Logically, Greenberg begins with the epic leak of the Pentagon papers. He then moves on to illustrate how the leaker movement merged with the paranoid, the hackers, the cypherpunks and others to develop encryption and privacy technology that is now used by millions around the world. This isn’t a story just for the technologist however. Greenberg brings to life the many colorful personalities and conflicts that make the story read like a novel as opposed to a textbook. In the book you will learn about characters like Julian Assange, Bradley Manning, Daniel Ellsberg, Phil Zimmerman, Jacob Applebaum, Jim Bell, John Young and a whole host of others you’ve likely never heard of before. All of them, and countless other unnamed and or pseudo-named persons have contributed to a technology base that can be used to protect personal privacy and anonymity, yet in the hands of a leaker, be used to expose the deepest secrets of the most powerful corporations and governments on the planet.

The most important reason to read this book is because this story is still being written and it affects all of us!  The leakers, cypherpunks and hactivists just happen to be on the front lines of civilizations struggle to find the correct balance between the privacy, anonymity, openness and accountability. While some might detest the leaks and the leakers, we all know that without them government power and corporate greed can quickly run into foul territory. Indeed, it is the leaker that history often judges the patriot and the powerful secret keepers the oppressors. So, the next time you’re shopping on a secure link or browsing the web anonymously with Tor take a moment to say thanks to all the wikileakers, cypherpunks and hactivists out there who are hard at work making life better for you and more difficult for big brother! Enjoy the book!

Apricorn Aegis Secure Key USB Flash Drive

The main reason to use these drives is for the security. What makes them so special is that you don’t have to worry about installing software and drivers on the host computer. The drives have a miniature 10-digit keypad so that you can configure and use a pass code of between 7 and 15 digits to secure your data. They are super easy to use. Just key in your pass code, press the unlock key and put it in the USB slot. Done! Your files are now unlocked and available on the host computer.

The Aegis Secure Keys have integrated hardware encryption circuits that use a 256-bit AES algorithm to protect your data. They automatically lock the instant they are removed from a computer or power is removed from the USB port. To prevent brute force attack, the units will destroy the key, effectively wiping the data, after 10 incorrect attempts at entering the pass code. The numbers on the keypad are wear resistant to minimize the possibility that someone could have hints at which keys you use most often. The electronics are also encapsulated in a tough epoxy making it extremely difficult for anyone to hack their way in without damaging the electronics.

The big news though is that the Apricorn Aegis Secure Key units recently received FIPS 140-2 certification. That means those of you in the health field now have a superb option for storing Patient Health Information (PHI) for on the go work. Those of you in larger organizations will benefit from the ability to set both an administrator pass code as well as user pass code. The drives can be reset with the data securely destroyed so that the devices can be safely reused again and again with different users and data sets.

I use Xubuntu Linux on all of my computers and I use the native dm-crypt encryption on all my drives, including cheap USB flash drives. This works great except when I have to interact with clients that use different operating systems. For those cases, I use the Apricon Aegis Secure Key to easily and securely move critical data between the different systems.

If you’re still using unencrypted USB flash drives to store critical data I recommend that you either learn how to use TrueCrypt or buy one of these Apricorn Aegis Secure Keys.  TrueCrypt is a great piece of software and I highly recommend it!  Unfortunately, it is NOT FIPS 140-2 validated so those of you working under HIPPA guidelines cannot rely on it to give safe harbor in the event a TrueCrypt encrypted USB flash drive is lost or stolen. These Apricorn Aegis Secure Keys however meet the HIPPA standard and will make your life under HIPPA easier should the worst happen.

If you’re really paranoid and can live with software encryption, you could also layer a TrueCrypt volume on top of the hardware encryption to make a drive that is even harder to crack!

Even smart folks who use strong WPA/WPA2 passwords are at risk. I was even caught out by this one! I started to feel bad that I missed it, but then I asked a few of my tech friends about it and discovered they knew even less than I did!

