White House Demands Encryption for Sensitive Data 214
An anonymous reader writes "Stung by a series of data losses or disclosures at federal agencies over the past month, the White House is requiring all agencies to follow new guidelines when allowing employees to carry sensitive data on laptops or access the information from afar, according to the Washington Post. From the article: 'To comply with the new policy, agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as "non-sensitive" by an agency's deputy director. Agency employees also would need two-factor authentication -- a password plus a physical device such as a key card -- to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity. Finally, agencies would have to begin keeping detailed records of any information downloaded from databases that hold sensitive information, and verify that those records are deleted within 90 days unless their use is still required.'"
And the real question is... (Score:5, Interesting)
Re:And the real question is... (Score:5, Insightful)
Because most of it is unenforceable, and certainly doesn't cover the entirety of the problem. Let's check it point by point.
1. Encrypt all data on mobile computers/devices which carry agency data unless the data
is determined to be non-sensitive, in writing, by your Deputy Secretary or an
individual he/she may designate in writing;
So basically ALL data will be sensitive. We're not longer talking about CIA operatives or Pentagon generals with state secrets under the arm. It's the secretary of the editor of the "Golden Days" monthly that will access the name of one of the retirees it serves from her son-in-law's computer to see why Ms. Applewhite didn't receive her beloved issue last month. The secretary is not only not going to encrypt the data, she's blissfully unaware that her son-in-law hard disk is completely shared on eMule due to her son-in-law's imperfect grasp of eMule's share facility.
2. Allow remote access only with two-factor authentication where one of the factors is
provided by a device separate from the computer gaining access;
Yeah, sure. I guess somebody is underestimating the ubiquity of data communications nowadays. Or thinking still about CIA operatives mainly.
3. Use a "time-out" function for remote access and mobile devices requiring user re-
authentication after 30 minutes inactivity
Now this one is probably going to be widely enforced, it'll be simple to do.
4. Log all computer-readable data extracts from databases holding sensitive information
and verify each extract including sensitive data has been erased within 90 days or its
use is still required.
The logging will be made, usually. But how about the verification, I mean, in some places Harvest will really be plentiful, and the Laborers??? few, if any. Who's going to check all those accesses and what happened of the data? And even if they do, what about the son-in-law's shared hard drive? I mean, what about other copies that could have been done, printed, etc. from that original data. Printouts in the garbage are still one of the better ways of getting confidential data. What about flash memories in the workplace. Remember that story about the trojan-seeded flash drives scattered by the entrance of some goverment office building? Or Los Alamos missing hard drives ? The data security problem is certainly not going to be solved by a four-points note from the White House.
Basically this not is just a paper that says that a) The White House is trying hard to address this problem. b) Now you know who to blame (usually the overworked DBA) if anything important gets copied and hits the news.
Re:And the real question is... (Score:5, Insightful)
The kit in question is available from a number of vendors. I got one with me from Aladin marketed under the name of eToken, supports standard x509 certificates and if it will be bought in the quantities .gov will buy it the price will be in the sub 10$ range. It is only moderately more expensive now.
Works with nearly all OS-es: Mac, Winhoze, Linux, *BSD. It is about one quarter the size of an average USB key and has RSA engine on board. Once you have written the private key on it there is no way to retrieve it. All RSA ops are performed on the key.
Add to that the fact that all modern laptops and most recent desktops have TPM. You can use that for similar purposes.
In fact, the problem is not in the tokens and dongles. There are plenty of these on the market. The problem is how to handle certificate infrastructure and trust levels on the level of millions of certificates especially revocation. Now how .gov handles that will be interesting to watch.
Re:And the real question is... (Score:2, Informative)
Re:And the real question is... (Score:4, Interesting)
The hard part starts from there on.
You have to revoke the certificate if GI Joe number 286456781 is dead or has gone missing in action. You have to revoke the certificate if GI Joe 286456781 is found to be really Major Razvedki Ivanov. You have to revoke the certificate if Gi Joe 286456781's wife is found to really be Major Li of the people revolution army and she has gotten hold of the card PIN along with the card by means of giving excellent head.
Actually, revoking as such is not that hard either. May be a bit painfull in a multi-tier certificate hierarchy, but still possible.
