<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>windowsnerd.com &#187; prediction</title>
	<atom:link href="http://windowsnerd.com/category/prediction/feed/" rel="self" type="application/rss+xml" />
	<link>http://windowsnerd.com</link>
	<description>Admin</description>
	<lastBuildDate>Fri, 25 Jun 2010 04:42:26 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>Mac tablet prediction &#8211; wild crazy one including OS11</title>
		<link>http://windowsnerd.com/2010/01/10/mac-tablet-prediction-wild-crazy-one-including-os11/</link>
		<comments>http://windowsnerd.com/2010/01/10/mac-tablet-prediction-wild-crazy-one-including-os11/#comments</comments>
		<pubDate>Mon, 11 Jan 2010 03:45:51 +0000</pubDate>
		<dc:creator>Nerd</dc:creator>
				<category><![CDATA[mac]]></category>
		<category><![CDATA[prediction]]></category>

		<guid isPermaLink="false">http://windowsnerd.com/?p=418</guid>
		<description><![CDATA[Ok so this one is out there. Apple is on top of its game. Macland has to know that Chrome will destroy the teeny userbase OSx has within the next 2 years. Most people use the web. That&#8217;s it. Web apps. My mom, my cousin, most of my employees. They all use the web. At [...]]]></description>
			<content:encoded><![CDATA[<p>Ok so this one is out there. Apple is on top of its game. Macland has to know that Chrome will destroy the teeny userbase OSx has within the next 2 years. Most people use the web. That&#8217;s it. Web apps. My mom, my cousin, most of my employees. They all use the web. At the university we tracked applications across 1400 lab computers. Even 3-7 years ago it was 99% web browser. More netbooks will be sold at the ATT/Verizon store. They will become disposable.</p>
<p>Why is it taking so long for the Apple tablet to come out? It is getting beat over and over again. The Nvidia tablet, Dell slate, old school dell xt, oqo gear. Apple does things for good reasons. They are waiting for a perfect storm of ideas. Small light touchscreen tech is maturing this year. Battery life is better with atoms and SSDs. And-</p>
<p>I&#8217;m guessing the Apple tablet is running a thinned down OSX. Probably named OS 11. It will be super lightweight, just some wireless drivers, graphics, small fast storage. Exactly what the standard cookie cutter Chrome OS machine will be later this year. All the manufacturers are ramping up on the touch screen slate. Apple will be fashionably late as usual (like on the current lack of security patches,) and dazzle us with some overpriced gadget. As always, I won&#8217;t buy one because I can&#8217;t afford the lack of bang for bucks. But if someone gives me a toy that cool I&#8217;ll be ever so happy.</p>
<p>Where does this leave me? Errr ummmm&#8230; Yipes. MS has been working on their own cloud for a long time. I wonder if it will arrive in time before the google hurricane.</p>
<p>So there is my crazy prediction for 2010. Apple iSlate or whatever is running a ChromeOS style OS, on near netbook hardware, and sold at Verizon with cell service. If they don&#8217;t have a light OS, goodbye Apple, and welcome google vs MS for the next cold war.</p>
]]></content:encoded>
			<wfw:commentRss>http://windowsnerd.com/2010/01/10/mac-tablet-prediction-wild-crazy-one-including-os11/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Securing HIPAA data on a laptop</title>
		<link>http://windowsnerd.com/2009/05/04/securing-hipaa-data-on-a-laptop/</link>
		<comments>http://windowsnerd.com/2009/05/04/securing-hipaa-data-on-a-laptop/#comments</comments>
		<pubDate>Tue, 05 May 2009 01:22:03 +0000</pubDate>
		<dc:creator>Nerd</dc:creator>
				<category><![CDATA[prediction]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://windowsnerd.com/?p=245</guid>