The Risk

If you have a modern home or small office router with WiFi (wireless) and the WPS (WiFi Protected Service) functionality you may be at serious risk of being hacked! Software is readily available that takes advantage of an inherent security flaw within the WPS system and enables hackers to derive the router PIN and thus your WPA/WPA2 pre-shared key or password! Once someone has your wireless password they can get access to nearly anything on your local network.

The only good news here is that the vulnerability is limited to WiFi. That means your risk is to local hackers and not those from the other side of the globe. To take advantage of this vulnerability someone has to be close enough to your home or office to receive your WiFi signal. They might be in the house down the street or  a car parked half a mile away. If the attacker has a good antenna and line of sight they may be able to hack you from several miles away. Just because you live in small town or rural area doesn’t mean you can afford to ignore this threat. Thieves are everywhere!

I saw headlines about a problem with WPS nearly a year ago but I didn’t dig deep enough. I don’t use WPS to configure wireless devices so I thought I was safe. I was WRONG!

The truth is that the WPS flaw is a serious security issue that affects possibly millions routers in current use. Some routers with newer firmware are smart enough to foil the attack. Others are only safe if you disable WPS. It is reported that some routers remain unsafe even with WPS disabled!

The only way to know if a router is vulnerable is to test it yourself!

Test Your Router

The software used to exploit the WPS vulnerability is known as reaver. There is an excellent step-by-step article on how to use reaver with Backtrack Linux here.

I use Xubuntu 12.04 but neither reaver or the required aircrack are in the repositories. I downloaded and installed them per the instructions here.

The reaver software doesn’t need a super computer to work its magic.  I used a cheap old Asus 901 netbook for my tests. Almost any notebook with a wireless card is enough. If you use BackTrack Linux you may find that you need to install wireless drivers.

The first router I tested was a Netgear N600 Dual Band model. I started the brute force attack against the N600 in the evening before I went to bed. By the time I got up the next morning the WPA password was neatly displayed on the screen of my netbook.  Yikes! This is definitely not a preferred outcome!

Later, I upgraded the firmware on the Netgear N600 and tested again. This time, the reaver attack progressed slower than before. I didn’t let the test continue to completion but I have every reason to believe that I could have eventually obtained the password. I then disabled WPS and tried again. This time the router didn’t respond to the attack. It seems that disabling WPS on this router foils the attack.

I then tested a Cradlepoint MBR1400 router. This time I was lucky and I couldn’t get the router to play ball with the attacking computer. I presume this is because the Cradlepoint had gone through several firmware upgrades over the past year and one of them must have done something to fix the problem. On the other hand, I’m not a very good hacker so perhaps I wasn’t using the reaver program to its fullest potential? I still turned off WPS just to be safe!

I also tested an older Linksys WRT54G that I had stashed in a drawer for a backup. This one responded to the reaver queries but at a relatively slow rate.  I have every reason to believe that given enough time it would have eventually yielded to the attack.

Last weekend I tested a Qwest (now CenturyLink) ActionTec PK5000 router with the latest firmware. With WPS enabled the reaver attack processed about 4 PINs per second. I was short on time so I didn’t let the attack run to completion but it was clear that a password was only a few hours away. With WPS disabled, I saw no response from the router. Thus, the ActionTec PK5000 with latest firmware seems safe provided you disable WPS.

Summary

I have only tested a handful of routers, but 3 out of 4 of them were vulnerable with WPS enabled. Since WPS is enabled by default, there are likely a lot of vulnerable routers out there!

From what I can gather, most major manufacturers have issued firmware updates that will limit the damage reaver can do. The problem is that most people buy a router, bring it home, hook it up, and never look back. Thus, there are a lot of routers with old and vulnerable firmware just waiting to be hacked!  Hopefully, by reading this article, yours won’t be one of them!

What to do?

The best advice I can give you is this:

1. Upgrade your router to the latest firmware.
2. Disable WPS.
3. Test the router to see if it is vulnerable.

If you don’t have skills or time to test it yourself, then you should contact the router manufacturer to see if your particular router and firmware is vulnerable.

