Patents by Inventor David Challener

David Challener has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 8707327
    Abstract: Arrangements for permitting incoming mail to be transferred from a WAN Drive to a notebook computer hard drive under conditions that are not stressful to the hard drive. Preferably, a WAN card is configured to wake a notebook when mail capacity is full or close to full. Mail is then preferably moved from the flash drive to the hard drive, subject to verification that this will not overly stress the hard drive. In a variant embodiment, the WAN card may preferably be configured to wake a notebook when mail is received at all. Again, mail is then preferably moved from the flash drive to the hard drive, subject to verification that this will not overly stress the hard drive. Once mail is moved to the hard drive, the system preferably runs an embedded email program that allows the user to employ an existing VPN infrastructure.
    Type: Grant
    Filed: September 30, 2007
    Date of Patent: April 22, 2014
    Assignee: Lenovo (Singapore) Pte. Ltd.
    Inventors: Howard Locker, David Challener, Daryl Cromer, James S. Rutledge, Randall Scott Springfield, James J. Thrasher, Michael Vanover
  • Publication number: 20090089808
    Abstract: Arrangements for permitting incoming mail to be transferred from a WAN Drive to a notebook computer hard drive under conditions that are not stressful to the hard drive. Preferably, a WAN card is configured to wake a notebook when mail capacity is full or close to full. Mail is then preferably moved from the flash drive to the hard drive, subject to verification that this will not overly stress the hard drive. In a variant embodiment, the WAN card may preferably be configured to wake a notebook when mail is received at all. Again, mail is then preferably moved from the flash drive to the hard drive, subject to verification that this will not overly stress the hard drive. Once mail is moved to the hard drive, the system preferably runs an embedded email program that allows the user to employ an existing VPN infrastructure.
    Type: Application
    Filed: September 30, 2007
    Publication date: April 2, 2009
    Applicant: Lenovo (Singapore) Pte. Ltd.
    Inventors: Howard Locker, David Challener, Daryl Cromer, James S. Rutledge, Randall Scott Springfield, James J. Thrasher, Michael Vanover
  • Publication number: 20080069363
    Abstract: A method and system for ensuring security-compliant creation and signing of endorsement keys of manufactured TPMs. The endorsement keys are generated for the TPM. The TPM vendor selects an N-byte secret and stores the N-byte secret in the TPM along with the endorsement keys. The secret number cannot be read outside of the TPM. The secret number is also provided to the OEM's credential server. During the endorsement key (EK) credential process, the TPM generates an endorsement key, which comprises both the public key and a hash of the secret and the public key. The credential server matches the hash within the endorsement key with a second hash of the received public key (from the endorsement key) and the vendor provided secret. The EK certificate is generated and inserted into the TPM only when a match is confirmed.
    Type: Application
    Filed: September 21, 2007
    Publication date: March 20, 2008
    Inventors: Ryan Catherman, David Challener, James Hoff
  • Publication number: 20080001778
    Abstract: In a central system for receiving reports of utility usage from a number of remote meters, a provision is made for assuring that a received report has actually been transmitted from a meter that has been registered with the central system. During the registration process, the meter transmits its public cryptographic code to the central system. With each report of utility usage, the meter sends a version of a message encrypted with its private cryptographic key. The central system decrypts this message with the meter's public key. If it matches an unencrypted version of the message it is known that the meter sent the report. The unencrypted message may be generated by the central system and transmitted to the meter in a request for a report, or it may be generated by the meter and sent along with the encrypted version.
    Type: Application
    Filed: July 29, 2007
    Publication date: January 3, 2008
    Applicant: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: David Challener, Kenneth Timmons
  • Publication number: 20070226711
    Abstract: A method for preventing malicious software from execution within a computer system is disclosed. Before any actual execution of an application program on a computer system, the application program needs to be cross-compiled to yield a set of cross-compiled code of the application program. The set of cross-compiled code of the application program can then be executed in an execution module that is capable of recognizing and translating the set of cross-compiled code of the application program to the actual machine code of the processor.
    Type: Application
    Filed: February 14, 2006
    Publication date: September 27, 2007
    Inventors: David Challener, Mark Davis, Peter Hortensius, Rod Waltermann
  • Publication number: 20070192581
    Abstract: A computer determines whether it has been booted from a hard disk drive or from an alternate source (e.g., a floppy drive or portable memory) that entails a higher risk of importing a virus into the computer, and if it is determined that a non-HDD source was booted from, corrective action such as a virus scan can be preemptively taken.
    Type: Application
    Filed: February 10, 2006
    Publication date: August 16, 2007
    Inventors: David Challener, Daryl Cromer, Mark Charles Davis, Jerry Dishman, Howard Locker, Randall Springfield
  • Publication number: 20070192620
    Abstract: A method for preventing malicious software from execution within a computer system is disclosed. A permutation is performed on a subset of instructions within an application program to yield a permuted sequence of instructions before any actual execution of the application program on the computer system. A permutation sequence number of the permuted sequence of instructions is stored in a permuted instruction pointer table. The permuted sequence of instructions is executed in an execution module that is capable of translating the permuted sequence of instructions to an actual machine code of a processor within the computer system according to the permutation sequence number of the permuted sequence of instructions stored in the permuted instruction pointer table.
