• Bitlocker To Go – Cool Stuff

    I guess you know my view on the protection of USB ports. I am often asked how you can prevent your users from using USB sticks. There are ways – especially in Vista – but don’t do it. Your users most probably have a good business reason why they want to use USB sticks, and by not letting them, they will most probably find another way to transport your sensitive information.

    Rather, give them the tools to do their business in a secure and safe way. Protect sensitive information with technology like Active Directory Rights Management Services – then you no longer have to worry about where your data resides. Additionally, you might still be worried about the loss of thumb drives, as this happens so often. This might be the background to why I get so many questions on BitLocker To Go. Let’s just briefly look at the user experience when using this technology.

    I just plugged a normal USB stick into my Windows 7 box. I then right-click on the USB drive in “My Computer” and get the following menu:


    So, let’s try to click on Turn on BitLocker… and give it a try:

    This answers one of the questions I often get: How does BitLocker To Go authenticate the user? As you can see, there are two options:

    • You can use a password to protect it – or even better, a passphrase. This will be the option you use if you want to share the USB key, or if you are not sure what kind of machine you will have to unlock it on, as you do not know whether there is a smartcard reader (or you know that there is no smartcard reader on the target machine).
    • If you want to make sure you have strong authentication and only you get access, use a smartcard!

    And then – no, not yet. The drive will not be encrypted yet. As you know from “normal” Bitlocker, there is no encryption without backup keys:

    After having a backup of the key, you are ready to go and encrypt the USB stick:

    So far so good: pretty easy! But what happens if I plug this stick into another machine? This is what I did, and this is what happened:

    So, I am prompted for the password, I enter it, and the device is unlocked. However, if I forgot my password, this happens:

    So, similar to BitLocker on your main machine/disk, you can use the recovery key to unlock it.

    If you look at it, it is a pretty easy and straightforward way to encrypt a USB stick and protect it against loss, using the same technology as for your main disk.

    One final question I get asked pretty often: What editions of Windows 7 support it? In Windows 7 BitLocker Executive Overview, you find the answer: BitLocker To Go can be utilized on its own, without requiring that the system partition be protected with the traditional BitLocker feature. Although you will need a premium Windows 7 SKU to enable protection of removable storage devices with BitLocker, any SKU can be utilized to unlock and use a protected device. Finally, BitLocker To Go provides read-only support for removable devices on older versions of Windows allowing you to more securely share files with users who are still running Windows Vista and Windows XP.
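    The same workflow as the wizard above, scripted with manage-bde.exe, the command-line BitLocker tool that ships with Windows 7 (this is an added example, not part of the original post). It assumes the removable drive is mounted as E: and that a backup folder C:\BitLockerBackup exists; both are placeholders.

```powershell
# Added example (not from the original post): the BitLocker To Go steps
# described above, driven by manage-bde.exe from an elevated PowerShell prompt.
# Assumptions: removable drive mounted as E:, backup folder C:\BitLockerBackup
# already exists (both placeholders, adjust to your environment).
param(
    [string]$Drive  = 'E:',
    [string]$Backup = 'C:\BitLockerBackup'
)

# 1. Turn on BitLocker with a password protector (manage-bde prompts for the
#    password) plus a numerical recovery password. The recovery password is
#    the "backup key" the wizard insists on before anything is encrypted.
#    For smartcard authentication instead of a password, replace -Password
#    with: -Certificate -ct <certificate thumbprint>
manage-bde -on $Drive -Password -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed for $Drive" }

# 2. Back up the recovery password: list the key protectors (the 48-digit
#    numerical password is printed here) and store the output off the stick.
#    In a domain, Group Policy can additionally escrow it in Active Directory.
$protectors = manage-bde -protectors -get $Drive
$letter     = $Drive.TrimEnd(':')
$protectors | Out-File -FilePath (Join-Path $Backup "$letter-protectors.txt")

# 3. Wait until the volume reports that conversion has finished.
do {
    Start-Sleep -Seconds 30
    $status = manage-bde -status $Drive
} while ($status -match 'Encryption in Progress')
$status

# Later, on another machine:
#   manage-bde -unlock E: -Password                      # normal case
#   manage-bde -unlock E: -RecoveryPassword <48 digits>  # forgot the password
```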

    Roger

  • Kaspersky’s View of a Secure Internet – Does this make sense? I think not

    A few months ago, I already had some discussions with Eugene Kaspersky during an event of the Council of Europe on Cybercrime about how to address cybercrime on the Internet. At the moment, I am on a very, very slow connection and just got what I saw in my RSS feed enclosure. I could not verify the whole article, but it is pretty much in line with the discussion we had there:

    So, let me try to give you a perspective and some comments in this context. He seems to say: The short term solution is to get global cooperation with the police, because the police of different countries don’t know how to collaborate with one another. He believes the police want more successful investigations, not just to stop the criminals but to also own the list of successes. So nothing is getting done and each one is blaming the other for the problem. We have to start to work together, think globally, and create a global police force.

    I could not agree more with this, but I am going one significant step further: We do not “only” need better collaboration between the different police forces in different countries (or within a single country), we need better collaboration between law enforcement, judges, prosecutors and the private sector. This requires a different way of thinking by all the parties, but it is absolutely necessary. The biggest challenge here is that there is no history of deep trust between these parties. From what I know, the Council of Europe is a great catalyst to help us all get there. Additionally, there are extremely good people in the different bodies, like Interpol and Europol, who really want to move this on.

    Next: The long term solution is to get governments around the globe to implement a universal list of rules and regulations for the public internet network. Well, yes and no. I am not completely sure whether I want this. If these rules are written together with the industry, there is a certain chance that we regulate the right thing. However, knowing the different players at the moment, there is a good chance that this will not be used for the sake of a safer Internet but only to gain a competitive advantage – and this would be really bad!

    Finally he says: In addition, a personal ID will be required for internet access and for logging into financial websites, similar to a driver’s license or insurance card. “If you want to get connected or onto a website you will have to present an ID,” he explains. This is where we had the discussion, as I fundamentally object to this idea. This is – in my opinion – not feasible, as it would destroy one of the biggest advantages of the Internet: free speech. Think about the recent events in Iran: Would the same kind of communication have been feasible if we had had strong authentication? Definitely not.

    So, what we need is a model which allows for both – and this is what we think claims-based authentication is about to deliver – it is part of the End to End Trust framework we introduced earlier.

    So, I think that Eugene should stop with this claim. It does not really add to a fruitful discussion. Let’s collaborate (as stated above) to jointly work towards one goal: A safer Internet.

    Roger

  • Physical Security: ATMs equipped with Pepper Spray

    This is “real” hard-core security. If the ATM senses that it is being tampered with, it releases pepper spray. It is kind of a “self-defense” mechanism. I just hope it never thinks that I am tampering with the machine when I just want to get money…

    ATMs fitted with pepper spray

    Roger

  • Vacation differently: Find new interesting places using Geocaching

    This has absolutely nothing to do with security but is a lot of fun: A few years ago, I read an article about Geocaching. Basically, this is a treasure hunt using GPS. Wikipedia describes it like this: Geocaching is similar to the 150-year-old game letterboxing, which uses clues and references to landmarks embedded in stories. Geocaching was imagined shortly after the removal of Selective Availability from GPS on May 1, 2000, because the improved accuracy of the system allowed for a small container to be specifically placed and located. The first documented placement of a GPS-located cache took place on May 3, 2000, by Dave Ulmer of Beavercreek, Oregon. The location was posted on the Usenet newsgroup sci.geo.satellite-nav as 45°17.460′N 122°24.800′W. By May 6, 2000, it had been found twice and logged once (by Mike Teague of Vancouver, Washington). According to Dave Ulmer's message, the original stash was a black plastic bucket buried most of the way in the ground and contained software, videos, books, food, money, and a slingshot.

    There are people who are really addicted to it and have found thousands of caches all around the globe. For us, it is more of a family fun event, and we are up to a few dozen so far. However, the reason I wrote this post is that we started to use it during vacation to get to know places we would never have gone to otherwise.

    Let me give you two examples. Last year we went to a campsite on the Costa Brava in Spain, close to Barcelona. Close to where we stayed, there was a national park that a lot of people visit. So, we went looking for a cache called Monastery of Sant Pere de Rodes, basically a real tourist attraction.

    However, the cache itself was not located there (the picture was actually taken on the way up to the cache). It was about a 30 minutes hike up the mountain to an old castle up there with an outstanding view on all sides – something we would never have seen without the wish to find the cache:

    Another example is from our latest vacation in Crete. We were looking for Crete - Akrotiri - "3 Monasteries Cache" – again monasteries. The first one on that list was the one the buses stopped at. The last one was about 30 minutes further on… Look at the pictures:

    Worth it – wasn’t it? I know that I am a simple person: I just do not want to be among the big masses of people, and I love toys (like GPS). But Geocaching led us to spots we would never have gone to. We did not even know that the center point of the state we live in (and I even grew up here) is just about 2 km away from where we live.

    So, this is definitely something I would recommend you look into. Just visit the Geocaching website and have fun.

    Roger

  • Office 2010: The Movie

    Just some fun before I leave for vacation: http://www.youtube.com/watch?v=VUawhjxLS2I

    BTW: Office 2010 really rocks – I have been running the Technical Preview for quite a while now…

    Have a good summer

    Roger