The hard bit is propagating the knowledge that the certificate is revoked across an infrastructure of a
Re:And the real question is... (Score:2)
reminds me of a story i read, i think over at fark, a month or two ago, about an army officer who had been retired for a number of years. someone who got his SSN was able to get a military id in the guys name (despite his having been retired,
Re:And the real question is... (Score:3, Informative)
Retired military are generally still issued a military ID, giving them access to base hospitals, the PX/BX, etc. There's a difference between someone who's simply a veteran and someone who's stayed in for 20 years and retired.
Re:And the real question is... (Score:2)
It is not the time for being offline which is the interesting bit in a revocation architecture of this size. It is the "being offline" idea in first place. Examples of units that must be able to operate while completely isolated are missile launching subs, missile silos, air defence, etc. Granted, for most of them you can limit the CRL only to "certificates of interest", but even after it has been limited it will grow
Re:And the real question is... (Score:2)
Uhh, there are more than just PKI-based kits available. For example, you could go with SNK cards. In this case, the service to be accessed generates a challenge code. You then enter your pin and the challenge
Beware, too (Score:5, Interesting)
Beset with yet another layer of Policies, Programs, and Procedures the things a bureaucracy will need are:
feasibility studies
staffing increases
training
miscellaneous budget increases
Does anyone know the source of that quote in the Civilization IV game:
The bureaucracy is expanding to meet the needs of an expanding bureaucracy.
[1] I am making this up.
Re:And the real question is... (Score:4, Interesting)
Counter-point:
1. It sounds as though they are talking about classification here. There is a such thing as "Sensitive but Unclassified". Also, personal information gets protection under the Privacy Act of 197-something. Anyhow, it isn't as serious as you make it out. The stuff that is classified is protected at a whole different level.
2. No, they are saying that if you're going to connect to their network, you're going to have to do it with approved systems and use their authentication and it will all probably be through an approved, encrypted VPN. I know that the DoD has made a push over the last few years to replace the ID cards with smart card IDs with PKI certs embedded on them. These tie into the PKI infrastructure that has been rolled out and although it's taken a few years to get going, we're finally seeing it become a reality...you know, where it's becoming mandatory to log on using your card, sign emails, etc etc.
3. Well, it's all enforceable. That's the beauty of a government owned network. If they catch you not following their rules, they can fire you or even go so far as to prosecute you. Why not? You could be a terrorist! *gasp*
4. I agree with you here. Logs are great and all, but having a great gob of logs doesn't do you much at all. I wish them luck trying to go back to find a single transaction from 89 days ago.
Re:And the real question is... (Score:4, Interesting)
Why we need it... (Score:3, Funny)
Re:And the real question is... (Score:3, Insightful)
I disagree. I work for a rather large company in which the average employee is probably dealing with less sensitive data than the average White House employee. Yet we have a policy that requires all laptop hard disks to be encrypted (regardless of what is stored on them), all remote logins to use two-factor authentication, etc. T
Re:And the real question is... (Score:2)
Getting back to the remote system....yes you can work from your nephews computer, you
Re:And the real question is... (Score:2)
"These days it's all secrecy, and no privacy."
- The Rolling Stones, from "Fingerprint File" [lyrics007.com]
Re:And the real question is... (Score:2)
Re:And the real question is... (Score:3, Insightful)
- Because encryption is a black art (and a dirty word) to a lot of people. I've had people tell me that they don't want to own books on crypto or have crypto software on-hand because it will make them look like they have something (evil / illegal) to hide. Makes me sad as a patriot...
- Because it's easier to keep your head in the sand regardi
Re:And the real question is... (Score:2)
Re:And the real question is... (Score:2)
Re:And the real question is... (Score:2)
This program is only going to cost approx. $99.99 ... per citizen.
Re:And the real question is... (Score:2)
While I'm not arguing with your general point, the following need addressing:
Apart from the 'knowing a fair amount about it' bit - see the 9/11 Commission report.
Again, rubbish. Saddam basically asked permission to invade Kuwait, and as the US didn't object, took that as presumptive permission. But the only reason this was a problem at all (compared to
Oh, lookie here (Score:5, Interesting)
Re:Oh, lookie here (Score:5, Funny)
Re:Oh, lookie here (Score:2)
No. RFI, couling induction and TEMPEST concerns are what I was told. Although only God knows why 3 ft is the magic number - and LCD vs tube doesn't seem to matter.
Freudian Slip (Score:2)
Re:Freudian Slip, Not (Score:2)
The logo is just on a white (as opposed to transparent) background. Hence, it's a square which happens to cover most of Europe. It had to cover something since the person making the graphic didn't convert the jpg to a tiff or png that has transparent backgrounds.