    Type: Application
    Filed: February 14, 2006
    Publication date: August 16, 2007
    Inventors: David Challener, Mark Davis, Peter Hortensius, Rod Waltermann
  • Publication number: 20070192580
    Abstract: A method, system and computer-usable medium are presented for remotely controlling a TPM by loading a trusted operating system into a computer; and in response to the trusted Operating System (OS) being loaded into the computer, authorizing a Trusted Platform Module (TPM) in the computer to execute a command that would otherwise require, for execution of the command, an indication of a physical presence of an operator of the computer.
    Type: Application
    Filed: February 10, 2006
    Publication date: August 16, 2007
    Inventors: David Challener, Mark Davis, Steven Goodman, Isaac Karpel, Randall Springfield
  • Publication number: 20070113045
    Abstract: When data changes in LBAs of a disk storage, the IDs of changed LBAs are written to a cache, with the LBAs being hashed to render a hash result. The hash result and contents of the cache are written to a file on the disk, the cache flushed, and the hash result written back to the cache for hashing together with subsequent changed LBAs. The process repeats. In this way, the hash result in the most current file on the disk can be compared with the hash result in cache, and if the two match, it indicates that the files on the disk contain an accurate record of changed LBAs.
    Type: Application
    Filed: November 16, 2005
    Publication date: May 17, 2007
    Inventors: David Challener, Rod Waltermann
  • Publication number: 20070014416
    Abstract: A computer system that may include a trusted platform module (TPM) along with a processor hashes a user-supplied password for a predetermined time period that is selected to render infeasible a dictionary attack on the password. The results of the hash are used to render an AES key, which is used to encrypt an RSA key. The encrypted RSA key along with the total number of hash cycles that were used is stored and the RSA key is provided to the TPM as a security key. In the event that the RSA key in the TPM must be recovered, the encrypted stored version is decrypted with an AES key that is generated based on the user inputting the same password and hashing the password for the stored number of cycles.
    Type: Application
    Filed: July 15, 2005
    Publication date: January 18, 2007
    Inventors: David Rivera, David Challener, James Hoff
  • Publication number: 20070005951
    Abstract: If a user forgets the power-on password of his computer, he can depress the “enter” key or “access” key once to cause the BIOS to locate the power-on password in memory and attempt to unlock the HDD using the power-on password to boot a secure O.S. The HDD password either can be the same as the power-on password or the HDD can recognize the power-on password for the limited purpose of allowing access to the secure O.S. In any case, the secure O.S. is booted for password reset.
    Type: Application
    Filed: June 29, 2005
    Publication date: January 4, 2007
    Inventors: Mark Davis, Randall Springfield, David Challener, Rod Waltermann
  • Publication number: 20060230264
    Abstract: A method and system for remotely storing a user's admin key to gain access to an intranet is presented. The user's admin key and intranet user identification (ID) are encrypted using an enterprise's public key, and together they are concatenated into a single backup admin file, which is stored in the user's client computer. If the user needs his admin file and is unable to access it in a backup client computer, he sends the encrypted backup admin file to a backup server and his unencrypted intranet user ID to an intranet authentication server. The backup server decrypts the user's single backup admin file to obtain the user's admin key and intranet user ID. If the unencrypted intranet user ID in the authentication server matches the decrypted intranet user ID in the backup server, then the backup server sends the backup client computer the decrypted admin key.
    Type: Application
    Filed: April 7, 2005
    Publication date: October 12, 2006
    Applicant: International Business Machines Corporation
    Inventors: Ryan Catherman, David Challener, Scott Elliott, James Hoff
  • Publication number: 20060195654
    Abstract: The invention partitions the HDD into three areas, namely, no access, write-only, and the conventional read/write. Sensitive data (antivirus programs, backup data, etc.) is written into write-only areas, which thereafter become designated “no access” by appropriately changing their designation in a data structure known as “logical block address” or “LBA”. Only users having approved passwords can change the status of a “no access” block back to “write-only” or “read/write”.
    Type: Application
    Filed: February 28, 2005
    Publication date: August 31, 2006
    Inventors: David Challener, Rod Waltermann
  • Publication number: 20060185017
    Abstract: The present invention adds a procedure to the operating system file subsystem of a processing system that significantly reduces the amount of time necessary to verify the validity of executable files. Each executable is extended with a file signature containing a header containing validation data. This header may be added to an existing ELF header, added as a new section, or placed in a file's extended attribute store. The header contains results of all previous validation checks that have been performed. The file signature is inserted, with a date stamp, into the file attributes. On execution, the system checks the previously-created file signature against a current file signature, instead of creating the file signature for every file during the execution process. Checks to ensure that the file signature is secure, and is valid and up to date, are also implemented. Only if the file signature is not valid and up-to-date does the execution program create a new file signature at the time of execution.
