TSA to Contractors - Encrypt Your Laptops

eweekhickins writes "After two laptops were lost containing the personal data of 3,900+ truckers who handle HAZMATs, the Transportation Security Administration has ordered its contractors to encrypt any and all data. 'After the second theft or loss, the TSA conducted an IT forensic investigation that ascertained that the (previously) deleted information could be retrieved if a thief had the proper training. "So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place," Davis said.'"

Overheard conversation

[postbigbang]

"No, not the keys to the truck and trailer, I need the damn keys to the laptop!"

Re:

[TechwoIf]

That would be funny if it did not actually happen to me. I drive a truck and cross the boarder to Canada and back to the USA. I was literally asked for the keys to the laptop by customs.

Re:

[postbigbang]

We agree that the keys to encryption need to be well managed, and penalities for any kind of data loss need to be incredibly severe.

Not flying or going to an airport since 9/11 (presuming *because* of 9/11's aftermath) as a result of your demands, would appear to border on paranoia in the extreme, however. Someone has your IP address for the message you posted, and has already traced you back. It's in your service provider's info sent to the NSA. You didn't have an https connection, so everyone saw what you

Re:

[postbigbang]

Triangulation errors don't matter with nuclear weapons.

And if the accuracy is that bad, it means you're in a desolate area, so reversion to a google map ought to do the job, unless you're in a cave. And if you're in the niddle of a baseball stadium, that narrows it down a lot! Mine currently is placed either in NJ, or in a western burb of Chicago, both very far away from my actual locus.

Nukes wouldn't even do it. But maybe some cool X-files laser-from-the-sky might figure out my latencies and zap me on the

Re:

[moderatorrater]

Every GeoIP service I've checked

Unless you've checked the one used by the NSA, your argument doesn't really matter.

Re:

[hedwards]

Encryption is not perfect. It can be broken.

Sigh, you clearly don't get it. Encryption isn't to keep it from being broken. Encryption is to delay access for as long as possible. Any encryption scheme can be brute force cracked if one has the time to do so. A desirable scheme should require the correct key, and make brute forcing the key take centuries. And that is assuming the algorithms are sound and that the passphrase or key is strong enough to do the trick.

Encryption really shouldn't be thought of as a way of keeping anybody from reading it, it

Re:

[ehrichweiss]

You forgot that if the laptop was stolen from a trucker then the thief isn't likely to want to spend the same amount of time on a trucker's encrypted laptop, that may only contain nudie pics the trucker is trying to hide from his wife, as they would one stolen from the FBI where they'd almost be certain of getting something fun to view.

Re:

[Daimanta]

Any encryption scheme can be brute force cracked if one has the time to do so.

Actually, that is incorrect. One-time pads and matrix multiplication are both methods that are uncrackable without the key.

Re:

[moderatorrater]

This is one of the many reasons I haven't set foot in an airport since 9/11.

Let me guess, another is that your hat sets off the metal detector?

Many have been told to backup...

[psychicsword]

Though many never do, will this be the same?
I think that even if you force the security measures in place people will always find a way around it. People write their passwords on a Post-in note or tape it to their monitor. These security measures are good but definitely not perfect.

Re:

[sumdumass]

If MS preencrypted the drive, the default pass word would probably be something like MSr0cKs01 or something and it would never be changed and most likely useless.

There, is that good enough for you? I know it sort of slams the users too but what the hell, it is a slow news day.

It's always sad

[techpawn]

That these kind of measures are retroactive instead of proactive.

Re:It's always sad

[Volante3192]

"Reactive"

It's more likely it was pitched, but either for cost or time, management probably shot it down. Never mind there've been high profile laptops missing all over, like the VA one. Being naive, I would wager that the IT department would like to lock down the systems as tight as possible (I know I would) but are being thwarted by management becaue it'd make things too hard, too different, or cost too much.

It's always after the sole data server blows up that they decide "oh, guess that backup option would've been worthwhile." (Had this happen too. Financial data, customer data, and no paper trail. But the tape drive cost 'too much'.)