		<description><![CDATA[I&#8217;m tired of looking for resources that define how to properly secure HIPAA data on a laptop. HIPAA Title II is vague and seems to indicate that you need to secure patient data with good current industry standards. What are those standards? It reminds me of FERPA. I&#8217;m going to define &#8220;best effort according to industry standards&#8221; [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;m tired of looking for resources that define how to properly secure HIPAA data on a laptop. <a title="http://en.wikipedia.org/wiki/Hipaa" href="http://en.wikipedia.org/wiki/Hipaa" target="_blank">HIPAA</a> Title II is vague and seems to indicate that you need to secure patient data with good current industry standards. What are those standards? It reminds me of FERPA. I&#8217;m going to define &#8220;best effort according to industry standards&#8221; today for you. Here is what you need to know about what level of protection you are adding to your notebook and if it is &#8220;good.&#8221;</p>
<p> </p>
<h1><span style="color: #000000;">Operating system password only</span><span style="color: #000000;">:</span> <span style="color: #ff0000;">BAD</span></h1>
<p><span style="color: #ff0000;"><br />
</span></p>
<p>If you depend on the Windows password to protect patient data, you belong in jail or in a place where they levy fines against you daily. You are lazy, ignorant or an evil penny pinching jerk. Enough said. No computers for you!</p>
<h1><strong><span style="color: #000000;">BIOS Password:</span></strong><strong> </strong><span style="color: #ff0000;"><strong>NOT ACCEPTABLE</strong></span></h1>
<p><span style="color: #ff0000;"><strong><br />
</strong></span></p>
<p>Honestly not much better than an OS password as far as time needed to exploit: BIOS passwords are easily defeated by many tools. They are bundled into many boot CDs anyone can download from the internet. I&#8217;ll leave these tools without a name because any idiot can use these and I&#8217;m not giving the lazy ones a head start.</p>
<h1><span style="color: #000000;"><span style="color: #000000;">Hard Disk Password:</span><span style="color: #000000;"> </span><span style="color: #ff6600;">Getting started</span></span></h1>
<p><span style="color: #000000;"><span style="color: #ff6600;"><br />
</span></span></p>
<p><span style="color: #ffffff;">Vendor information tells you that your hard disk&#8217;s password is safe even if the data is taken to another computer. This is not so. There are software tools that can brute force or wipe the chip containing the password. You can buy replacement security chips for certain hard drives. Tools to exploit a hard disk password located on the hard drive are a little more rare than, say, a multimeter. So obscurity is beginning. This is a good starting point, but here are a few ways around it to prove how easy it is:</span></p>
<p><span style="color: #000000;"><span style="color: #ffffff;">Call YEC. Ask about purchasing a </span><a title="http://www.yec-usa.com/products/shinobi.html" href="http://www.yec-usa.com/products/shinobi.html" target="_blank"><span style="text-decoration: none;"><span style="color: #ffffff;">Shinobi </span></span></a><span style="color: #ffffff;">unit for $1190. You can use this to kill the password on most drives. Anyone could buy this for their garage, sell a legit password reset service on craigslist and make the cost back in a week. Then just start trading drives on ebay and dig for gold. For $100-$300, YEC will do the crack for you if you call them. A person who knows they have acquired a laptop with sensitive data doesn&#8217;t have to own anything or have experience hacking/cracking, they can just mail it in.  One could also remove the platters of the drive and install them in a nonprotected drive for around $500-$1000 using a data recovery service.  A few hundred dollars is more than enough to build a &#8220;clean box&#8221; to move the platters without a clean room and have a very good chance of imaging the drive without damage. </span></span></p>
<p><span style="color: #ffffff;">Hard Disk passwords can be enhanced by using something like a Shinobi to install a better MD5 protected password. This adds some complexity and shows any court that you are making a heck of an effort to protect data. For $1000 it is really cheap if you use it to protect 100 hard drives, and also use it to wipe your disks before disposal. </span></p>
<p>As a proof of concept I just ran a few tools against a SATA 160GB drive; brute force took 2.5 hours on a single word, 1 digit password. Easy peasy. </p>