If you are really paranoid, now is the time to ditch wireless altogether and use wired connections. WiFi may be convenient, but wired connections are faster and definitely more secure!

If any of you take time to test your routers, it would be helpful if you post results in the comments section so others can benefit.

Thanks for reading!

In earlier posts I’ve discussed issues of high performance computing as it relates to my engineering work in antennas and microwaves. I include such articles here since our collective security (or lack thereof) is strongly dependent on developments in high performance computing. In this post, I will briefly showcase the Mythlogic Chaos 2012 Notebook (also known as the Clevo W110ER) computer that I purchased this past June. With an 11 inch screen, and weighing under 4 lbs, this machine is only slightly larger than a netbook, yet it packs enough compute power to replace even current desktop and tower sized engineering workstations. Based in Ann Arbor, Michigan, Mythlogic sells a range of customized mobile and desktop computers based on designs sourced from Clevo in Taiwan. Clevo is not a household name but it is my understanding that they source the Dell Alienware computers so they are well-known in the industry.

Options

Mythlogic offers a range of customizations to the basic Clevo designs. You can choose CPU, disk, networking and even custom painted cases. For the CPU, I chose the Intel i7-3612QM chip as the best balance of speed, power and thermal load for my needs. This particular chip is one of Intel’s Ivy Bridge series hyper-threaded quad-core CPUs. It presents as 8 virtual cores to the OS. The i7-3612QM runs at 2.1 GHz but can ramp up to 3.1 GHz in turbo mode when necessary. The lower clock helps conserve battery and keeps idle temperatures cooler.

I maxed out the RAM at 16 GB to get best possible performance on my engineering tools and allow me to run multiple Virtual Machines. I chose only a pedestrian Western Digital 7200 RPM 500 GB drive and promptly replaced it with a 120 GB Intel SSD that I already owned when it arrived. The supplied bare 500 GB went into an external USB 3.0 case and now holds my portable data archive. I run Xubuntu as the host OS on all my machines so I opted to forgo having Mythlogic install an OS. This saved me the cost of an OEM license for Windows 7. Lastly, I opted for the standard dual-band Intel Centrino 802.11 a/g/n wireless for performance and compatibility with Linux.

The CPU, memory, and disk system of this tiny machine are obviously very good and on par with high-end Ultrabooks from the likes of HP, Apples, etc. The thing that sets it apart however is the included nVidia GeForce 650M series graphics with 2 GB of DDR3 video RAM. The 650M offers an amazing 384 CUDA cores that dramatically speed up 3D graphics and/or certain type of calculations.

One of my primary engineering tools is the Remcom X-FDTD 3D electromagnetic field simulator. This program can make use of nVidia CUDA cores to solve antenna and microwave engineering problems many times faster than it can with traditional Intel CPU cores. I do most of my X-FDTD work on a dedicated GPU workstation that uses two nVidia Tesla C2070 cards and an nVidia Quadro 5800. This machine is very powerful but it’s of no use to me when I’m traveling so I was very interested to see the capabilities of the Chaos 2012.

Quick GPU & CPU Benchmark

As a quick benchmark, I ran a simulation of a dielectric filled cavity resonator antenna on the GPU workstation and on the Chaos 2012. I configured the problem so that it fit within the 2 GB of video RAM available on the notebook machine. Runtime on the GPU workstation was 43 seconds versus 215 seconds on the Mythlogic.  For this problem, the GPU workstation is a healthy 6.14 times faster than the tiny notebook.  This is as it should be since the GPU workstation cost on the order of 10x the price! For reference, the same simulation required 507 seconds using all 8 virtual CPU Intel cores in the Mythlogic machine. I estimated run-time with a single core to be on the order of 30 minutes (1,800 seconds). For simulation work the 650M graphics is 2.36 times faster than all 8 virtual Intel cores. As a practical matter, doing the simulation on the GPU saves even more time! When running on the GPU, the simulator needs very little CPU power so I can continue to work on the machine (running a Virtual Machine, writing e-mails, a report, or configuring the next run for the solver) while I wait for the simulation to finish. When I’m running only on CPUs the machine is pretty much maxed out and I have to do something else like take a nap while the solver is working.

