ThinkVantage Client Security System

[jdhurst]

I like to keep my updates up-to-date (Windows and IBM) so that updaters come up empty when there is nothing new.

Now, for the first time, Software Installer is bugging me about the ThinkVantage Client Security program. I have never installed this and the security chip is disabled.

What happens if I install this:
1. Does installation enable the security chip?
2. If no, does a disabled chip prevent Client Security from working?
3. If I install it, can I ignore it? i.e, just not set it up?
4. If I install it and have to use it, what does it do? The web site says it starts encrypting files, and then I may not be able to use the files on my other machines.

I may, for the first time, have to live with an update that I will always (and forever is a long time) have to uncheck and ignore. Pain, that.
... JD Hurst

[christopher_wolf]

If you don't need it, then you don't have to get it. All it does, as far as I can tell, is activate some little extra security features that require the security chip to be enabled. Encryption of files is done, after you have set it up (it is non-obtrusive afterwards and during both boot up and shut down), by a right mouse click and selection of "Encrypt this..." or "Decrypt this..." if it already has been encrypted. So

1.) The Chip will be enabled
2.) The Chip has to be enabled, otherwise CSS will not function properly
3.) You can pretty much ignore it for the most part; it is non-obtrusive and rarely, if ever, have I seen it pop-up asking you to save info or whatnot. Although there is a minimum setup you have to go through
4.) As mentioned above, you can decrypt and encrypt files, these files (in the decrypted state) will work just fine on another machine. If they are encrypted, they require the generated Key for a Security Chip to decrypt them before they can be read on the target system.

Also, you aren't forced to get the upgrades for CSS everytime, nor are you threatened by it shutting down if it doesn't have the latest update.

Oh, and it also lets you fill out secure web forms easily.

[GomJabbar]

Now, for the first time, Software Installer is bugging me about the ThinkVantage Client Security program. I have never installed this and the security chip is disabled.

I see the same thing now. I do not have CSS installed, but I do have RnR V3 installed, which does install part of CSS even if you tell it not to. RnR V3 installs the ATMEL security chip driver, and every time I boot up, I get a window for about 5 seconds telling me something about installing CSS. I think the only security I am getting currently is with RnR backups. Can't do any of the other stuff.

A1. Yes, I'm sure it does.
A2. I would say yes (but I am not an expert on this by any means).
A3. Probably, except for the window mentioned above.
A4. Probably true.

[christopher_wolf]

That window only comes up during boot up and only if you haven't installed CSS fully, only RnR.

[jdhurst]

I took a spare hard drive with my Windows XP Preload installed and installed Client Security V6. Here is what I know so far:

1. Client Security runs after install and restart.
2. Standard Setup or Advanced: I chose Standard
3. Windows Logon or CS Passphrase: I chose Windows
4. Forces a password to be set if none has been set.
5. Requires three questions (for later query).
6. Set ups a Virtual Disk Drive (defaults to R:) in "My Documents". I used the default size of 100Mb.
7. Security chip becomes enabled. According to ThinkPad Configuration Utility, the IBM Client security software is not installed (?)
8. Uses a Domain-style login (even for WORKGROUP) and prevent "Logoff" from being displayed in the Start Menu. A specially installed version of tvt_gina.dll seems to be the cause of this.
9. Creates a Secure volume for every user id.
10. If you save a document in the Secure Volume, it seems impractical to move it or copy it from there to another network drive.
11. If you save a document in the Secure Volume, and then open it from that volume, you can "Save as" somewhere outside the volume, copy it to another drive and open it there without issue.

So on balance, I don't see why to use this tool (for me, in my method of working).
1. I don't like not having Logoff in the Start Menu.
2. In order to Briefcase documents to my Desktop (or use other replicator), I would have to extract them from the Secure Volume first. That would be a pain.

I may be missing something, but it is not clear how this benefits a business. Business documents frequently (not always, of course) are server-based shared documents. People change them and put them back. It seems mightily inconvenient to put a Secure Drive in the middle of this.

So for the time being, I am not installing this tool on my main machine.
... JD Hurst

[GomJabbar]

I may be missing something, but it is not clear how this benefits a business.

My guess is; if you are the type to carry State Secrets on your hard drive, or you have Bin Laden's hideout location and future plans, or you have the blueprints for Intels future generation processor, and you worry that your laptop might fall into the wrong hands, then you want the CSS. That way you don't have to worry about the information being compromised.

For the average user, I would have to agree with you. There is probably more danger of losing important documents because of some user or system error, than there is of losing important data to someone who could actually use it.

[pae77]

For me as well, the IBM security solution seems like overkill and I fear that something will go wrong with it at some point, perhaps during an upgrade. Still, I have recently decided it would be desireable to be able to encrypt and hide some files on my hard drive such as, for example, tax records etc. and I have found an elegant, nonobtrusive, highly secure, and best of all, free solution. For anyone interested in such check out the freeware program "Truecrypt" http://www.truecrypt.org

Free open-source disk encryption software for Windows XP/2000/2003 and Linux
Main Features:

* Creates a virtual encrypted disk within a file and mounts it as a real disk.

* Encrypts an entire hard disk partition or a device, such as USB flash drive.

* Encryption is automatic, real-time (on-the-fly) and transparent.

* Provides two levels of plausible deniability, in case an adversary forces you to reveal the password:

1) Hidden volume (steganography – more information may be found here).

2) No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).

* Encryption algorithms: AES-256, Blowfish (448-bit key), CAST5, Serpent, Triple DES, and Twofish.
Mode of operation: LRW (CBC supported as legacy).

* Based on Encryption for the Masses (E4M) 2.02a, conceived in 1997.

Further information regarding features of the software may be found in the documentation.


What is new in TrueCrypt 4.1 (released November 25, 2005)

[DIGITALgimpus]

I have it installed, but don't use the secure disk stuff. I just use the password manager on occasion.

[christopher_wolf]

I don't use the secure disk volume either; the log off option is still in my start menu although that is because I run a previous version of CSS.

I can see how it could be a pain for centrally located files that are shared within a workgroup in a business, but I think IBM had this in mind for a Business user that had sensitive information on the Thinkpad and was the only one that modifies it.

Good call on installing it on another HDD first.

[DIGITALgimpus]

There's an option to enable fast user switching again (as long as your not using CSS to manage windows login).

[jdhurst]

I suspect that if I had enabled Logoff on the hard drive, it might have worked (it does work for one user here). I don't want fast user switching, just the logoff. If I get time, I may try changing the options or uninstalling / reinstalling to see if I can get it back. If I can, I may try installing it just for fun and knowledge on my primary hard drive. I am one of those users here who tries all the updates just to see what happens. ... JD Hurst

[michael23]

Hi all,

I've recently updated my old version 5.4 to the latest 6.1 version and have an annoyance with the password manager application. When it loads on startup, it will immediately prompt for my passphrase even though I have not even begun to use it to recall a password.

In the old version, it will prompt for the password on the first time you start recalling a password.

Anyone know how I can get around it? I'm seriously thinking of going back to version 5

BTW, version 6 no longer has the encrypt file/folder option - it appears to be replaced by the private disk feature.