<h1><span style="color: #000000;">Whole Disk Encryption:</span> <span style="color: #ffcc00;">Decent-<span style="color: #00ff00;">Good</span></span></h1>
<p><span style="color: #ffcc00;"><span style="color: #00ff00;"><br />
</span></span></p>
<p><span style="color: #000000;"><span style="color: #ffffff;">Implementation is the key here. Whole disk encryption is breakable using information in RAM. </span><a title="http://en.wikipedia.org/wiki/Cold_boot_attack" href="http://en.wikipedia.org/wiki/Cold_boot_attack" target="_blank"><span style="color: #ffffff;">Google cold boot attacks. </span></a><span style="color: #ffffff;">Adding a token like from Pointsec doesn&#8217;t gain you anything against the same type of attack on RAM. This holds true for Truecrypt, Bitlocker, Apple&#8217;s encryption, PGP, most of them. To use whole disk encryption to protect HIPAA data you need to:</span></span></p>
<p>Disable sleep, hibernate, any low power setting other than ON or OFF.</p>
<p>Set the laptop to shut off if the lid is closed.</p>
<p>Don&#8217;t use TPM without a PIN or USB key in combination with TPM.</p>
<p>If whole disk encryption is combined with a hard disk password, you get a great combination for security. Your users will hate you for having 2 passwords which need to be different in order for the effort to be worthwhile. </p>
<h1><strong><span style="color: #000000;">New Hard Disk &#8211; On disk encryption</span></strong><strong> &#8220;<a title="Trusted Computing Group Opal standard" href="http://www.trustedcomputinggroup.org/resources/data_protection_for_regulatory_compliance" target="_blank">opal standard</a>&#8220;</strong>: <span style="color: #00ff00;">Good</span></h1>
<p><span style="color: #00ff00;"><br />
</span></p>
<p>Far from perfect, the new standards implemented by storage industry manufacturers and computer vendors are more complex, but fairly safe. The Opal standard is the Trusted Computing Initiative plan to solve laptop/desktop storage security issues.  My personal experience with the Dell/Wave/TPM module is negative so far. The software is buggy and bloated, I&#8217;ve had to reset the encryption a few times on a few machines and this has made the experience for the user horrible.  As of 4/15/2009, the Dell/Wave/Embassy suite for an XT tablet is a 198MB download! The fingerprint reader should at least work for a 200MB installer. Not something I will be implementing company wide any time soon. I don&#8217;t want ALL the employees to hate me. </p>
<p>As time goes on this technology will get better, but the clock is ticking until someone releases a crack for it too. I&#8217;m not sure why but vendors always seem to be in a state of denial about the number of people actively working against their new &#8220;unbreakable&#8221; technology. Right now I rank the opal standard as great by means of &#8220;security through obscurity.&#8221; It is new enough not to have a giant target on its head. For now I&#8217;d say it is your best bet. As market share increases and more computers use this technology, it will be broken into and you should have a backup plan in place.</p>
<p> </p>
<h1><span style="color: #000000;">Windowsnerd recommendation: <span style="color: #339966;">Wholedisk + HDkey</span></span></h1>
<p> </p>
<p>Older computers/small business- Truecrypt + your HD vendors key. Not perfect by any means but it sure is a good effort and it is free  + $manpower. Will someone in a hurry to do a cold boot attack know they need to crack your HD password first? Yes. Will they do it while your laptop still has power? Maybe not. If anyone ever tries to prosecute you for losing HIPAA data on a laptop with both of these in place, I&#8217;m sure they will lose. I would not recommend spending thousands of dollars on a whole disk product until you have a company with a whole lot of machines. When installing Truecrypt, use Twofish+serpent+AES. Adds a big A for effort, slows you down 10% or so. If the performance is important, buy faster hard disks. If performance is really important buy SSDs. Security with regulated data is more important than speed. You can make that part of your employment policy. </p>