Battery Life

The Chaos 2012 has a lot of horse power and there is no battery technology in existence that will let you run number smashing jobs all day and still fit inside such a small case. That said, you can reasonably expect up to 5  hours or more away from the wall socket if you’re just doing normal office work. If you’re gaming, simulating or trying to crack passwords with the GPU and all 8 virtual cores maxed out you shouldn’t expect more than about an hour of battery life. That’s not a lot, but this computer is more about pure compute power than it is about long battery life. That’s a good trade-off for my needs so I’m not complaining!

Summary

While the Chaos 2012 doesn’t replace a dedicated GPU workstation it does provide enough CPU and GPU power to enable me to do real world work with the X-FDTD simulator when I’m not in the office.  This is a big advantage for me and well worth the roughly $1300 price.

Where does a machine like the Chaos 2012 fit into the issue of security? Well, it comes down to encryption. Everything we do on the web hinges on the notion that if we encrypt a message that it will take someone a very long time to decrypt it if they don’t have the password. As computers get faster it’s getting easier and cheaper to break encryption. The notion that we now have tiny notebook computers with extremely powerful GPU and CPU processors means that the hacker of the future (today perhaps?) might well be able to do his/her code breaking while they are mobile! This is a sobering thought and should motivate you to start using good passwords that are harder to crack.

Linux Addendum

The Chaos 2012 along with many other modern notebooks have what is known as Optimus technology. Optimus combines a low power Intel graphics chip with a higher end nVidia chip to get the best of both power saving and powerful 3D graphics. Unfortunately, it seems nVidia is not making available graphics drivers to support this technology under Linux. As a result, the default install of say Xubuntu 12.04 will only use the Intel graphics chip. This is fine for most business and personal applications, but to utilize the nVidia portion of the graphics subsystem you will need to install Bumblebee software.  Setup of Bumblebee under Xubuntu was relatively straightforward and you should have no problems following the directions on the Bumblebee site. After Bumblebee is working you can start GPU intensive applications using the optirun command. This gives you the flexibility to selectively run the demanding GPU applications according to whether you’re connected to the grid or on battery.

If you find that your particular GPU application is having trouble with Bumblebee you may need to confirm that the software is written such that it can use the Kepler based GPU.  In my case, I had to wait several months for Remcom to play catch up and change their software to use the 650M chip. That’s a big part of the reason that I’m writing this article in December and not July right after I got the machine!

Disclaimer

I purchased the above mentioned notebook computer from Mythlogic using my own funds. I have no financial relationship with them.

• Data Mining: If the government wants to track you, they have more than enough means to take a single email, track it back to another person, unlock all that persons email accounts, search through those emails, then track back to you.
• Content: Even if you leave out names in an email, by tracking the header meta data, its possible to infer meaning.  Best not tot talk about sex or other details that stoke media hype.
• Encryption: Its hard to know for sure, but no one seemed to be using encryption.  This suggests Petraeus knows it is better to use disposable accounts, then try to encrypt a message.  This may tell us a lot about sources and methods.  Or perhaps General Petraeus is simply not IT savvy.
• G-Mail: Apparently Petraeus and Broadwell used a technique Terrorists use to communicate.  They had a shared GMail account.  They edited a joint “Draft” email, communicating through the draft without ever sending it.  So there was no email to track, just the source IP address from logins.
• Feds Can Track Drafts: With stories of 1000s of messages” between Petraeus and Broadwell, given they communicated through Drafts in Gmail, it suggests the feds can trace old versions of a draft document.

