Slashdot Mirror
TSA to Contractors - Encrypt Your Laptops
eweekhickins writes "After two laptops were lost containing the personal data of 3,900+ truckers who handle HAZMATs, the Transportation Security Administration has ordered its contractors to encrypt any and all data. 'After the second theft or loss, the TSA conducted an IT forensic investigation that ascertained that the (previously) deleted information could be retrieved if a thief had the proper training. "So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place," Davis said.'"
Nothing for you to see here. Please move along.
sure pal
"No, not the keys to the truck and trailer, I need the damn keys to the laptop!"
---- Teach Peace. It's Cheaper Than War.
Though many never do, will this be the same?
I think that even if you force the security measures in place people will always find a way around it. People write their passwords on a Post-in note or tape it to their monitor. These security measures are good but definitely not perfect.
That these kind of measures are retroactive instead of proactive.
Ask not what you can do for your country. Ask what your country did to you
OK, so I have my Open Office document with goodies of HAZMAT data in it. I deploy my favorite encryption program and encrypt the document. Then I delete the original document. Same problem exists. Encryption is not enough.
Either the data needs to be "shredded" or stored in it's natural form on a fully encrypted volume.
For what it's worth, it's Lockheed.
We don't want people knowing how much crap happens at a typical bridge, or airport. So only autherized personal should have access to the data. Hmm, my ignorance is comforting as I type this.
Yeah, I installed TruCrypt today so I could encrypt my drive yesterday.
Uh, dude, I think you mean "reactive".
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
Can we have someone post something to the effect "that if MS weren't so evil, they'd encrypt the drive already and we wouldn't have this problem"?
For gods' sake, people, this is /., if you don't post about how this is MS evil doing, entropy will set in.
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
As someone who works for a govt contractor (state & local govt, not federal), ironically in the security field lately, I've noticed that retroactive measures for security lapses are generally the norm, and not the exception. The govt organizations themselves are too cheap to do security right in the first place, and many contractors are too greedy to include proper security measures in their govt projects since those will cut into their profits. Fortunately, my employer has a clue and we don't suffer from such moronism, but we sure see a lot of it when we have to come in and finish or repair a system implementation that a prior contractor botched up.
Always put the password somewhere near your laptops in case you forget it. Security is aight, but there's nothing worse than forgetting your password!
Due to the problem with most computers NOT being able to offer full HD encryption, to use a X86 emulator (like VirtualBox) with an encrypted directory via TruCrypt.
That problem is it does NOT provide good stego. I've went over that before, but there's a way to prove by contradiction that there is a likely chance of hidden partitions in data.
Just don't take your laptop through a German airport now...
Be serious here!
You steal a laptop. If you're not a complete dimwit, you first of all check what you got. So you boot the thing up and notice that you have a government laptop in your hands.
Question for 100: Do you want to know what's on it? Let's even assume you don't know jack about computers, but do you want to know what's on the box?
Now, it's fairly trivial to get information out of a hard drive and restore deleted information (unless it's been overwritten, where it becomes less trivial). A halfway informed person with a bit of knowledge is enough, you don't need a forensic expert. All you need is the usual program(s), downloadable at leisure. And presto, instant information recovery.
The question is not whether information can be gained from the laptop, the only question is whether the thief has the brains to use it. That he has access to it without any hassle is a given. The only thing that matters is whether he knows a fence for information rather than just hardware.
And yes, those people exist...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
So even though [there's only a] small chance of [the data being misused], we did notify all affected individuals and advised them of what steps to take to protect themselves, and we mandated that contractors need to encrypt any and all data in addition to any deletion procedures that might be in place
The data that goes out, why spend incredible efforts tracking every action of the victims in case it's a fraud.. versus, invalidating the data that went out?
Your social security number was leaked because of the government? The government changes your social security number, fixes their data, and the old one remains as a trap waiting for some fraudster wanna be try and use it.