<p>New computers/large business &#8211; pointsec/newer disk key. I still like Pointsec over PGP only because of the active directory tools and key management. I recommend Pointsec and a password on every hard drive. If you get new computers, buy a drive advertised to have encryption capabilities and use that as well. Read up on the OPAL standard, manufacturers are just getting started with releasing some good drives compliant with OPAL. </p>
<p>Oh and don&#8217;t forget- backups become UBERimportant. When these encrypted drives/operating systems smoke, they go down in big flames. If you can&#8217;t get past that first password you can&#8217;t use any recovery tools. </p>
<p> </p>
<h1><strong><span style="color: #000000;">Lesson to be learned over and over:</span></strong></h1>
<p><strong><br />
</strong></p>
<p>HIPAA reminds me a lot of FERPA. Universities lose FERPA data all the time.  They know that bad press is the worst that will happen to them. With the number of records being lost every year creeping into the thousands of incidents, they know the bite from the press is becoming painless. Nobody notices, it happens all the time. When your information is lost, xUniversity sends you a letter telling you to file a police report, a freeze on your credit and  leaves the mess to you. I have many of these letters. I know the admins who weren&#8217;t given money to protect the FERPA data. They weren&#8217;t given the money because the worst that would happen is that xU sends some letters and fires the admin who asked for money to protect the data in the first place.  If there were fines against the institution in the millions of dollars, data would be protected.  Don&#8217;t universities have history, ethics or computer science classes? Ah but the accounting and economics classes are more important than ethics and history at today&#8217;s degree mills. The worker bees at the big Us don&#8217;t want to listen to the academics anyhow.</p>
<p>To date I believe we are still at 2 prosecutions in the US for misuse of HIPAA data. The fact remains that bad press is all that will likely come of losing HIPAA data. See above for ramifications. Did I mention HIPAA is a 1996 thing and the year right now is 2009? 2 prosecutions?</p>
<p>So the lesson I keep learning and repeating &#8211; the solution to protect data. The only solution that works is to have government regulations with real teeth. The day we assign jail time, personal fines and prosecute offenders will be the day our data becomes  safer. Right now everyone looks at the least they can do to satisfy the rules. Or how much the fine is vs the cost to implement safeguards. If the fine is steeper, the demand for good security goes up, and industry produces better security more often. </p>
<p>If you are a consumer- suck it up and pay to have your credit monitored. Your personal data WILL be stolen and it will not be your fault. If you decide to be insured or monitor your credit, you are taking some good advice from someone who watches admins lose data all the time.</p>
]]></content:encoded>
			<wfw:commentRss>http://windowsnerd.com/2009/05/04/securing-hipaa-data-on-a-laptop/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mac vs win-PC article on PCworld nails some good points</title>
		<link>http://windowsnerd.com/2009/04/28/mac-vs-pc-article-on-pcworld-nails-some-good-points/</link>
		<comments>http://windowsnerd.com/2009/04/28/mac-vs-pc-article-on-pcworld-nails-some-good-points/#comments</comments>
		<pubDate>Wed, 29 Apr 2009 01:35:13 +0000</pubDate>
		<dc:creator>Nerd</dc:creator>
				<category><![CDATA[Mindless Blather]]></category>
		<category><![CDATA[mac]]></category>
		<category><![CDATA[prediction]]></category>

		<guid isPermaLink="false">http://windowsnerd.com/?p=232</guid>
		<description><![CDATA[Priceless- http://www.pcworld.com/article/163836/eight_reasons_your_next_computer_should_be_a_pc.html There are many many other reasons the cycle won&#8217;t be broken. Macs are cool, just not going to dominate. Home users tend to buy what they have at work. Mac refuses to support old OS and software choices. Too many businesses get stuck in a rut where they run an old Windows OS [...]]]></description>