Petraeus could probably have used better technology.  Its however safe to assume if you write something in a digital realm, the Federal Government can find it if they want to find it.  If you need to be discreet, feel you deserve your privacy, or otherwise want the Government and others to stay away there are some good practices to follow:

1. Content: Don’t communicate anything on line, in a document, or digitally that looks bad when observed by a 3rd party after the fact amidst a media frenzy. Delete all documents, emails, texts, etc after transmission.  Run CCleaner on a regular basis.  Better yet, put it on a schedule.
2. Meta Data: Assume the government has means to look across meta data and see links in nodes.  This means if you log in from an IP address to look at a bank statement, and then log in to Gmail through a browser to use an anonymous email address, its easy to link your ID from the banking event to your anonymous email account.  Assume the feds have this technology and its turn key.  Key identifiers include: IP address, SimCard, MAC address, phone number, geo-location.  Reduce your meta data footprint:
   • Browser: Access accounts through a browser using HTTPS and in private mode
   • IP address: Use TOR to mask your true IP Address.  Assume though that NSA can back track TOR if you are doing something truly illegal.
   • VPN: Implement VPN services like Hamachi or Privoxy
3. Encrypt Emails: Encryption may signal you are up to something wrong.  Given Petraeus did not seem to use encryption, it may suggest he knows all encryption is crap.  Its safe to assume, if needed, with enough resources encryption can be compromised.  However, it takes a lot of resources.  So as long as you are not doing something truly evil, encryption gives you some protection.  Good browser based email tools include Voltage, Hushmail, and 10Minute.  HushMail’s servers are in Canada, which limits non-specific subpoena’s reach (i.e. FBI could not have accessed Petraeus while researching the paramour cat fight)
4. Drop Box: Drop box, google drive, etc are essentially insecure and easily accessed by blanket warrants.  They offer very limited ability to control access or view access.  If you are going to put data into these shared locations, use encryption tools like SecureZip.
5. Texting: It’s a bit unsure, but with the volume of texting, its unclear text messages are easy to track.  Blackberry messenger is giving the Saudi’s fits because they have a hard time penetrating its peer-to-peer nature.  Some use of texting may be helpful for quick but low profile communication.
6. Virtual Machines: As you wonder through the internet in your browser, you leave various traces behind on your computer.  For your more sensitive work, consider creating a virtual machine or loading Linux onto a USB stick.  If you encrypt the disk with the VM image, its very difficult for someone to get to the core data within the virtual machine.  Within your virtual machine, configure your session to always use TOR, private browsing etc. you can maintain a very low profile.
7. USB Boot: There are various tools to create a bootable linux OS from a USB stick.  This bypasses many tracking/data access issues.  Someone would typically need to get to the actual USB stick to get access to your data history.  This is much like a Virtual Machine, just more secure.

Its important to note that in the end, the NSA can get whatever it wants from your online and computer activity.  If you are doing something criminal, the recommendations above will not protect you.  We do not advocate criminal activity.  If you want to protect your privacy, which is still legal in the United States, these recommendations can help protect you from others probing eyes.

For the server or other mission critical PC or notebook I think you need to have at least two images. Here’s why:

The most likely person to mangle the server isn’t a hacker from the other side of the globe, but the IT person (or potentially you, the small business owner!) during routine maintenance and system upgrades. This is because the IT person needs to have full administrator rights to do their job. With administrator privilege, an errant mouse click or a typo at the command line can lead to costly mistakes and permanent data loss!

Further, if you think things through, you will see that it is imperative to have least two image drives to avoid a situation where you could potentially lose both your system drive and your backup image in one step. Consider that to create an image, both the system drive (source) and the image drive (target) need to be live on the system at the same time. If you only have one image drive and you plan to update it with a new image by overwriting it, then your only backup is now at risk to administrator errors. It is also at risk by virtue of the imaging process itself!  You see, the moment you start the imaging process, the computer begins copying the source drive bit-by-bit and overwriting the data on the target. If the source drive crashes during the imaging process you will have lost your original data and your only backup will be corrupted.