I have to say that everybody is all for encrypting your laptop until you realize what that means. For us we are running Pointsec (or as some people call it, PointSuck) on every laptop in the company. It's annoying because Pointsec is a dog to install and about 1 in 10 people who do end up having it crash before it reaches the magical 1% and have to rebuild their machine from scratch. They say it doesn't affect disk performance, but it is yet another layer of overhead that makes the Core2Duo based Laptops we use now take 10 minutes to boot up (10 minutes until the disk dies down and it's usable at least, thanks to Symantic, ZoneAlarm, Patch Checker, Radia, etc...) and not feel any faster than the previous generation laptops.
It has been especially annoying for my department because we have lots of older hardware (like Sony Vaio Picturebooks that are really nice for portable testing, and Sharp Zaurus SL-C7xx series linux boxes that we really have no way of encrypting, and must plant clear instead, even though they'll never have any kind of vital information on them). Not to mention all of the people who are in to dual booting (we now use VMware a lot instead, although VMware has several issues that make it annoying, the most basic of which is the clock drift). It's also been a pain for our laptop re-imaging system (which is basically dead now)
In the end I'll be glad if my main work machine is stolen since I'm pretty sure Outlook doesn't encrypt anything and I have confidental information on it, but the cost is a lot higher than the price of one copy of Pointsec.
In Soviet Russian laptop encrypts you!
Guess some people have to be told what should have been obvious.
The latest versions of Puppy Linux have an easy-as-pie way to encrypt everything. Just burn a CD, boot from it, then at shutdown you're prompted to save your session. You can save to the hard drive or any other storage device, and you have the option to encrypt the data.
Boot from the CD, and it'll find and load the data you stored. Enter your password (correctly, one would hope) and go. It doesn't get much simpler than that.
Of course, you can't use your insecure Windows "helpers". But if they were *really* concerned about data security... well, I won't go *there*.
Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
The TSA can issue orders like that until it is blue in the face. If it ain't in the contract, and it ain't in the Federal Acquisitions Regular (FAR), then the only way this happens is if TSA (in other words, the taxpayer) chooses to *pay* for it to happen.
Are there any real-world effective laptop encryption solutions?
Encryption requiring a simple password:
They key space will be limited making for easy cracking.
Encryption requiring a sufficiently complex password to avoid above:
The password will be too hard to remember so people will write it down... on a sticky note on the laptop.
Encryption requiring an external device to supply complex key:
This will fail because many people will either attach the device to the laptop, or keep it in the same bag as the laptop.
I guess the simple password solution is the best since it would at least require a degree of technical expertise from the thief to get around.
Generally, a very informative post that generally conforms with my experience.
the govt organizations themselves are too cheap to do security right in the first place,
Most of the orgs comply on paper, but operationally its pretty bad.
and many contractors are too greedy to include proper security measures in their govt projects since those will cut into their profits.
The blame goes both ways. I've been in situations where good security was seen as not necessary by the agency. There is also the nasty problem of politics winning the bid instead of specs/price/service. And yes, the contractors cut corners.
http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
Encrypt the drive ... except for a partition or flash module with enough of the OS to get started and prompt for the drive key password.
now we need to go OSS in diesel cars
I like how TFS says "theft OR loss". Which one is it? Are they trying to shrug off accountability or are they just idiots?
Wrong, Sparky. "REACTIVE" is the word. But, thank you for playing. Johnny will tell you what your consolation prize is...Tell him what he won, Johnny!
Johnny: A dictionary...Now, look that up in your Funk and Wagnel.
Politics is the art of looking for trouble, finding it everywhere, diagnosing it incorrectly and applying the wrong fix.
Encryption is not perfect. It can be broken.
How about this: don't drive around with laptops full of sensitive data.
I don't care if downloading the data to a laptop is cheaper; it puts me at risk! If you are going to be handling my data, then I demand that you take better care of it.
Not that my demands mean anything at all. This is one of the many reasons I haven't set foot in an airport since 9/11.