Re:It's always sad

[mlts]

I keep wondering, if the data is that sensitive, IT departments should have it physically never leave the data center. Instead, offer different means of access via secure means, such as Remote Desktop, ssh, a secure webapp available after connecting to a VPN, or some other means of accessing the data and gathering reports from remote. Keep the data available, but have it physically reside in the (relatively) secure environment of the data center.

If someone needs offline access (for example in a remote location with no Internet access), that is a different story, but in a number of laptop theft cases, there is no real reason the info is physically sitting on the laptop.

Of course, this won't prevent an employee from doing an export of all the tables to their laptop, but having the sensitive data behind a username, password, and a SecurID token means that the losses due to a stolen laptop will be minimal. Add a decent FDE program (BitLocker is decent because it doesn't get in the way of users, provided they can access their user), and a laptop loss can be written off as "just" hardware.

A number of Dell laptops and desktops have the ability to have CompuTrace installed in the BIOS. This is another good tool to help find stolen goods.

By using the tools out there, from WDE, to having data physically residing on a different location (although there are cases where this isn't possible), to CompuTrace, damage done from a stolen laptop can be greatly mitigated.

Re:

[Volante3192]

&%*%*& coworker pulled the network cable for the room while i was submitting a comment to this. apparently it got poofed. Anyway...

There's the conflict between management and IT again. IT wants secure, management wants easy and convenient, and management nearly always wins out.

I deal with a similar situation in that, as an outsourced tech, I pretty much can pitch whatever, but it's up to the customer to decide if they want to impliment policy. Usually I'm overruled. "Stuff has worked fine for

Re:

[Sancho]

Many companies have policies that state that machines must be password protected--BitLocker, OS X, etc. handle encryption seamlessly if this is the case. There is no convenience reason not to use it on company laptops if they're managing sensitive data.

You can't believe how sad...

[WED Fan]

That these kind of measures are retroactive instead of proactive.

Yeah, I installed TruCrypt today so I could encrypt my drive yesterday.

Uh, dude, I think you mean "reactive".

Re:

[techpawn]

descriptive of any event or stimulus or process that has an effect on the effects of events or stimuli or process that occurred previously

Having people start to encrypt because of stolen laptops is a retroactive solution to the problem of the wild data

Even More Sad

[WED Fan]

Having people start to encrypt because of stolen laptops is a retroactive solution to the problem of the wild data

Wrong, Sparky. "REACTIVE" is the word. But, thank you for playing. Johnny will tell you what your consolation prize is...Tell him what he won, Johnny!

Johnny: A dictionary...Now, look that up in your Funk and Wagnel.

The norm for govt.

[Nick Driver]

As someone who works for a govt contractor (state & local govt, not federal), ironically in the security field lately, I've noticed that retroactive measures for security lapses are generally the norm, and not the exception. The govt organizations themselves are too cheap to do security right in the first place, and many contractors are too greedy to include proper security measures in their govt projects since those will cut into their profits. Fortunately, my employer has a clue and we don't suffer fr

Mod Parent Informative

[mpapet]

Generally, a very informative post that generally conforms with my experience.

the govt organizations themselves are too cheap to do security right in the first place,
Most of the orgs comply on paper, but operationally its pretty bad.

and many contractors are too greedy to include proper security measures in their govt projects since those will cut into their profits.

The blame goes both ways. I've been in situations where good security was seen as not necessary by the agency. There is also the nasty proble

Re:

[Lord_Frederick]

I work for a federal agency and I see a lot of "stepping over dollars to pick up dimes" when it comes to security. We have CAC authentication and there is now talk of all hard drives being encrypted, while everyone carries around a flash drive full of contractor information and a pst file. It feels like we are going through the motions just so a director can have a nice bulleted list of how secure we are. There is plenty of talk about security with government agencies, but very few properly implement even b

Re:

[shawn(at)fsu]

You could look at this a few different ways. First you could say that this is partially active and not totally reactive. Laptops were lost or stolen with large quantities of data, it's not sure if that data was used for nefarious purposes right at least it hasn't been disclosed publicly. So you could say that this is a semi active response. Some one said we got darn lucky lets remove this vector.