Are you ready to spend the next few days reinstalling everything from scratch? I didn’t think so!

Even good IT pros make mistakes! The thing that makes them good is that they recognize that mistakes are possible and that Murphy lurks around every corner. Good IT pros always have a plan B, or C or D to cover them when they screw up or when Murphy finally gets his way. If you’re a small business owner and manage your own IT, I believe you will find that having a second or even third image of the server tucked away somewhere (preferably off-site) might just save you a lot of time and money on the day all hell breaks loose. If you’re an IT person the same strategy might just allow you to keep your job should Murphy’s pranks get out of hand!

Update September 17, 2012

I forgot to mention that you can find instructions here for cloning your hard drive using free Linux based software.

September 4, 2012 – CNN.com – Finally! Windows XP no longer most popular desktop system

Windows 7 has finally surpassed Windows XP as the most popular desktop operating system with a 42.72% market share. Windows XP at trailed only slightly at 45.52%. Windows Vista held 6.15% and various Mac OS versions totaled about 4.83% share.

It comes as no surprise to me that XP still dominates over Vista as nearly everyone I know either skipped that version or switched to Mac or Linux after growing frustrated with its numerous problems. I have used Windows 7 in a Virtual Machine under Linux for several months now. I’ve generally been pleased with it and I’ve had no problems serious enough to lead to premature baldness. If you’re still running XP, it’s time you considered making the switch to Windows 7 or perhaps Windows 8 when it is released in late October. If you’re more adventurous and want to keep your old hardware you might want to consider trying one of the new Linux distributions such as Ubuntu or Linux Mint. If you’re tired of Windows and have some cash to burn maybe now is a good time to get a new Mac?

Whatever you choose, I urge you to act sooner than later since Microsoft’s extended support for Windows XP ends April 8, 2014.  After that date Microsoft will no longer provide security updates and bug fixes for Windows XP.  I recommend that you plan to be completely done with XP long before the EOL (End of Life) date for all of your main production computers that are connected to the Internet. Unfortunately, some of you will most likely have certain critical legacy applications that only run in XP either due to compatibility or licensing issues. In those cases, I recommend that you experiment with running the legacy applications in a Windows XP Virtual Machine under a newer OS. If the VM (Virtual Machine) approach works you should be able to choose whatever newer OS you like (Windows, Mac or Linux) and still have the benefit of the older software. If the VM approach doesn’t work then I suggest you plan to isolate your legacy Windows XP computers from the Internet to help avoid exposing them to whatever new threats might emerge after the EOL date.

The next 18 months could be some of the most interesting times in modern computing history. In that short time we’re going to see some 40% of the world’s desktop computers either retired or switched to a new operating system. No matter how things turn out the market opportunities that exist now may never be repeated.

Microsoft worked hard to achieve tight integration of function in SBS2011E so I was surprised to learn that it didn’t include any type of anti-virus functionality. Like the lack of encrypted backups, Microsoft again leaves it up to the small business owner to find an acceptable solution to a critical security function!

Even more surprising however is that the first option many people might look to as a solution doesn’t work! Here I’m referring to the Microsoft Security Essentials (MSE).  MSE is a solid product that is free to use on home computers running the Microsoft 2000/XP/7/8 series of operating systems.  Microsoft even allows MSE to be used in a small business environment on up to 10 workstations so it’s use within small businesses is not without precedent.  Nevertheless, you will find that MSE is not licensed for use on the Microsoft server operating systems such as SBS2011E.  I don’t claim to understand Microsoft’s reasoning on this, but many of the anti-virus solutions from others makers are similarly not workable on the SBS2011E environment either due to licensing or compatibility issues. This is a sad state of affairs for a product aimed at small businesses who are in dire need of affordable, well thought out, and easy to use products that address critical security issues!

After doing some web research, I determined that one of the best anti-virus options for SBS2011E was the program known as Immunet.  It is a Windows implementation of the open source Clam AV anti-virus product that is a defacto standard in the Linux / Unix world. I’ve used Clam AV on my Linux machines for years so I was comfortable recommending Immunet for use on a client’s small business server.

