Slashdot Mirror
U.S. Gov't To Use Full Disk Encryption On All Computers
To address the issue of data leaks of the kind we've seen so often in the last year because of stolen or missing laptops, writes Saqib Ali, the Feds are planning to use Full Disk Encryption (FDE) on all Government-owned computers. "On June 23, 2006 a Presidential Mandate was put in place requiring all agency laptops to fully encrypt data on the HDD. The U.S. Government is currently conducting the largest single side-by-side comparison and competition for the selection of a Full Disk Encryption product. The selected product will be deployed on Millions of computers in the U.S. federal government space. This implementation will end up being the largest single implementation ever, and all of the information regarding the competition is in the public domain. The evaluation will come to an end in 90 days. You can view all the vendors competing and list of requirements."
Well, on the one hand, it's a good idea to encrypt machines that contain sensitive data.
On the other hand, this is just a bandaid on their terrible information policy...The reason that they have to encrypt a zillion machines is because they store sensitive personal data on a zillion machines. Then there are multiple operating systems, levels of security, etc. All this means that compromising one machine will still be pretty easy, because when you have encryption on the crappy desktop in the mailroom where everyone surfs porn, you stop taking it seriously.
They could kill the whole problem by centralizing their data stores, and developing some secure web interfaces across enhanced encryption. That way, instead of trying to encrypt every machine, you could encrypt 50 data centers and control access locally...Hell, if I were the government I'd push all my software needs toward think clients and terminal services anyway...The average user doesn't need more, and that makes all your security problems more managable.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Tell the truth and you won't have so much to remember.
Meh, they try to hide stuff all the time now, and how many things do we find out because someone left it written up on a poorly secured computer? Government "transparency" always depends on people on the inside leaking the information.
On the other hand, they're losing laptops full of veteran's records on a monthly basis. Either they need to take better care of the data, or they need to put tighter controls on who has access to the data.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
What about page files/swap space, application generated temporary files etc. There are plenty of places that potentially sensitive information could leak into on just about any OS.
It's not about having something to hide, it's about protecting the info present within. How many gov't laptops containing personal information of citizens or groups have been stolen in recent history?
Large corporations that deal with private data from their customers should also be required to use full-disk encryption as well. In fact, I recommend some form of encryption for sensitive data to everyone.
"Lame" - Galaxar
Granted, it should be spent regardless as government information about private citizens (i.e., social security numbers) should be protected at all costs
Well, this should be fully analyzed to see whether it's actually going to protect anything, or whether it's just "Something must be done! This is something my brother who runs this one company told me about, therefore we must do it!" For instance, laptops are involved in the majority of data loss cases. If someone suspends a laptop and sets it down somewhere, will the OS purge the key from memory so that when Evil Dude picks it up he can't simply resume with full access to the drive? What about cases where people close the lid thinking the laptop will automatically hibernate, but for whatever reason it doesn't?
Here's a thought for you: how much would it cost me to get the government to quit putting sensitive information on so many laptops?
If I have been able to see further than others, it is because I bought a pair of binoculars.
I am very sorry if my lack of grammer offended you.
I am very busy at work and suffer under the delusion that the idea of electronic communication is to get ones point accross and not to have it reviewed for grammer, spelling or punctuation or to be saved for posterity.
Just for the record, your paragraphs are too short, you did not reference your source material, and, oh-by-the-way, you (I guess I should say "we" now) are off topic.
Good question. I'd guess no. Part of the allure for the gov't in contracting out to private firms is that the gov't can delegate accountability to the contractor. "It wasn't our fault the terrorists/indentity thieves/Germans got the personal details of every registered voter/sex offender/childcare provider in Idaho, it's the fault of ACME Inc. They told us they were secure! It's right here in their sales pitch document! Let's lynch 'em!"
It's actually more secure to have an essentially random password that people secure on a laminated card in their wallet (appropriately obfuscated of course) than have passwords that people can easily remember. When you think about it, people are actually very good at securing their wallet independently of their laptops.
Fear: When you see B8 00 4C CD 21 and know what it means
ACC is not quite that bad (yet). 9 char pwd. We ARE, however, going to the Standard Desktop Configuration (SDC) as of Jan 31. No admin accounts, no Outlook webmail, everything very much locked down. Which is fine for 99% of the poeple out there, but as a developer, I find it a real a real PITA.
