Boring Toolbox December “Winter” 2020 Release

This post features our November and December releases. We know you’d rather be spending your time drinking eggnog by the fire instead of reading about Boring security, but here we go anyways. For those of you focused on cyber-security, this is our gift to you this holiday season. Our Winter Release puts enterprise and government security optimizations in the limelight and will provide greater flexibility in securing your Milestone / Boring Lab deployments.

Platform Upgrades

XProtect SDK 2020 R3

Both the Boring Toolbox client and server have received an upgrade to the XProtect 2020 R3 SDK. With this new version of the SDK we now have the ability to be FIPS 140-2 compliant and support end to end encrypted deployments of Milestone XProtect.

64-bit & .NET Framework

Upgrading to the 2020 R3 SDK brought with it some other necessary upgrades to the Boring Toolbox Client:

- The Boring Toolbox client has been migrated to a 64-bit architecture.
- The .NET framework has been upgraded as well.

Aside from being necessary, these upgrades will introduce slight performance and security optimizations to the application. The one super tiny downside of the 64-bit move is that existing users of the Boring Client will be required to re-license the Boring Toolbox Client. We tried to find a solution around this but alas, there was none to be found.

Security for Enterprise & Government

Support for end to end encrypted XProtect deployments

For you admins who have decided to protect your XProtect installations with certificates and end to end encryption, including both the management and recording servers, rejoice! With the upgrade to the new XProtect SDK we now support Milestone XProtect deployments that are encrypted with certificates. This allows you to realize all the time savings and efficiencies of Boring Toolbox but with the security of an enterprise grade, encrypted VMS.
HTTPS for download of scheduled reports

Our original release of scheduled reports only allowed for the reports to be downloaded via HTTP. By popular demand, you now have the option to turn on HTTPS when downloading your scheduled reports so that they are not transferred openly on the network. This is still an option, and you will need to provide your own SSL certificate to avoid clicking through a security warning.

TLS 1.2

While all versions of the Boring Toolbox have always supported TLS 1.2, where available, our most recent optimizations will force the use of the highest level of encryption available on the IIS server. That means that if TLS 1.2 is configured on IIS we will use that or if, in the future, TLS 1.3 comes out, we will use that.

AES-256 Encryption

While sensitive data at rest has always been encrypted, the winter release now supports industry-standard AES-256 encryption throughout.

“In fact, 2^256 is 2^128 times bigger than 2^128.”

In a 1Password blog from 2013 the author breaks down how doubling the key length from 128-bit to 256-bit makes it nearly impossible for someone to decrypt your data.

FIPS 140-2 Compliance

To meet the needs of enterprise and government customers required to comply with FIPS 140-2, we have made necessary optimizations that will allow the Boring Toolbox to meet FIPS requirements. These developments include the features listed above. The result allows our customers to use the Boring Toolbox on Windows systems with FIPS 140-2 compliant mode enabled.

Additional updates

Password complexity validation for Hanwha

We added additional validations for Hanwha and Samsung password complexity, now requiring the following:

- Minimum 8 characters
- Maximum 15 characters (per Samsung)
- It must include a combination of at least 3 of the following character types: alphabet letters with uppercase or lowercase, numbers, and special characters.
- User name may not be used as password.
- The following special characters can be used: ~`!@#$%^*()_-+=|{}[].?/
- You may not use more than 4 consecutive characters. (example: 1234, abcd, etc.)
- You may not use the same character 4 or more times consecutively. (example: !!!!, 1111, aaaa, etc.)

Licensing now applies to the machine

One request we had often was having our Boring Toolbox licenses apply to the whole machine instead of per user. Since updating to 64-bit required a re-licensing of the Boring Toolbox, we took this opportunity to update the license so that it applies to any user that logs into the machine instead of per user.

Full Release Notes

Full release notes can be found here.
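
An added example, not Boring Toolbox's or Hanwha's code: a Python validator for the Hanwha/Samsung password rules listed under "Password complexity validation for Hanwha" above, useful for pre-checking a password before pushing it to cameras. The function names are hypothetical, and the readings marked "assumption" in the comments (four character types, a run of 4 already rejected, ascending sequences only) are interpretations of the page's wording.

```python
import string

# Rule values come from the release notes above; how the ambiguous wording is
# read (marked "assumption") is this example's choice, not vendor-confirmed.
ALLOWED_SPECIALS = set("~`!@#$%^*()_-+=|{}[].?/")
ALLOWED = set(string.ascii_letters + string.digits) | ALLOWED_SPECIALS
MIN_LEN, MAX_LEN = 8, 15
RUN = 4  # assumption: a run of exactly 4 ("1234", "aaaa") is already rejected


def has_repeat_run(pw, n=RUN):
    """True if one character occurs n or more times in a row."""
    return any(len(set(pw[i:i + n])) == 1 for i in range(len(pw) - n + 1))


def has_sequential_run(pw, n=RUN):
    """True if n ascending digits or letters (1234, abcd) occur in a row."""
    low = pw.lower()  # assumption: case is ignored, so "aBcD" counts
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        one_class = (all(c in string.digits for c in chunk)
                     or all(c in string.ascii_lowercase for c in chunk))
        if one_class and all(ord(b) - ord(a) == 1 for a, b in zip(chunk, chunk[1:])):
            return True
    return False


def check_password(password, username):
    """Return the names of violated rules; an empty list means it passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length")
    # assumption: upper case and lower case count as separate character types
    types = [any(c in group for c in password) for group in
             (string.ascii_uppercase, string.ascii_lowercase,
              string.digits, ALLOWED_SPECIALS)]
    if sum(types) < 3:
        problems.append("types")
    if any(c not in ALLOWED for c in password):
        problems.append("charset")
    if password.lower() == username.lower():  # assumption: case-insensitive
        problems.append("username")
    if has_sequential_run(password):
        problems.append("sequence")
    if has_repeat_run(password):
        problems.append("repeat")
    return problems
```

Returning the list of violated rules, rather than a single boolean, lets a bulk password change report exactly why a candidate would be refused.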