Also think about all the ways some one can get to your data. You have to step up your protection to all of these

Re:It's always sad

[Chris Mattern]

If they could actually take retroactive measures, they'd be much happier. "Johnson, I need to secure that data so that it didn't get stolen three days ago!"

Chris Mattern

Encrypting Personal Information

[Dragonslicer]

After two laptops were lost containing the personal data... we mandated that contractors need to encrypt any and all data

Is there anything to say besides "Duh"?

Re:

[beavis88]

Is there anything to say besides "Duh"?

Yeah - "Don't write your encryption passphrase on a sticky note and attach it to your laptop"

Because you just know that'll be the next TSA directive.

Re:

[afidel]

This may be the most insightful thing ever posted to Slashdot in its ten year history.

Re:

[Stray7Xi]

Of course it already is policy, every IT dept says not to write down passwords but it still happens. The real problem is a lack of security auditing. A flawless policy is useless if its not enforced. Someone needs to go verify that there aren't sticky notes with passwords on the computer, that the drive is encrypted.

Of course "inspectors" are usually associated with bureacracy and corruption. However TSA is already built around useless bureacracy not effectiveness, so how can it hurt.

Re:

[CastrTroy]

People write down passwords because they can't remember them. This is often due to setting too many rules for which characters the password can contain, and making the user change their password too often. The other problem is, is that people have to remember too many passwords. Different passwords for their home computer, banking website, gmail, office computer, debit PIN, and probably about 5 other things.

Re:

[flyingfsck]

Hmm, after the first one was lost, the data was set free already, so now after the second one was lost, the crooks have a backup too. Good luck with encrypting lost data.

Re:

[Pig Hogger]

Is there anything to say besides "Duh"?

Yes: Mmmmm! Donuts!!!

Not Enough

[s31523]

OK, so I have my Open Office document with goodies of HAZMAT data in it. I deploy my favorite encryption program [smalleranimals.com] and encrypt the document. Then I delete the original document. Same problem exists. Encryption is not enough.

Either the data needs to be "shredded" [fileshredder.org] or stored in it's natural form on a fully encrypted volume.

Re:

[Anonymous Coward]

An idea might be to put a VMWare Virtual Machine inside a TrueCrypt [truecrypt.org] volume.
This way your entire OS will be encrypted.

Re:

[apparently]

That one's been on my To Do list; I'm curious to see what the performance hit is.

Re:

[mlts]

I'm running the VM I use for Web browsing in a TrueCrypt container (less for security than ease of backups), using VirtualPC, and I also have a Linux VM running under VMWare that is also residing on a TrueCrypt volume.

Performance on either is a little slower, but if the VM has enough RAM, its not too bad.

I'd give it a try, you probably won't notice the performance difference for most applications, especially Web browsing.

Encrypt the drive

[Skapare]

Encrypt the drive ... except for a partition or flash module with enough of the OS to get started and prompt for the drive key password.

Re:

[ic3scrap3r]

Full Disk Encryption. That is the only answer. Otherwise you are relying on the user to make security decisions and they don't understand security.

Full Disk Encryption is just that. It encrypts the entire thing and requires pre-boot authentication. Even the OS is encrypted.

Re:

[SpzToid]

Full Disk Encryption. That is the only answer.

True, and so easy there's no excuse. Debian 4, and from my understanding Ubuntu 7.10 Gutsy due tomorrow, both offer full-disk encryption upon initial installation. It is so easy, why not? Also, because it is so easy and low-cost, I don't understand why enterprise and government don't immediately start a review of laptop OS' and their required client functionality, because of this built-in feature that is a royal pain on Windows.

Re:

[AceCaseOR]

Except, to give credit where credit is due, Vista Ultimate includes Full Volume encryption functionality as well.

Re:

[surprise_audit]

Ahh, pre-boot authentication... You'd think that any company requiring laptops to have full disk encryption would want that. Not, apparently, where I work. My full-disk-encrypted laptop boots all the way to the Windows login prompt without asking for anything, even though there's a device driver loaded extremely early on. I know it's not talking to the company server either, because it'll boot at home with no network access whatsoever.

I wouldn't be too terribly surprised to find that people with desktop

Contractors

[EveryNickIsTaken]

For what it's worth, it's Lockheed.