"What?? I can't change the clock on the PC? How am I supposed to test this function that generates a string based on the time?"
"What? I can't defrag my own harddrive?"
"What? I can't create a folder in C:\?"
The SDC is good, but damn...some of us need a little more.
How this will probably work is the end solution uses a smart card to do some authentication and key storage.
All gov't employees will at some point get an ID card similar to the Common Access Card. This will have a number of public keys on it. One of which probably decrypts their workstation.
The U.S. gov't is building the capacity to issue millions of smart cards on their own. See this: http://www.fcw.com/article94813-06-07-06-Web There was a proper publicly available contract up for bid for this project but it wouldn't surprise me if it has been pulled in favor of a no-bid award.
Before anyone says, "Well it should be a secret! What if the terrists get a badge?!" There are two things to remember.
1. Lots of bad people have proper ID in their country of choice. Identification has little if any relationship to their activities. The failure points remain the usual human factors out in the field.
2. There's no need for secrecy in the production environment. Every half-decent perso system/PKI properly manages such an obvious point of failure. If a Visa-certified card plant can manage to keep track of 10's of millions of cards anyone can. It's not rocket science.
I for one welcome our fully encrypted overlords.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Maybe things are so mixed up on Windows that you need full disk, but on OS X, Linux, and other Unixes it should be sufficient to encrypt only the home directory of users.
should be? You gonna personally guarantee that every possible Linux and Mac application store all of their information in the same place? If we're talking "should be"'s, then there wouldn't be this problem in the first place, because no sensitive data should be stored on laptops that walk out of buildings. "Should be" is what causes these problems in the first place.
This is absolutely the right thing to do.
I can however confidently predict that since a very large number of people are involved in making the decision, the worst possible product will be chosen.
So it won't be TrueCrypt, or something decent - it'll be something like the latest commerical version of PGP.
Not a troll. If your system is appropriately configured, you (and your applications) won't be *allowed* to save things anywhere on the local drive other than your home directory. Temp and swap space are also good candidates for encryption -- but putting temp space in a ramdisk and encrypting swap is a pretty reasonable way to do this. Anything other than those should be code, not data -- and thus nonsensitive. Why spend the cycles to encrypt and decrypt without a need to do so?
All that said, I think that giving a contract like this to a commercial vendor developing proprietary software would be... unfortunate. Funding addition of missing, necessary features to TrueCrypt would be a one-time expense (rather than one which scales with the number of systems deployed), and would benefit the private sector as well.
I hate to sound like a dick, but....good!
By being forced to develop your software as a restricted user, you're forced to ensure that your software will run with restricted user privileges. You're forced to use the proper means of determining the user's home directory, their temp directory, etc. You're forced to use the HKCU registry to store any registry items. You're forced to make the software multiuser-capable.
That's the way it should be. If most software had been written like that from the beginning, Windows would probably be a lot more secure for the general population because they would be able to comfortably run as a restricted user and know that all their software would Just Work.
So while it may be more painful as a developer to run as a restricted user, the pain does have a rather substantial payoff. Hopefully that'll make the pain a bit more bearable.
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
Uh, bad example. Good design would normally dictate you prototype this function as follows:
char* generate_string(time_t time);
Now you can call it using the output of time(), or in a unit test, try a bunch of different time_t values. What, were you going to have your unit test keep changing your system time?
Then, if you area always going to call it using the current time, simply write a small wrapper that does just that.
No comment.
Fist you give them Quad-Core AMD/Intel 3GHz Cpus
Then you give them Ultra-speedy flash memory HDDs and lots of Ram
And only then can you find back that speed feeling you had when you first launched Win95...
BTW, you forgot something :
"each file is decrypted, scanned" then encrypted again into a secure memory heap with a random location in Ram then reinterpreted and decrypted from memory by the CPU for processing "and then viewed" on a secured, shielded screen that itself is decrypting the secured data transmission from the HDMI so you can't divert the data to a VCR/PVR.
Also you are using a laser-interrupt shielded keyboard with a white noise generator, so we cannot infer the electromagnetic blip from hitting a key or reconstruct the words from typing noise frequency, a hardened mouse so you can hit and strangle the person who tried to read above your shoulder all that super secure multi-encrypted BBC newsfeed you have on your 7 vision angle screen.
