portrait picture

TIMO ZIMMERMANN

balancing software engineering & infosec

Security 101: physical security

posted on Tuesday 24th of November 2020 in ,

One of the most overlooked aspects in information security is physical security. There is a wide range of things that can go horribly wrong and lead to a data breach. Some of them sound like a bad joke people make up to negotiate more money in the annual budget planning session. Some of them are things people simply do not think about anymore in 2020. But they all have one thing in common – a fairly good chance to cause problems you want to avoid.

Let us begin with one scenario most people will be able to relate to – a stolen laptop. This happens every day, they get swiped off of the table at a coffee shop or lifted out of an open bag. Thieves can also get fancy and use bluetooth scanners to find devices left in cars. A data breach originating from a stolen laptop can actually get pretty expensive.

The best stolen laptops story I’ve had to deal with personally happened a few years ago: Someone walked into an office, put some laptops that were lying behind the unmanned reception desk into a trash bag and walked out. Just like that, in broad daylight. Luckily those were all spares and were not provisioned, but counting on luck is most likely a guarantee to end up in court or the Have I Been Pwned database.

However, there are some simple and mostly free things you can do to mitigate some of the risk associated with stolen hardware.

Turn on automatically locking the system after a short period of time. Require a proper pass phrase and / or biometric authentication. Biometric authentication might be a bit questionable depending on the hardware being used, but circumventing it takes time and skill, something people most likely will only invest when it is a targeted attack. It does tremendously improves the user experience and makes adopting shorter timeouts and longer pass phrases easier.

Encrypt the hard drive – Windows and macOS ship one click solutions, Linux users can – as always – pick from many.

Deploy mobile device management. Most MDMs will allow you to remotely wipe a device when you notice it was lost or stolen. If geolocation services are supported you might even be able to locate the device once it connects to a network. I would not bet on being able to recover it, but you never know.

Granted, geolocation services are problematic, especially for mobile devices that might have constant Internet connectivity. As long as your employees have a company owned device with them, you and/or your IT team will be able to locate them whenever you feel like it. This requires proper education of your employees so they know about potentially being tracked. It might also be the reason employees with company issued hardware need longer to respond to emergencies, as they might not be comfortable carrying their device with them all the time. You should also make sure anyone with access to the monitoring software is properly trained and understand the implications (fired before they can even think of an excuse) of abusing it.

Overall, physical security is often ignored due to the misunderstanding of the potential threats. I once talked to a client with blueprints of physical products they manufacture (fully patented!), just lying around for anyone to take a photo of or grab them and run. You could easily access this area from their reception desk. Even demonstrating how fast you can take a photo without anyone noticing could not convince them that potential competitors would buy information like this. While a company focusing on a SaaS product probably has less obviously crucial things just sitting around on desks, there are often laptops, paperwork, external drives, maybe legal documents.

A few months ago I would have taken a bet that you have an office that a significant part of your workforce spends their days in. As soon as this becomes true once again (if it does), you should properly take care of your office security. There are three very obvious (and often not well implemented) steps for a solid baseline.

1) Make sure you got locks and access control. Best case you have some digital locks that keep track of who is entering and leaving the office. This might sound unnecessary, but open door policies are a security nightmare. Remember the laptops in the trash bag I mentioned? Open door policy.

If your locks use RFID or NFC keycards for access control get everyone an RF blocking case for each keycard. Hardware to copy those keycards with a swipe is only slightly more expensive than an RF blocking case.

2) A clean desk policy also reduces the risk of things spontaneously finding a new owner. Access control is all fine and good, but you will have external people walk into your office for legitimate reasons – cleaning, catering, maintenance, just to name a few. Have people take their laptops and paperwork with them or lock them away. It might be a bit inconvenient and require some training and reminders, but having a full desk drawer or desk carried out of the office is far less likely than a laptop.

3) Security cameras are a bit of a misunderstood asset. They will not prevent break ins or theft. They rarely help you identify a thief and chances to find one based on footage alone is even less likely. So what are they actually good for? Well, cutting insurance cost if you are lucky. Prominently placed they discourage crimes of opportunity. “Oh look! A new MacBook and no one is around! Ohhh, there is a security camera… never mind”.

Exceptionally good physical security is hard. Really hard, really expensive and nearly impossible to get right without professional 3rd party services. Following the advice in this post you will not be guarded against targeted attacks specifically designed to hurt you, professional industry espionage or someone beating one of your employees with a five dollar wrench.

But these are not your most likely risk scenarios. The most common and biggest physical security risks for early stage companies are crime of opportunity, accidents and carelessness. Getting the basics right is more often than not enough to cover those.


Thoughts on touchscreen Macs

posted on Monday 16th of November 2020 in , ,

Apple was always pretty clear that they do not work on a touchscreen Mac. They consider Macs a different class of devices and do not see a touchscreen as an valuable asset. Now, with Big Sur being released and the aesthetics being close to what we know from iOS and iPad OS, there was more speculation.

