Thursday, February 28, 2008

Disabling automatic Windows logout

Today, my IT department set my Windows desktop up to automatically lock up and require entry of my password after an idle timeout. No big deal -- this sort of thing happens all the time and is, of course, usually blamed on Sarbanes-Oxley.

Well, for me it was a slightly bigger deal for a couple of reasons:
  1. My Windows desktop actually runs under my Linux desktop. It's a virtual machine running under VMWARE.
  2. Although IT advertised the timeout as 60 minutes, in reality, it was closer to 10 for me.
After a lengthy email exchange, I finally got IT to admit it is really a technical issue -- they need to lock down all the desktops on the domain, they (for some reason) can't distinguish virtual ones from real ones, and that's the way it is. (No word on why the timeout is so short, though.)

Obviously, technical issues call for technical solutions. Here's mine. By the way, it would be very unethical to use this on a "real" Windows desktop as opposed to a virtual one :)

All these steps should be taken inside the Windows VM. If you have a fast internet connection, you should be set up in under 5 minutes:

  1. Run the installer for Python:

  2. Run the installer for SendKeys:

  3. Save the following Python script to a file:

  4. import time
    from SendKeys import SendKeys

    while 1:
    print "Did it again"

  5. Run the file, e.g. by double-clicking on it.

This script will virtually press the caps lock key twice on the window with the focus, once every 5 minutes. Adjust to taste. You can minimize it after you run it, you can run it at startup, etc.

I have to admit that the idea of using the caps lock key is not original with me. I saw it somewhere, but I cannot remember where at the moment. Anyway, it works great, even when the key is pressed while you are typing.

Friday, February 8, 2008

Security and sector lockdown

I would love to believe that most technical people and technical companies are too smart to succumb to the sort of security theater which is foisted on us by Homeland Security and the TSA.

Unfortunately, I am having a hard time sustaining that belief in the face of hard facts.

Today's example of technical people doing things which ostensibly aid security, but which really just give aid and comfort to the enemy, comes from chip vendor Atmel.

Some of the members of Atmel's DataFlash (TM, etc.) family have a feature called "sector lockdown". (An example datasheet is here).

Once you lock down a sector, it can never be unlocked, or erased or written again.

This sounds great in principle for things like boot sectors. But, let's look at the implementation.

For one thing, there doesn't seem to be any protection on the locking of sectors. Locking a sector is accomplished by a simple command, which is very similar to any other command which is sent to the flash. Sector locking even works when the part is "write protected" via hardware. (Obviously, only good guys would ever write the bits which disallow the writing of other bits, so there is no need to write-protect those lockdown bits.)

Let's examine a few basic usage scenarios for a flash device such as this:
  1. Deeply embedded. When an adversary cannot send any commands to the flash, the sector locking is a no-op, except that a hardware or software error could inadvertently issue the command and render the flash useless. Slight disadvantage to sector locking.
  2. Write-once boot device. In this scenario, the sector locking might be handy. On the other hand, there is a hardware pin which will disallow writes, so sector locking only adds marginal functionality.
  3. Upgradeable boot device, no external recovery mechanism. Sector locking the recovery sector seems like a good idea. However, as with the write-once boot device, there is already a hardware mechanism available. And, if a third party can issue commands to write other sectors, they can now issue the sector locking command on those other sectors! So, they may not be able to change the recovery sector, but they can disallow the recovery code from ever writing to the rest of the flash.
  4. Upgradeable boot device with an external recovery mechanism (or non-boot device.) If the device is not required for booting, or if it can be written via JTAG or some other mechanism even if the unit it is embedded in cannot otherwise boot, then, before sector locking, malicious code could always be removed. After sector locking, malicious code can lock itself in until the device is disassembled and the flash is desoldered and replaced.
Maybe Atmel is rooting for the bad guys, so they can sell more replacement flashes. Or maybe there is some hidden way where this actually works out OK. I don't know because I'm not really a security guy, but it looks like an obvious hole to me after 10 seconds with the datasheet, and a full read of the datasheet didn't explain why it really might be a good idea, so for now, I'm assuming it's a horrible idea and chalking it up to another example of marketing run amok.

That's too bad, because Atmel has some good products. I have to assume that Atmel has at least one person smart enough to recognize this for the looming disaster it appears to be, so their management must not be doing a very good job of listening to the troops.

Saturday, August 11, 2007

Privacy at the Post Office

Update: I just noticed the post office doesn't even consider an account number to be "personal information", at least according to this ruling.

It has been my habit for many years to routinely toss any "PRSRT STD" (as the envelope says) mail, on the theory that it shouldn't be of a personal nature. (I have long made an exception for credit card offers -- those always meet the shredder in any case).

However, I recently received a "PRSRT STD" letter in the mail which contained information of a very personal nature, as I realized while the letter was sailing towards the recycling bin. Incredibly miffed, I started researching the applicable laws so I could give the company a good dressing down, when I discovered it was all perfectly legal.

Apparently, while us consumers weren't paying attention, all the direct mailers got together and got the Post Office to change its rules on what kinds of matter have to be mailed First Class. Now, your credit card company can send you a letter which contains your account number via Standard Mail instead of First Class as long as the reason they are doing that is to try to advertise new services to you, and the account number is relevant to the advertisement.

For example, I just got an American Airlines mailing with my AAdvantage miles balance in it, mailed via Standard Mail. This is now perfectly acceptable. You may think it would be a stretch for a financial institution to try to use Standard Mail for account information, but you would be wrong, although thankfully, they need to be at least a little creative about it.

Ironically, one of the reasons I started using the Standard vs. First Class method of sorting mail was because of all of the envelopes which claimed to have "personal" information in them but didn't. The post office has been perfectly fine with this fraud for awhile now, so I started looking for other clues to aid in distinguishing real mail from advertisements, and honed in on the type of postage, which is always clearly visible on the front of the letter.

That apparently worked fine until sometime in late 2004. I shouldn't feel too bad about not realizing this stopped working until now -- apparently the post office still just tosses undeliverable Standard Class mail in the bin, as well. (Companies can avoid this by marking the mail "Return Service Requested" or "Forwarding Service Requested", but that actually costs money if the mail is returned as undeliverable, and we're talking about companies who have already shown a clear preference for their money over your privacy.)

This insecure disposal of private information would seem to go against the spirit of the Privacy Act. It might even go against the actual law, too -- the definition of "record" is arguably broad enough to include letters, and the Post office certainly "collects" and "disseminates" them.

Even worse, in this current political climate, "the mailing of articles at Standard Mail rates .. constitutes consent by the mailer to postal inspection of the contents." So you don't even need to be President Bush to open one of these puppies without a warrant.

Write your congressman, of course, but Congress and the post office may have been bought and sold on this issue, so unfortunately, we might have to fight it one business at a time. Check all your mail, and ask the companies and charities you do business with to update their privacy policies to indicate they will never communicate any of your personal information via Standard Mail.

Friday, August 10, 2007

Well, I did it

I finally went and got myself one of those "blog" things.

That wasn't my first unoriginal action, and it certainly won't be my last.

Nothing I write here will be new and exciting, so I wouldn't bother checking back, at least not very often.

Thanks for stopping by, though.