Gosh I hope you also encrypt all internal network traffic with a multi-gigabit differential quantum thingy. that all you network equipment is in the hardened nuclear bio hazard bunker, with all Cat 10 titanium head hardened Ethernet cables screwed/glued/welded to the unapprochable High Voltage Switch (220 V on the inside, 10000V on the outside).
BTW, now that we finished securing you infrastructure, can you please remind me what OS you are using ?
[evil joy] MU HAH HAH HAH HAH [/evil joy]
It takes 40+ muscles to frown, but only four to extend your arm and bitchslap the motherfucker
There's a myth out there that the hardest part of technology is understanding the technology. That's certainly a part of it, but there's a lot more too it than that. You have to have funding or know how to get funding. You have to know how to run a company, or find someone that does. You also obviously have to take a lot of personal risk.
Maybe the GP has all those skills and is willing to take the risk, maybe he doesn't. The point is though that the lure of making more money, or having more control over the product isn't necessarily enough.
AccountKiller
If someone read Applied Cryptography or another text, then put concepts learned into practice, I wouldn't mind using a product made from them.
What gets me is that PGP isn't competing for this DoD bid. Of all the FDE solutions I have used, I like PGP's because it offers not just a PKI, but an open, standardized PKI that has stood the test of time. This is not to say that other FDE software isn't good. Safeboot, SecureDoc, DriveCrypt, and CompuSec are all very good solutions too.
What is funny is that FDE solutions have been around a long time, almost to the days of PGP 1.0. In 1990, Casady and Greene had a program called A. M. E. (Access Managed Environment) for the Mac that would DES encrypt every sector on the hard disk. FWB also had a solution using their Hard Disk Toolkit for partition encryption on the driver level (only used 2 DES rounds though.)
Re: Multiple user entries:
Not initially, but I believe the current version does so.
The boot sequence is to load (from a reserved area) the FDE sw which first tries to verify that it is running in plain unprotected DOS mode, then it takes over the keyboard hw so that it can read keystrokes without risking a trojan/keylogger attack.
After getting the password/passphrase it uses this to decrypt the user entry which contains the master disk key: If this doesn't succeed it goes into a sw timeout loop, taking progressively longer each time, before letting you retry.
When Windows loads, it must run in bios mode, until the protected mode crypto driver can be loaded.
Terje
"almost all programming can be viewed as an exercise in caching"
But there's only a couple of IT contractors who handle stuff like this.
People need to understand this. Government rules, regulations and procedures disqualify most possbible bids. Only those companies *specialized* in government contracts get these jobs. In addition, the margins on these jobs are so small, that larger companies have a huge advantage in the bidding process. Throw in several layers of lawyers and you end up with a system several realities removed from any semblance of a market.
Don't blame me, I didn't vote for either of them!
Swap is encrypted on its own, in a smarter way.
/tmp is held in memory and never written to the disk (if appropriately configured)
/usr/tmp?
/var/tmp or somewhere else; the effect is the same. /usr is a read-only filesystem.
/usr read-only. Historically, /usr was what /home is today. But people created /var instead.
/etc and /usr/etc, log info in /var/log, and databases in /var, /usr, and other /home directories; those may, in fact, contain a lot of the sensitive information on the machine.
Bullshit.
Bullshit. Not only is that not the case on most systems, it's a lousy idea.
What kind of fucked up unix has a
Historically, just about every UNIX system. On other systems, it's
In recent years, many distributions have made
Again, in addition to all that, there are keys and networking info in
Overall, the fact remains: no matter which particular directory layout your UNIX system happens to use, you're a moron if you think that encrypting your home directory is sufficient for keeping private data private. Whole disk encryption is necessary.
You can't just go installing full disk encryption based on some open source solution that might or might not get updated
Right. So you make sure it gets updated. By paying someone to make sure it gets updated. How does paying a third party to sell you a proprietary solution make you less amenable to misfortune than maintaining the effort directly? I'd trust a publically funded open venture far more than I'd trust any shrinkwrap binary. Leading commercial vendors go belly up all the time. Then what do you have? On the other hand, F/OSS solutions can be maintained as long as necessary. Furthermore, if the specifications are open, there can be real competition to produce the best implementation. If the solution is proprietary, there's really no competition at all.
Stop using my taxes to subsidize crapware.