Category Archives: Security

Pistol-packing Paul: in which I get my Florida concealed-weapon permit

As some of my readers may know, California is nominally where I live; however, I’ve been in Pensacola since October. California, of course, has the distinction of having extremely restrictive gun laws. Needless to say, these laws have done little or nothing to reduce gun-related crime. They do, however, make it difficult or impossible for law-abiding citizens to exercise the same rights and freedoms that citizens of other states take for granted. (But at least it’s not as bad in California as it is in DC; check out Emily Miller’s Washington Times series on DC gun ownership to see what I mean.)

(nb. This would be a good time to mention that I’m not interested in debating any aspect of firearms law. I believe that as a law-abiding citizen I have the constitutionally-protected right to keep and bear arms, and that that right properly includes the ability to carry a weapon on my person for self-defense, whether or not I face an imminent threat like a crazed ex-spouse. I don’t think that criminals or the mentally ill should have guns... but criminals get them anyway, even in places like California and DC. Feel free to disagree with me, but do it someplace else.)

Anyway, one side effect of California’s laws is that it is difficult, or impossible, to get a permit to legally carry a concealed weapon in California. Each individual county makes its own rules, and larger counties, like Santa Clara County, just flat-out won’t issue permits. (Unless you donate thousands of dollars to the sheriff’s re-election campaign. But I digress.)

However, Florida and Utah offer permits to non-residents. If you meet the legal requirements to obtain a Florida or Utah permit, you can then use that permit to legally carry a concealed weapon in the 38 or so states that have reciprocity agreements with Florida and/or Utah. That means that a Florida non-resident permit will allow the holder to legally carry in Alabama, Louisiana, Mississippi, Tennessee, Texas, and Washington– all places I travel. Of course, in each state the permit holder still has to obey the laws of that state, which vary from place to place.

Florida and Utah both require a class that covers the legal and safety aspects of concealed carry. The interesting thing is that one can become certified as an instructor qualified to teach this class, then offer it out of state. I’d been trying (though not very hard) to find a convenient class in the Bay Area, but hadn’t managed to do so before I came out to Pensacola. After Christmas, I decided to resume my search and called around to a couple of local gun shops. I quickly got the word that I needed to talk to “Captain Ron.”

“Captain Ron” is actually Ron Beermünder, who runs the Blackwater River Tactical Range. His web site contains a wealth of information on Florida’s CCW law, as well as information about the classes he teaches. I opted for the 4-hour course; for $180, you get the legal instruction that Florida requires plus the chance to shoot 300 rounds of various-caliber pistol ammunition while being coached by an expert instructor. What’s not to like? I signed up, and this past week drove out to Ron’s range to take the class.

The class itself was excellent. Ron is an engaging and funny man, with a sharp sense of humor and a large chest of war stories. We spent about 90 minutes on the legal overview; simply put, in Florida the law is that a CCW permit holder is essentially held to the same standard as a police officer when it comes to use of force. If a police officer would be justified in using deadly force to prevent or stop a crime, so too would a CCW holder, but neither a citizen nor a cop is allowed to use unreasonable or excessive force. That strikes me as a reasonable standard, and it’s easy to keep in mind. Other details we covered include what Florida law says about where you may and may not carry, under what conditions you may use deadly force, and the fact that just because the law says you can stand your ground in the face of a threat doesn’t mean you should.

The range portion was equally good. Ron had a wide variety of pistols; I shot Smith and Wesson revolvers in .22 and .22 Magnum and Glock pistols in 9mm (including the Glock 26, which is what I’d normally be carrying.) We did timed-fire drills, and I learned a great deal about trigger manipulation and indexing. My accuracy and speed both improved quite a bit during our time on the range, and I’m looking forward to getting some more practice when my schedule allows. If nothing else, I learned that the Glock has a reset trigger and how to properly use it; that tip alone made a huge difference in my second-shot accuracy.

The actual mechanics of getting the permit are straightforward if you qualify: once you’ve completed the class, you need to provide the state proof that you completed it, a registration fee, and fingerprints. You can do this via mail, but it takes up to 3 months to get your permit back. Ron suggested driving to the nearest regional office of the Department of Agriculture and Consumer Services and applying in person. (Yes, I did say “Agriculture.”) Thus I found myself driving to Fort Walton Beach in search of the nearest office; there are only 8 throughout the entire state. I had previously made an appointment, and when the appointment time arrived I filled out an on-screen form, gave the clerk a copy of my certificate from Ron’s school, had my fingerprints scanned, wrote a check for $117, and had my application notarized. 20 minutes later, I was done; now all I have to do is wait for my permit to arrive in the mail! (I should note that I have never dealt with state government employees as pleasant, efficient, or helpful as the folks at the FWB licensing office. I wish they could export their attitude to the California DMV!) Once my permit arrives, it will be valid for seven years from the date of issuance.

This is all of course rendered moot by the fact that a) I work on a military base where no one is allowed to have personal weapons and b) all my pistols are in California, not to mention that c) I can’t legally carry in California anyway. If nothing else, I’m glad to have contributed to the numbers of law-abiding CCW permit holders. There are more of us out there than you think.


Filed under General Stuff, Security

Don’t use Symantec security software

You may know that Symantec recently admitted that its network was compromised and that the attackers got the source code to pcAnywhere, Norton Internet Security, and a few other products. Buried in their acknowledgement, however, was the fact that the source code leaked in 2006 and has thus been floating around in the community for quite a while.

Jonathan Shapiro’s response on the IP list seemed to hit the right note for me:

The pcAnywhere source code leaked in 2006, and in all that time nobody thought to do a serious security review to assess the customer exposure that this created? And now after five years in which a responsible software process would have addressed these issues as a matter of routine, they are having people turn the product off?

This is the company that ships the anti-virus and firewall software that you are probably relying on right now. A version of which, by the way, has also leaked. Do you want to be running security software – or indeed any software – from a company that fails to promptly report critical vulnerabilities when they occur and then ignores them for five years?

You can argue about whether Microsoft’s disclosure policy is perfect or not. I cannot, however, imagine a circumstance in which Microsoft became aware of a potential vulnerability and then didn’t fix it for five years.

So: if you’re running Symantec security software on your personal machine, your company’s workstations, or your servers… time to get rid of it and replace it with software from a more responsible (and, one hopes, more security-conscious) vendor.



Filed under FAIL, Security, Smackdown!, UC&C

1394, DMA, and BitLocker

The IEEE 1394 spec (also called FireWire by Apple and briefly, i.Link by our friends at Sony) specifies a high-speed interface for connecting peripherals. One of the reasons 1394 offers high speeds is that it supports the use of direct memory access, or DMA. Normally, when a peripheral device is performing I/O operations, the system CPU has to be involved. For example, to read a block of data from a disk drive, the CPU sends commands to the disk controller, then stores the resulting data into a block of system memory. (This is a somewhat simplistic description, I know, but it’s good enough for now.) That means that I/O operations could end up being CPU-bound, or they could negatively affect CPU performance.

To fix this, some bright stars came up with the idea of DMA, which allows the peripheral controller to read from and write to system memory without the CPU’s involvement (and, often, without its knowledge or supervision). Sounds neat, right? It is, but it also introduces a security threat: a malicious device can read valuable data out of memory… like, say, an encryption key.

The basic attack is simple: the attacker walks up to a BitLocker-protected computer, plugs in a custom 1394 device, and steals the key. (The details of how the attacker finds the key are interesting, but unimportant here.) Key in hand, the attacker can then decrypt the protected volume.

Not all BitLocker-protected machines are vulnerable to this particular attack. If you have a TPM, but are not using an additional authentication factor like a PIN or a USB token, this attack may succeed. However, even if you do use an extra authentication factor, if you leave your machine powered up or on standby, an attacker who gets physical access may be able to steal your BitLocker key.

This isn’t a huge threat for systems that are kept in physically secure locations, but it is worrisome for mobile users. That’s why the Data Encryption Toolkit that I helped write counsels you to be very careful about leaving portable computers powered on and unattended, and it spends some time going over the different security issues with standby, sleep, and hibernate modes. You should read it. Trust me, I’ve been to the doctor 🙂

This is all a somewhat long-winded way of explaining that Microsoft has released a KB article describing how to turn off DMA for 1394 ports to reduce the threat of a DMA attack against BitLocker on TPM-only machines. The article, 2516445, describes how you can turn off the driver that provides DMA for 1394 devices. Given that very, very few Windows machines are ever connected to 1394 devices, this is probably something that you should implement if you have sensitive data on your BitLocker-protected machines.

If you’re not running BitLocker, well, why not?
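To see where a given machine stands on the two points above (TPM-only protection, and whether the 1394 DMA driver has been blocked), here is an added audit sketch; it is not code from the KB article or from Microsoft. It assumes an elevated PowerShell session with the BitLocker module, and it assumes the block is applied as a device-installation restriction on the SBP-2 device setup class; the policy key and class GUID below are that assumption and should be confirmed against KB 2516445.

```powershell
# Added example: report BitLocker OS volumes that rely on the TPM alone,
# and whether a device-install policy denies the SBP-2 (1394 storage) class.

# Protector types that add a second factor on top of the TPM
$tpmPlusFactor = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'

function Get-BitLockerDmaExposure {
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.VolumeType -ne 'OperatingSystem') { continue }
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasTpm = $types -contains 'Tpm'
        $hasFactor = [bool]($types | Where-Object { $tpmPlusFactor -contains $_ })
        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Protection = $vol.ProtectionStatus
            Protectors = $types -join ','
            # TPM-only: the key is released at boot with no PIN or USB token
            TpmOnly    = $hasTpm -and -not $hasFactor
        }
    }
}

function Test-Sbp2Blocked {
    # Assumption: mitigation is deployed through the Group Policy setting
    # "Prevent installation of devices using drivers that match these
    # device setup classes", listing the SBP-2 class GUID.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $sbp2 = '{d48179be-ec20-11d1-b6b8-00c04fa372a7}'
    $policy = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
    if (-not $policy -or $policy.DenyDeviceClasses -ne 1) { return $false }
    $list = Get-ItemProperty -Path "$base\DenyDeviceClasses" -ErrorAction SilentlyContinue
    if (-not $list) { return $false }
    # Skip the PS* bookkeeping properties; the rest are the listed GUIDs
    $guids = $list.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "$($_.Value)" }
    return [bool]($guids | Where-Object { $_ -ieq $sbp2 })
}

Get-BitLockerDmaExposure | Format-Table -AutoSize
"SBP-2 driver installation blocked by policy: $(Test-Sbp2Blocked)"
```

A volume reported as `TpmOnly` on a machine where the second line prints `False` is the configuration this post is about. A machine with a PIN or startup key still needs to be shut down or hibernated rather than left on or in standby.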


Filed under Security

SecureDoc full-volume encryption for Mac OS X

Windows users have more security options, and that’s just the way it is. Or is it?

Let’s start with the obvious: I love BitLocker and I cannot lie. Despite its faults, it remains a great example of a real-world security feature that delivers immediate value. It’s fully supported by the OS manufacturer, meets government security standards, and doesn’t have to rely on skanky hacks to work its magic.

Windows laptop users can also take advantage of Seagate’s Momentus FDE line of disk drives. These disks, sometimes called self-encrypting disks or just SEDs, perform hardware encryption, and they are qualified by the US National Security Agency as meeting NSTISSP #11. Unfortunately, these drives require support in the BIOS. Since Apple’s laptops all use EFI instead of the standard x86/x64 BIOS, you can’t just plop a Momentus FDE into your Mac and expect it to work.

The only solution I’ve found to get an SED to work in a modern Mac laptop is from WinMagic. Their SecureDoc product is essentially a full-volume encryption tool that competes directly with BitLocker, as well as with other FVE products from PGP, PointSec, and so on. The big difference: the Mac version of SecureDoc supports Momentus FDE disks. Naturally I had to try it.

Installation is simple: you run an installer, which adds a couple of kernel drivers and modifies the boot loader. If (and only if) it detects an unlocked Momentus FDE as the boot volume, it will ask whether you want to use hardware or software encryption. (The installer also tells you that it will change the system’s hibernation mode, but let’s not get ahead of ourselves yet…)

When you’re done, you must reboot, at which point you see the new (and quite ugly) SecureDoc login screen. When you log in here, the SecureDoc bootloader unlocks the FDE disk and the normal Mac OS X boot cycle proceeds.

The docs ask that you turn off pagefile encryption by unchecking the "Use secure virtual memory" option in the General pane of the Security preferences tool. This makes sense: there’s no reason to ask the OS to encrypt the page file if the disk on which it lives is already encrypted. You must also turn off the "Put hard drive to sleep whenever possible" checkbox, as the OS doesn’t deal well with having the disk go to sleep (and thus get locked) while you’re using it.

In my test install, I ran into an odd problem: the machine would freeze when waking from sleep. The cursor and keyboard would work normally, but I’d get the spinning rainbow pizza of death. After doing some digging, and with the help of WinMagic’s tech support folks, I determined that the system’s hibernation mode wasn’t properly set by the installer. (Page 4 of this document is the only place I’ve found the different hibernation mode codes explained.) Uninstalling the SecureDoc software, manually setting the hibernation mode with the pmset tool, and reinstalling it fixed the problem and it has worked flawlessly since.

The standalone version of SecureDoc doesn’t have the same set of management or control features that BitLocker does. Of course, that’s because WinMagic wants you to buy their server-based toolset, which uses a group policy-like mechanism to enforce whatever encryption policies you choose. Without having tested either the server tool or the Windows version, I’m not ready to pick a winner between BitLocker and SecureDoc, but for the Mac it’s a low-impact solution that does what it says, and I’m happy with it so far.


Filed under General Tech Stuff, Security

IEEE Spectrum Risks blog

If you use a computer– at work, at home, at school– you should be reading The Risk Factor, a blog on computer-related risks operated by the fine folks who bring us the IEEE Spectrum. There’s a ton of fascinating stuff there, like this and this. The Risk Factor is like a gateway drug, though. After reading it for a while, you’ll be ready for the hard stuff.


Filed under General Tech Stuff, Security

Oracle failed to produce CEO’s e-mail

Cue the tiny violins: a federal judge ruled that Oracle “destroyed or failed to preserve Chief Executive Larry Ellison’s e-mail files sought as evidence in a class-action lawsuit filed in 2001 against the software maker.” The alleged destruction (or failure, depending on how you look at it) happened in 2006– well after Oracle touted archiving features in Oracle Collaboration Suite. Ooops.


Filed under General Tech Stuff, Oops!, Security

ISA and TMG announce virtualization plans

A few weeks ago, I wrote a column highlighting Microsoft’s announcement of their Exchange 2007 virtualization strategy. I just found out that the team that owns the Internet Security and Acceleration (ISA) Server and Forefront Threat Management Gateway (TMG) has announced their virtualization policy… and it’s a good one! Basically, they’ll support ISA and TMG on virtualization solutions that are part of the Server Virtualization Validation Program (SVVP)– including Hyper-V.

The full document is here. Here’s the money graf:

… if a hardware virtualization platform is listed as “validated” with the SVVP (not “under evaluation”), Microsoft ISA Server and Forefront TMG will be supported for production use on that platform within the limits prescribed in the Microsoft Product Support Lifecycle, Non-Microsoft hardware virtualization policies and the system requirements for that product version and edition.

This will make both ISA and TMG much more palatable to a wide variety of customers, particularly in the SMB space. I’m looking forward to redeploying ISA (which I haven’t been using for a few years) now that it won’t cost me a server’s worth of electricity to use.

Update: this VMware press release says that VMware ESX has passed the SVVP. This is huge news given that it essentially means Microsoft is now supporting Exchange, ISA, and TMG on the most widely deployed virtualization platforms– welcome air cover for all the folks who have been doing it for a while now 🙂


Filed under General Tech Stuff, Security