New State Laws Could Make Encryption Widespread
New laws that took effect in Nevada on Oct. 1 and will kick in on Jan. 1 in Massachusetts may effectively mandate encryption for companies' hard drives, portable devices, and data transmissions. The laws will be binding on any organization that maintains personal information about residents of the two states. (Washington and Michigan are considering similar legislation.) Nevada's law deals mostly with transmitted information and Massachusetts's emphasizes stored information. Between them the two laws should put more of a dent into lax security practices than widespread laws requiring customer notification of data breaches have done. (Such laws are on the books in 40 states and by one estimate have reduced identity theft by 2%.) Here are a couple of legal takes on the impact of the new laws.
Only laptops. I was worried that we would have to encrypt our entire database.
What kind of n00b do you think I am? Like I'm really going to click through a link to mofo.com.
Jesus.
Forcing idiots to encrypt sensitive files will ...
force idiots to encrypt files (not the ones they should encrypt, obviously) using the password "password" ...
and
lose half the data, believing they encrypted it
and
send the data to half their family, especially anyone claiming to be a hacker, with the subject line "can you tell me the password for this file", who'll put it online on wikileaks (who'll happily -and proudly- publish extremely private information on anyone they don't like, laws and privacy be damned)
Well at least, when the honeymoon's over and it's time for Barack O. to publish his email correspondence he can claim to have "encrypted it" and then send a random string, telling the judge the password has something to do with a very dark hole where apparently many claim the sun does not shine.
How interesting and ironic that not that long ago (1991) possessing encryption tools was considered as munitions!
It used to be that Philip Zimmermann was getting hassled for his creation of PGP.
Boy we've come a long way. Check out the Wikipedia entry on PGP if you can
but clueless users will write the password on a post it note, and probably burn a plaintext CD copy to leave lying around.
Government agencies will be worse.
Or if they are in the UK.
Let's say that this (good) idea is properly implemented (rather than just pretend implemented), and all the laptops have full disk encryption in place.
Now someone with one of these laptops travels outside the US, and then flies back in and is asked to boot up the laptop. They will do so of course, and then, suddenly, there is no point to having the encryption, at that point. Sure it's still useful for cases where the laptop gets left on a train or something (assuming that they also require a password when opening a closed laptop, something that should be the case anyway), but it doesn't stop over-zealous and possibly corrupt government agents from looking over the info anyway.
It is even worse if such a laptop goes with someone who knows the password to the UK...
-----
Over all though? Great idea, and anything that opens more people up to the idea of encryption and the need for it is probably good as well. The more people who can prevent the govt. from looking at their data, the better. (And see a previous comment in a different story about hiding data to prevent the govt. from forcing you to hand over your keys.)
I wank in the shower.
Here comes the flood of complaints that their systems are slow, not responsive or too busy.
We have gunfights with our encryption client almost on a daily basis, being a resource hog and all that.
First rule of holes; When in one, stop digging.
Okay, why is this already tagged "nanny state"? Is it somehow a fascist imposition on the free market to make companies protect the personal data of their customers? Aren't slashdot articles run all the time criticizing how lax many corporations (including financial companies that should know better) are with their customers' data?
I am the man with no sig!
I'm not surprised it has made so little difference.
As we know, technical solutions are rarely enough to protect data. Human processes and policies can be much more important.
Personally I prefer the UK approach, the Data Protection Act. No doubt it is flawed, and sadly not enforced as rigorously as it should be, but the concept is better. Rather than mandate specific technological approaches, it imposes a set of general requirements on any organisation that holds personal data:
The DPA is one of the few generally excellent pieces of legislation in the UK. It's just a shame that the Information Commissioner's Office that enforces it isn't as active as it could be. But it gives you quite a bit of power to take on companies yourself.
Paul Leader
It sounds to me like all you need to do is encrypt the hard drive and require a password, but if so, why so much? It seems $300 per person is probably on the expensive end for the software, but I'll let that one slide. However, $50 per person per month just to maintain the system? What is this cost for? What is there to maintain? The only thing I can think of is dealing with forgotten passwords, which will require restoring the system and losing whatever was on the laptop and not backed up. $600 per employee per year seems high for this.
Why do I have a sneaking suspicion that specific software will be endorsed and/or required to meet this new requirement? Probably whichever one spends the most money to "demonstrate" its capabilities to the lawmakers by treating them all to free vacations in the Bahamas. How much do you want to bet that a free solution like Truecrypt just won't meet the "standards" set by this new law?
End of lesson. You may press the button.
As many people in the election on both sides have stated, there are a lot of small businesses out there, more that do not focus on IT in general. Excessive restrictions and regulations are just as bad as none. You can't hold the hands of every company. You need to let them mess up from time to time. Encryption is a good thing however forcing it isn't even for companies. As many of the small businesses are an employee of one and it is their own personal PC.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I wonder if Massachusetts concern about encrypting stored data has anything to do with EMC being headquartered in the state. Considering that EMC owns RSA (the company), a law like this would probably benefit EMC. Also, Massachusetts is home to TJX, famous for having had a major data breach.
[Note: I work for EMC, but have no inside knowledge related to this topic.]
It amuses me to see how government always wants to have its cake and eat it too. I agree that widespread use of strong encryption and good security practices is of great benefit to society, but some Senator or law enforcement agency is bound to complain that their ability to wiretap or access encrypted data is being compromised by these better private security measures. Strong encryption and good security are two-edged swords, they help us and they help our enemies as well, there is no way around that. Personally, I don't have a problem with that. I would rather live in a society where encryption is used, privacy is paramount, and some criminals and evil doers are a bit harder to catch, not a bad trade-off IMHO. However, there will doubtless be howls of indignation from the law enforcement community, which contains more than its fair share of self-righteous authoritarian pricks, about how criminals are getting away with crimes and going unpunished. I suppose that my response to them would be to make better use of the tools and laws that we already have instead of depending upon ever more egregious invasions of our collective personal privacy and abridgements of our Constitutional rights merely to prevent some drug addict from getting his fix or some high school students from posting pictures of themselves on MySpace or Facebook.
Just because a state mandates something does not mean it automatically happens. Look at speeding, look at drug laws, look at overtime rules for P/T and F/T employees, look at many other unenforced business regulations.
This stuff is like when a judge ordered a server's RAM chips removed and stored as evidence, as they were a 'data storage device'. Government typically sucks at anything like this.
I want to delete my account but Slashdot doesn't allow it.
What currently operational (and I mean operational, I don't mean just turned on and sitting in a corner gathering dust with a little yellow light peering from between paddle switches) legacy operating system can you in no way compile OpenSSL on?
...who thought that the link to MOFO.com would be some kind of Samuel L. Jackson fan site and not a law office?
LETS DECOMPOSE & ENJOY ASSEMBLING
It seems like the Democrats are doing the same thing the Republicans did after 9/11. Just as after 9/11 the Republicans pushed Security to an extremist state, Democrats are using the financial crisis to push down all those heavy regulations down our mouth...
BS, this is state level law, not Congress, way to troll. Besides these laws were passed way before the meltdown, these are their enactment dates.
"There are no facts, only interpretations." --Friedrich Nietzsche.
A laptop is stolen weekly with 10000 credit card numbers on it. Yet the companies only respond to it when it affects their bottom line. This has to be law as it will take another decade before most companies even think about it.
I thought once I was found, but it was only a dream.
"Information wants to be free."
I don't know about free. Anything but free. This is government admitting they expect widespread monitoring of communications. For example, in the case of the UK, that means all business data will be scanned along with people's emails, so it makes sense that governments and companies with international offices are going to be worried their internal email documents are going to be intercepted.
There are 10 kinds of people in the world... those who understand binary and those who don't.
As long as the restrictions are reasonably commonsense, I don't think small businesses should be exempt. In the end it doesn't matter if my personal information ends up on the black market via a small business or a large business with lax security, either way I'm screwed.
Simple solutions that would solve 95% of the data leaks (especially the big ones):
1. Never store customer data on machines that must travel outside of the company.
2. Regardless of #1, all laptops have full disk encryption where possible, and extra safeguards (could be a sticker on the top that says NO PERSONAL DATA) against storing such data on those machines otherwise.
Getting people to practice proper database security is harder, and may not be practical to legislate. I'm not sure. Still, the vast majority of publicized personal information thefts have been the result of stolen laptops with personal information left unencrypted. It is simply not acceptable to carry around unencrypted personal data like that, no matter how small your company is, not with effective and cheap disk encryptors available.
I read the internet for the articles.
>Also I could see huge problems later on when the only IT guy who knows the key is fired, hit by the obligatory train, or quits.
If you're covered by the credit card industry's Data Security Standard, you're already required to use encryption and you're required to use it competently, with a key management infrastructure.
Corporate crypto deployments have been using some form of key escrow for many years. Availability is as much part of security as confidentiality is.
You can't hold the hands of every company. You need to let them mess up from time to time. Encryption is a good thing however forcing it isn't even for companies.
Lead reduction is a good thing however forcing it isn't even for companies.
Proper document shredding is a good thing however forcing it isn't even for companies.
Proper hazardous waste disposal is a good thing however forcing it isn't even for companies.
There are a lot of things that are inconvenient that we, as a society, have decided that our citizens must do. In each of the above cases, including yours, the regulations exist to enforce real, tangible protections. These aren't hypothetical problems that only give legislators something to gripe about, but actual problems that would otherwise directly affect other parties.
As many of the small businesses are an employee of one and it is their own personal PC.
Install TrueCrypt and be done with it. This isn't something for a small business to panic over.
Dewey, what part of this looks like authorities should be involved?
Any lawyers reading want to comment on Massachusetts's attempt to impose this regulation on any business (even one without a presence in Massachusetts) storing information about Massachusetts residents? My take on this is that they are WAY overstepping the boundaries of what state laws can do, but IANAL.
click-click
click
<password><enter>
Damn, that was cryptic. Oh, wait.
TrueCrypt file volume. I now have a nice safe drive U:
Full disk encryption just prompts you for the password or smartcard+PIN at boot time.
Millennium Development Goals:
Yes, you're right, that is un-American.
You'd probably have trouble on AS/400 unless they've done a version that copes with all the nasty EBCDIC issues porting to that platform (and the fact that it doesn't use directories in any meaningful sense, and what there is of its filesystem is completely alien to the average PC user).
There are lots of those in operational use that have been doing mundane work for years.. and nobody is going to change them in a hurry, because replacement is very expensive and you don't get a better system at the end of it.
Hell, I'd hesitate to compile OpenSSL on quite mainstream OSs like HPUX (although probably someone has already gone through the pain of doing it I'm sure).
Encryption is good for protecting trade secrets, but useless for protecting social security numbers. Thieves who want to steal credit card or social security numbers can choose from tens of thousands of possible targets, at least one of which will be insecure. We need to stop pretending that social security numbers are useful as identification or authentication, because using an SSN to identify yourself requires disclosing it. We need to switch to a system of public-key cryptography, and put the blame for identity theft where it belongs: on the banks, who somehow decided that a few readily-discoverable numbers and a few easily-forged documents were all that's needed to take a loan in your name.
It's not just personal data on the laptop.
I work for a fairly small company, and while we don't have any personal data off our server, and in fact don't really have any personal data beyond names, addresses and email accounts...
Which is why, of course, we have Truecrypt with boot-time encryption on all laptops, so that if they get stolen we don't have to run around like chickens with our heads cut off trying to figure out every single login that needs to be changed.
For those people worried about forgetting the password: Burn three or four TrueCrypt 'recovery CDs' and write the password on them. In fact, write the password everywhere...just don't carry it around in the laptop bag.
Seriously, half these 'data thefts' are random laptop thieves stealing random laptops that just happen to include absurdly dangerous amounts of data on them. They aren't targeted attacks, and the thief is probably wiping them before boot. But companies have to act like they have all your data because said companies are morons who can't spend a tiny amount of time setting up free software that would stop that from happening.
People often worry about computer security in entirely the wrong direction, worrying about changing internal company-only passwords every month, and then completely ignoring actual outside risks like someone snatching a laptop bag off someone's arm.
If corporations are people, aren't stockholders guilty of slavery?
I wonder if people will simply ROT13 their data for cheap token compliance.
ssh was ported to AS/400 longer ago than I care to remember, and ssl along with it later when it became ubiquitous.
I've actually compiled OpenSSL on HPUX rather than use old, ratty, early version packages. It's really not so bad if you think in terms of old Solaris machines that you couldn't do too many useful things with until you "gnuified" them. As soon as you've gotten your gcc goodness and a bucket of appropriate libraries, openssl becomes trivial to build anywhere really. That was my point---I can't imagine a system that anyone still uses for anything--at least not one that approximates POSIX compliancy (and even many that don't), that would be impossible to build openssl on.
Looks like a lot of state agencies are finally going to have to upgrade from Win98.
A requirement for on-disk encryption could actually be a real problem for many medical practices, because an astonishing number are still using slightly-updated versions of practice management software from the early- to mid-90's on systems like SCO's OpenServer 5.0.x. I support a fair number of those practices.
We also have one practice running a dedicated system for ophthalmologists that is so old it doesn't understand networks. Users are connected via serial port expansion units. Makes it a pain when they have multiple sites and the telco says "We're dropping support for those 56k dedicated lines you've been using for 15 years."
fencepost
just a little off
openssl des3 -d -salt -in file.des3 -out file.txt -k horsefeathers
Your password can be read in /proc; top will gladly do the work for me. Don't ever give the password as part of the command line.
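As an added illustration (my code, not anything posted in the thread), the script below reproduces the leak the reply above describes and shows the fix: a child started with the passphrase in argv is readable by any local user through /proc/<pid>/cmdline (or `ps`), while a child that takes the passphrase over stdin exposes nothing. It assumes a Linux /proc filesystem (falling back to `ps -o args=`), and uses an idling Python child as a stand-in for the `openssl ... -k horsefeathers` invocation.

```python
"""Added example: why a passphrase in argv leaks, and how stdin avoids it.
Assumes Linux /proc (falls back to `ps`) and Python 3.8+."""
import subprocess
import sys

# Constructed sample passphrase, the same value the quoted command used.
SECRET = "horsefeathers"


def visible_cmdline(pid: int) -> str:
    """Return pid's argv as any local user can read it (/proc/<pid>/cmdline, else ps)."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    except OSError:
        out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True)
        return out.stdout


def _leaks(argv, stdin_data=None) -> bool:
    """Start a long-lived child with `argv`, optionally feed it `stdin_data`,
    and report whether SECRET appears in its publicly visible command line."""
    child = subprocess.Popen(argv, stdin=subprocess.PIPE if stdin_data else None,
                             text=True)
    try:
        if stdin_data:
            child.stdin.write(stdin_data)
            child.stdin.flush()
        return SECRET in visible_cmdline(child.pid)
    finally:
        if stdin_data:
            child.stdin.close()
        child.kill()
        child.wait()


def secret_in_argv() -> bool:
    """The `-k horsefeathers` pattern: the secret rides in argv. Returns True (it leaks)."""
    # Stand-in for `openssl ... -k horsefeathers`: an idling child with the secret in argv.
    return _leaks([sys.executable, "-c", "import time; time.sleep(30)", "-k", SECRET])


def secret_via_stdin() -> bool:
    """The fix: hand the passphrase over stdin (`openssl ... -pass stdin`) or a
    mode-0600 file (`-pass file:/path`). Returns False (argv stays clean)."""
    return _leaks([sys.executable, "-c",
                   "import sys, time; sys.stdin.readline(); time.sleep(30)"],
                  stdin_data=SECRET + "\n")


if __name__ == "__main__":
    print("passphrase in argv leaks:", secret_in_argv())      # True
    print("passphrase over stdin leaks:", secret_via_stdin())  # False
```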
And you're wrong, using crypto isn't hard. I use the full-disk encryption Ubuntu has spoon-fed me. When I boot, I enter "hunter2" at the password prompt. That's it.