IBM client security...

Message

SimonCC · #1 Post by **SimonCC** » Mon Dec 20, 2004 7:17 pm

Im thinking of d/l the client security software as i feel that not utilising the security chip is a waste of a perfectly good piece of tech. Am i right in thinking that the chip stores the user authenification password for login (that replcaces windows login) and so is far harder to crack? I currently have an admin password, a hdd password and a windows password but am keen to utilise the chip purely because it provides hardware encryption, but the message on this forum on the chip has been negative without any real reasons. Can anyone please provide some clear insight into whether d/l the software is worth it?

Thanks,

Simon.

Dow Jones · #2 Post by **Dow Jones** » Mon Dec 20, 2004 10:00 pm

For me, the software was a complete waste of time. The boot time slowed down, and the software didn't work properly (error codes), which eventually caused me to recover the entire system.

I never really got a chance to see the chip working in its full capacity. To me, it seemed like it added yet another password for me to forget. I didn't spend much effort into ironing out the issues, because I wasn't sure if it was worth the trouble. I think IBM is a little vague when it comes to explaining what the chip ACTUALLY does.

But again, my data is not that sensitive, and a fast boot time and error free computing is higher in priority.

If you're gonna try out the chip, you might as well try it out when your computer is new and you can recover without hesitation. I did, and I thought it was blah....

SimonCC · #3 Post by **SimonCC** » Tue Dec 21, 2004 6:32 am

thanx. but how could it be another password to remember when it simply replaces the windows login??

SimonCC · #4 Post by **SimonCC** » Tue Dec 21, 2004 10:06 am

please can more people help me here, ive d/l the software but need to know more about it before i install it, I looked on the IBM site but they are vague and seem to brush over talking about what it really does.

Elhabash · #5 Post by **Elhabash** » Tue Dec 21, 2004 12:55 pm

The password has to comply with so many rules (after all this chip & software is for making everything safer), that none of my passwords would fit. I prompltly forgot the new one when playing around, but fortunately it came to my mind later.
I deinstalled this dangerous thing instantly

It just uses resources and slows down startup, and you have to use the old-school logon. I like the twinkle of the XP-Style things...

I would use it if my TP was for serious purposes only, but for private use I can live with some "danger".
As usual, the sum of freedom and safety is constant; if you enhance one, you lose on the other...

SimonCC · #6 Post by **SimonCC** » Tue Dec 21, 2004 1:28 pm

well i have installed it with no problems at all. My windows and UVM ibm security logon password are merged into the same thing and other than that, using the software is a piece of cake. Yes it does take longer to boot up but that is not important to me, safety is! Also i love the way, after you are authorised, it makes that safe opening/air chamber decompressing sound! cool....

eriqesque · #7 Post by **eriqesque** » Tue Dec 21, 2004 1:58 pm

Someone... I forget who, said you can override the whole security thing by entering in safe mode.
Even the encrypted files show up.
Have you tested this?

SimonCC · #8 Post by **SimonCC** » Tue Dec 21, 2004 2:02 pm

no but isnt that missing the point as you would still need the pw to boot up no matter what...

waterside · #9 Post by **waterside** » Tue Dec 21, 2004 10:55 pm

eriqesque wrote:Someone... I forget who, said you can override the whole security thing by entering in safe mode.
Even the encrypted files show up.
Have you tested this?

That isn't entirely correct.

You can get around the UVM login, but this is the case for any windows login interface. It is a "deficiency" of GINA, but really isn't a significant issue.

If you use IBM Client Security with IBM File and Folder Encryption, then any files or directories encrypted (with FFE) are still encrypted. The keys required to encrypt/decrypt these files/directories are stored on the security chip, and without the proper passphrase these keys can not be retrieved.

If you don't provide your passphrase to the security chip, it can't decrypt the keys it stores. There is no way to retrieve information stored in the seucrity chip - removing it from the TP will effectively destroy it.

UVM also supports biometric scanners and provides perhaps the strongest password manager that exists - all your passwords are stored on the security chip and retrievable only with the appropriate passphrase. If you bypass UVM, then you don't provide a passphrase to the security chip and anything encrypted with the chip remains encrypted.

There are many methods by which IBM client security can improve security. Whether it provides a real benefit to average users is another story.

eriqesque · #10 Post by **eriqesque** » Wed Dec 22, 2004 12:18 am

waterside wrote:
eriqesque wrote:Someone... I forget who, said you can override the whole security thing by entering in safe mode.
Even the encrypted files show up.
Have you tested this?
That isn't entirely correct.

You can get around the UVM login, but this is the case for any windows login interface. It is a "deficiency" of GINA, but really isn't a significant issue.

If you use IBM Client Security with IBM File and Folder Encryption, then any files or directories encrypted (with FFE) are still encrypted. The keys required to encrypt/decrypt these files/directories are stored on the security chip, and without the proper passphrase these keys can not be retrieved.

If you don't provide your passphrase to the security chip, it can't decrypt the keys it stores. There is no way to retrieve information stored in the seucrity chip - removing it from the TP will effectively destroy it.