Re:

[Anonymous Coward]

This would surprise me, as I know at least in my division of Lockheed all laptops have mandatory full disk encryption. Posted as anonymous for obvious reasons.

Re:

[frankwatkins]

For what it's worth, Lockheed Martin can only do what the prime contractor (IBT) directs and pays for. I think someone else noted this in another thread.

this should read

[ILongForDarkness]

We don't want people knowing how much crap happens at a typical bridge, or airport. So only autherized personal should have access to the data. Hmm, my ignorance is comforting as I type this.

Don't forget!

[suv4x4]

Always put the password somewhere near your laptops in case you forget it. Security is aight, but there's nothing worse than forgetting your password!

And it seems...

[Creepy Crawler]

Due to the problem with most computers NOT being able to offer full HD encryption, to use a X86 emulator (like VirtualBox) with an encrypted directory via TruCrypt.

That problem is it does NOT provide good stego. I've went over that before, but there's a way to prove by contradiction that there is a likely chance of hidden partitions in data.

Re:

[jojo1835]

What they should be looking at is VMware's ACE product. Built in encryption, security policies, and the ability to expire a VM after a certain amount of time. Add to that the ability to lock out USB devices and un trusted networks, and you have a pretty cool product.

I'm not as concerned about the laptops being lost as I am about contractors keeping the data on their laptops as long as they like.

Tim

Re:

[Creepy Crawler]

---What they should be looking at is VMware's ACE product. Built in encryption, security policies, and the ability to expire a VM after a certain amount of time. Add to that the ability to lock out USB devices and un trusted networks, and you have a pretty cool product.

And I dont see an easy to maintain that kind of security with exception of TPMs. They support remote network control as you describe.

If I was attacking that kind of setup, I'd extract the HD partitions to my emulator (yes, a real ICE) and pro

Re:

[Creepy Crawler]

Im assuming high hostility against a federal machine. So, no, the host password will NOT be easily extracted. You know.. SysKey, encrypted ~/windows directory, encrypted user directories... Not fun. To combat that, you use an ICE. In Circuit Emulator.

Next the VM... Yes, you could roll back the clock, but how would one prevent that simple of an "attack"? Record via signed encrypted file when the last time/date access was. Ok.. so now we can just 'freeze' the VM so restart starts with those very files at that

"Only a small chance"?

[Opportunist]

Be serious here!

You steal a laptop. If you're not a complete dimwit, you first of all check what you got. So you boot the thing up and notice that you have a government laptop in your hands.

Question for 100: Do you want to know what's on it? Let's even assume you don't know jack about computers, but do you want to know what's on the box?

Now, it's fairly trivial to get information out of a hard drive and restore deleted information (unless it's been overwritten, where it becomes less trivial). A halfway informed person with a bit of knowledge is enough, you don't need a forensic expert. All you need is the usual program(s), downloadable at leisure. And presto, instant information recovery.

The question is not whether information can be gained from the laptop, the only question is whether the thief has the brains to use it. That he has access to it without any hassle is a given. The only thing that matters is whether he knows a fence for information rather than just hardware.

And yes, those people exist...

Re:

[s31523]

The question is not whether information can be gained from the laptop, the only question is whether the thief has the brains to use it.

Or the motivation... There is a good chance the thief just took his/her booty to a pawn shop and sold it. The person who ends up buying the laptop from the pawn shop will most likely pop the latest Ubuntu Boot CD in and re-format (only a geek would buy a used laptop from a pawn shop). The laptop could have contained the answer to who really killed Kennedy, but, now it is really gone!

Seriously, the TSA is having a hissy about a few laptops that got stolen, but the reality is that probably hundreds of

Re:

[mlts]

Thieves are getting smarter though. Its on the news often how the data stolen on a laptop was worth millions. Even the local "swipe and run" guy at the university prowling the library for people who briefly leave their laptops unattended are becoming aware that the data on the laptop is just as valuable if not more than the hardware itself, so they will be more likely to find a partner in crime to extract the data from it for either selling to someone else for ID theft, or just outright extortion. If a t

Re:

[Opportunist]

Wiping a laptop without first checking its contents? Are you nuts? Especially a Geek would do anything to sniff around the HD, if only to add to his blog how a company sold a laptop without properly wiping it.