Likely just an office worker doing something quick in powerpoint without spending a lot of time finessing the thing.
Leave it to slashdot to find something wrong with it. I'll
Re:Oh, lookie here (Score:5, Informative)
The 3-foot rule is an old EMSEC (Emmissions Security) rule that seems a bit outdated. It's supposed to prevent signal emmissions of hard-wired machines from being interfered with or being collected by other devices. I know it sounds ridiculous, but the program is is old and outdated.
Overall, that PDF slideshow is not a very good IA training tool. They probably don't even use that anymore, or it's only used by a small group of people. The link at the end of the document brings you to a course completion page that shows the date of the program as 2004. You guys might not be able to see the site if you are not on a
IA training is mandatory for all users of DoD client machines, but the DoD networks have many other safeguards to protect information. As always, a security policy is only as strong as the people abiding by it, so IA training tries to lessen the risk of information leaking out due to poor information protection by the user.
Re:Oh, lookie here (Score:2)
Well, I think I'll keep a copy of this around to show people what "IA training" meant as recently as 2004. It should go a long way toward educating those who are overly enamored of the Do
3-foot rule (Score:4, Interesting)
The concern has to do with radiation produced by equipment; classified systems are shielded (sometimes) or kept in shielded rooms (more commonly, because actual shielded equipment is more expensive) with RF chokes on all the lines going in and out. The idea being that you don't want somebody to be able to listen to RF signals that your monitor on your classified system is putting out, by attaching an antenna to the building's cold-water pipe.
Where the problem gets even more complicated is that you can compromise a well-shielded system (one that doesn't radiate any information back into the power lines, etc.) if you put it close to an un-shielded (unclassified) system. The RF being produced by the shielded system will couple to the coils and whatnot in the unshielded system (which doesn't have any fancy chokes on its connections) and now you're back to radiating classified information into the building's power/water grid.
The '3 foot rule' is definitely arbitrary, but apparently it's the distance at which the people who are paid to think about these things believe that a classified system won't interact with an unclassified system and produce any significant radiation back into the building's infrastructure. If it sounds paranoid, that's because it is -- this was all Cold War era research -- but that doesn't meant it's not still true.
You're right though in saying that the artificial division between EMSEC and COMSEC and COMPUSEC is outdated and should be replaced with something more inclusive and relevant; however, the EMSEC precautions aren't completely outdated, and still exist for a reason where classified data is concerned.
Re:Oh, lookie here (Score:4, Insightful)
Since a LOT of people use P2P for pirating copyrighted material, that is also a valid statement. Just because its not ALWAYS used illegally, does not invalidate this statement for their purposes.
DOD is a BIG agency, with a lot of employees. It likely that many of them have routers capable of wireless tramsmission, but not new enough to use WPA. To enable the most people to be able to connect remotely, WEP is allowed. Notice that recent loss of laptops with sensitive info did NOT include DOD, nor did they include actual CLASSIFIED material. That stuff is covered under a whole different, and MUCH stricter, set of rules!
3 foot space? Covered adequately by other posters who know more about it than I do.
A LOT of people lose laptops. Civilians, government workers, and military. This statement is there for obvious reasons. People always need to be reminded, plus, statements like this are needed to remind employees that their employer thinks the issue is important. You cannot just take it for granted that people will just magically understand how you think. In addition, if this is included in such a presentation as this an emnployee can't later claim that he/she wasn't told! It's therefor a CYA for the organization.
My own agency uses a total encryption program that encrypts the entire HD. We take nothing for granted. Employees have no choice, laptops are issued this way. You don't like it, you don't get a laptop. We use a two step authentication procedure for remote connections, in fact, everything this article says the White House is demanding, my agency has been doing for over two years.
Has it cost a lot? Yes, this stuff isn't cheap. Is it worth it? Yes, you won't see my group in the news like this!
Does info get out in ways accessible to potential thieves? Probably, we have over 10,000 employees; it's hard to control the actions of that many people, and information can be copied in so many ways. But we do what we can; we only allow the use of encrypted laptops, desktops that are allowed home are also encrypted this way, too. As mentioned, two step authentication, firewalls, 24/7 firewall/WAN monitoring for suspicious activity. If a machine is caught broadcasting packets identified as coming from prohibited software, a technician is dispatched to remove it. User has no choice. Desktops are locked down, and special permission is required from a committee to allow local admin control for any user. Users can't even install their own local printers!