While the Immunet anti-virus engine has it’s roots in Linux/Unix, the Immunet product has a number of features that set it apart from the well-regarded Clam AV program. One of the most interesting changes is that Immunet uses cloud computing to deliver real-time protection to your PC. They claim that you “stay protected against over 13 million viruses and thousands of new threats daily without ever downloading another virus detection file again.” For those that are off-line from time-to-time there is also an option to use the down-loadable Clam AV virus definitions. Immunet claims to be a lightweight anti-virus solution which doesn’t slow down your PC. Having suffered with heavy weight anti-virus products in the past, I generally recommend lightweight tools to avoid situations where “the cure is worse than the disease.” Immunet claims to provide “collective immunity” that continuously improves with each new user who installs Immunet Plus. They say that when Immunet detects a threat on one user’s PC, that threat is blocked from harming all users in the Immunet Community simultaneously, giving all Immunet users shared immunity against computer viruses. If implemented properly, this kind of thinking might help the majority of us avert a zero-day disasters at some future date.

While not critical for SBS2011E, Immunet also claims to be compatible with existing anti-virus solutions that might already be on your PC. I’ve seen the results of installing multiple incompatible anti-virus solutions on Windows before and the result isn’t pretty. So, for the really paranoid, Immunet might be a good option to add extra protection without added headaches and system slowdown.

I had used MSE on my Windows 2000/XP/7 workstations, but Immunet seemed like a nice option so I tried it out on a Windows 7 VM before installing it on the client’s MSE2011E server. Installation was easy but I noted high CPU usage until I configured it to ignore the MSE directory. See here for details on fixing that. Overall it seemed like a nice, easy to use and free anti-virus solution!

I’ll note that I didn’t experience any issues whatsoever when installing Immunet on the SBS2011E server since it didn’t have a preexisting anti-virus solution. On SBS2011E Immunet is an an easy download and go solution.

My experience to date has been limited to the free version of Immunet, but they also offer an enhanced version (Immunet Plus) which offers additional functionality at a modest cost.  Features such as “Offline Scanning”, Advanced Rootkit Detection and Removal, and Enhanced Virus Removal might be well worth the modest fees for many small business operators.

Overall, Immunet seems like an ideal anti-virus solution on the SBS2011E platform where options are otherwise somewhat limited. Even those running the workstation class Windows 2000/XP/7/8 operating systems might want to consider Immunet as either a primary or additional layer of protection for your machines.

Microsoft’s Small Business Server 2011 Essentials (SBS2011E) was the most cost effective platform that met the requirements of their niche’ business application. I installed a trial version on a server that I put together using some spare parts that I had leftover from my work experimenting with a GPU workstation build last fall. The base computer used an Asus motherboard, an AMD Phenom II X6 6-core CPU, 16 GB ECC RAM, an nVidia NVS300 graphics card, and an nVidia Edition Cooler Master case. The vendor of the business app recommended using a RAID server so I added a 3Ware 9650SE 8-port hardware RAID card. I configured it to use RAID 10 with four Western Digital enterprise grade 7200 RPM 1 Terabyte drives. Overall, a nice looking and very capable system that didn’t break the bank.

Installation of SBS2011E was very straightforward, but be aware that it insists on taking the primary hard drive all to itself and it will format the entire drive for it’s own use. Not what I’d call user friendly, but the assumption is that you’re only using SBS2011E on the machine so it seems a reasonable choice. Also, be sure to set a computer name and domain name that you like since you can’t change it later. Lastly, note that you can only use a Domain with SBS2011E. You’ll need to look elsewhere if you need a Workgroup type solution.