Re:

[squidfood]

So you boot the thing up and notice that you have a government laptop in your hands.

And if it's from one of the smart gov agencies that followed policies since the SSA lost some laptops, you may or may not notice that through BIOS it's phoned home provided it's been reported stolen, and you've got full disk encryption on your hands. Have fun!

The real question is why "smart" doesn't seem to extend to TSA and their contractors. Agency I contracted for mandated that over a year ago.

Re:

[RobertB-DC]

You steal a laptop. If you're not a complete dimwit, you first of all check what you got. So you boot the thing up and notice that you have a government laptop in your hands.

You're forgetting that most smash 'n grab thieves *are* complete dimwits. They're going to take the box to the pawn shop for cash for their next hit of a controlled substance. They couldn't undelete a file to save their life.

If someone has the wherewithal to undelete files and sell the contents to the Russian Mafia, they're not going

Re:

[Chris Mattern]

Yes, but the same token, the smash-n-grab junkie isn't going to reformat the drive and prep it to be fenced out to an end user, either. When it falls into the hands of somebody smart enough to do that prep work, chances are awfully good that that somebody will be smart enough to know it's worth checking what info the laptop already contains.

Chris Mattern

Re:

[Opportunist]

Maybe, but is his fence a dimwit? Few are, believe me that. A trader in used goods of shady sources has to be pretty smart or he won't be in business for long. And they usually smell a chance for more money if there is one.

Re:

[stephanruby]

You're forgetting that most smash 'n grab thieves *are* complete dimwits. They're going to take the box to the pawn shop for cash for their next hit of a controlled substance.

Agreed, but don't discount the pawn shop owners, or whomever buys the laptops from those pawn shops. You'd be surprised at how organized small crooks can become. Take for instance the Nigerian scammers, apparently there is an informal market of Nigerian scammers selling and trading leads with each other. So it doesn't matter if a scam

Re:

[Kjella]

Thinking like a real slashdotter. Remember that jury guy in the RIAA case that hadn't used the Internet? Well, most of the drifters, hobos, junkies, pickpockets and others doing most of the petty theft often don't really strike me as anywhere near qualified or interested. They're interested in moving it for some quick cash either to a fence or online, if sophisticated enough at that. That means the only thing they care about is not having a big "STOLEN" sign all over it, and it's plausible to format it to p

Re:

[Opportunist]

Yes, but he will probably not try to sell it himself. He will take it to some shady pawn shop, where the owner may have a lot more experience how to make the most out of the crap that comes to him, what parts he can sell and for how much.

And that "parts" includes the information.

Now that got me thinking

[suv4x4]

So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place

The data that goes out, why spend incredible efforts tracking every action of the victims in case it's a fraud.. versus, invalidating the data that went out?

Your social security number was leaked because of the government? The government changes your social security number, fixes their data, and the old one remains as a trap waiting for some fraudster wanna be try and use it.

Re:

[faloi]

The data that goes out, why spend incredible efforts tracking every action of the victims in case it's a fraud.. versus, invalidating the data that went out?

Because, right or wrong, that social security number is your magic number. It sounds simple to just invalidate it and get a new one. And if it were more like a credit card, it would be that simple. You run the risk of having to update one or two automatic payments out of your account, and that's about it. To get your social swapped, a bunch of gov

Social security numbers

[Jaxoreth]

Your social security number was leaked because of the government? The government changes your social security number, fixes their data, and the old one remains as a trap waiting for some fraudster wanna be try and use it.

Sounds good, but as with credit cards and bank account numbers it still ignores the unfathomable stupidity of requiring you to trust arbitrary third parties (e.g. merchants with whom you conduct business) with information that carries privileges only some of which you'd like to grant.