Users are required to review an annual Information Security Awareness presentation, via the intranet, so we can monitor compliance. If you don't view it within a certain time frame, your account is automatically disabled, and you then need special permission from an Associate Commissioner to get reconnected without viewing the show! This guarantees management attention to your failure to follow security procedures!
I have only touched on the most obvious arrangements, there are a lot of others that I can't reveal - I'd have to shoot all of you! I'm sure that there are others I don't know.
Does all of this guarantee we won't see a breach? No, I'm sure it doesn't. But it makes it much more likely that if one occurs, the headlines will make note of an employee that broke procedure and did something to get around agency safeguards, and will eventually report his/her prosecution.
We are not perfect, and we'll be the first to admit that. We ARE human, after all. (gasp!) BUT, just because we get our paychecks from Uncle Sugar doesn't mean we left our brains at the door.
Some agencies use the budget Congress gives us to do our jobs, and we try to do them without being told. We even try to close the barn door BEFORE the cow gets out!
I know that's a shock to some of you, but we really do try, and we most often get it right. You only read about it when we don't...
Re:Oh, lookie here (Score:2)
Makes it easier to see if there are any cables strung between the two computers. Also makes it more obvious if someone is taking something out of the one machine to attach to the unclassified machine (such as storage media). Assuming that someone is watching (or that there is surveilance footage being archived).
(Both hurdles are bypassible with a little sleight-of-hand. Newer wireless protocols such as Bluetooth, WiFi, IR mak
Re:Oh, lookie here (Score:2)
Re:Oh, lookie here (Score:2)
IF the government is stupid enough to mix classified and unclas machines in the same vicinity, this might have to do with RFI, as an earlier post stated. Generally speaking, the classified computers and networks are physically separate from the unclas stuff (as in, separated by a vault or a bunker).
Re:Oh, lookie here (Score:2)
From the parents PDF:
Like thats going to stop a hacker for all of a few minutes.
Bizarre. WEPs shortcomings have been known for years.
Re:Oh, lookie here (Score:2)
I'm surprised they have to tell people to use strong passwords? They don't enforce this when a user changes their password?? There's a bit on P2P too - they don't block this?? I know P2P networks can be a bitch to control through the firewall but there are application layer firewalls and other intelligent devices to sort this kind of thing out.
Interesting that classified PC's must also have removable HDD's and be clearly marked classified - shouldn't they just be physically located
Re:Oh, lookie here (Score:2)
Wow... (Score:3, Funny)
Re:Wow... (Score:5, Funny)
Re:Wow... (Score:2)
Re:Wow... (Score:3, Funny)
Be careful where you point that joke. My .sig at work over the last few years has been:
..and I still get email from people to tell me that their computer was able to read my email, so Outlook must support this "ROT-26" encryption thing. And they aren't joking.
Re:ROT13 (Score:2)
Yes but what do you do about... (Score:5, Insightful)
Mostly I remember people INSIDE government agencies leaking this information to the press on purpose, to disclose high shenanigans and malfeasence in the Bush administration.
This doesn't do much to stop this kind of leak, but makes it much easier to track down those who do leak information. I don't think this has as much to do with security, as it does fear and punishment.
Re:Yes but what do you do about... (Score:2)
You know, there was a time when doing that sort of thing was called treason...
Re:Yes but what do you do about... (Score:5, Insightful)
You know, there was a time when doing that sort of thing was called treason...
Maybe if this administration was a little more well-liked [cbsnews.com] they'd be able to convince people that the leaking of it's shortcomings and bastardization of the law(s) of the land was a real threat. As it stands, the only thing these leaks are doing is proving to your average American that, hey, Bush really is the bastard the ultra-liberals decried him as in the first place.
Re:Yes but what do you do about... (Score:5, Interesting)
Except that the "average American" is not quite as "average" as the classist ultra-liberals envision him. What it really does is cause the "NASCAR Dads" and "Soccer Moms" to get even more disgusted with the mainstream news spigots and start seeking less-biased and more representative sources. That, of course, can only hurt the bottom lines of the Old Guard [nytimes.com].
To successfully compete with an Internet across which one can aggregate news (and opinions) from all over the political spectrum, a traditional mainstream outlet will have to either clearly claim allegiance to one pole (e.g., Fox News) or genuinely have no political leanings or agenda (e.g., nobody right now). The days in which an outlet can pose as unbiased while actually trying to manipulate opinion with stories slanted either left or right are dwindling, or so say the accountants...