    Type: Application
    Filed: December 28, 2005
    Publication date: August 17, 2006
    Inventors: David Challener, Daryl Cromer, Howard Locker, David Safford, Randall Springfield
  • Publication number: 20060179476
    Abstract: A method and system is presented for making a client computer compliant with a data security regulatory rule. A client computer is connected to a network that includes a compliance fix server. The compliance fix server determines if the client computer is in compliance with a data security regulatory rule, based on a level of compliance at which the client computer is authorized. If the client computer has not executed the appropriate compliance software required to put the client computer in compliance with the data security regulatory rule, then the compliance fix server sends appropriate compliance software to the client computer for installation and execution.
    Type: Application
    Filed: February 9, 2005
    Publication date: August 10, 2006
    Applicant: International Business Machines Corporation
    Inventors: David Challener, Richard Cheston, Daryl Cromer, Howard Locker
  • Publication number: 20060143713
    Abstract: A procedure and implementations thereof are disclosed that significantly reduce the amount of time necessary to perform a virus scan. A file signature is created each time a file is modified (i.e., with each “file write” to that file). The file signature is inserted, with a date stamp, into the file attributes. The virus scan program checks the previously-created file signature against the virus signature file instead of creating the file signature for every file during the virus scan. Checks to ensure that the file signature is secure, and is valid and up to date, are also implemented. Only if the file signature is not valid and up-to-date does the virus scan program create a new file signature at the time of the running of the virus scan.
    Type: Application
    Filed: December 28, 2004
    Publication date: June 29, 2006
    Applicant: International Business Machines Corporation
    Inventors: David Challener, Daryl Cromer, Howard Locker, David Safford, Randall Springfield
  • Publication number: 20060112420
    Abstract: Methods and arrangements are disclosed for secure single sign on to an operating system using only a power-on password. In many embodiments modified BIOS code prompts for, receives and verifies the power-on password. The power-on password is hashed and stored in a Platform Configuration Register of the Trusted Platform Module. In a setup mode, the trusted platform module encrypts the operating system password using the hashed power-on password. In a logon mode, the trusted platform module decrypts the operating system password using the hashed power-on password.
    Type: Application
    Filed: November 22, 2004
    Publication date: May 25, 2006
    Applicant: International Business Machines Corporation
    Inventors: David Challener, Steven Goodman, James Hoff, David Rivera, Randall Springfield
  • Publication number: 20060106838
    Abstract: An apparatus, system, and method are disclosed for validating files. In one embodiment, a target module determines if an operation is to be performed on a file. If the operation is to be performed on the file, an identification module identifies the file extension of the file and a characterization module characterizes the file format of the file. A comparison module compares the file format of the file to the expected file format corresponding to the file extension of the file. A validation module validates the file if the file format matches the expected file format. The validation module may block the operation if the file is invalid.
    Type: Application
    Filed: October 26, 2004
    Publication date: May 18, 2006
    Inventors: Abiola Ayediran, David Challener, Justin Tyler Dubs, John Nicholson, Jennifer Zawacki
  • Publication number: 20060107034
    Abstract: A computer system contains selectively available boot block codes. A first boot block is of the conventional type and is stored in storage media such as flash ROM on a system planar with the processor of the computer system. A second boot block is located on a feature card and contains an immutable security code in compliance with the Trusted Computing Platform Alliance (TCPA) specification. The boot block on the feature card is enabled if the first boot block detects the presence of the feature card. The computer system can be readily modified as the computer system is reconfigured, while maintaining compliance with the TCPA specification. A switching mechanism controls which of the boot blocks is to be activated. The feature card is disabled in the event of a computer system reset to prevent access to the TCPA compliant code and function.
    Type: Application
    Filed: December 29, 2005
    Publication date: May 18, 2006
    Inventors: David Challener, Steven Goodman, Kevin Reinberg, Randall Springfield, James Ward
  • Publication number: 20060101286
    Abstract: A method for theft deterrence of a computer system is disclosed. The computer system includes a trusted platform module (TPM) and storage medium. The method comprises providing a binding key in the TPM; and providing an encrypted symmetric key in the storage medium. The method further includes providing an unbind command to the TPM based upon an authorization to provide a decrypted symmetric key; and providing the decrypted symmetric key to the secure storage device to allow for use of the computer system. Accordingly, by utilizing a secure hard disk drive (HDD) that requires a decrypted key to function in conjunction with a TPM, a computer if stolen is virtually unusable by the thief. In so doing, the risk of theft of the computer is significantly reduced.
    Type: Application
    Filed: November 8, 2004
    Publication date: May 11, 2006
    Inventors: Ryan Catherman, David Challener, James Hoff, Joseph Pennisi, Randall Springfield