Apple representatives were quick to point out that they did not consider touch input when designing Big Sur. And having used Big Sur for a bit it is pretty obvious that it still would suck for touch input. Funnily the AppStore had an animation up for some time showing a hand interacting with Big Sur. The tweet is „unavailable“ by now, I am not sure why.

I see two options in the long run, both equally likely at this point. (And with long run I would say give it a year or two – basically an eternity when it comes to computers.)

The first option is we will indeed at one point see a touchscreen Mac – and Apple will pretend they just invented a whole new device class. Dell, Lenovo and Razer already ship 2in1’s or laptops with touchscreens and the Surface lineup is gaining more and more fans. There certainly is a market, people are satisfied with the devices and Apple is not ready yet to join the game.

What I actually hope for is option number 2: Apple bringing the full power of macOS to the iPad. Maybe via a docking solution. Run iPad OS while on the road, dock your iPad and switch to macOS. It might cannibalize some of their laptop sales, but I would also throw a lot more money at a device like this than at an iPad. Looking at the size of an iPad Pro 12.9″ and a MacBook Air this should be easily doable with the M1 or its successor.

Either way, I expect Apple to announce something along those lines somewhen the next twelve month. Otherwise competition might actually start gaining a lot more traction as they refine their hardware design and hopefully also operating systems.


Trying to avoid Amazon is an adventure

posted on Friday 13th of November 2020 in , ,

While I do not see myself cancelling Amazon Prime any time soon, I am actively trying to bring my business somewhere else. Amazon has proven too many times that they are a company I do not want to support. (Especially after their “support” basically left me hanging with a broken screen and the seller ghosting me.) But they got one thing right – letting me buy stuff.

I was looking for some memory to upgrade one of our systems. Nothing fancy, 32GB modules DDR4 registered ECC. Something you would expect to find in most servers these days. Usually I order hardware at Alternate. They ship fast, have okay-ish prices and an amazing customer support. Sadly they did not have anything close to what I needed, so I was browsing a few shops I ordered from in the past. I ended up with Mindfactory.

If I would have known what a mess this will be, I would have tried my luck with eBay, the experience could not have been worse…

Took me 30 minutes to cancel the order and actually notice that Alternate now got inventory for the memory I want. One day later I receive a package with 6 32GB sticks.

So far, the number of articles I ordered on Amazon.de that were not available after the order was placed? Zero. Problems cancelling an order or modifying on order before it was shipped? Zero. Number of times Amazon told me I do not know what I ordered and refused to sell me the items? Take a guess.

Shopping at a local store usually works well. Ordering something from the manufacturer directly has always been a great experience. Amazon, no matter how much I dislike it, just works – they streamlined the experience so much that it’s nearly impossible to have a bad experience. Everything else is a gamble if the experience is great or a complete disaster.


Thoughts on Apples M1 chip

posted on Wednesday 11th of November 2020 in , ,

Yesterday was the day. Apple announced their first generation of systems using their “own silicon”, aka an ARM based SOC. I am excited to see how those systems will do once people can throw real world benchmarks at them. I am a bit sceptical if they will hold up well. Apple advertises “best in class”, which is not that competitive for the Mac Mini and only slightly competitive for the MacBook Air. The MacBook Pro on the other hand will be interesting.

A major talking point was efficiency, which is the actually interesting part. 20 hours battery life while playing videos is no joke and a good indicator that the notebook will likely last more than one or two work days for office work. And I expect the M1 chips to be a really good fit for exactly this scenario. Their (most likely) smaller version already does a really good job at this workload – in an iPad Pro.

I have seen a ton of complains that Apple does not ship 32GB memory configurations. I do not know if this is simply Apple not thinking that the target audience of those system will need 32GB memory or if there are memory bandwidth / channel limitations in the M1. But except a small, orange bubble in a corner of the Internet, not many people need 32GB memory on a day to day basis and if they do, they do not necessarily want a notebook. Are there legitimate use cases for more than 8GB or 16GB memory? Obviously. A lot. But more than enough people buying a MacBook Air or a Mac Mini will likely never get close to the memory limit. Some office work, browsing the web and occasionally looking at photos really does not need the same amount of memory as running another operating system, interpreting a text file which is edited in a browser running in a native window wrapper. But I also agree with anyone arguing that a product with “Pro” in its name should provide 32GB as an option.

I expect the M1 to be replaced by a new chip somewhen next year, likely with a bit more performance and some other neat features. Judging from how fast the first iPhone, Apple Watch and iPad were replaced by the second generation (which most people should have bought), I would give the current M1 system roughly 12 months. This does not mean they will be useless after that, but that you can get a way better system if you do not want to be an early adopter. There will also most likely be fewer bugs and better app compatibility. The fact that they still ship a 720p cam would also suggest that it is time for a (even more) major overhaul.

For heavy workloads I would still buy an Intel based Mac without second thought. They will be supported for more years to come, certainly enough to make it worth the investment and I do not see many companies shipping professional software stopping to support them. You might miss out on a few iOS or iPad OS apps which the M1 can run but your Intel based system cannot, but this will most likely also be a slow transition.