Re:Yes but what do you do about... (Score:4, Insightful)
I don't think that such a perspective is possible. First of all, I've never seen a theory or technique enumerated or even hinted at for achieving a biasless perspective. I can't help but conclude that human communication is inherenly biased. Even if there were such a technique, would human organizations be able to achieve that standard with limited time and resources?
Let's say that you did have a biasless report on something. You still have to present the information in serial order. Which side gets to make the 'first move'? (Whose side is presented first?) Who gets the last word? Who gets more words? Who gets longer quotes?
Re:Yes but what do you do about... (Score:2)
I won't disagree with you.
Of course, the logical follow-through to the argument is that all journalists are frauds at worst, and merely "pundits-in-training" at best.
Works for me.
Re:Yes but what do you do about... (Score:5, Informative)
I find that most people who throw about the word "treason" don't actually comprehend what it encompasses, nor do they understand the historical & legal background.
To commit treason someone has to overtly and willfully cooperate with an enemy, to overthrow the gov't. Anything else gets treated as espionage, since Sedition laws are nonexistant.
You show me how leaks to American newspapers qualify as over and willfull cooperation with "the enemy" and we can talk treason, until then, please refrain from echoing the ignorant statements of others.
Re:Yes but what do you do about... (Score:2)
To emphasize that, here is the text of Article III, Section 3:
Re:Yes but what do you do about... (Score:2)
Uhm... (Score:2)
TFA (which I read for a change) says this is about the leaks of personal identity information.
Data management.... (Score:4, Insightful)
I am no Neocon and I usually don't agree with Mr Bush and his crowd on anything at all but this time I fail to see what the fuss is about. They are planning to:
- Encrypt all sensetive data on laptops and PDAs.
- Drastically harden authentication methods and make damn sure idle connections are severed.
- Make damn sure sensetive information is not left lying around on hard drives all over the place thus decreasing the likelyhood of it ending up in the hands of people it wasn't intended for by accident. In short they plan to drastically improve the management of sensetive data.
In my humble opinion these are all pretty resonable and sensetive measures for any government to take. My only question is: Why wasn't this done many years ago? These are measures major corporations have considered standard for years in order to thwart industrial espionage. I am quite frankly flabbergasted at the what the article seems to imply, which is that US officials, military bigwigs and intelligence people have been traveling all over the USA and the rest of the world for that matter carrying unencrypted sensetive data on their WinDell laptops.Re:Yes but what do you do about... (Score:2)
People will look at whistleblowers in different ways. In many of the recent cases regarding disclosure of questionable Bush programs, the r
5 years of "homeland" defense (Score:3, Insightful)
Re: 5 years of "homeland" defense (Score:2)
Maybe for a suitably fraudulent definition of "debated" [washingtonpost.com].
Re: 5 years of "homeland" defense (Score:2, Insightful)
Or "masturbated".
Our country is losing two wars abroad and sliding into a fascist dictatorship at home, and Specter's got nothing better to do than lecture a near-empty chamber about his family history under the pretense of advocating an amendment that serves no purpose but to rally some knee-jerk voters.
Re: 5 years of "homeland" defense (Score:2)
Wouldn't that be "masturbaited", then?
Re:5 years of "homeland" defense (Score:5, Insightful)
At the risk of being labelled a trolling fanboy, there is nothing intrinsically wrong with using Windows (or indeed any given operating system) for a government agency.
What is intrinsically wrong is not taking some time to investigate the requirements of the agency and configuring things accordingly, instead just throwing a bunch of laptops onto a domain and saying "There y'go".
It may even be the case that they did configure things accordingly with strong encryption available and everything. But maybe no effort was made to ensure it actually got used. Perhaps strong encryption was used, and effort was made to ensure it worked when accessing databases - but some other application crept in for which it was easier to do a plain-text dump of the database onto an unencrypted area of the disk.
In any sizeable organisation, desktop IT requirements are very complicated. Just saying "They used Windows. What do you expect?" isn't particularly helpful, and doesn't cut to the root of the problem.
Re:5 years of "homeland" defense (Score:2)
This is similar to the current implementation of CAC cards for the military. Since about two years ago every soldier, DA Civilian, and DA Contractor has had a CAC card with working crypto keys intended one day to be used for CAC Logon, Email Signing, and EFS style keys. I joined the Army in 2002 and pushing out the CAC card reader
the real question is, of course (Score:4, Insightful)
Why would this data be on a laptop in transit in the first place? 15 years ago, I would understand the need to carry a bunch of tapes from location A to location B. With recent advances in networking the utility of carrying around data in a suitcase seems quite elusive.
