BreachExchange mailing list archives
Re: (article) "We recovered the laptop!" ... so what?
From: Adam Shostack <adam () homeport org>
Date: Sat, 17 Feb 2007 16:28:14 -0500
I don't believe that's effectively multi-person control of the data in
the fashion that your nuclear launch analogy evokes. It may be
multi-person or multi-factor initialization, but once the system is up
and running, there are in-memory processes which have access to all
the data on the disk.

On Fri, Feb 16, 2007 at 11:21:50PM -0500, sawaba wrote:
| Many enterprise disk encryption appliances use M of N key sharing, such as
| those from Decru and Neoscale. Password-protected smart cards are used to
| store the key shares.
|
| --Sawaba
|
| On Fri, 16 Feb 2007, Adam Shostack wrote:
|
| >When we wanted to perform m of n key backup for the master keys at
| >Zero Knowledge systems, there was nothing commercially available. Is
| >there anything now? I'm unaware of anyone who uses m of n sharing in
| >the real enterprise systems. Please enlighten me.
| >
| >
| >On Wed, Feb 14, 2007 at 10:03:41PM -0500, sawaba wrote:
| >| When serious encryption is needed, key management is as important as the
| >| algorithm and key strength used. Most people have seen in the movies when
| >| it takes multiple keys turned at the same time to activate the firing
| >| mechanism for a nuclear weapon. It is similar in many enterprise data
| >| encryption situations (minus the threat of worldwide destruction). M of N
| >| key management requires a certain minimum number (say 3 of 6) of
| >| custodians to input their piece of the key to decrypt the data.
| >|
| >| Obviously, this doesn't work when you need to log into your laptop ("yeah
| >| Bob, this is Mike, could you come down to Starbucks and log me in again? I
| >| went to the bathroom and it powered off while I was gone"). So, we come
| >| back to the fact that certain kinds of data shouldn't be on laptops in the
| >| first place.
| >|
| >| --Sawaba
| >|
| >| On Tue, 13 Feb 2007, Adam Shostack wrote:
| >|
| >| >Speaking for myself here. As I understand things:
| >| >
| >| >Certain versions of Vista (I think Ultimate and Enterprise) include
| >| >Bitlocker whole drive encryption. It's not on by default because of issues
| >| >about key management. So just upgrading to Vista, in and of itself,
| >| >doesn't change anything.
| >| >
| >| >Bitlocker itself has a bunch of modes, ranging from keys stored in a
| >| >TPM and unlocked with a PIN, to keys stored on the hard drive and
| >| >unlocked with a password. How you actually protect the encryption
| >| >keys might be seen as important. I don't know if anyone has done a
| >| >comparison against state laws.
| >| >
| >| >Adam
| >| >
| >| >On Tue, Feb 13, 2007 at 07:34:43AM -0500, Herve Roggero wrote:
| >| >| Let me give an example: If I do business in California, and my unencrypted
| >| >| laptop gets stolen with 100,000 SSNs in it, stored in clear text. I need to
| >| >| disclose this loss and reach out to 100,000 people to comply with SB 1386.
| >| >|
| >| >| Now, if I upgrade my laptops to MS Vista, can I get away with it?
| >| >|
| >| >| I'm only asking as I am seeing an interesting response from CXO individuals
| >| >| looking at MS Vista as a solution to their laptop/legal issues. If there is no
| >| >| official technical workaround to this encryption and it takes thousands or
| >| >| millions of years to crack, then it may fall under the "reasonable" steps to
| >| >| protect information and become a powerful tool for businesses looking to
| >| >| comply.
| >| >|
| >| >| Thank you
| >| >|
| >| >| Herve Roggero
| >| >|
| >| >| Managing Partner, Pyn Logic LLC
| >| >|
| >| >| Cell: 561 236 2025
| >| >|
| >| >| Visit www.pynlogic.com
| >| >|
| >| >| -------------------------------------------------------------------------------
| >| >|
| >| >| From: blitz [mailto:blitz () strikenet kicks-ass net]
| >| >| Sent: Monday, February 12, 2007 8:14 PM
| >| >| To: Herve Roggero
| >| >| Cc: dataloss () attrition org
| >| >| Subject: RE: [Dataloss] (article) "We recovered the laptop!" ... so what?
| >| >|
| >| >| Ok, so you've got a copy of an encrypted disk to crack at your leisure. The data
| >| >| is still compromised and in someone else's hands, and they have no idea if it's
| >| >| secure or not.
| >| >| That still counts as a loss in my book.
| >| >|
| >| >| At 08:54 2/12/2007, you wrote:
| >| >|
| >| >| Hi everyone
| >| >|
| >| >| This thread is very interesting. All techniques so far deal with reading data at
| >| >| a low level. Will Windows Vista prevent techniques such as Symantec Ghost? I
| >| >| understand that Vista performs bit-level encryption with its BitLocker
| >| >| technology.
| >| >|
| >| >| Thanks.
| >| >|
| >| >| Herve Roggero
| >| >| Managing Partner
| >| >| Pyn Logic LLC
| >| >| Visit www.pynlogic.com
| >| >|
| >| >| _______________________________________________
| >| >| Dataloss Mailing List (dataloss () attrition org)
| >| >| http://attrition.org/dataloss
| >| >| Tracking more than 148 million compromised records in 573 incidents over 7 years.
| >| >
| >| >_______________________________________________
| >| >Dataloss Mailing List (dataloss () attrition org)
| >| >http://attrition.org/dataloss
| >| >Tracking more than 148 million compromised records in 573 incidents over 7 years.
| >| >
| >
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 148 million compromised records in 576 incidents over 7 years.
Current thread:
- Re: (article) "We recovered the laptop!" ... so what? Max Hozven (Feb 12)
- Re: (article) "We recovered the laptop!" ... so what? B.K. DeLong (Feb 12)
- <Possible follow-ups>
- Re: (article) "We recovered the laptop!" ... so what? Herve Roggero (Feb 12)
- Re: (article) "We recovered the laptop!" ... so what? Al Mac (Feb 12)
- Re: (article) "We recovered the laptop!" ... so what? blitz (Feb 13)
- Re: (article) "We recovered the laptop!" ... so what? Herve Roggero (Feb 13)
- Re: (article) "We recovered the laptop!" ... so what? Adam Shostack (Feb 13)
- Message not available
- Re: (article) "We recovered the laptop!" ... so what? Adam Shostack (Feb 16)
- Re: (article) "We recovered the laptop!" ... so what? B.K. DeLong (Feb 16)
- Re: (article) "We recovered the laptop!" ... so what? sawaba (Feb 16)
- Re: (article) "We recovered the laptop!" ... so what? Adam Shostack (Feb 17)
- Re: (article) "We recovered the laptop!" ... so what? sawaba (Feb 19)
- Re: (article) "We recovered the laptop!" ... so what? Chris Walsh (Feb 13)
- Re: (article) "We recovered the laptop!" ... so what? security curmudgeon (Feb 13)
- Re: (article) "We recovered the laptop!" ... so what? Chris Walsh (Feb 13)
- Re: (article) "We recovered the laptop!" ... so what? sawaba (Feb 14)
- Re: (article) "We recovered the laptop!" ... so what? sawaba (Feb 14)