SSDs and built-in encryption–and how to enable it

Update: This entry was based on preliminary information that turned out to be incorrect. Please see the following update.

One of the last knocks on SSD performance is that they don’t perform well with full-drive encryption. But on Sandforce 1200- and 2200-based drives, and the next-generation Intel 320 drives introduced today, that’s not an issue anymore. Encryption happens on the drive, in hardware, with no performance penalty.

The problem was that nobody talked about how it works. I found the details buried in Anandtech’s review of the Intel 320 drive. The takeaway is this: If you set your BIOS password, the drive will be unreadable if you remove it and put it in another system. Update: No it won’t. But you can add ATA password support, under some circumstances.

How to check your downloaded files’ integrity

On some web pages offering programs to download, you may have seen something called an MD5 near the program link, consisting of a long, weird code like 6cbfd919baa7c9e03c8471ae4d8f8bb.

You can use that code to make sure the file you downloaded is what the author intended you to get and wasn’t corrupted during the download process or, worse yet, booby-trapped by someone else. Here’s how.


The tyranny of consumerization is real

Computerworld cites the iPad 2 and increasing demand by end users to use such consumer devices in corporate environments as “The tyranny of consumerization.”

This has happened before. And if history repeats itself, the future will be better than today, but the road there is going to involve some pain.

How to audit your PC’s software for updates

Sometimes you like to use backdated software, perhaps to avoid bloatware. But perhaps you have some old software you’ve forgotten about. If you want to know, Secunia has a free product called PSI that will scan your system and alert you to any outdated software you may have. Then you can either update it, if it’s something you use and want to keep up to date, or uninstall it.

You network guys…

One of my clients has a problem. We’ll call him Melvin, because I like changing names when I tell stories.

Melvin doesn’t like network guys, and takes every possible opportunity to tell anyone within earshot. “You network guys don’t understand what’s going on over that wire, and you don’t want to.”

We do understand, but not the way he thinks network guys should. Melvin is wrong.


Misguided security, episode 14

I was working in a data center, where we had a couple of Cisco VOIP phones. I don’t know who put them in or when–it’s possible they predated me. We never got them working, but nobody ever really tried, either.

The idea was that two guys working on servers in different datacenters across the WAN might need to talk. The reality was that we didn’t do that very often and usually had other ways to do it–a cellphone being the most obvious option. Our networking guys always had much more pressing issues than getting the VOIP phones working, so the phones just sat there and looked pretty. Until the wrong guy noticed them one day, that is.


The circulating privacy threat warnings miss the boat

This week I’ve had multiple people send me warnings they saw on Facebook about a new privacy threat, which, after I read about it, really appears just to be something that aggregates information already available about you.

Perhaps not coincidentally, PC Magazine has a piece telling you what you need to do if you’re really concerned about privacy and really want to disappear. http://www.pcmag.com/article2/0,2817,2376023,00.asp

Some security-ish short takes

Windows 7 SP1 is coming soon. Possibly as soon as this weekend.

Historically, service packs tend to get off to a bit of a rocky start, so I’m not going to be installing this right away. But since it’s so imminent, I’m not going to be installing Windows 7 on anything else yet either. I’ll probably give it a couple of weeks, then slipstream and install. Being the first on the block to install a service pack usually isn’t a good idea. Seems to me that in one Slashdot poll several years ago, given the choice between installing a service pack on the first day or watching the movie Master of Disguise, the really bad Dana Carvey movie won out. There’s a reason for that.

Microsoft Security Essentials, Take 43,291. And while we’re picking on Microsoft, my biggest beef with Microsoft Security Essentials is that it doesn’t update itself quickly enough. But you can make it check for updates as frequently as every hour. Directions are at http://lifehacker.com/5733597/change-microsoft-security-essentials-update-frequency

They cite this as a good thing to do on laptops. I completely agree. My laptop gets used just sporadically enough that it has trouble staying updated, and usually, when I use it on the road, it’s not up to date at first, and it’s when you’re using strange networks that you most want to be up to date.

Frankly I think it’s a good thing to do on your desktop too. When the signatures get updated, would you rather get the updates right away, or tomorrow? I’ll vote for right away.

When I was administering antivirus for a living, when I updated my AV server, my clients got the updates within an hour or so. Sometimes it was within a few minutes. That system wasn’t even directly connected to the Internet. So if that system needed its updates that fast, so do home PCs.

Passwords. It’s now possible to test 400,000 passwords per second using Amazon’s services, at a cost of 28 cents per minute. So, testing 24 million possible passwords costs 28 cents.

Strengthen your passwords. Going to 16 characters with two uppers, two lowers, two special characters and two umlauts is overkill, but you want to be using more than 8 characters, and use at least one number, one upper and one lowercase letter, and one special character like a punctuation mark. If your password is something like “popcorn,” well, let’s do the math. It takes one second to test 400,000 passwords, and there are arguably a million words in the English language, so cracking a simple one-word password should take a maximum of two and a half seconds and cost 3 cents.
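
The same arithmetic, extended to the password rules recommended above, as an added example that is not part of the original post. It assumes the post's quoted rate (400,000 guesses per second at 28 cents per minute) and a 32-character punctuation set; the function names are illustrative.

```python
from itertools import combinations

GUESSES_PER_SECOND = 400_000     # rate quoted in the post
COST_PER_MINUTE_USD = 0.28       # price quoted in the post
# Assumed class sizes: ASCII letters, digits, 32 printable punctuation marks.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}

def keyspace(length, classes, require_each=False):
    """Count passwords of exactly `length` characters drawn from `classes`.

    With require_each=True, count only passwords containing at least one
    character from every class (inclusion-exclusion over excluded classes).
    """
    sizes = [CLASS_SIZES[c] for c in classes]
    total = sum(sizes)
    if not require_each:
        return total ** length
    count = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(sizes, k):
            count += (-1) ** k * (total - sum(excluded)) ** length
    return count

def exhaust(candidates):
    """Worst-case (seconds, USD) to try every candidate at the quoted rate."""
    seconds = candidates / GUESSES_PER_SECOND
    return seconds, seconds / 60 * COST_PER_MINUTE_USD

def human(seconds):
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

def report():
    """Worst-case time and cost for a few policies, weakest first."""
    everything = list(CLASS_SIZES)
    policies = [("8 lowercase letters", keyspace(8, ["lower"]))]
    for n in (8, 9, 10, 12):
        policies.append((f"{n} chars, all four classes required",
                         keyspace(n, everything, require_each=True)))
    return [(name, human(exhaust(n)[0]), exhaust(n)[1]) for name, n in policies]

if __name__ == "__main__":
    for name, duration, cost in report():
        print(f"{name:<40} {duration:>28}  ${cost:,.2f}")
```

These are worst-case figures for exhausting a random keyspace at one fixed rate; a password built from dictionary words or common substitutions falls much sooner than its length suggests.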