I use Truecrypt to encrypt a partition on a drive and store all of my documents there. It's transparent to the user, once you've mounted your volume(s) and it's pretty danged fast, too. You can do encryption with Twofish, Serpent and AES or a cascading combination of them. Pretty damned secure, opensource and free.
You can even encrypt a whole device. If you do that, it just looks like a blank volume and a thief won't even know there is data on the volume to be decrypted.
I think that even if you force the security measures in place people will always find a way around it.
So the requirements will be used to force contractors to buy Vista and use bitlocker. Sure, there are better solutions available using free software and the government has spent all sorts of money on Bastile Linux for just this purpose, but that won't keep Steve Balmer in coke. M$ is having a hard time after the outright rejection by the FAA and DOT, the Fortune 500, higher education, their Wintel press buddies and anyone with a memory. They have to work on less established, less competent and much easier to manipulate and bribe agencies like the TSA, local school districts and so on and so forth.
Most Thinkpads support something like Full Disk Encryption. Password in the BIOS, and you can't boot without it. The disk is literally unusable without the password.
My gig at I%$&#, they had me write my FDE password down and give it to the nice Systems tech. That way, when I left, they could recover the disk and reissue the machine after the usual shredding and wiping.
Without it, they would have to throw out the drive and buy a new one.
And yes, you need to remember your password. This you write down and leave at home, or with the Keymaster in the office, or your boss.
Honestly, this is not that hard.
deleting the extra space after periods so i can stay relevant, yeah.
The social security number is a unique identifier. It should be used to refer to you, to unambiguously distinguish your identity from someone else's, not be construed as any kind of authentication token. Having power over someone because you know his name belongs in a fairy tale, not a purported security scheme.
In general, it is safe and legal to kill your children. -- POSIX Programmer's Guide
Thousands Standing Around
" In my opinion, any company, corporation, organization or government entity that misplaces (through loss or theft) sensitive financial data should be responsible for paying for identity theft coverage for as long as the potentially affected individuals live. Then maybe they wouldn't be so damned quick to store all of that data or just hand it out to every contracter they hire.
Telling someone "So sorry, we lost a disk with all of your credit-card numbers, social-security number, personal history. We suggest you buy identity theft coverage right away." is total bullshit.
One of the banks that I used to do business with had 2 laptops stolen with my information on them. They told me they were going to be good enough to *give* me 1 free year of credit protection. I told them that the data on that drive wasn't ever going to *go away* and that they were going to pay for that coverage for the rest of my life. We argued and I basically said that if I ever had my identity stolen, it would come back to haunt them as they had as good as given out my data to whoever stole the laptops. Eventually I got them up to 10 years of coverage, however I let them know that that did not let them off the hook and that if anything happened after that time frame, they would be paying to take care of it one way or another.
Who is general failure, and why is he reading my hard drive?
Wouldn't a laptop with a TPMv1.2 chipset and Bitlocker fix this? Can't crack the password db since it's encrypted. Only two ways in: stonewall the 40 number recovery key in vitro or guess the luser's password in vivo. Both a tough nut to crack.
I think the biggest problem with using encryption is making it easy for people to use without having to go through a lot of hoops. I recently decided to try to setup an encryption solution on my laptop, because of worries about this sort of problem, and a curiousity to see if I, as a geek, could get encryption in use as easily as I think it should be to do.
One solution to this is something like PGP whole disk encryption. The problem is, that is something that has to be purchased separately, and in a lot of cases, will slow a person's computer down significantly. Whole disk encryption is not really efficient, as you don't really need to encrypt system files and program files (though it is nice to encrypt the swap file, encrypting most other system files is a bit of a waste - though it might make your system harder to tamper with, I suppose). Dedicated encryption/decryption hardware could take the penalty out of this approach (something like the encryption engine that Via has added to their recent CPUs - gotta hand it to Via for innovating a potentially very useful [even if it seems somewhat obvious, they did manage to be the first, which makes me wonder why Intel/AMD didn't do this long ago] enhancement for CPU hardware).