If you look at the product matrix of the SBS 2011 family you will notice that SBS2011E includes a nice backup option that isn’t present in SBS 2011 Standard even though the latter is more expensive. SBS2011E doesn’t include Bit Locker disk encryption like the more expensive server options, but we had already already standardized on TrueCrypt for workstations and notebook computers. We figured that TrueCrypt would be a good option for the server too. Indeed, I’m pleased to report that TrueCrypt works nicely with SBS2011E and encrypting the system drive on the fly after installation was as fast and easy. If you’re a Windows user and need encryption it’s hard to beat TrueCrypt.

After the system disk was encrypted I proceeded to create an encrypted volume on a 2 TB hard drive connected via an e-Sata dock. I intended to use this drive as removable backup storage. Once the encryption completed I mounted the drive and then attempted to configure the SBE2011E backup service. The first thing it asked for was the location for the backup. Unfortunately, the TrueCrypt volume was no where in the list. I unmounted and remounted it and I even restarted the computer to no avail. The SBE2011E backup service would not recognize a TrueCrypt volume! Out of frustration, I pointed the backup setup at the drive itself and just like that it reformatted it for it’s own use and in the process destroyed the TrueCrypt volume. This wouldn’t have been all bad, except that there was NO option whatsoever to encrypt the data on the backup drive! I guess this shouldn’t be a surprise since Bit Locker isn’t even an option in SBS2011E!

In today’s world, unencrypted backups are not an option so I disabled the Essentials backup utility. I again created a TrueCrypt volume and then went looking for an alternative backup solution that could cope with TrueCrypt. I quickly settled on Novastor. The program installed easily and recognized the encrypted volume without any problems. Novastor and TrueCrypt seem to be a fine solution for encrypted backups in Essentials. Well, almost! When I tried to login to the Domain from a Windows 7 Pro machine I was still presented with all of the options of SBS2011E’s backup service even though it is disabled. Worse, the Launchpad is displayed on every login and at the top of the list is Backup, but not the NovaStor backup function! I determined that this wold be a very confusing setup to the users since they would expect expect features presented to them to work! Try as I might, I couldn’t figure out a way to disable the backup feature so tightly integrated throughout SBS2011E.

At this point I thought perhaps if we got the more expensive version of SBS server that included Bit Locker we might be better off. Some web research however suggested that even with BitLocker it wasn’t easy to setup an encrypted backup. There was one site that suggested that it could be done, but it was clearly a hack and not a turnkey setup that I could turn over to a client.  At this point I had wasted a lot of time trying to find a solution to a problem that shouldn’t exist in the first place! I was outraged that Microsoft had the audacity to sell software that didn’t offer encrypted backups or at least allow the backups to be written to volumes encrypted with widely used open source encryption software.

Again, I looked at other options. I considered using Windows 7 Pro and a simple Workgroup to host the business app, but was told that it didn’t work efficiently with more than about four connections to the SQL server.  That wasn’t enough for the business so we were stuck. SBS2011E was the right choice and the client just about ready to accept unencrypted backups even though that wasn’t the best thing for their data. Then I had the aha moment!

Why not use a hardware encrypted hard drive for the backup! Eureka! Go to Amazon and there they are. A tad more expensive than a bare eSATA drive but just like that the problem is solved. I opted for an Apricorn Padlock series drive, but Datalocker and others also make products that can meet your needs for bombproof encryption. In retrospect this seems like an easy decision, but I was expecting a software solution so it took me a while to realize that wasn’t the way go in this case.

In summary, if you want to have encrypted backups with SBS2011E or any of the 2008 R2 based server solutions from Microsoft, your best bet is to bite the bullet and buy a hardware encrypted hard drive. To the best of my knowledge, software encryption just doesn’t seem to be a viable option at this time.

I hope this saves some of you a bit of time and frustration. I also hope someone at Microsoft will take note and fix this critical flaw in the SBS2011E backup service. Thanks for reading!

 Update December 7 , 2012

The Apricorn Padlock drive has worked just fine now for over 5 months. I highly recommend the use of hardware encrypted drives as a means of overcoming the shortcomings of the SBS2011E backup utility.