Re:the real question is, of course (Score:4, Insightful)
The answer to that question would provide some relevance, context and insight as to the why the decision was made. Aside from the obvious, of course.
I can't quote any specifics, but I remember hearing the tail end of an NPR story on the "laptop" incident mentioned in the article. Seems the person who had the laptop stolen worked for the VA and typically worked in the field and required routine access to a large database of records to verify claims or something similar. The impression I got listening to the story was that it was a case benign ignorance more than anything else. My guess is that kind of ignorance, both on the part of the laptop owner and his/her agency, wouldn't be unlike the widespread ignorance found in the private sector. I'll resist the too easy Blame Microsoft angle, but we do have a generation of computer users who grew up blissfully unconcerned with such notions of security, so it shouldn't surprise anyone when the folks in charge over-react, or hand down edicts to force everyone into line.
Government does have a role in setting agendas (ODF is a good example), so I guess this is a good thing. At the very least, it raises awareness.
Re:the real question is, of course (Score:3, Informative)
Pick any very large corporation that provides any measure of benefits for employees. Chances are good, if that corp is big enough, that it's currently under some kind of audit by the Internal Revenue Service. If so, there's a strong possibility that some portion of the examination is looking at the benefits plans provided to the the employees. In that case, there is a laptop at the IRS, belonging to the Employee Plans Revenue Agent on the c
Not "requirements" (Score:5, Interesting)
Which means this is likely to have zip for effect.
They delete THEIR downloads after 90 days... (Score:5, Insightful)
As far as I know, the founding fathers tried to protect the people from their government, fearing that it might turn one day against them. I think it's time to put this in practice. Not the government has to monitor its people, it is to be done the other way around.
Re:They delete THEIR downloads after 90 days... (Score:3, Interesting)
Come on now, it's way too hot outside for tinfoil apparel.
We're talking about data that's copied off to laptops for mobile use. Copied. The concern is over some federal worker or contractor dumping some subset of sensitive data (say, YOUR information?) off to a laptop while workin
That's not what I'm talking about (Score:2)
Now, if a gov official copies data, 90 days later nobody knows anymore what he copied. It cannot be traced. 90 days is a very short time in our judical system.
In related news... (Score:4, Insightful)
Seriously, the US government is only just figuring out what encryption is for? Exactly incompetent are they?
And before you get comfortable laughing at these people, consider for a second how dumb you must be to let these same people hoover up all your civil liberties...
Re:In related news... (Score:2)
THE TERRORISTS JUST WON!!!!!! (Score:2, Funny)
Awesome (Score:2, Funny)
It actually makes sense!
Practical and impractical solutions.... (Score:5, Funny)
1. As every agent who possesses sensitive information leaves office, shoot him.
2. Destroy his/her/it's laptop.
B. Impractical solutions:
1. Build a new proprietary operating system for secret agents.
2. Build proprietary hardware for them.
3. Build scretive, propriateary network cards, that operate on proprietary, unpublished protocols.
If neither Plan A or B seems workable, post Ask Slashdot for ideas!
-
Quick, Start selling ROT-13 software suites! (Score:2)
Re:Quick, Start selling ROT-13 software suites! (Score:2)
Only a matter of time... (Score:3, Insightful)
You can put all the security you want on databases, firewalls, and file servers. But in the end, users still need to access that data. Therefore, accidental (or otherwise) leakage of info by a consumer of this data is the main risk of disclosure, not a hacker. We need to have better IA (Information Awareness) training first, and remind users of their duties to keep this information secure. Another layer of protection won't work if users don't understand how important it is to secure this data.
So that's how it is... (Score:5, Insightful)
(And yes I'm well aware that nothing is forcing us in the US to hand over our encryption yet but don't worry it'll probably happen sooner than you expect.)
One law for the king and another for the people. We can't live like that...
encrypting everything (Score:2)
And, will anyone in the public domain ever really know what has been encrypted and why?
Why doesn't everyone (including me!) encrypt? (Score:4, Interesting)
Of course, I don't use FileVault.
