Startup gets locked down

Imagine the nightmare your company would face if one of its computer hard drives landed in the hands of a competitor. It’s a situation that Feisal Hurzook has been thinking about recently.

Hurzook is the chief technical officer of Archronix Corp., a Toronto tech design and integration firm specializing in control systems. He said some of his company’s clients — corporations and political groups for whom data security is paramount — have found themselves in awkward spots when such things befell them.

“We have clients in very sensitive situations that have stumbled over that issue,” he said, explaining that some Archronix customers have come close to essentially handing important information over to the competition because they didn’t wipe old hard drives before putting the disks out to pasture.

Once a competitor has sensitive company details in hand, “it’s hard (for the firm that created the information) to backpedal out of it,” Hurzook said.

That’s why Hurzook’s ears perked up when Microsoft Corp.’s reps described “Secure Startup” at WinHEC, a conference for hardware developers, held in Seattle late last month. He was there when the software giant’s executives explained how Secure Startup – part of Microsoft’s ensuing “Longhorn” operating system – would foil people trying to access data that doesn’t belong to them.

Secure Startup locks info away from prying eyes when hackers come calling on a hard drive, according to Microsoft. The application uses a Static Root of Trust measurement (SRTM) and Platform Configuration Registers (PCRs) ensconced in a hardware component, the Trusted Platform Module, to decide who gets to see what data on the disk.

A computer armed with Secure Startup would scrutinize the SRTM that the operating system creates during the boot process, and compare it to the static PCRs. If the SRTM matches what’s in the PCRs, the computer offers access to files and documents saved to the PC. If the SRTM doesn’t match the PCRs — as would happen if someone were using a hacker tool to scan the hard drive — the PC would offer no access.

Stacy Stonich, a Microsoft program manager, demonstrated Secure Startup’s capabilities at WinHEC. She had two PCs at her disposal, each representing a stolen laptop. One had Secure Startup. The other didn’t. Stonich used a hacker tool on the unprotected machine, while a colleague used a hacker tool on the Secure Startup box.

Stonich’s machine offered up 33,000 files, one of which happened to be a document describing the inevitable bankruptcy of the imaginary firm that owned the computer. “I could sell this to the Wall Street Journal,” she said. Her colleague’s hacker tool found not one file on the Secure Startup-protected computer. His view field showed nonsense — useless characters indicating serious data encryption.

Hurzook seemed impressed by what Microsoft had to say about Longhorn’s security features. He pointed out that his clients are keen on reliability and security. Secure Startup could help them keep data safe in the future.

Longhorn spotlighted

Secure Startup isn’t the only Longhorn feature that Microsoft talked about at WinHEC. While the software company didn’t unveil all of the details of this much-anticipated predecessor to Windows XP, it touched on the highlights, including:

• anti-malware functionality that bakes protection against Trojans and viruses right into the OS. It closes a hole left open between boot and protective application start-up — a short time during which the PC is vulnerable. Today, malware creators could exploit that gap, according to Elliot Katz, Microsoft Canada’s Co.’s product manager, Windows client. He said the built-in Longhorn anti-malware should help keep data locked down.

• new user privileges that let computer operators add printers and software in the “user” rather than the “administrator” mode. Users need administrative functions to perform simple tasks on Microsoft machines today, Katz said, pointing out that the administrator mode also gives users access to program files in the OS that most users shouldn’t be allowed to touch. Longhorn aims to close the door on inadvertent file-system amendments and, at the same time, make “user” functionality worthwhile.

• a new graphical user interface (GUI) with animated windows and improved resolution for on-screen images.

• software that tracks what users do. Like a flight data recorder in an aircraft does for plane crash investigators, this function is supposed to help IT technicians diagnose problems, adding user context (what the PC operator was doing just before the machine crashed) to aid recovery.

• virtual folders that collect all of a particular kind of document — sorted by author, size, type, anything — according to user-set parameters.

“This is the decade we can have the greatest impact,” said Bill Gates, Microsoft’s chief software architect, during a speech at WinHEC pumping his company’s developments. He added that Longhorn represents Microsoft’s OS platform for the next decade.

No surprise

Eddie Chan, an IT industry analyst at IDC Canada Ltd., said it’s no surprise that some of Longhorn’s features beef up the operating system’s security stance.

“It’s a central message that Microsoft’s conveyed,” Chan said, pointing out that the company has been talking about security for a while now. “It’s good to throw speeds and feeds and feature sets, but at the end of the day if the operating system’s prone to attacks, it kills your productivity.”

Katz from Microsoft Canada said Longhorn Beta I should be ready by this summer. Beta II should be ready after Microsoft’s Professional Developers Conference in the fall. The final version is expected to hit store shelves by the 2006 holiday season.

Microsoft said PCs would require 512MB of RAM, a graphics processor capable of working with the Longhorn display driver and a “modern” CPU to support the new OS. The company said it would release more information in the future.

QuickLink 059005

— For more news from WinHEC, including Microsoft’s vision of the 64-bit computing future and comments from Bill Gates, visit and enter the following QuickLink numbers: 051944; 056841.