BreachExchange mailing list archives
Re: (article) "We recovered the laptop!" ... so what?
From: "B.K. DeLong" <bkdelong () pobox com>
Date: Fri, 16 Feb 2007 08:32:21 -0500
It's funny - PKI and Key Management has been (mostly) mastered by the military and intelligence services (or at least taken VERY seriously the past few years)... you'd think the business world would have looked to them by now for guidance.

On 2/16/07, Adam Shostack <adam () homeport org> wrote:
When we wanted to perform m of n key backup for the master keys at Zero Knowledge Systems, there was nothing commercially available. Is there anything now? I'm unaware of anyone who uses m of n sharing in the real enterprise systems. Please enlighten me.

On Wed, Feb 14, 2007 at 10:03:41PM -0500, sawaba wrote:
| When serious encryption is needed, key management is as important as the algorithm and key strength used. Most people have seen in the movies when it takes multiple keys turned at the same time to activate the firing mechanism for a nuclear weapon. It is similar in many enterprise data encryption situations (minus the threat of worldwide destruction). M of N key management requires a certain minimum number (say 3 of 6) of custodians to input their piece of the key to decrypt the data.
|
| Obviously, this doesn't work when you need to log into your laptop ("yeah Bob, this is Mike, could you come down to Starbucks and log me in again? I went to the bathroom and it powered off while I was gone"). So, we come back to the fact that certain kinds of data shouldn't be on laptops in the first place.
|
| --Sawaba
|
| On Tue, 13 Feb 2007, Adam Shostack wrote:
|
| >Speaking for myself here. As I understand things:
| >
| >Certain versions of Vista (I think Ultimate and Enterprise) include Bitlocker whole drive encryption. It's not on by default because of issues about key management. So just upgrading to Vista, in and of itself, doesn't change anything.
| >
| >Bitlocker itself has a bunch of modes, ranging from keys stored in a TPM and unlocked with a PIN, to keys stored on the hard drive and unlocked with a password. How you actually protect the encryption keys might be seen as important. I don't know if anyone has done a comparison against state laws.
| >
| >Adam
| >
| >On Tue, Feb 13, 2007 at 07:34:43AM -0500, Herve Roggero wrote:
| >| Let me give an example: If I do business in California, and my unencrypted laptop gets stolen with 100,000 SSNs in it, stored in clear text. I need to disclose this loss and reach out to 100,000 people to comply with SB 1386.
| >|
| >| Now, if I upgrade my laptops to MS Vista, can I get away with it?
| >|
| >| I'm only asking as I am seeing an interesting response from CXO individuals looking at MS Vista as a solution to their laptop/legal issues. If there is no official technical workaround to this encryption and it takes thousands or millions of years to crack, then it may fall under the "reasonable" steps to protect information and become a powerful tool for businesses looking to comply.
| >|
| >| Thank you
| >|
| >| Herve Roggero
| >| Managing Partner, Pyn Logic LLC
| >| Cell: 561 236 2025
| >| Visit www.pynlogic.com
| >|
| >-------------------------------------------------------------------------------
| >| From: blitz [mailto:blitz () strikenet kicks-ass net]
| >| Sent: Monday, February 12, 2007 8:14 PM
| >| To: Herve Roggero
| >| Cc: dataloss () attrition org
| >| Subject: RE: [Dataloss] (article) "We recovered the laptop!" ... so what?
| >|
| >| Ok, so you've got a copy of an encrypted disk to crack at your leisure. The data is still compromised and in someone else's hands, and they have no idea if it's secure or not.
| >| That still counts as a loss in my book.
| >|
| >| At 08:54 2/12/2007, you wrote:
| >|
| >| Hi everyone
| >|
| >| This thread is very interesting. All techniques so far deal with reading data at a low level. Will Windows Vista prevent techniques such as Symantec Ghost? I understand that Vista performs bit-level encryption with its BitLocker technology.
| >|
| >| Thanks.
| >|
| >| Herve Roggero
| >| Managing Partner
| >| Pyn Logic LLC
| >| Visit www.pynlogic.com
| >|
| >
| >| _______________________________________________
| >| Dataloss Mailing List (dataloss () attrition org)
| >| http://attrition.org/dataloss
| >| Tracking more than 148 million compromised records in 573 incidents over 7 years.
| >
--
B.K. DeLong (K3GRN)
bkdelong () pobox com
+1.617.797.8471
http://www.wkdelong.org Son.
http://www.ianetsec.com Work.
http://www.bostonredcross.org Volunteer.
http://www.carolingia.eastkingdom.org Service.
http://bkdelong.livejournal.com Play.
PGP Fingerprint: 38D4 D4D4 5819 8667 DFD5 A62D AF61 15FF 297D 67FE
FOAF: http://foaf.brain-stream.org
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 148 million compromised records in 576 incidents over 7 years.