Why not? Well, it's one more thing to go wrong. I'm far more worried about losing my files or losing access to them, than I am about having other people look at them. And, frankly, I've never bothered to find out exactly what happens when you use a standard backup tool on a FileVault-protected Mac (presumably all the backups are UNencrypted if you are running the backup tool from within the protected account?)
So... I dunno. I don't understand why everyone doesn't use encryption, but I don't use encryption myself. Of course, I have reasons. Probably everyone else has reasons, too?
It still won't matter (Score:3, Insightful)
It still won't matter. Just look for the yellow post-it note with the password stuck on the monitor, under the keyboard, or under the mouse pad.
What's good for the goose... (Score:2)
Privacy (Score:2, Insightful)
My solution (Score:2)
Sorry, still on my morning caffiene high
So what software packages will they be using? (Score:2)
- PGP sells a corporate level product called "PGP Whole Disk Encryption". [pgp.com]
- SecureStar sells DriveCrypt Plus Pack [securstar.com]
What else is out there that is trustworthy? (Heck, do we even trust that there aren't any weaknesses / or back doors in PGP or DCPP?)
Re:So what software packages will they be using? (Score:2)
I have a feeling I have some work ahead of me.... (Score:2)
Re:I have a feeling I have some work ahead of me.. (Score:2)
About 80% of our computers go out the door. They are laptops issued to field agents, special agents, and officers, as well as a smattering of appraisers, engineers, analysts, and more. The whole disk encryption things is going to be very big for us. It might be easy if it gets well thought through before implementation. It might be a nightmare. I'm uneasy about the near future.
Sensitive vs. non-sensitive: translation (Score:2)
the name of the mole they have in the opposition parties headquarters.
source and destination of slush fund money
the memo stating that the WMDs and terrorist links were bogus and just a trumped up excuse to send billions to Haliburton
the names of US companies sending contraband materials to Iraq, Iran and N. Korea
the plan to use diebold to steal more elections
what they really think about the voters
non-sensitive information:
your name, SSN, mother's maidenname, credit card numbers,
phn conversations,
False sense of security (Score:2)
We all know that there are user friendly apps out there to retrieve data from encrypted files, though it will raise the bar a little.
Using a hardware security device also could lead to a f
Why let them have it at all? (Score:2)
Why are financial records not given the same protections as medical records?
I have no real problem with credit reporting agencies. These companies are in general very careful with data. I know that when I interviewed with Equifax I was very, VERY impressed by their security. Several steps to get in...everyone checked on the way out. No laptops/PDA's allowed inside, etc -- and I was just interviewing!
The compan
Re:Why let them have it at all? (Score:2)
Actually, with GLB there are some very specific regulations required for Banks and Financial institutions. The downside is most banks aren't following these guidelines and the laws aren't uniformly enforced. The same thing is happening with your medical records. HIPPA rules are very specific, but the laws aren't being enforced [infoworld.com].
You have no privacy and all of these laws are passed just to make you feel better, not to actually
transparency implications (Score:2)
Re:transparency implications (Score:2)
There are plenty of days when I wish that natural selection would get rid of the idiots in this world at a hi
Re:transparency implications (Score:2)
Yes. The problem is that other agencies were all left to their own discretion as to how to protect what. They do a remarkably non-uniform and rather spotty job of it, which is why the OMB is stepping in with more detailed guidance.
As Ye Sow.... (Score:4, Interesting)
Re:As Ye Sow.... (Score:2)
NO WAI!
hehehehe. I think the security apathy reaches far beyond the government. I mean how many people really use PGP [or the like] nowadays anyways? Fairly low.
Tom
Re:As Ye Sow.... (Score:2)
That's my point -- the stupid government policies made it impossible to incorporate decent crypto into data structures by default. (It might not have happened anyway, or might have happened with half-assed implementations such that anyone desiring real security would have had to add it themselves anyway, but it could not happen while the old crypto rules were in place.)
Here is a stupid question - why take home data? (Score:2, Interesting)
Re: Nixon parallels are staggering (Score:2, Informative)
Bush makes Nixon look like a choirboy.
Neither. It's... (Score:2)
Re:directly from the white house? (Score:2)
Ach du LEEEEE-Ber, Fritz! You left ze link to your German language vebsite [algorithman.de] in a post mocking the Texas accent of ze President of ze United States!
Mein Gott!! Vat a DUUUUM-Kopf you must be, Ya?
* * *
Demonstrating once again that Americans don't have a lock on jingoism, nationalism, and general stupidity.
Thanks for participating in our survey.