Slashdot Mirror
U.S. Gov't To Use Full Disk Encryption On All Computers
To address the issue of data leaks of the kind we've seen so often in the last year because of stolen or missing laptops, writes Saqib Ali, the Feds are planning to use Full Disk Encryption (FDE) on all Government-owned computers. "On June 23, 2006 a Presidential Mandate was put in place requiring all agency laptops to fully encrypt data on the HDD. The U.S. Government is currently conducting the largest single side-by-side comparison and competition for the selection of a Full Disk Encryption product. The selected product will be deployed on Millions of computers in the U.S. federal government space. This implementation will end up being the largest single implementation ever, and all of the information regarding the competition is in the public domain. The evaluation will come to an end in 90 days. You can view all the vendors competing and list of requirements."
Well, on the one hand, it's a good idea to encrypt machines that contain sensitive data.
On the other hand, this is just a bandaid on their terrible information policy...The reason that they have to encrypt a zillion machines is because they store sensitive personal data on a zillion machines. Then there are multiple operating systems, levels of security, etc. All this means that compromising one machine will still be pretty easy, because when you have encryption on the crappy desktop in the mailroom where everyone surfs porn, you stop taking it seriously.
They could kill the whole problem by centralizing their data stores, and developing some secure web interfaces across enhanced encryption. That way, instead of trying to encrypt every machine, you could encrypt 50 data centers and control access locally...Hell, if I were the government I'd push all my software needs toward think clients and terminal services anyway...The average user doesn't need more, and that makes all your security problems more managable.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
Tell the truth and you won't have so much to remember.
Meh, they try to hide stuff all the time now, and how many things do we find out because someone left it written up on a poorly secured computer? Government "transparency" always depends on people on the inside leaking the information.
On the other hand, they're losing laptops full of veteran's records on a monthly basis. Either they need to take better care of the data, or they need to put tighter controls on who has access to the data.
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
It's not about having something to hide, it's about protecting the info present within. How many gov't laptops containing personal information of citizens or groups have been stolen in recent history?
Large corporations that deal with private data from their customers should also be required to use full-disk encryption as well. In fact, I recommend some form of encryption for sensitive data to everyone.
"Lame" - Galaxar
It's actually more secure to have an essentially random password that people secure on a laminated card in their wallet (appropriately obfuscated of course) than have passwords that people can easily remember. When you think about it, people are actually very good at securing their wallet independently of their laptops.
Fear: When you see B8 00 4C CD 21 and know what it means
ACC is not quite that bad (yet). 9 char pwd. We ARE, however, going to the Standard Desktop Configuration (SDC) as of Jan 31. No admin accounts, no Outlook webmail, everything very much locked down. Which is fine for 99% of the poeple out there, but as a developer, I find it a real a real PITA.
"What?? I can't change the clock on the PC? How am I supposed to test this function that generates a string based on the time?"
"What? I can't defrag my own harddrive?"
"What? I can't create a folder in C:\?"
The SDC is good, but damn...some of us need a little more.
This is absolutely the right thing to do.
I can however confidently predict that since a very large number of people are involved in making the decision, the worst possible product will be chosen.
So it won't be TrueCrypt, or something decent - it'll be something like the latest commerical version of PGP.
Not a troll. If your system is appropriately configured, you (and your applications) won't be *allowed* to save things anywhere on the local drive other than your home directory. Temp and swap space are also good candidates for encryption -- but putting temp space in a ramdisk and encrypting swap is a pretty reasonable way to do this. Anything other than those should be code, not data -- and thus nonsensitive. Why spend the cycles to encrypt and decrypt without a need to do so?
All that said, I think that giving a contract like this to a commercial vendor developing proprietary software would be... unfortunate. Funding addition of missing, necessary features to TrueCrypt would be a one-time expense (rather than one which scales with the number of systems deployed), and would benefit the private sector as well.
I hate to sound like a dick, but....good!
By being forced to develop your software as a restricted user, you're forced to ensure that your software will run with restricted user privileges. You're forced to use the proper means of determining the user's home directory, their temp directory, etc. You're forced to use the HKCU registry to store any registry items. You're forced to make the software multiuser-capable.
That's the way it should be. If most software had been written like that from the beginning, Windows would probably be a lot more secure for the general population because they would be able to comfortably run as a restricted user and know that all their software would Just Work.
So while it may be more painful as a developer to run as a restricted user, the pain does have a rather substantial payoff. Hopefully that'll make the pain a bit more bearable.
Use 'slashdot stuff' in the subject line in any email you send me if you want to get past the spam filter.
If someone read Applied Cryptography or another text, then put concepts learned into practice, I wouldn't mind using a product made from them.
What gets me is that PGP isn't competing for this DoD bid. Of all the FDE solutions I have used, I like PGP's because it offers not just a PKI, but an open, standardized PKI that has stood the test of time. This is not to say that other FDE software isn't good. Safeboot, SecureDoc, DriveCrypt, and CompuSec are all very good solutions too.
What is funny is that FDE solutions have been around a long time, almost to the days of PGP 1.0. In 1990, Casady and Greene had a program called A. M. E. (Access Managed Environment) for the Mac that would DES encrypt every sector on the hard disk. FWB also had a solution using their Hard Disk Toolkit for partition encryption on the driver level (only used 2 DES rounds though.)