alternative might be to cut one of the Vcc leads of the TPM and allow it to be power-cycled externally.

Once the TPM has been reset, the user may then use an x86 emulator such as QEMU to run the BIOS and boot loader and recover the decryption keys from memory or a more sophisticated attack.

Difficulty: best case: software-only attack, worst case: hardware hack to reset TPM after boot.

Read full post

We’ve spent an interesting month with our new Roomba Scheduler. The role it fills is a “between-vacuuming” cleanup.

It works really well on carpets. It gets pretty much every spot that it can reach, and its small, round shape lets it get a lot of spots.

How it works on tile is a different matter altogether. I don’t know if it’s because our kitchen tile is a dark color, but we’ve found that it missed pretty much all the dirt along the edges of the kitchen, and a fair bit in the middle too. I guess the Scooba is designed to excel at this part of the cleaning, but it would be nice if Roomba had better support for cleaning smooth surfaces.

It’s been good at keeping out of trouble so far. You pretty much have to pick up any rugs or mats that Roomba might encounter. I believe they claim that Roomba will just seamlessly transition over these rugs, but most of the time you’ll find it pulling the rugs over themselves and occasionally getting caught. The net result of this is us spending roughly five minutes before each Roomba run picking everything up.

For a “between-vacuuming” device, the Roomba certainly helps out a lot. The carpets look nice and clean after it finishes and there isn’t half as much stuff on them when it comes time to do the real vacuum.

We haven’t used the scheduling functionality yet because between the two of us we are home pretty much all the time. It’s easier to start it as you are heading out or run it while you are home.

For a gadget nut, this is a perfect device!

Read full post

UPDATE: The author of portaPuTTy has updated his build with the font fix as well. Excellent! I recommend going with his version - it’s more likely to be supported.

I rebuilt a portable version of PuTTy using the latest 0.58 release.  It correctly saves font information (a shortcoming of the current portaPuTTy) and has all the updated security and bugfixes of 0.58.

I’ve also packaged up all the PuTTy executables (paegent, pscp, etc.) so that you can easily use them portably as well.  Note that all of the executables will load configuration files from $EXEPATH\.putty\configuration.

(download links no longer available)

For those who want to know what I changed, here’s a quick summary:

  • Moved the unix storage backend into the windows storage backend, since it has all the code we need

  • Added a BSD Win32 “dirent.h” and “dirent.c” implementation
  • Changed the code to look in the EXE’s path (via GetModuleFilePath(NULL)) instead of $HOME
  • Added the Win32 font load/save code
  • Hacked the Makefiles manually to add dirent.obj (out of sheer laziness ;))

There’s no patch available, but those instructions will reproduce the exact build I provided from the latest SVN or source packages.

Read full post

Saw V for Vendetta for the second time. Bought it this time.

It has the same mood that the original Matrix movie had. Recommended!

The intention of the plot is certainly obvious and the message of control by fear isn’t obfuscated.

This, of course, reminds me of the nagging question: why is there a “green” on the colour-coded terror alert if they are never going to use it?

Read full post

Eclipse has a new Remote System Explorer plugin that sounds interesting.

It’s an interesting approach. One type of connection is just a wrapper over SSH and SFTP, allowing you to manage systems remotely and edit files without much work. You can also get a command prompt up for more advanced administration.

The other type of connection allows you to run a full-featured java application on the server that gives you access to more functionality. I haven’t tried this one out yet.

You can read more about this feature in the RSE presentation.

Read full post