So, from April 5th through the 8th I was in San Antonio, Texas on business for the annual Ratabase conference. I’d been planning on live blogging it again like I did last year (actually, I was planning on doing it better than last year), but things didn’t quite work out that way. So, instead of the latest news on cool new things you can do with an insurance rating calculator (stop laughing!), I’ve got a cautionary tale about relying on new equipment, planning before doing things, and generally about how I do stupid stuff with technology.
Now for a bit of background. Windows Vista & 7 have this cool feature called “BitLocker”. Basically, it encrypts your hard drive so that if the computer/drive is stolen, an attacker would have to go through the OS level security mechanisms (usernames/passwords/smartcards/ACLs). The attacker wouldn’t be able to circumvent the OS mechanisms by, say, editing the password store to change the passwords, or by going after the EFS keys and just decrypting files that you had encrypted explicitly so that other people wouldn’t be able to read them!
One “mode” of BitLocker relies on this cool hardware device called a TPM (trusted platform module). The TPM is involved in the key management/access process, and basically serves to ensure that the entire system, starting from the beginning of the boot process, is “trusted”. After all, you wouldn’t want some nefarious person coming in, booting to a different environment that can impersonate the BitLocker process, and then unlocking/decrypting the BitLocker volume and thus bypassing all the security it was supposed to offer. If the TPM/BitLocker (not sure which actually does the checks) detects that the system is under attack (for example, the order of the devices that the system boots from has changed), the system will require that a 56 digit recovery key be entered. Assuming you created a recovery key initially…but everyone does that & keeps that key safe, right?
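As an added illustration (not part of the original post), here is a toy Python model of the TPM 1.2 mechanism behind that behaviour: each boot component is hashed into a platform configuration register (PCR) with SHA-1, and a sealed key is released only when the PCR matches the value recorded at sealing time. The `ToyTPM` class, `unlock_volume` function and sample component labels are hypothetical; real BitLocker seals its volume key against several PCRs inside the TPM, which this model reduces to one comparison.

```python
import hashlib
import hmac

PCR_SIZE = 20  # TPM 1.2 PCRs hold one SHA-1 digest


def extend(pcr, measurement):
    """TPM 1.2 extend: new PCR = SHA-1(old PCR || SHA-1(measurement))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def measure_boot(components):
    """Replay a boot: start from an all-zero PCR, extend each component in order."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


class ToyTPM:
    """Hypothetical model of seal/unseal: the secret is bound to one PCR value."""

    def __init__(self):
        self._sealed = None

    def seal(self, secret, pcr):
        self._sealed = (secret, pcr)

    def unseal(self, current_pcr):
        secret, expected = self._sealed
        # On any mismatch the secret is never released.
        return secret if hmac.compare_digest(expected, current_pcr) else None


def unlock_volume(tpm, boot_components, recovery_key=None, escrowed_key=None):
    """Return how the volume was unlocked: 'tpm', 'recovery' or 'locked'."""
    if tpm.unseal(measure_boot(boot_components)) is not None:
        return "tpm"
    if recovery_key is not None and hmac.compare_digest(recovery_key, escrowed_key):
        return "recovery"
    return "locked"


# Constructed sample data: labels stand in for real firmware/boot measurements.
DOCKED = [b"firmware", b"boot-order: dvd, hdd", b"boot-manager"]
UNDOCKED = [b"firmware", b"boot-order: hdd", b"boot-manager"]
RECOVERY = b"constructed-recovery-key"
```

Sealing against `measure_boot(DOCKED)` and then booting with `UNDOCKED` yields a different PCR, so the only remaining path is the recovery key.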
A week before I was to head to San Antonio, my new Tablet PC (a Lenovo X200T) arrived. Incidentally, it’s a very nice system…fast, light, long battery life, lots of accessories (I bought most of the options…X-Base so I have an optical drive, webcam, fingerprint reader, WiMAX, HSDPA/UMTS, GPS, etc.). And it has a TPM v1.2. Which was cool, because it meant I could use BitLocker!
So I put Windows 7 (beta) on the system, enabled BitLocker, created the recovery key, and used the system successfully for a week. One time while rebooting the system I had to enter the recovery key, which I thought was kind of funny at the time, but didn’t really worry that much about it. So along came Sunday morning, it’s 5:00AM and I need to head out to the airport, so I hibernate my tablet and pull it out of the docking station (X Base). Figured I wouldn’t need the optical drive, and certainly wouldn’t need the extra weight. Thought about putting the recovery key on a flash drive or the external hard drive I was taking, but then thought “nah, I wouldn’t need that”. Besides, the key would be a lot more exposed to compromise if I had it with me and, say, my flash drive got lost/stolen.
Remember how I said the boot order mattered to the TPM? And remember how 1) I installed the OS shortly before this (from a DVD), & 2) how I wasn’t taking the X-Base with the DVD drive with me? And how I ignored the fact that when I’d last attached the X-Base I had to enter the recovery key? And how I wasn’t taking the recovery key with me? (this is where it should become apparent to most people that I am, in fact, an idiot.)
Of course I got all the way to the airport, through security, and was sitting at the gate with 30 minutes until boarding started when I went to use my tablet. And of course it saw that the DVD drive was no longer present and began going “oh noes! I’m under attack!”. Which then caused me to first realize exactly what mistakes I’d made, then freak out (it’s amazing what sorts of brief, complete clarity you can have when a situation goes to crap).
Part of the freak out was calling up a trusted friend and giving him all the details of connecting back to my network via VPN (including user names and passwords). I figured “okay, get connected to the internal network, then the administrator account can be used to log in to the online CA and security server to retrieve the recovery key”. Yes, it was a moment of weakness and complete stupidity. Fortunately, years ago when I got the VPN stuff working, I had the foresight to use L2TP and require certificates to connect in addition to passwords. So no VPN connection could be established, giving the passwords did absolutely no good (but no harm either), and the recovery key couldn’t be retrieved. Hurray for defense-in-depth.
I was not totally without my tablet during the trip though. Remember how I brought an external hard drive with me? Well, that drive is the bootable one that I use to make OS recovery images. And I’d used it just a week before to back up the Lenovo factory default config. So I spent the flight down to Texas doing restores until I got the system working again.
Here are some pictures from the trip (more (and higher res ones) can be found on my Windows Live Photos album for the trip):
Westin La Cantera Resort golf course outbuilding
San Antonio, TX Riverwalk. There’s a boat ride around it that’s kind of cool too (+). Lots of people (-). On the whole, it was a cool area, and made for a good change of pace from the conference.
The Alamo (of course!).