The so

As a Government Contractor

[Anonymous Coward]

I have to say that everybody is all for encrypting your laptop until you realize what that means. For us we are running Pointsec [checkpoint.com] (or as some people call it, PointSuck) on every laptop in the company. It's annoying because Pointsec is a dog to install and about 1 in 10 people who do end up having it crash before it reaches the magical 1% and have to rebuild their machine from scratch. They say it doesn't affect disk performance, but it is yet another layer of overhead that makes the Core2Duo based Laptops

Re:

[mlts]

I personally have not used PointSec, but I have had excellent results with other encryption programs, where you install, encrypt the boot/system volume (PGP can journal the encryption so a cold power failure won't juice the data), then not worry about it other than punching your password at bootup.

Performance wise, I've not noticed any slowdown (the bottleneck is the HDD rather than the encryption layer.)

Please don't discount WDE programs in general because one of them is underperforming. I have used WDE p

Re:

[david_thornley]

I was a contractor for over a year at a financial institution using Pointsec. There were three problems that I noticed.

First, it effectively rendered the machine single-user. It's perfectly possible for a Windows machine to have multiple users, each with their own passwords, but either Pointsec can't do this or wasn't configured to.

Second, when a disk goes it's apparently unrecoverable. I had one laptop get trashed for some reason during a central software install. It would start Pointsec, but then

In Soviet Russia........

[y86]

In Soviet Russian laptop encrypts you!

Re:

[MarkGriz]

"In Soviet Russian laptop encrypts you!"

Also in Soviet Russia.... they know how to make 'In Soviet Russia' jokes.

Re:

[ChrisMP1]

That's stupid. "In Soviet Russia" is supposed to contain some amount of wit, not just any random sentence reversed.

Oh, and don't drop big heavy objects on your head

[John Jorsett]

Guess some people have to be told what should have been obvious.

Easy encryption, but not with Windows

[RobertB-DC]

The latest versions of Puppy Linux [puppylinux.org] have an easy-as-pie way to encrypt everything. Just burn a CD, boot from it, then at shutdown you're prompted to save your session. You can save to the hard drive or any other storage device, and you have the option to encrypt the data.

Boot from the CD, and it'll find and load the data you stored. Enter your password (correctly, one would hope) and go. It doesn't get much simpler than that.

Of course, you can't use your insecure Windows "helpers". But if they were *really* concerned about data security... well, I won't go *there*.

Re:

[Curate]

Not with Windows??? Did you know that Vista (Enterprise and Ultimate, but not Home) comes with a full-disk encryption feature called BitLocker (http://en.wikipedia.org/wiki/Bitlocker)?

Ch-ching!

[bug]

The TSA can issue orders like that until it is blue in the face. If it ain't in the contract, and it ain't in the Federal Acquisitions Regular (FAR), then the only way this happens is if TSA (in other words, the taxpayer) chooses to *pay* for it to happen.

Effective solutions?

[WPIDalamar]

Are there any real-world effective laptop encryption solutions?

Encryption requiring a simple password:
    They key space will be limited making for easy cracking.

Encryption requiring a sufficiently complex password to avoid above:
    The password will be too hard to remember so people will write it down... on a sticky note on the laptop.

Encryption requiring an external device to supply complex key:
    This will fail because many people will either attach the device to the laptop, or keep it in the same bag as the laptop.

I guess the simple password solution is the best since it would at least require a degree of technical expertise from the thief to get around.

Re:

[jandrese]

Most of the military is going towards the CAC Card [wikipedia.org], which is good because since it is your badge you have to take it with you when you go somewhere (you can't just leave it plugged into your workstation when you stand up to go somewhere, because eventually a guard will stop you and ask why you're not wearing your ID, and then you're in trouble).

Now they have a lot of issues with their implementation currently, but the underlying concept is a good one.

Re:

[mlts]

The best compromise for this I've seen is a hardware token. Of course, people are likely going to keep it in the same container as the laptop, but most hardware tokens can be configured to render themselves inoperable after a number of wrong password attempts.

Now, even if someone has the token and the laptop, they have 3-15 tries to guess the password on the token, and usually that password is 8 characters or more.

Re:

[cadeon]

Are there any real-world effective laptop encryption solutions?

Are there any real-world effective encryption solutions, period?
Encryption, overall, is a slippery slope of hate and doom. The only way (currently) to encrypt something is to use a key that's long enough to take a 'really really long time' to guess. Unfortunately, 'really really long time' shortens with growing processor power.

