Why I wouldn’t swap hard drives on a laptop.

Dax0007 wrote in response to my point 14, “Secure format/wipe hard disk, and replace with original disk.  Repeat process.” (from 21 Things to do when quitting work):

“When taking over a company laptop I think it’s a good idea just go out and buy another HD, HD kit for the laptop, & some restore cd’s for that laptop.. then setup your new hard disk for personal use and when u do company work use ur company hard disk.. you should be 100% safe to surf, download, and do what u want.. right????”

Maybe Dax0007.  But swapping hard disk drives on a Lenovo Thinkpad is going to get awful tiring fairly quickly.  The following three drawings from IBM illustrate how much of a process it is:
[Images: t43hdd1, t43hdd2, t43hdd3]

(used to take me 10 minutes to swap the disks on a T41 Thinkpad)

If I still had a company laptop, I would:

  • set a drive password on the hard drive
  • encrypt the hard disk drive with TrueCrypt.
  • also TrueCrypt encrypt any “backup” drives I used at/for work.

And I’d also remind myself that anything I do while connected to the corporate network is definitely not “safe” from scrutiny.

Bulk EFS decryption & encryption

Short story version: use the CIPHER command.

I had a 3-2-1 backup fail on me recently: “21,684 files could not be copied”.

The original files were EFS encrypted.  Here’s a picture of what was going wrong:
Encrypted files do not copy to other PC

In technical terms, the second computer did not have the EFS decryption key.  The easy fix was to remove the EFS encryption via the CIPHER command:

cipher /a /d /s:<directory name>

where:

  • /a is all files, including subdirectories
  • /d is decrypt
  • /s: is the directory name.
    ie. d:\users\wisefaq\downloads

To bulk encrypt, you just need to replace the /d with /e
ie. cipher /a /e /s:<directory name>

Note: the cipher command will fail on files that have the READ-ONLY flag set, so remove the flag first.
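The bulk decrypt/encrypt step with the read-only caveat handled, as an added PowerShell example (not from the original post): it clears the read-only flag, runs the same cipher command, restores the flag, and returns the files whose Encrypted attribute did not reach the requested state. Invoke-BulkEfs is a hypothetical helper name, and the path is the sample directory from the post.

```powershell
# Added example, not from the original post. Invoke-BulkEfs is a hypothetical name.
function Invoke-BulkEfs {
    param(
        [Parameter(Mandatory)] [string] $Path,   # e.g. d:\users\wisefaq\downloads
        [ValidateSet('Decrypt', 'Encrypt')] [string] $Mode = 'Decrypt'
    )
    $flag = if ($Mode -eq 'Decrypt') { '/d' } else { '/e' }

    # cipher fails on read-only files: remember them, then clear the flag.
    $readOnly = @(Get-ChildItem -LiteralPath $Path -Recurse -File -Force |
        Where-Object { $_.IsReadOnly })
    foreach ($f in $readOnly) { $f.IsReadOnly = $false }

    try {
        # The command from the post: /a = files as well as directories,
        # /s: = the given directory and everything below it.
        & cipher.exe /a $flag "/s:$Path" | Out-Host
    }
    finally {
        # Put the read-only flag back on the files that had it.
        foreach ($f in $readOnly) {
            $f.Refresh()
            if ($f.Exists) { $f.IsReadOnly = $true }
        }
    }

    # Verify from the file attributes rather than trusting cipher's output:
    # return every file whose Encrypted bit does not match the requested state.
    $wantEncrypted = ($Mode -eq 'Encrypt')
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force | Where-Object {
        $_.Attributes.HasFlag([IO.FileAttributes]::Encrypted) -ne $wantEncrypted
    }
}

# Usage: an empty result means every file reached the requested state.
$left = @(Invoke-BulkEfs -Path 'd:\users\wisefaq\downloads' -Mode Decrypt)
"{0} file(s) still encrypted" -f $left.Count
$left | Select-Object -First 20 -ExpandProperty FullName
```

Run it from an account that holds the EFS key for the files; files it cannot decrypt show up in the returned list.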


Automatically encrypting Firefox web pages

… to stop snooping eyes from viewing what you’re doing.

Well you could use the HTTPS Everywhere Firefox plugin by the Electronic Frontier Foundation. 

The idea is simple.  You go to a web site, like http://www.google.com , and if there is a secure version (say https://www.google.com), you’ll be automatically redirected to it.

Useful?  Maybe…

If you don’t want your employer viewing your Google search, or Twitter, it might work for you. 

The 0.2.2 release of HTTPS Everywhere currently has support for the following 27 web sites:
Amazon, DuckDuckGo, EFF, Facebook, GMX, Google, GoogleAPIs, GoogleServices, Identica, Ixquick, Live, Mail.com, Meebo, Microsoft, Mozilla, Nederland, NYTimes, PayPal, Scroogle, Torproject, Twitter, WashingtonPost, Wikipedia, WordPress, zGentooBugzilla, zNoisebridge, Zoho

You can download the HTTPS Everywhere plugin here.


Inside a RSA SecurID tag

This is a “new style” RSA SecurID token.
RSA Securid Token

It, like the older style token, generates a code number every 30 seconds.  With the code number, a PIN code and a username/password, I’m able to log on to my employer’s computers, from anywhere in the world.  The SecurID tokens are supposed to be tamper resistant.

In fact, the electronics package is mostly covered in a soft plastic coating.  The kind of plastic you might pour over an insect to preserve it.  It is fairly easy to remove, so it doesn’t seem that resistant to me.  The CR-2032 battery is soldered to the electronics board, so you can’t re-use it.
[Images: RSA SecurID opened up; RSA SecurID Token, some plastic scraped away]

You’d hear stories about the old token, such as opening the case would cause the SecurID token to immediately disable itself.  I was disappointed that the newer model didn’t do that.  For those who don’t remember the old token, here’s what they looked like:
RSA SecurID token displaying OFF


Today’s password is ‘4rfvgy7uj’

Never heard about the concept of password “snakes” until I visited a customer 2 years ago.

Password snakes, simply put, are passwords which follow a path on the keyboard, as this picture illustrates.
[Image: final_snake]

It’s an interesting idea, but not one I’d really encourage as it’s too easy to remember, particularly for those types of people who like looking over your shoulder.
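A password-policy check for snakes, as an added PowerShell example (not from the original post): it models key adjacency on a staggered keyboard and reports the longest run of neighbouring keys in a password. The US QWERTY layout, the function names and the MinRun threshold of 4 are assumptions of this example.

```powershell
# Added example, not from the original post. Assumes a US QWERTY layout;
# shifted symbols and repeated keys are not counted as part of a snake.
$rows = '1234567890', 'qwertyuiop', 'asdfghjkl', 'zxcvbnm'
$pos = @{}
for ($r = 0; $r -lt $rows.Count; $r++) {
    for ($c = 0; $c -lt $rows[$r].Length; $c++) {
        $pos[[string]$rows[$r][$c]] = @($r, $c)
    }
}

function Test-AdjacentKey([string]$a, [string]$b) {
    if (-not ($pos.ContainsKey($a) -and $pos.ContainsKey($b))) { return $false }
    $dr = $pos[$b][0] - $pos[$a][0]
    $dc = $pos[$b][1] - $pos[$a][1]
    # Rows are staggered: a key touches its two same-row neighbours, columns
    # c-1 and c in the row below, and columns c and c+1 in the row above.
    if ($dr -eq 0)  { return ([math]::Abs($dc) -eq 1) }
    if ($dr -eq 1)  { return ($dc -eq -1 -or $dc -eq 0) }
    if ($dr -eq -1) { return ($dc -eq 0 -or $dc -eq 1) }
    return $false
}

function Get-SnakeReport([string]$Password, [int]$MinRun = 4) {
    $p = $Password.ToLowerInvariant()
    $best = [math]::Min(1, $p.Length)
    $run = 1
    for ($i = 1; $i -lt $p.Length; $i++) {
        $adjacent = Test-AdjacentKey ([string]$p[$i - 1]) ([string]$p[$i])
        $run = if ($adjacent) { $run + 1 } else { 1 }
        if ($run -gt $best) { $best = $run }
    }
    [pscustomobject]@{
        Password   = $Password
        LongestRun = $best                 # keys in the longest adjacent walk
        IsSnake    = ($best -ge $MinRun)   # MinRun is an assumed threshold
    }
}

# Constructed samples; the first is the password from the post's title.
'4rfvgy7uj', 'qwerty2010', 'correcthorse' | ForEach-Object { Get-SnakeReport $_ }
```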


Anti-virus False Positives – been a few

[Image: McAfee - Not Proven Security (image courtesy Lifehacker)]

It was an Ed Bott article which got me to thinking, “just how many anti-virus false positives have I dealt with over the years?”.   Six.   A false positive is when your anti-virus product flags a non-virus file as being virus-infected.

Number of false positive virus updates which impacted my customers? 6
Number of virus outbreaks which occurred, which the AV products missed? 3
Number of virus outbreaks actually prevented by an AV product? 0

I’ve often thought that enterprise customers should pilot AV updates before inflicting them on their wider user community.  I mean, what’s the point of having an AV product which effectively does more damage than an actual outbreak?

Here is the list of anti-virus updates I’ve seen which have caused some havoc for customers.  It was longer than I thought it would be.

| AV product | Date | Product it killed | Customer impact |
|---|---|---|---|
| McAfee AV | April 2010 | Windows | Minor.  We stopped it in time. |
| CA eTrust | September 2008 | Spybot S&D | Couldn’t use SpyBot as eTrust deleted the .exe |
| CA Pest Patrol | March 2005 | IBM SameTime | 20,000+ computers unable to use instant messaging product. |
| CA eTrust | January 2004 | Windows | Stopped Windows booting in two countries. |
| CA eTrust | December 2003 | WiseScript created utilities | Broke a number of software installations, and caused a logon error on 1,000+ computers. |
| Symantec Norton AV | November 2001 | InstallShield created software installs. | When trying to install a particular VPN product, Symantec said the install was “NIMBA”.  Stopped a country-wide deployment for a week. |

The anti-virus product I use at home?  Microsoft Security Essentials.


Semi-regular web-link clearance – April 2010

Your First Silverlight Application

Learn how to write your first Silverlight application. Where to get the tools, and what settings to use during development. Only 4 lines of real code stand between you and having a Silverlight application running. Join me as I begin a series with this introductory article.

Parallelism in .NET – Introduction

Parallel programming is something that every professional developer should understand, but is rarely discussed or taught in detail in a formal manner.  Software users are no longer content with applications that lock up the user interface regularly, or take large amounts of time to process data unnecessarily.  Modern development requires the use of parallelism.  There are no longer any excuses for us as developers.

It’s Not Your To-Do List: Using Application Compatibility Tools to Diagnose Problems, Not Surface Them

There are a large number of tools available to assist you with application compatibility, and part of the challenge of becoming an app compat ninja is to understand how to apply each of these tools in the most effective way. I spoke last time about leveraging compatibility evaluators, hoping to help you work these into the process in a way more likely to make you happy. This time around, I want to back off and try to address a more general misconception:

No app compat tool is going to provide you with a to-do list of all the things you must fix in order to make your application compatible.

NumberQuotes

Ever need a good quote to add scale to a number?

You know, you’re giving a presentation on sales and you want to give a number some scale.

“Last year our industry changed by 50 billion dollars – that’s the GDP of Serbia.”

Only finding those quotes used to be a pain, but with NumberQuotes you can find the quote you need fast and easy. Numberquotes.com is a great tool for writing speeches, articles, public relations, and presentations.

Give your numbers some scale today!

Understanding Windows File And Registry Permissions

Whenever something happens in a system, a principal (which could be a process or thread acting on behalf of a user or service) acts upon objects. Files, directories, and registry keys are examples of commonly known objects. The basic security mechanism of Windows involves having a trusted system component check permissions and rights (AccessCheck) before an operation is allowed to proceed. Thus, you manage system behavior by setting permissions and rights. Since you cannot appropriately set permissions without understanding what is being done under the surface, I’ll start by describing security settings on objects and how they are processed, and I’ll follow that with how to set values for them.


Internet Explorer Security Tab Restrictions

One of our web developers contacted me, and asked how they could look at the settings for the Trusted Zone in Internet Explorer.  The Custom Level and Default Level buttons were greyed out.  And it’s not an Admin vs. Non-admin rights problem, as I have the same problem:

Internet Options - Security - Custom settings

The answer? Set the Security_options_edit value to 0 (that’s zero) in the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings key.

The Web Developer can now play to her heart’s content.  (if the Web Developer wanted to remove all of the group policy settings, they could do that by following these instructions.)

A breakdown of the security tab restrictions follows.
