New State Laws Could Make Encryption Widespread

New laws that took effect in Nevada on Oct. 1 and will kick in on Jan. 1 in Massachusetts may effectively mandate encryption for companies' hard drives, portable devices, and data transmissions. The laws will be binding on any organization that maintains personal information about residents of the two states. (Washington and Michigan are considering similar legislation.) Nevada's law deals mostly with transmitted information and Massachusetts's emphasizes stored information. Between them the two laws should put more of a dent into lax security practices than widespread laws requiring customer notification of data breaches have done. (Such laws are on the books in 40 states and by one estimate have reduced identity theft by 2%.) Here are a couple of legal takes on the impact of the new laws.

  • Re:Legacy Systems? (Score:5, Informative)

    by Sebilrazen ( 870600 ) <blahsebilrazen@blah.com> on Friday October 17, 2008 @12:16PM (#25413843)

    It seems like the Democrats are doing the same thing the Republicans did after 9/11. Just as after 9/11 the Republicans pushed Security to an extremist state, Democrats are using the financial crisis to push down all those heavy regulations down our mouth...

    BS, this is state level law, not Congress, way to troll. Besides these laws were passed way before the meltdown, these are their enactment dates.

  • by Amazing Quantum Man ( 458715 ) on Friday October 17, 2008 @12:41PM (#25414217) Homepage

    I suspect that they'll just spec FIPS 140-2 [nist.gov] certification for the crypto app.

  • by MrMr ( 219533 ) on Friday October 17, 2008 @12:42PM (#25414225)
    The DPA is one of the few generally excellent pieces of legislation in the UK
    Ironic that it is just the local implementation of the 1995 EC data protection directive...
  • Re:mofo.com? (Score:5, Informative)

    by hajihill ( 755023 ) <haji_hill@hotm[ ].com ['ail' in gap]> on Friday October 17, 2008 @12:47PM (#25414325) Journal
    Assuming here that the above poster is being funny, I'll clear this up for those this might actually cause some concern.

    Morrison & Foerster [wikipedia.org] is an internationally recognized and prestigious law firm established in 1883, that has been going by the nickname MoFo since 1973. More on the linked Wikipedia article for those still interested or skeptical.
  • by IchNiSan ( 526249 ) on Friday October 17, 2008 @12:52PM (#25414401)
    s/possessing/exporting/g
  • Re:Why so expensive (Score:3, Informative)

    by Timothy Brownawell ( 627747 ) <tbrownaw@prjek.net> on Friday October 17, 2008 @12:52PM (#25414409) Homepage Journal

    What magical encryption do you have that doesn't slow the system at all?

    It's not the encryption, it's having a system with a processor made in the last 5 years. Spinning plates of rust are already insanely slow, adding symmetric encryption on top of that won't make a difference.

  • Re:Legacy Systems? (Score:4, Informative)

    by Tony Hoyle ( 11698 ) <tmh@nodomain.org> on Friday October 17, 2008 @01:21PM (#25414829) Homepage

    You'd probably have trouble on AS/400 unless they've done a version that copes with all the nasty EBCDIC issues porting to that platform (and the fact that it doesn't use directories in any meaningful sense, and what there is of its filesystem is completely alien to the average PC user).

    There are lots of those in operational use that have been doing mundane work for years.. and nobody is going to change them in a hurry, because replacement is very expensive and you don't get a better system at the end of it.

    Hell, I'd hesitate to compile OpenSSL on quite mainstream OSs like HPUX (although probably someone has already gone through the pain of doing it I'm sure).

  • Re:nannystate tag? (Score:4, Informative)

    by DavidTC ( 10147 ) <slas45dxsvadiv.v ... m ['x.c' in gap]> on Friday October 17, 2008 @01:39PM (#25415065) Homepage

    It's not just personal data on the laptop.

    I work for a fairly small company, and while we don't have any personal data off our server, and in fact don't really have any personal data beyond names, addresses and email accounts...