It wasn't all that long ago that we were using 40bit encryption for online banking. . . now that's unthinkable, we

Bitlocker?

[Anonymous Coward]

Wouldn't a laptop with a TPMv1.2 chipset and Bitlocker fix this? Can't crack the password db since it's encrypted. Only two ways in: stonewall the 40 number recovery key in vitro or guess the luser's password in vivo. Both a tough nut to crack.

Theft OR loss?

[Ethanol-fueled]

I like how TFS says "theft OR loss". Which one is it? Are they trying to shrug off accountability or are they just idiots?

Re:

[kiore]

Overall it's probably theft and loss.

For each individual laptop it is either theft, or it is loss.

For some laptops it isn't known which.

Some laptops may have even have been both lost and stolen.

Then there's Schoedinger's laptop ...

Truecrypt!

[NitroWolf]

I use Truecrypt [truecrypt.org] to encrypt a partition on a drive and store all of my documents there. It's transparent to the user, once you've mounted your volume(s) and it's pretty danged fast, too. You can do encryption with Twofish, Serpent and AES or a cascading combination of them. Pretty damned secure, opensource and free.

You can even encrypt a whole device. If you do that, it just looks like a blank volume and a thief won't even know there is data on the volume to be decrypted.

Re:

[mordeith]

what about bootlocking or drive locking....is that gonna help with security....

Re:

[mlts]

Boot locking, as in setting a hard disk password in the security section of BIOS?

Setting a hard disk password (all IDE and SATA hard disks made since 2001 or so have the ability to require a password before access is granted) is decent security, however how truly secure it is, is debatable. Some people have claimed there are backdoors and universal passwords, others have claimed that only a low level recovery service that has the clean room and tools to look at the actual bits stored on the platters can ac

Re:

[mordeith]

ahh mosta the laptops ive had to work on in the last 10 yrs or so have been bootlocked in one way or another....i appreceate your responce...i tell my clients and family to bootlock and drivelock there laptops...wit both #ers n letters...insofar ive not found an easy not destructive way of defeating it....as for backdoor passwords ive riun your typacal library brute force attacks against the usual ones...to no avail....my personal info isnt on hardisk anywhere that isnt truecrypted or somesuch.....what abou

Re:Truecrypt!

[mlts]

TrueCrypt is an excellent program, the devs have put a lot of thought into every aspect of security. I use it for encrypting external drive volumes completely so if someone does a smash and grab on my stuff, they will end up with hardware, but the data is protected by a passphrase and a keyfile stored on the (WDE encrypted, using a hardware token) boot drive.

The biggest thing to remember with TrueCrypt, if you lose the first 1024k or so of an encrypted volume, you have completely lost the volume because the first part contains the encryption key (or keys) for the rest of the data. ALWAYS back up the volume headers (they are encrypted with the same mechanism as the volume itself, so they just need to be stored safely) of all critical volumes.

Of course there will be people saying that "I don't use encryption programs, I have nothing to hide." That is analogous to saying "Don't have a front door as you might has something to hide." Its not the governments these programs are for (most governments can obtain the decryption key via other means including a rubber hose), its thieves. These days, TrueCrypt and other security programs are highly necessary to keep a $1000 laptop from becoming a loss of many thousands in ID theft.

Re:

[maxume]

When you view your documents, how do you go about making sure that none of the data in them gets shoved into virtual memory?

Is Truecrypt really secure? Does it compress data?

[KWTm]

Something funny happened with my Truecrypt today.

I agree with the parent and sibling postings that Truecrypt is a great program to have, and I use it all the time. I set all my Truecrypt volume sizes to equal 650MB, so that I can burn it to CD-ROM easily (e.g. archived copies of my finances, etc.). The fixed size means that someday I can pick a few of my Truecrypt volumes to include a hidden volume [truecrypt.org], but most of them won't have hidden volumes --but any attacker can go spin his wheels trying to look for a h

Re:Is Truecrypt really secure? Does it compress da

[WuphonsReach]

TrueCrypt encrypts at the *block* level, not the file level. Whatever the OS tells it to write to a particular block, it writes.