With the M1 being out there chances for my dream device are a lot better than before: An iPad running iPad OS and when connected to an external screen loading Big Sur or its successor. I am not saying this will happen and I am not sure if that would fit in Apples plans, but a Surface is a sexy device and if Microsoft ever gets their software right a tempting option.


Valve Index – so much potential, so little wow

posted on Monday 9th of November 2020 in , ,

A few weeks ago I ordered a Valve Index. One week later I returned it. I have been pretty skeptical of VR ever since the first headset was released. But more people I know are getting into it and Star Wars Squadrons was announced, so I had an incentive to buy one anyway (and more than one game I wanted to play). The order process was a bit strange and the availability information was simply wrong – I assumed the headset will arrive around Christmas, but it only took them a week to get it to me.

The setup with two beacons is easy enough, as they only need a power outlet and even having one positioned around my chest height did not impact tracking in a negative way. Their field of view is pretty good. So if you have enough empty space on the floor to have a nice playing field, chances are you will find a place for the beacons that works, even if it is not optimal. Sadly things took a turn for the worse from here.

The first experience after putting on the headset is a kind lobby you can walk around in, look at things, check your friends list and start games. And it actually is really impressive. But it also uncovered my first problem: Properly adjusting the headset. I wear glasses. I only need them for anything that is further than two to three meters away, so I assumed I will not need them for VR. Boy… was I wrong. I could not adjust the headset on any way to make things even lying right in front of me look sharp.

A friend mentioned that he had to get an aftermarket faceplate to be able to wear his glasses. While it is a bit inconvenient that you spend 1100€ on a headset with nice material and then have to find some silicon faceplates for 11€ on eBay, I do not see an option to build a headset that works for everyone, so I guess that is a necessary inconvenience.

It took me five minutes to get the headset setup in an okay-ish way so I could at least play a game. This was the moment I noticed how much I was sweating where the material touched my face. It was not really a distraction while playing, but I am not sure I would want to wear one at a friends place.

The experience of firing up Star Wars was exactly what I wanted it to be. Looking around a bit, entering my TIE-Fighter and getting ready for some action. (At least I believe it was one. This was a few weeks ago and I was still getting used to the whole VR thing considering I was only ten minutes in.) Sadly the action never happened. The game told me to press „S“ and look straight ahead. I did both. Nothing happened. Repeatedly. I had found a game breaking bug – I could not start the first mission as long as VR was enabled. I tried every trick and nothing worked. According to steam forums SWS is a bit of a mess, full of bugs and crashes. I have to agree.

Next up: Half Life Alyx. It looks so impressive and feels like playing a tech demo on steroids. It got gameplay and it got a story, but a lot feels like it was built to show the capabilities of VR, not necessarily because it makes sense. Remember the first 3D movies? Like that.

Skyrim VR is an insult. I cannot put it any other way. Communities mods have a higher quality and it is more than unjustified charging the full price for it. And this comes from someone who owns three Skyrim editions on two platforms.

Resident Evil 7 never made it to the PC as a VR title and other games have a more indie like graphics, feel like demos or try to be a replacement for proper exercise (looking at you Beat Saber, although I know many enjoy playing it) so the number of games I was excited about was exhausted. I am not that interested in most of the other titles or applications people are hyped about.

My initial plan was to play VR sitting down. I work out enough, when I fire up a game I want to relax. This plan did not last for five minutes. Except some games explicitly designed to be played while being seated, like Star Wars or racing games, major titles like Alyx would likely be unplayable and you would miss out on a lot of the experience.

My wife gave Alyx a shot for, I believe, 20 minutes. She got scared of the atmosphere and stopped playing. She enjoyed the graphics, but could not stomach any of the movement options provided.
(Wife‘s comment: I am a super anxious person and I scare easily! It looked really, really great though. I think I’d love exploration games in VR, probably. Continuous movement felt better thank blinking, but the vertigo was really unpleasant.)

For me personally the game was too slow. I expect Half Life to be a semi fast paced shooter. With VRs limitations around movement, developers obviously had to slow it down. Having to fetch ammo from your backpack and reloading your gun also does not help and slows the game down even further. This is surely something you get used to and I think it is the correct decision, but it just did not meet my expectations of the game.

After all that, I returned my Index because I was honestly underwhelmed by the games. I expected only having two or three titles to play for some time, and I was okay with that. VR is still young – despite this being the second generation I would still consider it early adopter status – and you invest in a new technology with the hopes that it will become amazing. But of the three titles none would have even lasted a week. If Skyrim would have provided a good experience, that would have been enough to wait for the next batch of triple A titles to be released. But in its current state the investment for what I think can be the future of gaming is not worth it. And with my experience so far I only say „can“, I am not convinced it absolutely will be. Not as long as I have to hope someone 3D prints a faceplate and sells it on eBay.

If you are curious about VR, do not mind spending the money and have a different taste in games than me, I would suggest giving the Index a shot. It is surely expensive, but I would expect it to last for a few years and do well over the next few generations of VR games. What I can tell you for sure is that no review will give you an idea what this hype is all about and what the actual experience will be. There are so many things that come down to personal taste, you have to experience it yourself to form an well-rounded opinion.