UVM also supports biometric scanners and provides perhaps the strongest password manager that exists - all your passwords are stored on the security chip and retrievable only with the appropriate passphrase. If you bypass UVM, then you don't provide a passphrase to the security chip and anything encrypted with the chip remains encrypted.

There are many methods by which IBM client security can improve security. Whether it provides a real benefit to average users is another story.

Thanks for clearing this up.
I wasn't sure if they were correct or not that's why I had asked SimonCC if he had tried this or not. I have not set it up on my machine as I have nothing that needs to be that secure.
But, I was truly hoping IBM would not put out something that is suppose to be so secure and yet could be so easily defeated.

SimonCC · #11 Post by **SimonCC** » Wed Dec 22, 2004 8:17 am

just thought id add that the software is incredibly simple to use and that eriqesque is right in saying that the encrption is excellant. I use the UVM secure login because although not perfect - due to gina defect - it is still difficult to hack as the passphrase is stored in the chip. This teamed with encrypted folders makes for a pritty secure system indeed!

cszy67 · #12 Post by **cszy67** » Wed Dec 22, 2004 10:11 pm

I have been using the Client Security Password Manager (CSPM) for the past few weeks and I kind of like it. Not that security is a big deal for most personal things - just having all the passwords at your fingertip is nice.

The only thing I would like to change is when I use it for the first time after a fresh boot I am still required to enter a password - after that point I can just use the fingerprint sensor anytime I call up a password.

Is there any way I can bypass the initial CSPM password entry and just use the fingerprint sensor?

Champ · #13 Post by **Champ** » Thu Jan 06, 2005 3:31 pm

how do you use your fingerpint? mine still instants on entienrg the password?

Leon · #14 Post by **Leon** » Thu Jan 06, 2005 7:46 pm

SimonCC wrote:well i have installed it with no problems at all. My windows and UVM ibm security logon password are merged into the same thing and other than that, using the software is a piece of cake. Yes it does take longer to boot up but that is not important to me, safety is! Also i love the way, after you are authorised, it makes that safe opening/air chamber decompressing sound! cool....

where can I get that sound file (without installing the Client Security SW)?

WilsonF · #15 Post by **WilsonF** » Thu Jan 06, 2005 9:06 pm

I am using the client security software and am very pleased with it. We are going to roll it out on all our TPs. It is simple to adminster and use and is reliable. The one drawback to File and Folder encryption is you cannot move a an encrypted sub-folder nested in an encrypted folder. You have to copy to the new location and then delete the old one.

The client software CAN be disabled by a knowledgable thief, but most of them aren't and disabling the User Verification Manager won't enable a thief to decrypt encrypted files and folders.

From what I understand, the client security chip can be disassembled and "read" but doing so without destroying the motherboard requires a lot of skill and -- more importantly -- a very expensive piece of equipment.

For most users, the power-on and HDD passwords coupled with the fingerprint software are enough to prevent a thief or other unauthorized person from gaining access to your system, and, if your system is properly labeled, to prevent the thief from selling a stolen system to anyone who doesn't have enough sense to try to turn it on before buying. There are places that advertise the ability to "recover" data on a HDD-password-protected drive for about $220, but no thief is likely to spend the money, and I don't think the power-on password can be circumvented except by replacing the motherboard.

The Client Security Software is icing on that cake.

SimonCC · #16 Post by **SimonCC** » Fri Jan 07, 2005 9:18 am

where can I get that sound file (without installing the Client Security SW)?[/quote]

sorry Leon, i have no idea....anyone else know???

pdudas · #17 Post by **pdudas** » Sat Jan 08, 2005 6:23 am

I turned on the CSS on my T42.

It is working, but the saving of the changes lasts about 15-20 minutes.
(Now I changed the logon type to fingerprint from UVM).
In this time the system saves the backup keys to my pendrive, but not the pendrive slow. There are 3 authorized user on my T42 and the amount of the data that saves to mpendrive is only 160KByte.
The acamucli.exe makes 40-50% usage on my processor.

Do you have any idea why takes so long time to save the changes?

T42, M735,1GB,40Gb, fingerprint reader,9cell battery.

kiig · #18 Post by **kiig** » Sat Jan 14, 2006 6:07 pm

Still want the wav.files Leon ? I've had CSS 5.43 installed for a day... didn't like it, - or wasn't patient enough to realize it's potentiel....and it can't do harddrive encryption anyway, - so I removed it again, - but I do have the sound-files... .-)

Kim Igel.

p.s. I'll put CS Suite 6.0 on it now.. maybe the sounds are better! ...

UPDATE : no sounds at all... .-( glad I kept the files.....

yossarian · #19 Post by **yossarian** » Mon Jan 16, 2006 5:18 am

I run CSS 6.0 with fingerprint software. Both are excellent pieces of software and don't increase my bootstrap times by much.

The password manager I find especially useful.

IBM client security...

IBM client security...

Nothing but hassle...

Who is online