What I ended up going with personally was setting up an encrypted virtual drive, using TrueCrypt, as that seems like the currently easiest solution, under windows. Under Linux (I have my laptop setup to dual-boot), I followed a guide to get my home directory and swap partition encrypted with LUKS. Getting that setup seemed like it was harder than it should be, but once it was setup, it seems to work pretty good.
But, it seems to me that operating system vendors (Microsoft, Red Hat, Novell, Debian, Ubuntu, etc) need to work on making it easier for users to setup to transparently encrypt user data (home directories/profile directories, swapfiles/partitions, etc), without having to encrypt system and program files. When I'm playing a game, I don't want to pay for the performance penalties of decrypting game-related files, which I don't really care if they are encrypted (which also gets into maybe the OS vendors need to figure out a way to come up with virtual memory management systems that allow programs like word processors and spreadsheets to allocate memory that gets paged to encrypted swap, while games and such would allocate on an unencrypted (higher-performance) swap partition/file.
People won't 'work-around' the encryption once it's easier to use the encryption than to not use the encryption.
Wait till you mount the encrypted volume, then snatch the computer. . . or covertly record the person entering the passphrase over their shoulder. . . or steal the external device with the keyfile. Encryption can be useful against a random robbery, but if someone knows you use encryption, and that someone is determined, encryption won't do a heck of a lot of good. Doesn't matter if it's government or criminals, they can both do the same things. And if they don't mind going the violence-or-threat-thereof route, and you are still determined, there's always the "You sure got a pretty/nice wife/husband/son/daughter/mother/father. Sure would be a shame if something happened to 'em".
Something funny happened with my Truecrypt today.
I agree with the parent and sibling postings that Truecrypt is a great program to have, and I use it all the time. I set all my Truecrypt volume sizes to equal 650MB, so that I can burn it to CD-ROM easily (e.g. archived copies of my finances, etc.). The fixed size means that someday I can pick a few of my Truecrypt volumes to include a hidden volume, but most of them won't have hidden volumes --but any attacker can go spin his wheels trying to look for a hidden volume where there isn't any.
Lately I've been making a lot of backup text/XML files within my Truecrypt volume, approximately some 650MB of text files, but then yesterday something unexpected happened:
I ran out of room.
I was surprised because I thought TrueCrypt would have compressed the text files before encrypting them. I had read that files such as text files have low entropy --that is, high predictability-- and thus the cryptographically secure thing to do is to compress them first before encryption, or else it is a cryptographic flaw that makes the encryption more predictable and thus easier to break.
To be sure, even with this vulnerability, my TrueCrypt volume is probably going to be unbreakable by most standards, but can someone either verify or refute my statement? I had assumed that, for purposes of cryptographic security, TrueCrypt would automatically compress my data, and thus I would be able to stuff a lot more than 650MB of text files into my 650MB volume.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
If everyone used encryption, would encryption be made illegal? If not made fully illegal, would *more* laws not be passed to criminalize just about anyone who owns a computer because they might be using encryption? I seem to get the sense that government is beginning to fear the general population more and more because of the all the increased access to technology that people have. It is fairly trivial to encrypt one's communication over the internet and I think this quite frankly scares the bejeezus out of law enforcement officials. For that matter, why doesn't Slashdot use https for submitting posts?
For a moment, I thought it was "TCPA".
Seeing has how the mere act of encrypting data has been used in court to establish guilt, I'm thinking I don't want to be one of the TSA's contractors.
Nothing to see here. Move along.
TrueCrypt encrypts at the *block* level, not the file level. Whatever the OS tells it to write to a particular block, it writes.
So format the TrueCrypt partition with NTFS and turn on folder compression if you want additional compression.
Wolde you bothe eate your cake, and have your cake?
well of course it do have bad effects..that's why many people refuse to use it!! for me,as long the laptop is in your eyesight,u will be safe!!