			<content:encoded><![CDATA[<p>Priceless-</p>
<p><a title="http://www.pcworld.com/article/163836/eight_reasons_your_next_computer_should_be_a_pc.html" href="http://www.pcworld.com/article/163836/eight_reasons_your_next_computer_should_be_a_pc.html" target="_blank">http://www.pcworld.com/article/163836/eight_reasons_your_next_computer_should_be_a_pc.html</a></p>
<p>There are many many other reasons the cycle won&#8217;t be broken. Macs are cool, just not going to dominate.</p>
<p>Home users tend to buy what they have at work. Mac refuses to support old OS and software choices. Too many businesses get stuck in a rut where they run an old Windows OS because of an old application. Can&#8217;t do that on a mac. They want a low renewal and replacement age.</p>
<p>This can be seen in so many ways. Hardware that breaks a lot. Not ever easy to maintain. Even the G5 tower had impossible to remove processors despite their incredibly high failure rate. Wasn&#8217;t the G5 tower supposed to be all easy to swap things in and out of? pshaw. Macs are created to be as disposable as possible. Cracking all the imacs open has always sucked. The CRT monitors were always having huge issues. The mac air overheats. Just check the apple forums. Same problems, same Chinese innards, different sticker. </p>
<p>Mac is a closed system. Which is why it works well. It should as it is written/built by Apple(still amazing considering the amount of code for any OS.) They are getting close to the thin line between monopoly and cool small competitor. A closed system can&#8217;t survive with a large market share because lawsuits will force them to stop being a monopoly. No more scuttling mac clone vendors, software has to be supported longer, programs from 3rd parties cause kernel panics. Viruses and spyware run rampant on OS&#8217;s that have too many 3rd party applications not controlled by the MAC. Not a pc I want to own. I like the low market share closed system macs I own now. They don&#8217;t crash too often, have more patches than raggedy ann, but look good and keep clickin. Security through obscurity rocks. </p>
<p>Mac can&#8217;t possibly keep the insane stock price can they? I hate when a stock is overvalued because it is trendy to own vs performing. Here are today&#8217;s numbers to compare-</p>
<p> </p>
<div id="attachment_234" class="wp-caption alignnone" style="width: 457px"><img class="size-full wp-image-234" title="macstock" src="http://windowsnerd.com/wp-content/uploads/2009/04/macstock.jpg" alt="todays numbers" width="447" height="91" /><p class="wp-caption-text">top 2 rows are today, dividends are bunk from me looking on google quick.</p></div>
<p>yeah dividends are hard to predict right now, but go google it yourself. still more than 0 for the last 3. I don&#8217;t have any stock at $100 a share that doesn&#8217;t pay. </p>
<p>Overall my psychic prediction is this- Mac can not have a large market share and still be Mac. If they get big, you will see malware, crashes, clones, and windows running on mac hardware. OR you will still see rabid mac fans supporting a small company that popularizes cool tech. Notice I didn&#8217;t say innovates, creates, invents.</p>
]]></content:encoded>
			<wfw:commentRss>http://windowsnerd.com/2009/04/28/mac-vs-pc-article-on-pcworld-nails-some-good-points/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Predictive dynamic blacklisting</title>
		<link>http://windowsnerd.com/2008/07/24/predictive-dynamic-blacklisting/</link>
		<comments>http://windowsnerd.com/2008/07/24/predictive-dynamic-blacklisting/#comments</comments>
		<pubDate>Thu, 24 Jul 2008 12:36:27 +0000</pubDate>
		<dc:creator>Nerd</dc:creator>
				<category><![CDATA[prediction]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[software]]></category>

		<guid isPermaLink="false">http://windowsnerd.com/?p=138</guid>
		<description><![CDATA[Are they ever going to call it blocklisting and smurf listing or something? This black and white thing generates some bad press. ANYHOW&#8230; SRI and SANS came up with this sweet predictive blacklist fun. It reminds me of what Symantec used to do with their free log reader software, Deepsight . Symantec used to give this [...]]]></description>
