Out of curiousity, I started reading about Microsoft’s BitLocker technology. This is a way of encrypting a whole hard drive that stores keys in the machine’s trusted platform module (TPM).

My conclusion (though I may be wrong) is that a laptop that uses BitLocker without either an external crypto token or a secure boot ROM is likely susceptible to some relatively easy hardware attacks. BitLocker may defend against casual snooping on random stolen laptops, but a determined attacker with a deliberate target probably won’t be thwarted unless the extra precautions mentioned above are taken.

While on the surface it appears to be a good idea, it seems to have a number of flaws that seem apparent at first glance.

Note that asking for a PIN would add some complexity to the attack, but would be vulnerable to poor PIN choices.

1. The algorithm assumes that BIOS code is immutable. Since the OpenBIOS/LinuxBIOS people have been replacing BIOS chips for a while, this seems to be something that can be easily circumvented. The replacement BIOS need only extend the base PCR with the original BIOS image, effectively inserting itself into the chain of execution.

Note that Microsoft’s document here talks about BIOS upgrades and how they can destroy keys. See this BitLocker presentation for some more information.

The solution for this problem is getting laptop manufacturers to add a secure bootloader that checks the cryptographic signature of the BIOS and embeds a secret key in the TPM. This would be a tricky operation – requiring a hidden boot ROM like what is available on the XBOX.

Difficulty: best case: replacing socketed BIOS or backup BIOS. Worst case: desoldering/resoldering chips.

2. The TPM can be transplanted. By running the TPM in a controlled environment, any software can extend the PCR registers as they would be extended on a real boot, which would then allow the TPM to unseal the keys. The solution, again, is to have a hidden boot ROM that embeds a secret key.

Diffculty: desoldering/resoldering chips.

3. The whole authentication system can be emulated after boot in a non-secure OS. It might be possible to reset the TPM without resetting the system itself. I don’t have specific facts here, but I know that the TPM does have a way to reset the PCR registers, but this doesn’t reset an internal “resets after reboot” counter. An alternative might be to cut one of the Vcc leads of the TPM and allow it to be power-cycled externally.

Once the TPM has been reset, the user may then use an x86 emulator such as QEMU to run the BIOS and boot loader and recover the decryption keys from memory or a more sophisticated attack.

Difficulty: best case: software-only attack, worst case: hardware hack to reset TPM after boot.

We’ve spent an interesting month with our new Roomba Scheduler. The role it fills is a “between-vacuuming” cleanup.

It works really well on carpets. It gets pretty much every spot that it can reach, and its small, round shape lets it get a lot of spots.

How it works on tile is a different matter altogether. I don’t know if it’s because our kitchen tile is a dark color, but we’ve found that it missed pretty much all the dirt along the edges of the kitchen, and a fair bit in the middle too. I guess the Scooba is designed to excel at this part of the cleaning, but it would be nice if Roomba had better support for cleaning smooth surfaces.

It’s been good at keeping out of trouble so far. You pretty much have to pick up any rugs or mats that Roomba might encounter. I believe they claim that Roomba will just seamlessly transition over these rugs, but most of the time you’ll find it pulling the rugs over themselves and occasionally getting caught. The net result of this is us spending roughly five minutes before each Roomba run picking everything up.

For a “between-vacuuming” device, the Roomba certainly helps out a lot. The carpets look nice and clean after it finishes and there isn’t half as much stuff on them when it comes time to do the real vacuum.

We haven’t used the scheduling functionality yet because between the two of us we are home pretty much all the time. It’s easier to start it as you are heading out or run it while you are home.

For a gadget nut, this is a perfect device!

UPDATE: The author of portaPuTTy has updated his build with the font fix as well. Excellent! I recommend going with his version - it's more likely to be supported.

I rebuilt a portable version of PuTTy using the latest 0.58 release.  It correctly saves font information (a shortcoming of the current portaPuTTy) and has all the updated security and bugfixes of 0.58.

I've also packaged up all the PuTTy executables (paegent, pscp, etc.) so that you can easily use them portably as well.  Note that all of the executables will load configuration files from $EXEPATH\.putty\configuration.

Get it here:

Portable PuTTy 0.58 (binaries)
Portable PuTTy 0.58 (source)

For those who want to know what I changed, here's a quick summary:

• Moved the unix storage backend into the windows storage backend, since it has all the code we need
  
• Added a BSD Win32 "dirent.h" and "dirent.c" implementation
• Changed the code to look in the EXE's path (via GetModuleFilePath(NULL)) instead of $HOME
• Added the Win32 font load/save code
• Hacked the Makefiles manually to add dirent.obj (out of sheer laziness ;))
  

There's no patch available, but those instructions will reproduce the exact build I provided from the latest SVN or source packages.

Saw V for Vendetta for the second time. Bought it this time.

It has the same mood that the original Matrix movie had. Recommended!

The intention of the plot is certainly obvious and the message of control by fear isn’t obfuscated.

This, of course, reminds me of the nagging question: why is there a “green” on the colour-coded terror alert if they are never going to use it?

Eclipse has a new Remote System Explorer plugin that sounds interesting.

It’s an interesting approach. One type of connection is just a wrapper over SSH and SFTP, allowing you to manage systems remotely and edit files without much work. You can also get a command prompt up for more advanced administration.

The other type of connection allows you to run a full-featured java application on the server that gives you access to more functionality. I haven’t tried this one out yet.

You can read more about this feature in the RSE presentation.

Looks like posting works fine but the first post was doubled. It seems a little more friendly than using the markup editor in Typo. I might stick with this instead!

UPDATE: This post didn’t get doubled up. Strange! Maybe it has something to do with me testing the blog connection.

UPDATE #2: BTW, editing posts works fine. ;)

Testing Google’s Writely support for blog posts.

I can’t believe how cool this technique is.

It takes a 3D mesh and calculates the lowest-error set of billboards that, when rendered, look very much like the object they are representing.

Take a look at this sample movie of a billboard-cloud-tree flyover.

Looks like NDoc is one of many .NET open-source projects to “bite the big one”, but certainly not the last. I stopped development on NProf a while back because I couldn’t build up any momentum around it. I suppose that it was slightly annoying that I found some of my GPL’d code in Jetbrains’ new profiler. Perhaps they could have contributed something back to NProf at least. ;)

NAnt releases are getting further apart and the mailing list traffic is dwindling. Log4Net seems to be moving so slow I don’t know how they manage to get releases out!

Is there such a fundamental difference between .NET and Java developers that one community can sustain such a great set of open-source projects and one can’t?

The sad thing about the death of open-source projects on the .NET platform is that they end up being replaced by closed-source (or worse – shared-source) projects that you can’t fix bugs in or redistribute without a team of lawyers.

I’m not sure why, but they don’t seem to learn anything from the open-source equivalents that they clone either. Compare NAnt to MSBuild, for instance. MSBuild ends up being a horribly complicated system that doesn’t let you do half the stuff as clean or as elegantly as the equivalent NAnt script.

As the original author of the solution task in NAnt, I can now say that I’m glad that they have to deal with the numerous ideosyncracies in their bizarre world of .NET project building, like reading source files to figure out what the names of embedded resources are.

All I can really say to them is good luck re-implementing all this stuff.

I’ve been a little slack lately on the blog posting, most likely baby-related.

In case you weren’t keeping track, Everett is five months old now. He’s doing well, but seems only to be able to roll to the left. I suppose that’s pretty amazing considering that the two halves of his brain have only had a few months to become acquainted with each other. ;)