    ...we have logins to our CC processor and whatnot that could trivially be used to steal quite a lot of CC numbers. In addition to probably breaking into our bank account and draining. In addition to getting into our servers and installing backdoors.

    Which is why, of course, we have TrueCrypt with boot-time encryption on all laptops, so that if they get stolen we don't have to run around like chickens with our heads cut off trying to figure out every single login that needs to be changed.

    For those people worried about forgetting their password: Burn three or four TrueCrypt 'recovery CDs' and write the password on them. In fact, write the password everywhere...just don't carry it around in the laptop bag.

    Seriously, half these 'data thefts' are random laptop thieves stealing random laptops that just happen to include absurdly dangerous amounts of data on them. They aren't targeted attacks, and the thief is probably wiping them before boot. But companies have to act like they have all your data because said companies are morons who can't spend a tiny amount of time setting up free software that would stop that from happening.

    People often worry about computer security in entirely the wrong direction, worrying about changing internal company-only passwords every month, and then completely ignoring actual outside risks like someone snatching a laptop bag off someone's arm.

  • by NeoSkandranon ( 515696 ) on Friday October 17, 2008 @01:42PM (#25415099)

    Cuba, Iran, North Korea, Sudan, Syria off the top of my head. Not sure what the other(s) may be or if any of those are off the list.

  • by paco verde ( 561678 ) on Friday October 17, 2008 @01:44PM (#25415127) Homepage

    Apologies for replying to my own post, but I found the list in this PDF document [rsa.com]:

    Cuba, Iran, Iraq, Libya, North Korea, Serbia, Sudan, Syria, and Talisman-controlled (sic) (Taliban-controlled?) areas of Afghanistan as of January 2000.

    (Although there are nine -- counting "Talisman-controlled areas of Afghanistan" -- listed, not 7.)

    -- Glenn

  • Re:Legacy Systems? (Score:2, Informative)

    by yttrstein ( 891553 ) on Friday October 17, 2008 @01:51PM (#25415221) Homepage
    ssh was ported to AS/400 longer ago than I care to remember, and ssl along with it later when it became ubiquitous.

    I've actually compiled OpenSSL on HPUX rather than use old, ratty, early version packages. It's really not so bad if you think in terms of old Solaris machines that you couldn't do too many useful things with until you "gnuified" them. As soon as you've gotten your gcc goodness and a bucket of appropriate libraries, openssl becomes trivial to build anywhere really. That was my point---I can't imagine a system that anyone still uses for anything--at least not one that approximates POSIX compliancy (and even many that don't), that would be impossible to build openssl on.
  • win98 (Score:3, Informative)

    by zanybrainy941 ( 972076 ) on Friday October 17, 2008 @01:52PM (#25415239)
    Looks like a lot of state agencies are finally going to have to upgrade from Win98.
  • Re:Why so expensive (Score:4, Informative)

    by DavidTC ( 10147 ) <slas45dxsvadiv.v ... m ['x.c' in gap]> on Friday October 17, 2008 @01:54PM (#25415263) Homepage

    Right. Especially for laptops, which tend to have slower hard drives in the first place.

    I installed TrueCrypt on my moderately old laptop, an Intel 1.6GHz, and the only speed difference I notice is that, for some reason, hibernation and unhibernation is twice as slow. I suspect this is some sort of bug. Other than that, I forget it's there except when I boot up.

    TrueCrypt, by default, uses AES, which was designed for speed on modern processors. (Or, rather, was designed to use exactly the mathematical operations that CPU manufacturers optimize for in order to make games run faster, so as CPUs keep speeding those operations up AES gets faster.)

    Ha, I just checked to see if that hibernation thing is a bug, and it turns out that not only is it, but it's been fixed in 6.0 and I should just upgrade instead of whining about it.

  • by valkraider ( 611225 ) on Friday October 17, 2008 @02:03PM (#25415413) Journal

    The best solution would be to encrypt the files and don't trust the low level employees with the key

    You do realize that it is the "low level employees" who do most of the work, right?