			<content:encoded><![CDATA[<p>Are they ever going to call it blocklisting and smurf listing or something? This black and white thing generates some bad press. ANYHOW&#8230;</p>
<p>SRI and SANS came up with this sweet <a title="http://www.dshield.org/hpbinfo.html" href="http://www.dshield.org/hpbinfo.html" target="_blank">predictive blacklist fun</a>. It reminds me of what Symantec used to do with their free log reader software, <a title="http://www.symantec.com/business/services/overview.jsp?pcid=hosted_services&amp;pvid=deepsight_early_warning_services" href="http://www.symantec.com/business/services/overview.jsp?pcid=hosted_services&amp;pvid=deepsight_early_warning_services">Deepsight</a>. Symantec used to give this log aggregation software away, feed all the data into its own servers and then provide threat analysis to its enterprise customers. Nobody had a free central log reader out for windows clients then so it seemed like a good idea at the time.  I didn&#8217;t have time to read logs from over 1000 machines. Part of the image was the magic of deepsight. I gave Symantec 1000 private IPs with DNS names to analyze and they gave me a daily email showing where my threats were coming from. It was even HTML email. OOooOOooOOoo. Anyhow under the hood was the same deal as this blacklist &#8220;predictor&#8221; which predicts nothing&#8230; It shows you a current threat and distributes that data based on comparing some logs. Still cool stuff just a funny name for free stuff. I expect it to cost money soon.</p>
<p>Now the open source community catches up! This is super cool. Hooray for open source that currently is exciting and will soon be purchased or boring and unsupported!</p>
]]></content:encoded>
			<wfw:commentRss>http://windowsnerd.com/2008/07/24/predictive-dynamic-blacklisting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Magicjack &#8211; Stupid infomercial but groundbreaking telecom killer</title>
		<link>http://windowsnerd.com/2008/07/05/magicjack-stupid-infomercial-but-groundbreaking-telecom-killer/</link>
		<comments>http://windowsnerd.com/2008/07/05/magicjack-stupid-infomercial-but-groundbreaking-telecom-killer/#comments</comments>
		<pubDate>Sat, 05 Jul 2008 13:45:56 +0000</pubDate>
		<dc:creator>Nerd</dc:creator>
				<category><![CDATA[networking]]></category>
		<category><![CDATA[prediction]]></category>

		<guid isPermaLink="false">http://windowsnerd.com/?p=128</guid>
		<description><![CDATA[MagicJack has this great snake oil salesman. The first minute or so I was watching the infomercial, I was laughing. Then the VOIP light went off in my head and the idea that if someone could make it brainless to install, telephones become a 0 cost ad supported service. Suck on that Comcast! This guy [...]]]></description>
			<content:encoded><![CDATA[<p>MagicJack has this great snake oil salesman. The first minute or so I was watching the infomercial, I was laughing. Then the VOIP light went off in my head and the idea that if someone could make it brainless to install, telephones become a 0 cost ad supported service. Suck on that Comcast! This guy can give you a phone line with dial tone in all 50 states.</p>
<p>Even better than ATT this stupid company can get you an area code in 80% of the US. No other US telecom company can do that. Magicjack blog entries etc show that they have had trouble with navigating phone menus. Like &#8220;press 2 to speak English.&#8221; They have poor call quality sometimes but that is identical to a comcast phone for $25 a month not $20 a year.</p>
<p>I predict MagicJack will get bought out. Someone with a more professional name will come along. They will drive a phone line cost to 0. Phones will become an ad interface. Land lines aren&#8217;t valuable anymore. Once there is a magicjack converter for wimax, cell phone companies will be next.</p>
<p>Someday I want to just buy an internet pipe of X diameter. That&#8217;s it. I decide what to push or pull through.</p>
]]></content:encoded>
			<wfw:commentRss>http://windowsnerd.com/2008/07/05/magicjack-stupid-infomercial-but-groundbreaking-telecom-killer/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
