Windows Vista FVE in the news

http://archives.seattletimes.nwsource.com/cgi-bin/texis.cgi/web/vortex/display?slug=bizbriefs20&date=20051220

The enterprise edition of Vista will have a feature called “BitLocker” that can encrypt systems that have an optional security chip.

The feature debuted Monday on a test version of Vista that Microsoft released to get feedback from software developers and customers.

“So essentially if a machine is lost … it renders it useless to whoever steals it or takes it from them,” said Shanen Boettcher, a senior director in the Windows group.

Commentary: This further supports the idea that FVE will only be available to those customers who license the Enterprise edition of Windows Vista. Will this be available to the consumer? I would suspect not, based on Microsoft’s history and its planned set of SKUs:

  • The Enterprise editions of Windows (2000, 2003) haven’t shown up on the shelves of retail stores in the past.
  • What with plans for SKUs such as Windows Vista Home Basic, Windows Vista Home Premium and Windows Vista Ultimate – all presumably oriented toward the consumer market – I personally doubt there’ll be room in the OEM lineups for a fourth SKU directed at their consumer market.
  • Previous rumours indicated that the Vista Enterprise edition will only be available to Microsoft customers who have signed up for (the not inexpensive) Software Assurance plan, which is definitely not something consumers (or even small/medium-sized businesses) can usually afford.

However, I feel obligated to point out that the (obviously out-of-context) quote from Shanen Boettcher seems pretty misleading/overreaching in its current form. If I’m interpreting correctly, the “BitLocker” feature is nothing more than Secure Startup (SSU)/Full Volume Encryption (FVE).

While SSU does make it more difficult to discover on-disk secrets and sensitive data files, its mere presence or default configuration hardly makes the machine or its data “useless to whoever steals it”. So long as the disk contents remain undisturbed, the simple configuration of SSU will allow Windows to boot up and allow an attacker to attempt to access its data (e.g. via console logon, network logon, share access, unpatched vulnerabilities, previously-installed malware, or other as-yet-unimagined attack techniques).

Seems it’s time to discuss the Full Volume Encryption technical whitepaper that’s available for download, to make sure we all understand it the same way (or not), and to raise the obvious questions worth asking.