So format the TrueCrypt partition with NTFS and turn on folder compression if you want additional compression.

Re:

[pev]

So you've stored your documents on an encrypted partition. What happens to all the "~wrdxxxx.tmp" temp files then? Generally they're in your user or windows's temp directories and probably have all sorts of recoverable juicy info. I'm not convinced that anything other than full disk encryption (pref in hardware) is really worth the effort...

~Pev

FDE works too..

[rickb928]

Most Thinkpads support something like Full Disk Encryption. Password in the BIOS, and you can't boot without it. The disk is literally unusable without the password.

My gig at I%$&#, they had me write my FDE password down and give it to the nice Systems tech. That way, when I left, they could recover the disk and reissue the machine after the usual shredding and wiping.

Without it, they would have to throw out the drive and buy a new one.

And yes, you need to remember your password. This you write down and leave at home, or with the Keymaster in the office, or your boss.

Honestly, this is not that hard.

Re:

[Creepy Crawler]

Thats just an ATA password, as enclosed with the ATA spec. That means without that password, the HD motor just doesnt start up.

All you need is disk microscopy to recover data. Just send it offshore to a semi-legitimate firm for data restoration on backup DVDs. It'll cost a thousand or so.

Re:

[rickb928]

On the Thinkpad I used, the FDE password was not just an ATA password. the drive it self was encrypted with this, and not having it meant the drive was unreadable on any system.

I may have mislead you. It isn't a BIOS password, it's a pre-boot password. No password, no boot. It just cycles through another POST and askes for the password after the retries wear out.

If it were just an ATA password, what good would that do?

Re:

[Creepy Crawler]

An ATA password is kept on a certain part of the disk that is normally inaccessible. The HD will not work if you dont provide that ATA password, whether or not you switch machines with that HD.

Re:

[kasperd]

The disk is literally unusable without the password.

I consider that to be a design flaw. It should be possible to change the password without knowing the old one, but of course doing so would mean all data on the disk were lost. But are you really sure the disk encrypted the data? And could you verify the quality of the encryption? Maybe flashing a new firmware on the drive would have allowed you to bypass the protection.

Re:

[rickb928]

My understanding (and we grilled our supervisor on this one - he was good) is that flashing the drive would REQUIRE the password. But even if it didn't, the data is encrypted. If the password is on the drive firmware, flashing it would lose the password and woops, no data.

This is the hardware encryption scheme - supposedly, even if you put the drive in another Thinkpad, that chip has a different hardware key and even the right password won't decrypt. So it encrypts data onto the drive.

Yes, you could send

TSA stands for

[sheldon]

Thousands Standing Around

Who should pay for the identity theft coverage?

[GuyverDH]

"So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves
"

In my opinion, any company, corporation, organization or government entity that misplaces (through loss or theft) sensitive financial data should be responsible for paying for identity theft coverage for as long as the potentially affected individuals live. Then maybe they wouldn't be so damned quick to store all of that data or just hand it out to every contracter they hire.

Telling someone "So sorry, we lost a disk with all of your credit-card numbers, social-security number, personal history. We sugge

Guilty!

[Wolfger]

Seeing has how the mere act of encrypting data has been used in court to establish guilt, I'm thinking I don't want to be one of the TSA's contractors.

Re:

[david_thornley]

Seeing has how the mere act of encrypting data has been used in court to establish guilt

Has it been? The only case I've heard of that being alleged was one here in Minnesota, where the prosecution said that somebody who committed whatever crime would almost certainly have an encryption program. It was of no more significance, than, say, car color. If a crime is committed, and the getaway car is described as a blue compact, then if I come under suspicion the fact that I drive a blue compact is relevant

Re:

[Wolfger]

I misspoke, slightly, in my original post. From one of several news articles:

A Minnesota appeals court has ruled that the presence of encryption software on a computer may be viewed as evidence of criminal intent.

If the mere presence of encryption software can be used as evidence of criminal intent, it's unethical (and, arguably, criminal) for the TSA to require contractors to encrypt the data on their computers.